Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.


04:48 PM
Connect Directly

Herding Your Cats: Strategies For Securing Unstructured Data

When is a database not a database? When large volumes of sensitive data are stored in unstructured formats

[Excerpted from "Beyond The Database: Protecting Unstructured Data," a new report posted this week on Dark Reading's Database Security Tech Center.]

Most database security tools -- indeed, most database security strategies -- assume that sensitive data is stored in structured, relational database format. But as any IT professional knows, the enterprise is full of "databases" that are stored in all sorts of ways -- and many of them are anything but structured.

Flat-file databases. Spreadsheets. Email files. Microsoft Word documents and PDFs. Any of these can be sources of sensitive data, and even with a strong database security strategy in place, might fall into the wrong hands.

This is what's known as unstructured data, and we're accumulating it at a breakneck pace — specifically, a compound annual growth rate of 61 percent, according to IDC.

This data may be stored in a variety of unstructured ways, such as folders on a file server, laptop hard drives, Microsoft Access databases, and USB drives. And it can be just as valuable in its unstructured form as the data stored in traditional structured databases. It needs protection, and there must be a strategy for securing it. That means gaining an understanding of this data's characteristics.

The first step is to create a list of important data types you may hold. For Acme Inc., an e-commerce company, we might include cardholder data; personally identifiable information (customer and employee); intellectual property; financial information; and business operations data, such as email and contracts. The main idea is to understand the types of data and how we will respond once each is discovered.

Once a list is compiled, map these data types to a classification and handling policy that outlines how groups of data should be managed. The most common mistake we see when IT groups write these policies is specifying exactly how data should be protected. That approach is inefficient and causes more work for you later. Instead, be flexible -- provide a range of solutions, rather than mandates.

Finding data can be tricky. You know where it should be stored, but where else is data you want to protect hiding? The 2009 Verizon Data Breach Incident Report concluded that 67 percent of data lost was of an unknown type and took the companies affected by surprise.

List the places known to house the data you want to protect. Next, ask your users where they store data. You may be surprised to find shares on laptops, data stored inside applications, application logs, and file shares containing sensitive information that shouldn’t be open to the world. Most users will be forthcoming, but some will overlook locations they have forgotten about or don't access any longer.

Find data strings that indicate sensitive data -- such as credit card numbers or other data formats that suggest sensitive information -- and begin searching file shares, laptops, and connected storage devices anywhere you can. Another approach is to ask users to review documents they own and identify those with sensitive data that needs to be protected or organized. This moves the burden from a small group of people and spreads it to a larger group, thus less effort per person. The only issue is getting people to actually do it.

Once you've found the data you need to secure, you'll need to apply the appropriate controls, which may include access control, encryption, and/or data leak prevention. To find out more about the data discovery process -- and the tools and processes used to secure the sensitive data you find -- download the free report.

Have a comment on this story? Please click "Discuss" below. If you'd like to contact Dark Reading's editors directly, send us a message. Adam Ely is the founder and COO of Bluebox. Prior to this role, Adam was the CISO of the Heroku business unit at Salesforce where he was responsible for application security, security operations, compliance, and external security relations. Prior to Salesforce, Adam led ... View Full Bio


Recommended Reading:

Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
COVID-19: Latest Security News & Commentary
Dark Reading Staff 7/6/2020
Russian Cyber Gang 'Cosmic Lynx' Focuses on Email Fraud
Kelly Sheridan, Staff Editor, Dark Reading,  7/7/2020
Lessons from COVID-19 Cyberattacks: Where Do We Go Next?
Derek Manky, Chief of Security Insights and Global Threat Alliances, FortiGuard Labs,  7/2/2020
Register for Dark Reading Newsletters
White Papers
Current Issue
Special Report: Computing's New Normal, a Dark Reading Perspective
This special report examines how IT security organizations have adapted to the "new normal" of computing and what the long-term effects will be. Read it and get a unique set of perspectives on issues ranging from new threats & vulnerabilities as a result of remote working to how enterprise security strategy will be affected long term.
Flash Poll
The Threat from the Internetand What Your Organization Can Do About It
The Threat from the Internetand What Your Organization Can Do About It
This report describes some of the latest attacks and threats emanating from the Internet, as well as advice and tips on how your organization can mitigate those threats before they affect your business. Download it today!
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
PUBLISHED: 2020-07-08
Buffer overflow exists in Geovision Door Access Control device family, an unauthenticated remote attacker can execute arbitrary command.
PUBLISHED: 2020-07-07
An issue was discovered in CMSUno before 1.6.1. uno.php allows CSRF to change the admin password.
PUBLISHED: 2020-07-07
Victor CMS through 2019-02-28 allows XSS via the register.php user_firstname or user_lastname field.
PUBLISHED: 2020-07-07
A memory leak in Openthread's wpantund versions up to commit 0e5d1601febb869f583e944785e5685c6c747be7, when used in an environment where wpanctl is directly interfacing with the control driver (eg: debug environments) can allow an attacker to crash the service (DoS). We recommend updating, or to res...
PUBLISHED: 2020-07-07
Gossipsub 1.0 does not properly resist invalid message spam, such as an eclipse attack or a sybil attack.