How much of your data is in your control? Our research shows that 7 in 10 users have access to data they shouldn’t have access to. This is especially true of the huge stores of unstructured data that live outside of structured systems and applications behind the corporate firewall. Corporate unstructured data is growing at an alarming rate, and every email sent or document created adds up. But, unlike structured systems and data, unstructured data generally does not have an easily identifiable owner overseeing who has access. Simply look at the recent hacks of some very high profile individuals, like in the case of Colin Powell’s email hack and the damage done. Lack of data access governance is a far-reaching issue with potential for a lot of damage to be done.
To put the problem into context: structured systems such as an ERP or financial application typically have a business owner to oversee and govern who has access to it and the data stored in it. But in most organizations, there is no owner for the data extracted from these applications and copied onto an Excel spreadsheet or a PowerPoint to be emailed later on to several recipients. Instead, the care-taking of the resulting unstructured data is usually left up to the users who create or use it on a regular basis.
This is why ensuring the security of unstructured, sometimes highly sensitive data, can be a very tall order. But, it is possible and made easier with data access governance.
Data access governance, as part of an overall identity management strategy, is vital to an enterprise’s security posture.
The challenge in governing data, especially unstructured data, is identifying the right data owner. Typically, the people who own the data are the ones who create or use it, meaning there is no single owner to oversee unstructured data and its security. For data access governance to work, an owner needs to be ‘elected’ who can oversee the data, where it lives and how it’s being distributed.
How do you know who to elect? Through data owner election. This process is a quick but effective way to make sure the right person owns that data. For example, the HR department hires an intern who is tasked with updating employee information in a database.
In the owner election process, business users, most often those who also touch that data, are prompted to decide who owns the data in a collaborative effort to distinguish who the owner is. If we were just going by usage, the intern is the one who should own it because they access it the most and use it the most. But data owner election puts a process in place to apply logic to the process. In this case, it’s likely that the intern’s manager, or even the department head, is the most logical owner.
While automated methods of finding, categorizing and controlling access to the data can be a good start to mitigating risks, ultimately the ability to identify the proper business owner for your unstructured data by asking the actual business users is the only way to truly protect it.
Why it’s important
By implementing a data access governance solution, enterprises have more autonomy over their own data and a way to manage it all, answering the question of who has access to what, no matter where that data lives. While security is often the main reason or impetus for implementing data access governance, it comes with the side benefit of improved workplace productivity and better processes for compliance.
When IT has all the information on an organization’s users and their access – to both applications and data – they have the power to quickly make the right decisions in the event of a data breach.
It’s your data. Own it.
SailPoint can help you manage your unstructured data with data access governance. Get the full guide on getting your data in your control, or sign up for a live demo of SecurityIQ.