There’s a technical support specialist living in Austin, Chris Vickery, who makes the news from time to time. As a hobby of sorts, Chris searches the Internet for massive databases that have been left unsecured on the Internet, exposing sensitive information about millions of people. Last December, Chris found the voter information of 191 million people, including birthdays, home addresses, email addresses, and phone numbers, freely available on the Internet. He’s also found over 3 million unsecured health records and the unsecured personal information of over a million children.
Unfortunately, the problems that Chris has exposed are not isolated incidents. Managing access to data, especially unstructured data, is a growing problem for organizations around the world. Most enterprises now store so much unstructured data on file servers and NAS devices, on SharePoint sites, and in cloud storage services that they have no effective way of determining what they possess, where it is stored, or who has access to it. The inability to effectively govern data presents serious and growing risks, including brand damage, and regulatory and legal exposure.
So what can be done to better protect sensitive data? We believe that answer lies in the integration of identity governance and data access governance. These two solutions work hand-in-glove to give organizations the preventive and detective controls required to restrict access to data and identify and remediate data security issues.
Priority one is putting appropriate preventive controls in place. Users should have access to only the minimum resources they need (“least privilege”) and access to sensitive data should be highly restricted. This sounds straightforward, but how do you know what data is sensitive and what access privileges are appropriate for a given job function? Data governance tools can help by finding sensitive data across the enterprise and by collecting and analyzing permissions to show “who has access to what.” Identity governance can help ensure that all user access conforms to policy and job roles, and that inappropriate access is promptly revoked.
Organizations need detective controls to review and monitor user access and activity for anomalies that need further investigation. In other words, it’s not enough to simply define access controls and forget about them. Too many factors in the environments are constantly changing (users, applications, directories, etc.), and sometimes policies and procedures are not followed to the letter. Detective controls allow organizations to identify and rectify problems before they lead to a catastrophic breach. Examples of detective controls include periodic review of access by supervisors and data owners and monitoring of user activity affecting sensitive data. Every organization will benefit from detection of situations like a fired employee who still has access to cloud storage or a user who has downloaded a large volume of sensitive data on multiple occasions.
Cases of unsecured data like those highlighted by Chris Vickery should serve as a serious wakeup call for organizations to build a layered defense that combines identity and access governance and data governance.
To learn more about when identity meets data, visit our data access governance page.