When it comes to securing access to applications and structured data, enterprises know what they should do to get it done. They certainly don’t always do it: but the processes and the technology to make it happen are well understood. When it comes to securing unstructured data — data that resides in file shares, SharePoint, and certain cloud services — things get a little murkier.
For starters, enterprises have a challenge finding this data strewn about the enterprise environment, let alone are able to prevent or detect unauthorized access to unstructured data. But with 80 percent of organizational data actually being unstructured, it’s crucial that they learn quickly.
Fortunately for everyone: the security industry, analysts, and enterprises realize that they must bring the same level of maturity and control to unstructured data that they bring to structured data. To gather insight on the state of this trend, and the challenges enterprises face in securing unstructured data, I spoke with Paul Trulove. Paul is the VP of SailPoint’s SecurityIQ business and has a lot of thoughts on this subject.
The intersection of identity, and identity governance, and data access governance, seems to be blurring. Can you speak to just how companies are extending identity governance to also governing access to files that are stored in unstructured data?
I think if you step back and look at what’s happening in the industry, people are beginning to get past a roadblock in their identity programs. Many enterprises were trying to catch up with the most basic of compliance and governance requirements being handed down by either their audit teams, or externally enforced by some kind of regulatory body. It was that, or enterprises were caught-up trying to replace their legacy approaches to provisioning, whether that was a homegrown system or another commercial, off-the-shelf product.
So many of our large customers lived in one of those two camps and they weren’t really able to step back and look at the big picture of what they needed to work on to address not only the most important things today, but the emerging concerns of what they’ll need to address in the years ahead.
I think the ability to govern access to all sensitive information in the enterprise is probably one of the top things that we hear about. More and more customers want to do this in a consolidated, consistent manner, which means the identity teams are now being asked to step into other areas of responsibility for IT, and at least provide guidance and not take over some of those activities directly.
What areas of identity management do you see as playing the largest role here?
Identity governance systems are quickly becoming the central platform for security in the enterprise. I think more and more people are recognizing that while they may have done a good job securing access to applications, databases, platform systems, they kind of forgot about all the file storage systems that are sitting outside of those. When you combine that with the reality that most data now in an enterprise is actually unstructured and stored in files not in a database or some type of an application, there’s a pretty glaring hole that becomes obvious immediately. Then, you have organizations that have already been breached, and unstructured data is very portable, and so they’ve lost sensitive data that could have been a PDF that had trade secrets. It could have been a customer list, it could have been credit card information. It doesn’t really matter. We’re just finding that more and more, a lot of the data that people are trying to protect is moved into some kind of very portable file format and is being stored in a variety of places, and not being scrutinized and controlled in the same way that all of the other systems have been.
Have you seen the industry changing to the concept of protecting access to unstructured data?
Yes. At the recent Gartner IAM Summit, governing access to sensitive data stored in files was probably a hotter topic this year than it has ever been. One of the reasons is that I think customers like to think of problems in as neat of a package as they can, and the term ‘data access governance’ has become very problematic because it doesn’t mean the same thing to everybody. For a long time, the analysts that were covering it were scratching their heads about this because there’s a bunch of different technologies that could be used to partially solve the problem, but they weren’t very clear on which approach was correct. This left customers out there looking for answers.
The fact is that there wasn’t a lot of pragmatic answers to that question. All of the sudden, analysts have begun to say that there’s a significant need in the market for us to be more definitive. The good thing is we’re starting to see the identity analysts understanding that the ability to govern access to unstructured data, or more generically, sensitive data stored in files, is an extension of identity governance.
What are some of the challenges larger enterprises have in looking more comprehensively at data access governance?
I think there are a number of big ones. The first one is simple. It is organizational responsibility. Governing access to data often falls between defined responsibilities within the IT organization, and therefore, unless somebody’s really looking to go do extra work, a lot of times no one is directly assigned.
We highly recommend to our identity practitioners to go annex this area before another team ends up being assigned the responsibility. If that happens, you’ve bifurcated the identity governance program in a very unintentional way.
The other is that structured data, such as data stored within SAP and Salesforce, is very different to manage than unstructured data. Unstructured data is different because you’ve now made this a function where everybody in the organization has the ability to create files and move data around from structured systems into files, and then concentrate information as they roll up things into Excel analysis, or PowerPoint presentations for management, or something like that. You have to take a very different approach to figuring out what’s sensitive, whether that sensitive data is located in the right place, and what policies you have that help guide you around that.
Then, ultimately, who has access to it becomes a very difficult thing to ascertain unless you take the next step, which is assigning data owners. You need to assign strong stewards of the data. This is critical to whether or not you can actually control who has access to it, because at the end of the day, when somebody is being granted access or their access needs to be revoked, you have to know who to go to.
The data ownership problem is a very unique challenge in identity management because you tend not to have gone through a process of really understanding who the right owners are, and then empowering them to actually participate in those ongoing identity governance controls.