Earthquakes and Identity Governance: The Magnitude of Preparedness

Those who have spent any time in California are undoubtedly familiar with the possibility of an earthquake.  However rare they are, most have taken at least some level of preparation—whether knowing about evacuation routes, or putting together an earthquake kit with batteries, water, flashlights, etc. During a recent trip to Northern California I came to the realization that if 3 in 5 organizations expect to get breached (2017 SailPoint Market Pulse Survey), their level of preparedness is far lacking relative to that of a major earthquake, a much rarer event.

In general, most mature IT organizations have at least some form of an identity governance program to protect access to applications, databases, and platforms that contain sensitive customer, HR or even financial data.  But as with almost any company, business users are constantly extracting and downloading data from these systems as they collaborate and create new content such as documents, reports, and presentations.  This new user-generated content is then stored in local file shares, SharePoint, or even in cloud storage systems like Box or OneDrive. This creates a new area of risk exposure for the business, as sensitive data is now stored in files, often outside of the visibility and control of the organization’s identity governance controls.

The risk exposure from data stored in files (also known as unstructured data) continues to grow every day, much like the stress being accumulated along a fault line.  According to Gartner, upwards of 80% of enterprise data now consists of unstructured data.  Even as the bulk of corporate data now resides in ungoverned repositories there just isn’t the same level of urgency to protect this data.

Over the past few months, I have been surveying customers about how they are approaching this rapidly escalating area of risk. The response I get from many organizations is often “we know we have these files out there all across our company, but we just don’t have the bandwidth, tools…or it just isn’t a priority right now.”  Many predict that the next “big one” will hit California within the next 30 years, but you need only to wait a few days to hear news about the latest big data breach.  Now is the time to prepare.

Just as we are learning to better predict earthquakes, organizations are learning about the risk presented by their data stored in files (sometimes the hard way) and how to address it.  Gaining control over these ungoverned files shouldn’t be treated as a disparate initiative from your overall identity governance program. It should be part of a comprehensive approach to identity governance, which extends controls and protects access across all applications AND data stored in files.

With a holistic approach in place, you can apply consistent access controls and policies for sensitive data, no matter where it resides, throughout each user’s lifecycle.  Whether data is stored in file shares, NAS, SharePoint, or in the cloud (Box, Dropbox, OneDrive, Google Drive), you can get visibility to where users are storing their content, determine whether there is sensitive information within the data, and gain insight into what your users are doing with these files.

I recently had the opportunity to meet with several SailPoint customers (who happen to be based in California) that have clued into the compliance and security benefits of extending their identity governance strategy.  Only by taking a comprehensive approach can they stand ready to take on any threat…whatever the magnitude. I’m sure many in California can attest to the value of an earthquake kit, and it would be wise for us all to take the same proactive preparation when it comes to governing our data stored in files. If you’re ready to start putting together your identity governance kit, read Securing Access to Files with Identity Governance informative as the first step to understanding how you can get your organization prepared.