Protecting an organization’s most sensitive information – intellectual property, financial documents, personal information on both employees and customers, etc. – is an important responsibility for IT and security departments. Amid the growing presence of cyber crimes and theft, industry and government regulations, including the Health Insurance Portability and Accountability Act (HIPAA), the Payment Card Industry Data Security Standard (PCI DSS), the Sarbanes-Oxley Act (SOX), and the European General Data Protection Regulation (GDPR), were put into place to help protect this data.
While these regulations were intended to force good behaviors in order to improve the overall risk posture of global organizations, these compliance mandates created parallel projects for many organizations focused on proving compliance and protecting themselves. Fortunately, by implementing a governance-based approach to identity governance, you can secure your organization’s sensitive data while simultaneously complying with these laws, saving time and resources that can then focus on moving your business forward.
You Can’t Protect What You Can’t See
Security today requires so much. More than ever before: endpoint protection, anti-virus, encryption, virtual private networks, etc. In this context, security could be seen as a necessary evil. Sensitive information must be protected since the consequences of not doing so are catastrophic. But what is the cost of security? Have businesses become so paralyzed that they lose their innovative drive? Forego a competitive advantage in order to stay safe? Slow down their international business expansion?
Many regulations require protection of your sensitive data, but with 80% of all data in enterprises being unstructured – and therefore residing outside applications and databases – effectively managing access to all your sensitive data is a challenge. Unstructured data – text documents, spreadsheets, presentations, e-mails, etc. – does not follow the same rules that structured data does, and it is growing at an alarming rate. The amount of data is doubling in growth every two years.
In order to protect your data, you must first find where all your files reside, determine what sensitive information it contains, and who has access. Some organizations have policies in place that instruct employees where to place sensitive information. Unfortunately, even if policies are in place, it doesn’t mean that they are followed. You must employ a solution that can not only identify sensitive information, but then also validate and enforce the rules you put into place. And for compliance requirements, you need the ability to attest to these policies and controls.
Managing Access to Sensitive Data
A common problem with unstructured data is that access can be granted from multiple authoritative sources and through multiple permission tracks. Once you’ve identified the sensitive data files, you then need to know who not only has access to those files, but also what they’re doing with that access. Having this information will also help when compliance auditors arrive and want to know how you are ensuring the right people have the right access to the right data at the right time.
Another piece of this puzzle is to elect the correct owners for your data. Structured data has traditionally been assigned business owners to help manage access to it and the same should be true for your unstructured data. But just as it can be difficult to identify what data is sensitive and what isn’t, it can be challenging to designate the right owners for your data.
Rather than assign data owners based on usage, your process should include the option for business users to provide direct feedback, or elect an owner. The issue many organizations face is that the correct data owner cannot be found by traditional means; more often than not, this information only resides in the minds of the users who actively utilize the data. The solution? Instead of attempting to create rules to automatically assign owners, ask those who work with the data on a regular basis to be your eyes and ears. Those who work most closely with the information can collectively identify who would be best to own and govern access to the data in question.
Unstructured data is estimated to grow 10x in volume by 20201.
Automation is Key
Because of the sheer volume of unstructured data an enterprise can possess, it is nearly impossible for the governance of this data to occur manually. Automation must be implemented so that responses can occur in real-time and with high efficiency from both the IT and business sides of house.
Tools such as automated provisioning and de-provisioning of access, self-service access requests and automated certifications of access are all needed in order effectively govern data stored in files.
SailPoint Can Help
To fully address today’s modern data security needs, organizations are moving beyond traditional data access governance solutions, and incorporating sensitive data stored in files and folders as part of their comprehensive identity governance program.By taking this approach, organizations will reduce their risk of breach by 60%1.
In order to protect access to sensitive data, you must have a holistic view across your entire infrastructure. If your IT team or business owners are unaware of where sensitive data resides, cannot see all the permissions a user has, or how this access is being used, they simply cannot make the right access decisions to mitigate security and compliance risks.
IdentityIQ File Access Manager helps answer these essential questions:
- Where is your sensitive information?
- Who has access to it and is that access too broad?
- What are those users doing with their access, and do these actions violate your security policy?
- Can you prove all this to an auditor?
Accurately identifying data owners is a key step towards effectively controling and securing your organization’s data. While structured data stores have generally been assigned business owners, unstructured data usually do not have a complementary owner. Without proper data owners, unstructured data in files can be easily overlooked, incorrectly classified and improperly managed in terms of who has access.
Organizations who fail to actively assign accountability who are most knowledgeable about who should and shouldn’t have access are leaving themselves open to data breaches and regulatory penalties.
Once the owners have been elected from those who actually use the data on a regular basis, you must then enable them to manage their data via user-friendly tools that ultimately save them time.
IdentityIQ File Access Manager allows data owners to:
- Get visibility over the data they own.
- Self-configure alerts that are brought directly to their attention.
- Provide controlled access through self-service access requests.
- Give IT oversight and compliance through periodic entitlement reviews.
- Add access and remove high-risk access through actionable intelligence
Organizations in regulated industries will always be concerned with maintaining compliance. The security of this sensitive information and compliance with any regulations is imperative.
IdentityIQ File Access Manager helps compliance efforts by providing:
- Visibility into the location of sensitive documents.
- Validation that sensitive documents aren’t being leaked outside of protected areas.
- Activity monitoring to ensure that only the proper identities are accessing the data.
Compliance with laws and regulations is important for organizations in regulated industries, but it should be the spur that helps you secure your organization’s sensitive data, not the end result. SailPoint can help you get compliant, stay compliant – and more importantly – ensure the security of your enterprise’s sensitive data. Learn more.
- Gartner Identity & Access Summit, Las Vegas, 2017
You might also be interested in:
Find out how SailPoint can help your organization.