How Data Governance Can Improve Your Security Posture
Data fuels today’s digital economy, with organizations around the globe collecting, storing, analyzing, sharing and monetizing massive data stores in search of market insights, operational efficiencies and customer experience enhancements. Protecting all that data has become an extreme challenge, however.
Unrestrained data growth has been an issue for decades, and it has become particularly acute over the past two years. The shift to remote work and the increased reliance on multiple cloud platforms and services have dramatically accelerated data sprawl. As a result, few organizations know where all of their sensitive data resides — and that lack of visibility seriously compromises their ability to secure and protect their data.
Recent research finds that the average organization has data stored in more than a dozen different repositories — not including the ones they don’t know about. Most organizations have significant amounts of sensitive data residing in unsanctioned cloud storage as well as other “informal” repositories such as email, collaboration portals, messaging services and personal devices.
Identify and Classify
A data governance framework is essential to gaining visibility into your data storage environment, limiting sprawl and ensuring compliance with various government and industry regulations that stipulate how data should be collected, shared and used. A well-designed governance program helps organizations identify what data they have, where it resides, its operational value and who can access it.
A data discovery process is the first step. Most business intelligence software includes data discovery tools that connect to your network and identify data assets wherever they reside. Once you’ve created a comprehensive inventory of your data, discovery tools can scan metadata to identify data attributes that can be used to classify data based on use case and value to the organization.
Armed with that information, you can establish baseline security practices that match data value. Generally speaking, data can be classified according to three value levels:
• Public data. This includes anything intended for public use that would result in little to no risk if it were disclosed. This might include press releases, blog posts or research publications.
• Private data. This includes personal information (PI) that can’t necessarily be linked to a specific person but could result in a moderate level of risk to the organization. It could include search histories or past addresses.
• Restricted data. This includes more sensitive personally identifiable information (PII) such as Social Security numbers or tax ID numbers that could be used to distinguish an individual’s identity. It would also include intellectual property, trade secrets, financial statements and more.
The governance program should also describe specific security measures based on data classification. These measures would establish controls on who can access data and what they can do with it. That typically will require identity and access management tools to ensure users can only access the data they need for their jobs. More sensitive data will require stronger measures such as multifactor authentication, secure remote access, risk-based/adaptive security and granular password management to help provide control over user credentials and activity.
A governance program should also include procedures for storing, archiving, backing up and securing data. These are primarily IT issues, but a variety of emerging tools are simplifying these processes through automation. For example, automated archival tools streamline the process of moving data off primary storage tiers, and e-discovery tools deliver powerful search and tagging functionality that improves the ability to review and classify data.
Poor visibility into sprawling storage environments has contributed to increased risk of breaches and leaks. Although the numbers won’t be finalized for a few months, 2021 data breaches in the U.S. are expected to surpass the record set in 2017. Our cybersecurity experts can provide guidance on establishing a data governance program that will reduce your risk.