Are your organisation’s secrets actually secret?
If we look back over recent years, organizations quickly established databases for storing information and, with them, ways to mine these records to squeeze as much intelligence out of them as possible. However, what has often been ignored is the wealth of data stored in widely accessible files on shared network storage. In fact, these files actually make up as much as 80% of an organizations data, according to IDC. That is a lot of information and begs the question “where is all this unstructured data coming from and is it really necessary?”
In the public sector, this information comes in a variety of guises – patient records within the Health Sector; benefit applications within Social Services, right up to draft government policies. These various forms, documents, emails, conference call recordings and draft legislation are unquestionably vital in the day to day running of these departments yet are routinely stored as file data (the 80% we talked about) and left to fend for itself on the network.
It is desirable by malicious insiders and external hackers who recognize its worth, even if you currently don’t. Imagine if an outsider accessed these files the damage they could do with this sensitive information and also the damage that would be caused to the reputation of the department involved! Many organizations protect their databases but fail to afford their unstructured data the same protection – is yours one of them?
In case you need evidence that this isn’t pure fabrication but does actually happen in the real world, the case is still ongoing against former MI6 worker, Daniel Houghton, who pleaded guilty to stealing top secret material but also claimed he made copies of the electronic files and attempted to sell them for £2 million to Dutch intelligence agents. Documents containing details of secret information gathering software Houghton devised and is thought to have copied are still missing. Also this month the US Military confirmed that more than 90,000 classified military documents had been copied including battlefield and intelligence reports – one of the biggest leaks in US history.
Regulators are increasingly concerned of the potential damage sensitive information contained in files can cause in the wrong hands and are creating and enforcing data security requirements for unstructured data. Compliance can be expensive—and it’s not optional. Take HIPAA (Health Insurance Portability and Accountability Act), for example, the US Department of Health & Human Services’ (HHS) Office for Civil Rights (OCR) recently announced significant proposed changes to the act including compulsory breach notification expected to become law later this year – not a cheap exercise just contacting everyone involved let alone the knock on effect to public confidence. A little closer to home lapse security policies and procedures could result in a breach of the Data Protection Act and could incur a financial penalty of up to £500K from the ICO (Information Commissioner’s Office).
So, hopefully now you recognize the importance of protecting your unstructured data, the question you need to answer is where is all this valuable file data coming from? Here’s a quick checklist of sources to consider as you survey your own file data landscape, as well as thoughts on protecting these files:
Applications and databases
Whether your applications and databases are running in-house or in the cloud, mid-level managers are probably using them to export interesting data for analysis, reporting, presentations and other legitimate activities. The US military breach mentioned above is one very public example of the damage that can be caused, and the far reaching consequences when spreadsheets, documents and presentations containing exported information are stored on shared file systems for enhanced communications and collaboration, poses a credible data security risk that needs to be mitigated. For other government departments that data may include credit card information, an individual’s details or medical records could add compliance requirements such as HIPAA, SOX, PCI and/or Data Protection (DPA) to the list.
Intellectual works
Copious amounts of file data never experiences the safe confines of a database or an application, instead it goes straight from the mind of knowledge workers into a file stored somewhere on the network. Software source code is an obvious example, as are legal documents, draft policies, employment records and various research projects. These files often contain intellectual property and a wealth of information and rich detail about opportunities, partnerships, business operations, future plans and strategic advantage. Sharing this information on file servers and network attached storage devices can be critical for mobilizing your company and uniting distributed project teams, but it’s just as critical to ensure that the data is protected from intentional or even inadvertent harm.
Application communication and storage
When applications need to communicate with each other, but don’t speak a common language, using intermediate files on a shared file system can serve as a form of enterprise application integration. For example, a doctors surgery with a legacy application running on a mainframe, and another medical department application running on Microsoft servers, can use files on a shared file server or NAS device to exchange information between the disparate systems. While only the applications should have access to those shared files, it’s highly likely that the file servers or NAS devices where the files are stored are accessible by many users. So, care has to be taken to safeguard access and prevent sensitive data from being compromised.
An even more basic, and more common, use of shared file systems by applications is when applications simply store their output or intermediate results in files. Applications can generate a lot of file data, and once this application-generated file data exists on shared storage, it needs to be protected against excessive access.
Digital media
No, we’re not talking about employees who store their movies and music on your enterprise file servers. Instead, think: digital recordings of calls between departments and external teams, video from security cameras, and even training and education materials such as podcasts and videos. Media files can be large, and when they are generated through ongoing business operations – like contact centre recordings and surveillance videos – there can be a lot of them. If, for example, your department is processing pharmacy refills or purchases made with credit cards, your media files are governed by regulations such as HIPAA and PCI, and must be protected. Similarly, you will want to make sure only those with a need-to-know can access your surveillance video.
Informal business processes
Files are sometimes just more practical, functional or convenient than formal systems. For example, despite the widespread deployment of contact center software, your representatives may keep documents or spreadsheets to track ongoing cases, details that don’t fit in standard forms, or other information they want to have readily at-hand. These types of informal process files are often stored on shared file systems so that teams can communicate across work shifts and geographies. While these files facilitate more efficient business, they can expose sensitive or regulated data to too many users, depending on the nature of your business.
Conclusion
Valuable file data on shared file systems is plentiful in most organizations and comes from a number of sources, including applications, databases, knowledge workers, digital media and ad-hoc business processes. It’s got obvious value to your organization, and regulators and auditors recognize its value too. Unfortunately, if you’re harboring any malicious insiders, they’re also coveting this data. Surely that’s enough of a driving factor for you to get to grips with who has access to the file data on your network, who is actually accessing it, who owns it and make sure that only those with legitimate reasons for accessing it can.
Recognize the value of the information you and your colleagues have access to – before someone else does.