Data is the driving force behind every organization, whether an organization is primarily a retailer, a manufacturer, healthcare provider or a bank, it will possess some if not large amounts of personally identifiable information (“PII”), possibly protected health information (“PHI”) and definitely business confidential information. This represents just some of the sensitive information that most business have in their care. Add to this, that most sensitive data is also subject to increasingly stringent privacy regulations while simultaneously increasing in value on the black market.
With the cost of file sharing and synchronization technology decreasing, organizations are able to analyze and share data in real-time, however it also makes it easier to increase the number of unnecessary copies of sensitive business and consumer data. Although helpful to legitimate business activities, this unchecked proliferation of sensitive data makes it easier for cyber criminals to gain access and increases the likelihood that data will be mishandled.
Consolidating your sensitive data footprint
Consolidating your sensitive data footprint is the most effective way to protect it, and to do so, you first need to locate it in your environment. Your next step is to properly classify it, which means assigning a level of sensitivity to each piece of information, making it easier to identify, locate, retrieve and most importantly protect.
Classifying data helps your organization allocate its resources and set priorities, meaning you’ll take the most stringent measures to protect the most sensitive data. Without data classification, you will likely expend resources treating all data as if it were equally sensitive, which leads to under-protecting highly sensitive data and overprotecting public data. The first exposes you to data breaches, the second is a waste of resources and a drag on productivity. The key to facilitating legitimate access for authorized users while protecting sensitive data is data classification.
Each organization will define “sensitive” data differently, although some data must be treated as sensitive based on regulatory requirements. Each regulation has varying levels of compliance requirements. For example, HIPAA regulation includes 18 identifiers of sensitive data that must be protected ranging from name or phone number to highly confidential Social Security number or medical record data. On the flipside, the PCI-DSS regulation essentially has one identifier, cardholder data, which is actually the Primary Account Number (PAN) or magnetic strip and the name, expiration date, or service code.
As you begin the process of data classification for your organization, you can use this definition of sensitive data to help make decisions: Sensitive data is any data that if lost, stolen or exposed, could financially harm an organization, cause reputational damage, or be reason for termination.
Establishing different levels of sensitivity
As you proceed to classify your data, you’ll find you need to establish different levels of sensitivity. As the potential impact moves from low to high, the sensitivity increases, and therefore, the classification level of data should become higher and more restrictive. In a simple classification scheme, data is classified as:
Public: Not unique to the organization and not related to internal matters.
Internal: Unique to the organization but for public release, such as internal memos.
Confidential: Not for distribution, including employee records and corporate strategy Assigning a level to files and data elements helps you make critical decisions regarding where data is stored, how it’s used, and how you can best protect your most valuable data assets. For example, should our policy allow confidential data to be stored in the cloud? And how do I protect confidential information that is stored in the cloud?
The process of locating sensitive information once you have defined what is sensitive in your environment requires that you search wherever your employees are storing data, including on their desktop devices, in the cloud, in shared spaces like file servers, in databases that are part of the applications they use on a daily basis, and on websites. Devices typically storing the most amount of sensitive data are desktop computers and file servers.
Sensitive data management
On premise environments are likely not the only place that you are creating and storing data though. The cloud poses its own set of problems for sensitive data management. Individuals are creating data on a computer and immediately syncing it to the cloud. That means data gets proliferated quickly, maybe even among multiple cloud storage providers. Pay special attention to managing the data you store in the cloud.
Educating data producers, consumers and owners about their role in protecting sensitive data and empowering them to help reduce your exposure is critical to shrinking your footprint. You can do this by adding more information to a file containing sensitive data. The metadata for the file, or the alternate data streams within the file, can contain information about how much sensitive data is contained within it. You can thus classify files as containing sensitive HR, PCI, PHI data and so on.
One way this works in practice is that, for example, if data is copied from a source classified as sensitive, the new file would be updated to reflect the classification based on its source. Ideally, you also make this practice automatic, so that as new data gets created. Monitoring file activity for changes and updates to classifications ensures that the business data handling policies are automatically enforced.
The proliferation of sensitive information has made the already challenging work of security professionals increasingly difficult, however, by reducing their sensitive data footprint companies can reduce the risk associated with data mishandling , the potential for a breach of privacy or worse.