Tips for Managing Unstructured Data Security

All information is an attractive target for bad actors, but some data is inherently more valuable. Malicious, state-sponsored and hacktivist attacks constantly probe enterprise networks, seeking to infiltrate and find sensitive information in core enterprise systems. As enterprise defenses have matured, attackers now target the same information in less secured, unstructured file repositories and email. Enterprises must understand where sensitive unstructured information resides and apply appropriate security controls to mitigate these risks. Unstructured data security should include stringent centralized access controls and protections to ensure only the right users – have access to the right content – at the right time.

MOST DATA IS UNSTRUCTURED

Unstructured data does not have a pre-defined organization schema and is stored in its native format. Most everyday files, such as documents, emails, presentations and multimedia files, are exampled of unstructured data.

Structured data is best exemplified by a spreadsheet or database of individual items organized and sorted into tables, rows, and columns, making it easy to search, filter, and analyze. 

Unstructured data represents 80-90% of all stored information and is growing at a rate of 55-65% a year. Consider a typical employee during a typical workday and how many documents, spreadsheets, presentations, and emails they create or read. Now, multiply that by the entire workforce. Despite companies prioritizing data and information management at the top of their list, many still struggle to put “guardrails” on all this content. 78% of organizations have little to no understanding of what’s in their unstructured data and file shares.

COMMON SOURCES OF UNSTRUCTURED DATA

The most common repositories for unstructured information are file servers, Microsoft SharePoint, Outlook, and cloud coloration platforms such as Microsoft 365, SharePoint Online, GCC High and Google Drive. The expanded presence of unstructured data significantly increases the existing unmanaged risks for an organization. Enterprises must take steps to eliminate this risk by understanding what and where sensitive unstructured information resides and applying the necessary security controls. These include access control, data loss prevention, encryption and activity logging.

UNSTRUCTURED DATA PROTECTION

With most organizations embracing the Cloud, unstructured data is now spread across a multitude of locations, including file servers, on-premises SharePoint servers, hosted SharePoint farms, or cloud-based repositories. Protecting unstructured data in Cloud, on-premises, and hybrid environments is a top concern for IT and information security managers.

Companies embracing cloud technologies like Microsoft 365 (M365) and other cloud-based sharing tools to facilitate the collaboration of unstructured data has widened the security gap. In general, many companies feel that data governance and controls for the storage and access of unstructured data are falling short. AIIM’s Optimize M365 for Controlled Content Services report indicated that 42% of respondents felt records were everywhere and information volume and variety were expanding too quickly in M365 to be effectively managed.

Data Access Governance (DAG)

Data Access Governance (DAG) is a strategy encompassing the processes, policies and technologies used to manage, monitor, and control access to enterprise data. It helps organizations gain visibility into unstructured data, wherever it resides, and apply enforcement policies to ensure that only authorized individuals can access it.

Attribute-based Access Control (ABAC)

When it comes to managing access to sensitive information, data-centric attribute-based access controls (ABAC) have the ability to apply more fine-grained control to restrict what authorized users can do once they have access to files over other technologies like the commonly used role-based access control (RBAC).

For example:

• Should a user be free to edit and share a document?
• Or should they only be able to view it with the ability to edit, print or download options disabled?
• Who should they be able to share it with?
• And how should it be shared? Email, SharePoint only, or not at all?
• What about encrypting unstructured data at rest, in use, or in transit?

To truly secure unstructured data against loss or misuse, organizations need the ability to granularly control both data access and usage. Attribute-based access control (ABAC) affords this ability by looking at the data and user requesting access in context to deny or approve access. If access is granted, it can apply additional controls based on that information to restrict usage and sharing rights according to the policy.

Data-centric access controls and protection are most effective when integrated together and included in an overall risk management program. A proper risk management program should also include:

• Periodic and real-time data discovery to identify unsecured sensitive unstructured data
• Automated or manual data classification and metadata tagging
• Data-centric access, usage and sharing policies
• Privileged user access restrictions
• Encryption key management requirements for key rotation and expiration

Are Third Party Solutions Needed?

While on-premises and cloud file sharing and collaboration platforms provide functionality that increases work productivity, enterprises must properly govern and control their use to prevent data breaches. Microsoft Purview Information Protection (MPIP) contains data discovery, classification and EDRM features, making it the most visible product in this space. It is already included in many Microsoft licenses. However, according to the AIIM survey, 63% of respondents still see the need for third-party M365 solutions to achieve the centralized and effective control necessary to maintain the confidentiality of sensitive unstructured information.

Collaboration platforms generally lack built-in, sophisticated access control models that balance the need for enterprise control with end user empowerment. In addition, organizations that use a combination of on-premises and unstructured cloud data repositories, need the ability to manage access centrally and consistently across multiple platforms, each with different capabilities. Third party tools can help ensure consistent policies are applied across all data repositories and collaboration tools.

ABAC-enabled access and protection for Microsoft Applications

NC Protect is specifically architected to maintain the confidentiality and security of unstructured information stored in on-premises and cloud environments. It provides the ability to classify, secure, and audit access to sensitive information in M365 SharePoint Online, SharePoint Server and Windows file shares. The NC Protect solution is unique because it also ensures that accounts with privileged IT administrator rights cannot be used to view protected information – maliciously or mistakenly.

It uses granular attribute-based access control (ABAC) policies to dynamically determine if the specific access request should be allowed or restricted in real time. NC Protect’s ABAC approach leverages content attributes (e.g., classification, sensitivity, author, site permissions, etc.) and user attributes (e.g., group permissions, security clearance, role, location, time, etc.) as part of the policy to block or allow access. Once the policies are defined, any new data or users that are introduced into the business processes are adopted by these conditions and secured accordingly.

When a policy (condition) is modified to include/exclude an attribute or the content changes, at the next interaction between that user and content the new governing policy will be invoked and applied. NC Protect’s policies can easily be applied across Microsoft 365 SharePoint Online, GCC High, SharePoint Server and Windows file shares.

Contact us to learn more.