All information is an attractive target for bad actors, but some of it is inherently more valuable than the rest. State-sponsored and hacktivist attackers constantly probe enterprise networks to locate sensitive information. Historically they targeted core enterprise systems, but as the defenses of those systems have matured, attackers now go after the same information in less well secured unstructured repositories (broadly speaking, file and email based stores). Enterprises must reduce this risk by understanding what sensitive unstructured information they hold and where it resides, and then applying the necessary controls. Unstructured data security should include stringent, centralized access controls and protections that ensure only the right users have access to the right content at the right time.
MOST DATA IS UNSTRUCTURED
Unstructured data has no pre-defined organizational schema and is stored in its native format, for example Office documents, email messages and multimedia files. Structured data, on the other hand, is best exemplified by a database in which individual items are organized and sorted into tables, rows and columns.
Unstructured data represents an estimated 80-90% of all stored information and is growing at 55-65% a year. Consider how many documents, spreadsheets, presentations and emails a typical employee creates or reads over the course of a workday. All that content is proving hard to manage: 78% of organizations have little to no understanding of what is in their unstructured data and file shares. Despite companies putting data and information management at the top of their list, many still struggle to put "guardrails" around all this content.
COMMON SOURCES OF UNSTRUCTURED DATA
The most common repositories for unstructured information are file servers, Microsoft SharePoint, Outlook mailboxes, and their cloud equivalents such as Microsoft 365 (SharePoint Online, OneDrive and Teams) and Google Drive. This expanded footprint makes an already vulnerable source of unmanaged risk considerably larger. The necessary controls for these repositories should include data encryption, centralized access management and activity logging; none of them can be applied effectively until the organization knows what sensitive unstructured information it holds and where it resides.
UNSTRUCTURED DATA PROTECTION
The rush to embrace technologies like Microsoft 365 (M365) and cloud sharing tools to collaborate on unstructured data has only widened the security gap. In general, little governance and few controls are applied to the storage of, and access to, unstructured data. AIIM's recent Optimize M365 for Controlled Content Services report found that 42% of respondents felt records were everywhere and that information volume and variety were expanding too quickly in M365. With many organizations still moving data to the cloud, this security gap for unstructured data, regardless of location (file servers, on-premises SharePoint servers, hosted SharePoint farms or cloud-based repositories), is a top concern for IT and information security managers.
Mature and proven security controls exist to reduce the risk posed by large volumes of sensitive unstructured data. The two families of controls that apply most directly, and that between them meet most security requirements, are access controls and data confidentiality controls (encryption).
Access controls apply the granular restrictions needed to ensure that only authorized users are granted read or write privileges to sensitive unstructured data. Well-governed, effective access control often requires third-party solutions, because unstructured data platforms typically lack a built-in access control model sophisticated enough to balance enterprise control with end-user empowerment. In addition, organizations that use multiple on-premises and cloud unstructured data repositories, each with different capabilities, need to manage access controls centrally and consistently across all of them.
Data-centric controls that restrict what authorized users can do once they have opened a file are also needed to protect unstructured data effectively. For example, should a user be able to edit and share a document freely, or only view it, with editing, printing and downloading disabled? With whom should they be able to share it, and how: by email, within SharePoint only, or not at all? And should the data be encrypted at rest, in use and in transit? To truly secure unstructured data against loss or misuse, organizations need to control data access and usage at this granularity. Attribute-based access control (ABAC) provides it: each access request is evaluated in context, using attributes of the data (for example its classification or owner), of the requesting user (role, clearance, location) and of the request itself (time, device), and the matching policy then grants or restricts access, usage and sharing rights accordingly. Because the decision is made per request, a change to the user's attributes or to the document's classification takes effect the next time the content is accessed, with no need to re-permission files by hand.
Data-centric access controls and protection are most effective when integrated with each other and with an overall risk management program. A proper risk management program will also include:
- Periodic and real-time data discovery to identify unsecured sensitive unstructured data
- Automated or manual data classification and metadata tagging
- Data-centric access, usage and sharing policies
- Privileged user access restrictions
- Encryption key management requirements for key rotation and expiration
Are Third Party Solutions Needed?
While on-premises and cloud file sharing and collaboration platforms provide functionality that increases productivity, enterprises must properly govern and control their use to prevent data breaches. According to the AIIM survey, 63% of respondents still see a need for additional third-party solutions for M365 in order to achieve the centralized and effective control necessary to maintain the confidentiality of sensitive unstructured information.
NC Protect is specifically architected to maintain the confidentiality and security of unstructured information stored in on-premises and cloud environments. It provides the ability to find, classify, secure and audit access to sensitive information in file servers, M365 and other cloud applications. NC Protect also ensures that accounts with privileged IT administrator rights cannot be used to view protected information, whether maliciously or by mistake.
It uses granular Attribute-Based Access Control (ABAC) policies to create information barriers that dynamically determine, in real time, whether a specific collaboration should be allowed or restricted. NC Protect's ABAC approach uses content attributes (e.g., classification, sensitivity, author, site permissions) and user attributes (e.g., group membership, security clearance, role, location, time) in the policy that blocks or allows access. Once the policies are defined, any new data or users introduced into the business process are automatically covered by these conditions and secured accordingly. When a policy condition is modified to include or exclude an attribute, or when the content changes, the new governing policy is invoked and applied at the next interaction between that user and the content. NC Protect's policies can be applied to all of your Microsoft applications and file shares.
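As an added example, written for this page and not NC Protect's engine, any Microsoft API or the page's own code, the following Python evaluator shows the ABAC model described in the two passages above: a request is decided from content attributes (classification, owner, project, permitted countries), user attributes (clearance, groups, projects, country) and attributes of the request itself (time of day, device posture), and the result is not only allow or deny but the set of usage and sharing rights left to the user. The classification lattice, attribute names, rule set, rights vocabulary and the sample document and users are all assumptions constructed for the demonstration. The last request in the demo re-runs the same user against the same file after its owner raises the classification, which is the per-request re-evaluation behaviour the text describes.

```python
"""Added example for this page: a minimal attribute-based access control (ABAC)
evaluator for unstructured files. Illustrative code, not NC Protect's engine or a
Microsoft API; levels, attribute names, rules and sample data are assumptions."""
from dataclasses import dataclass, replace
from typing import Callable, FrozenSet, List, Tuple

LEVELS = ["Public", "Internal", "Confidential", "Secret"]   # assumed lattice, low to high
ALL_RIGHTS = frozenset({"view", "edit", "download", "print", "share_email", "share_sharepoint"})

@dataclass(frozen=True)
class Document:          # content attributes
    path: str
    classification: str
    owner: str
    project: str
    allowed_countries: FrozenSet[str]

@dataclass(frozen=True)
class User:              # user attributes
    name: str
    clearance: str
    groups: FrozenSet[str]
    projects: FrozenSet[str]
    country: str

@dataclass(frozen=True)
class Context:           # attributes of the request itself
    hour: int            # local hour of the request, 0-23
    managed_device: bool

@dataclass(frozen=True)
class Rule:
    name: str
    effect: str          # "deny" blocks, "grant" adds rights, "restrict" removes them
    when: Callable[[Document, User, Context], bool]
    rights: FrozenSet[str] = frozenset()

@dataclass(frozen=True)
class Decision:
    allowed: bool
    rights: FrozenSet[str]
    matched: Tuple[str, ...]

def level(name: str) -> int:
    return LEVELS.index(name)

POLICY: List[Rule] = [
    # Baseline: clearance at or above the classification grants every right.
    Rule("clearance-dominates", "grant",
         lambda d, u, c: level(u.clearance) >= level(d.classification), ALL_RIGHTS),
    # Privileged-user restriction: admins never see content they do not own or work on.
    Rule("no-admin-peeking", "deny",
         lambda d, u, c: "IT-Admins" in u.groups and u.name != d.owner
         and d.project not in u.projects),
    # Information barrier: Confidential and above is view-only outside the project.
    Rule("project-barrier", "restrict",
         lambda d, u, c: level(d.classification) >= level("Confidential")
         and d.project not in u.projects, ALL_RIGHTS - {"view"}),
    # Residency and device posture: outside permitted countries, or on an
    # unmanaged device, nothing may leave the platform.
    Rule("keep-on-platform", "restrict",
         lambda d, u, c: u.country not in d.allowed_countries or not c.managed_device,
         frozenset({"download", "print", "share_email"})),
    # Sharing only during business hours.
    Rule("business-hours-sharing", "restrict",
         lambda d, u, c: not 8 <= c.hour < 18,
         frozenset({"share_email", "share_sharepoint"})),
]

def evaluate(doc: Document, user: User, ctx: Context, policy: List[Rule] = POLICY) -> Decision:
    """Default-deny: a deny wins; grants accumulate; restrictions subtract; 'view' must survive."""
    matched = [r for r in policy if r.when(doc, user, ctx)]
    names = tuple(r.name for r in matched)
    if any(r.effect == "deny" for r in matched):
        return Decision(False, frozenset(), names)
    granted = set()
    for r in matched:
        if r.effect == "grant":
            granted |= r.rights
    for r in matched:          # applied after every grant, so no grant can undo a restriction
        if r.effect == "restrict":
            granted -= r.rights
    return Decision("view" in granted, frozenset(granted), names)

# Constructed sample data for the demonstration.
FORECAST = Document("/finance/q3-forecast.xlsx", "Confidential", "alice", "Q3-Forecast",
                    frozenset({"US", "GB"}))
ALICE = User("alice", "Secret", frozenset({"Finance"}), frozenset({"Q3-Forecast"}), "US")
BOB = User("bob", "Confidential", frozenset({"Sales"}), frozenset(), "DE")
ADMIN = User("ops-admin", "Secret", frozenset({"IT-Admins"}), frozenset(), "US")
OFFICE = Context(hour=10, managed_device=True)
CAFE = Context(hour=21, managed_device=False)

def demo() -> dict:
    """Same policy, different attributes; the last entry re-runs Bob after the label is raised."""
    return {
        "alice@office": evaluate(FORECAST, ALICE, OFFICE),
        "alice@cafe": evaluate(FORECAST, ALICE, CAFE),
        "bob@office": evaluate(FORECAST, BOB, OFFICE),
        "admin@office": evaluate(FORECAST, ADMIN, OFFICE),
        "bob@office-relabelled": evaluate(replace(FORECAST, classification="Secret"), BOB, OFFICE),
    }

if __name__ == "__main__":
    for who, d in demo().items():
        print(f"{who:22} allowed={d.allowed!s:5} rights={sorted(d.rights)} via={d.matched}")
```

Running it shows the pattern the text describes: Alice at the office on a managed device keeps every right; the same Alice from an unmanaged device after hours is reduced to view and edit; Bob, who is cleared for Confidential but not on the project and is requesting from a country outside the residency list, gets view-only; the IT admin is denied outright by the privileged-user rule even though his clearance would otherwise dominate; and once the owner relabels the file Secret, Bob's next request is denied without anyone touching the file's permissions. The ordering in `evaluate` (deny, then grants, then restrictions) is the design point: a residency or device rule is meant to be absolute, so it must never be cancelled by a later, broader grant.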