By Pete Schmitt, CTO, cStor
Data. It is the one thing that all companies have and need to protect. The problem is determining what data needs protection. Is it all data? The easy answer is no. Yet, most companies spend a great deal of money on storage, protection, and backup of everything.
Discovery and classification of data in an organization that must protect the rights of its customers is no easy task. It starts with a policy on paper. This policy generally makes the classification of documents data the responsibility of data owners. Who is the data owner? It’s a good question.
A Data Owner has administrative control and has officially been designated as accountable for a specific information asset dataset. This person also controls who has access to the data.
A Data Custodian is the person with technical control over an information dataset. Typically, this person controls the admin, sysadmin, sa, or root account or equivalent access levels. This is a crucial task and must be executed in agreement with the access rules established by the Data Owner.
A Data User has a critical role to protect and maintain information systems and data. For the purpose of InfoSec, a Data User is any contractor, employee, or third-party provider who is authorized by the Data Owner to access information assets.
The policy on paper will define the types of classifications. The most common ones are:
Trade Secret – Data that is defined as business-critical, IP, acquisition info, financial forecasts, etc.
Confidential – Data that is restricted to a subset of employees, such as SSNs, bank accounts, or credit card information.
Internal Use – Data that can be viewed by all employees but is not for general use.
Public Use – Data that can be viewed or used by employees or the general public.
The policy will outline who has access for each classification, and agreements for use. If done well, or even just okay, companies can protect the data that is most important. With all that said, data discovery and access tools are vital. It will show where sensitive data lives, where it’s overexposed, who is accessing it, and how to lock it down. In addition, it will also identify stale data that is no longer accessed by actual humans. This allows the organization to save disk space, lower cost and simplify your environment all at once.
Any company that relies on sensitive data to run the business could potentially benefit. cStor has recently implemented data discovery and access solutions into healthcare, utilities, and federal and state agency clients. Each of these verticals has sensitive data that is under industry and federal regulations that govern the use, storage, and disclosure of the information.
In 2016, it is estimated that over 16 million medical records were lost because they were inadequately protected. The reputation damage alone is bad, but the fines and lawsuits take their toll on the organization’s finances as well. cStor works closely with organizations to find the best of breed protection and fit to protect data on the levels that each individual situation warrants.
For data discovery and access, a product like DatAdvantage from Varonis uses machine learning and bi-directional cluster analysis to pinpoint users that have access to files they don’t need to do their job. It is a single interface for managing permissions and security groups. Companies can secure data from the inside out through User Behavior Analytics (UBA). By using machine learning to find patterns and anomalous behavior to stop breaches before they happen.
The sophisticated threat models analyze behavior across multiple platforms and alert the suspicious activity and potential data breaches, from Crypto Locker infections to ransomware, compromised service accounts to disgruntled employees, it will detect and alert on all sorts of abnormal user behavior.
Another advantage of this type of product is monitoring that is non-intrusive and doesn’t require native auditing, making it easy to perform security investigations, prove compliance, and find lost files. The tool will automatically detect and correct changes that don’t meet an organization’s change management policies and satisfy many of the requirements prescribed by SOX, HIPAA, PCI, GLB, FERC/NERC, and more.
If you would like to discuss the options that are available to you in protecting your important data or unique challenges you are experiencing, please give us a shout.
To learn more about this subject, you are welcome to join us for a free, 30-minute webinar on Wednesday, March 22, at 10 am PDT.