The majority of companies today are battling to adequately protect their data. While technically it is IT's job to do this, a lack of understanding of the business requirements is proving a major stumbling block.
There are several steps companies should follow to keep their sensitive information adequately protected and managed, while still enabling the proper users to have access to it. In an ideal world, an organisation's data is protected through access control lists and security groups.
An access control list is essentially a set of data that lets a computer's operating system know which permissions, or access rights, each user or group has to a specific object on the system, be it a directory or a file. Each object has a unique security attribute that identifies which users have access to it.
Users fit into these groups based on their role in the business, or whether they need this information to do their jobs. Once all users have been properly placed into the appropriate group, the groups are sorted into access control lists. In this way, only the users who have a right to the information, and who need it, will be able to access the data in a particular folder.
However, this is far easier said than done. IT faces many obstacles in keeping the right users in the right groups, and then keeping these groups in the proper folders. Employees change roles within a company, join different teams, and as they change, so does the amount and type of data they need access to. Access control lists are rarely accurate, and too often, users have access to a lot more information than they strictly need to do their jobs properly. This leads to a far greater risk of theft, data loss or misuse.
There are several steps to follow to properly protect a company's data. A good starting point is prioritising the data. From a purely financial perspective, it makes no sense to protect all data in the same fashion, as some data is more valuable and more sensitive than other data. Thinking strategically about what is most valuable can help you focus attention and budget where it's most needed. Identify which data is the most valuable and sensitive, and classify data accordingly to lower risk.
Secondly, auditing data access is a must. Without a thorough record of access, a company cannot hope to pick up any abuse, misuse or non-use. A company must know who deleted a file, what data individuals use, and what is not being used at all. A comprehensive audit will enable the organisation to pinpoint who owns a data set, which data sets support which business units, and how to lock down a data set with minimum disruption.
Next, have access controls and inventory permissions in place. Understanding who should and who shouldn't have access is vital. Data sets cannot be managed without the understanding of who should and shouldn't access them. Unless these questions can be quickly and easily answered, IT cannot hope to protect the data.
Following this, IT must keep and manage lists of data business owners and the folders that they control and manage. These lists will help IT with the other tasks I've mentioned, such as permissions and access, and will help pinpoint stale data for archiving. Once technical can quickly and accurately pinpoint the data owners, elements such as permissions, and therefore protection will be far more accurate. It is also important to review entitlements and permissions regularly, to ensure these lists are up to data and no user has access to data they do not need.
Finally, stale and unused data must be dealt with. A lot of data contained by unstructured and semi-structured platforms is stale and out of data. This data must be archived and in time deleted. This will not only lower the risk of stale data being accessed by inappropriate individuals, it will free up expensive data centre resources.
