Comment: Is your data in the hacker's firing line?

Is your organization among those that protect their databases but fail to afford their unstructured data the same protection?

Databases have come a long way in a few short years, largely driven by the surge in volumes of data that most companies now handle on a regular basis.

Our observations suggest that as much as 80% of data in most organisations sits on users' shared network storage, which, as the name implies, means that the information can be duplicated and/or accessed by many different people.

This issue creates something of a security headache for the average IT manager, as most of this data is what is known in IT circles as unstructured, meaning it is difficult to index and, by association, almost impossible to audit in any meaningful way.

And it's against this backdrop that today's IT managers need to ask where all this unstructured data is coming from, and whether it is really necessary in a modern, well-organised business.

The problem facing the public sector is that this information comes in a variety of guises: patient records within the Health Sector; benefit applications within Social Services, right up to draft government policies in Downing Street. These various forms, documents, emails, conference call recordings and draft legislation are unquestionably vital in the day-to-day running of these departments, yet they are routinely stored as file data (the 80% we talked about) and left to fend for themselves on the network.

Malicious insiders and external hackers desire this type of data and recognise its worth, even if your organization currently does not. Imagine the damage an outsider who accessed these files could do with this sensitive information, not to mention the damage caused to the reputation of the department involved. Many organisations protect their databases but fail to afford their unstructured data the same protection – is yours one of them?

Evidence that this isn't pure fabrication but does actually happen in the real world can be found in the ongoing case against former MI6 worker, Daniel Houghton, who pleaded guilty to stealing top secret material but also claimed he made copies of the electronic files and attempted to sell them for £2 million to Dutch intelligence agents. Documents containing details of secret information gathering software Houghton devised and is thought to have copied are still missing. In July 2010, the US military confirmed that more than 90 000 classified military documents had been copied, including battlefield and intelligence reports – one of the biggest leaks in US history.

Regulators are increasingly concerned about the potential damage sensitive information contained in files can cause in the wrong hands, and they are creating and enforcing data security requirements for unstructured data. Compliance can be expensive, and it's not optional.

In the UK, lax security policies and procedures could result in a breach of the Data Protection Act and possibly incur a financial penalty of up to £500 000 from the ICO (Information Commissioner's Office).

Now that you can recognise the importance of protecting your unstructured data, the question is: where is all this valuable file data coming from? Here's a quick checklist of sources to consider as you survey your own file data landscape, along with thoughts on protecting these files:

Applications and databases

Whether your applications and databases are running in-house or in the cloud, mid-level managers are probably using them to export interesting data for analysis, reporting, presentations and other legitimate activities. The aforementioned US military breach is one very public example of the damage that can be caused when files containing exported information are stored on shared file systems. For other government departments this data may include personally identifiable information such as credit card details or medical records, which could add compliance requirements such as HIPAA, SOX, PCI and/or the Data Protection Act (DPA) to the list.

Intellectual works

Copious amounts of file data never experience the safe confines of a database or an application. Instead they go straight from the minds of knowledge workers into files stored somewhere on the network.

These files often contain intellectual property and a wealth of information about opportunities, partnerships, business operations, future plans and strategic advantages. Sharing this information on file servers and network-attached storage (NAS) devices can be critical for mobilising your company and uniting distributed project teams, but it’s just as critical to ensure that the data is protected from intentional or even inadvertent harm.

Application communication and storage

When applications need to communicate with each other, but don’t speak a common language, using intermediate files on a shared file system can serve as a form of enterprise application integration. For example, a doctor’s surgery with a legacy application running on a mainframe, and another medical department application running on Microsoft servers, can use files on a shared file server or NAS device to exchange information between the disparate systems. While only the applications should have access to those shared files, it’s highly likely that the file servers or NAS devices where the files are stored are accessible by many users. So, care has to be taken to safeguard access and prevent sensitive data from being compromised.

An even more basic, and more common, use of shared file systems by applications is when applications simply store their output or intermediate results in files. Applications can generate a lot of file data, and once this application-generated file data exists on shared storage, it needs to be protected against excessive access.

Digital media

No, I'm not talking about employees who store their movies and music on your enterprise file servers. Instead, think: digital recordings of calls between departments and external teams; video from security cameras; and even training and education materials such as podcasts and videos.

Media files can be large, and when they are generated through ongoing business operations such as contact centre recordings and surveillance videos, there can be a lot of them. If, for example, your department is processing pharmacy refills or purchases made with credit cards, your media files are governed by HIPAA and PCI regulations, and must be protected. Similarly, you will want to make sure only those with a ‘need to know’ can access your surveillance video.

Informal business processes

Files are sometimes just more practical, functional or convenient than formal systems. For example, despite the widespread deployment of contact centre software, your representatives may keep documents or spreadsheets to track ongoing cases, details that don't fit in standard forms, or other information they want to have readily to hand. These types of informal process files are often stored on shared file systems so that teams can communicate across work shifts and geographies. While these files make the business more efficient, they can expose sensitive or regulated data to too many users, depending on the nature of your business.

Protect your data

It's clear from these anecdotes that data is abundant in most businesses and, perhaps worse from a security standpoint, can be generated by many different sources.

This diversity means that, whilst this data has value to a typical business because it can be mined for useful statistics, it has just as much value to the criminal community.

It's therefore incumbent on any IT security professional to work out who owns the data flowing across company resources and who needs access.

Recognising the fact that unfettered and unaudited access to data is not something that any IT manager or their staff actually wants is the first step in ensuring that your data is protected from prying eyes.
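As an added example (not from the original article), the kind of first-pass audit the two paragraphs above call for: walk a mounted share, find regular files whose permission bits grant access beyond owner and group, and group them by owner so each owner can be asked whether that access is really needed. The directory layout and file names are constructed for the demonstration; it reads POSIX mode bits only, so a Windows share with ACLs would need a different check.

```python
import os
import stat
import tempfile
from collections import defaultdict

# Mode bits that extend access past the file's owner and group.
EXPOSURE_BITS = (("world-readable", stat.S_IROTH),
                 ("world-writable", stat.S_IWOTH),
                 ("group-writable", stat.S_IWGRP))

def classify(mode):
    """Return the exposure labels that apply to a file's mode bits."""
    return [label for label, bit in EXPOSURE_BITS if mode & bit]

def audit_share(root):
    """Walk root; return {owner_uid: [(path, labels)]} for exposed regular files."""
    exposed = defaultdict(list)
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)  # lstat: do not follow symlinks off the share
            except OSError:
                continue             # unreadable entry: skip rather than abort the audit
            if stat.S_ISREG(st.st_mode):
                labels = classify(st.st_mode)
                if labels:
                    exposed[st.st_uid].append((path, labels))
    return dict(exposed)

def build_sample_share(base):
    """Constructed sample layout; modes are set explicitly so the umask does not matter."""
    layout = {
        "finance/export.csv": 0o644,       # database export anyone on the box can read
        "finance/budget.xlsx": 0o640,      # owner and group only: not flagged
        "calls/rec-0001.wav": 0o664,       # call recording, also group-writable
        "integration/handoff.dat": 0o666,  # app-to-app exchange file, world-writable
        "notes/private.txt": 0o600,        # owner only: not flagged
    }
    for rel, mode in layout.items():
        path = os.path.join(base, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as fh:
            fh.write("constructed sample content\n")
        os.chmod(path, mode)

def demo():
    """Audit the sample share in a temp dir; return {relative path: labels}."""
    with tempfile.TemporaryDirectory() as base:
        build_sample_share(base)
        return {os.path.relpath(p, base): labels
                for items in audit_share(base).values() for p, labels in items}
```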


Raphael Reich is director of product marketing at Imperva. Reich has done pioneering work championing the importance of unstructured data governance and educating organizations on data protection and security. Prior to joining Imperva, he held senior positions in product management and product marketing at Cisco, Check Point, Echelon and Network General. Additionally, Reich was a software engineer at Digital Equipment Corporation. He has over twenty years of business experience and holds a bachelor’s degree in computer science from UC Santa Cruz and an MBA from UCLA.
