Almost every day there is news of a company's security breach and, increasingly, many of these incidents are originating from an employee or other internal source. It is a costly price to pay, as any company that has gone through the ordeal will attest. Gartner analysts estimate that the cost of sensitive data breaches will increase 20 percent per year through 2009. Security continues to be top of mind, and companies are investing heavily in improved security processes to monitor and manage vulnerabilities, and control access.
Ironically, with all this emphasis on security, Gartner has found little or no correlation between enterprises that spend the most on security and enterprises that are the most secure.
This would seem counter-intuitive, but for experts in the data management field, this finding corresponds with one of the biggest issues companies face as they try to establish data governance – finding the data.
The reality is that data is usually distributed throughout systems, often misinterpreted, and easily stuffed within other bits of information. Changes to business rules and applications cause data to become more obscure and convoluted over time. This makes it extremely difficult to understand where data is located and how it transforms across the enterprise. If companies cannot locate their sensitive data, it cannot be protected no matter how many security applications are deployed.
Why is it so difficult to find the data?
There are many companies such as Vontu, Vericept and Tablus (EMC) that specialize in finding sensitive information in what is called unstructured data, such as text files, excel spreadsheets and email messages. The relatively small amount of unstructured data in a typical laptop usually contains no more than a few dozen pieces of sensitive data. A company's ability to locate this type of data is usually manageable, as long as the right technologies are in place. And many companies have ongoing efforts to analyze and remediate unstructured data.
Unfortunately, most sensitive information is stored in databases and applications – what is called structured data. Corporate databases, for example, contain hundreds or thousands of tables, each with dozens or hundreds of columns and millions of rows. This is where sensitive data protection gets more complex.
In a structured world, sensitive data is elusive
There are two big misconceptions that continue to persist about structured data discovery, to the detriment of enterprise security.
The first misconception is that sensitive information is easier to find in structured environments, because companies mistakenly assume that structured data is broken down into logically named and well documented tables and columns.
The second misconception is that the same technologies and methods used to find sensitive data in unstructured environments can be applied to scan databases in the structured environment.
Unfortunately, there is a set of unique challenges in the structured data world that reveals a different reality. First, there is the problem of detection:
Finally, we have a problem with reporting and remediation. For unstructured data, the unit of analysis for reporting and remediation is a file. For structured data, it is a column, a row or a value. While it is usually straight-forward to quarantine a file, it is very difficult to do the same thing for database rows and columns since they are used by different applications in a variety of ways that are difficult to capture.
New tools hold the promise of help
The complexity of looking for sensitive data in structured data sets is staggering. Most companies are just beginning to think about protection of company data assets and are embarking on discovery efforts to identify all instances of sensitive data in their structured data systems. In the last two to three years, new data discovery tools have emerged, and are finding a receptive audience – particularly in the financial, government and healthcare sectors – where control over sensitive data is a top priority.
While security professionals are not, nor should they be, data management experts, there is a unique place for security knowledge and expertise in the data management field, and vice versa. With the onslaught of security breaches aimed at the core of a company's assets, there will be a continued integration of these two fields.