At some point you've made good progress toward ensuring that your credit union is sufficiently protected from data loss. But with the rapid advancement of hacking techniques and the increasing threat to all types of financial organizations, how can you be certain that the protection you've put in place isn't woefully out of date?
In order to assess your data protection capabilities, you first need to determine if you can answer basic questions about data. Can you answer, for any data set, “who has access to it, who is accessing it, who should have access to it, who owns it, when was the last time access was reviewed, which data is critical, and which, if any, critical data is overexposed?” Each question you can’t answer represents an opportunity to improve your security.
With more than 23 million records containing personally identifiable information leaked in 2011 alone (source: privacyrights.org), it is more important than ever for organizations to ensure sensitive data is secure. In many organizations, keeping up with data growth and preventing a data catastrophe seems insurmountable with existing IT resources — imagine how it is going to be in a few years without additional skilled staff to help you.
Recent advancements in data governance software automation enable IT to more easily implement steps to prevent data from being misused or stolen. Here are the top seven:
1. Audit Data Access
The first step towards getting your data under control and averting disaster is to properly audit all data access activity. Once every access to your data is being audited, you can easily determine who is doing what with your data. Auditing also provides the evidence IT needs to determine who owns a data set, so that the owner can be involved in deciding who should have access to their data and what constitutes acceptable use.
2. Inventory Permissions and Group Memberships
Once you are tracking what people are doing with your data, you need to look at who has access to what data. A full inventory of permissions for all of your data stores and the folders within them can take time, especially if you’re creating it manually. Thankfully you can now automate this. By combining the permissions data with group memberships, you can start to see who has permission to access each file or folder. With this data IT can quickly answer fundamental data protection questions like “Who has access to a data set?” and “Which data sets does a user or group have access to?” This forms the foundation for assessing and cleaning up permissions.
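As an added illustration (not code from the original article or from any governance product), the following Python script shows what an automated permissions inventory has to do once permissions and group memberships are combined: expand nested groups, treat well-known identities such as Everyone as covering every account, propagate inherited entries down the folder tree, and then answer both questions, "who has access to this data set?" and "which data sets can this user reach?". The group memberships, ACL entries and paths are constructed sample data, and the well-known-identity handling and the assumption that inheritance is never blocked are simplifications made for the example.

```python
"""Effective-access inventory built from a permissions export.

Added example, not code from the original article or any vendor product.
The group memberships and ACL entries below are constructed sample data;
in practice they would be exported from the directory and the file servers.
Paths use forward slashes instead of UNC backslashes purely for readability.
"""
from collections import defaultdict

# Constructed sample: direct memberships. A member that is itself a key of
# this dict is a nested group.
GROUP_MEMBERS = {
    "Domain Users": ["alice", "bob", "carol", "dave"],
    "Loans-Staff": ["alice", "bob", "Loans-Managers"],
    "Loans-Managers": ["carol"],
    "Finance": ["dave"],
}

# Well-known identities that carry no explicit membership list but cover
# every account (assumption made for this example).
WELL_KNOWN_GLOBAL = {"Everyone", "Authenticated Users"}

# Constructed sample: permission inventory, one tuple per (path, trustee, right).
ACL_ENTRIES = [
    ("/fs01/Loans", "Loans-Staff", "Modify"),
    ("/fs01/Loans/Underwriting", "Loans-Managers", "FullControl"),
    ("/fs01/Finance", "Finance", "Modify"),
    ("/fs01/Finance", "Domain Users", "Read"),
    ("/fs01/Public", "Everyone", "Read"),
]


def all_accounts(members):
    """Every user account mentioned anywhere in the membership export."""
    return {m for ms in members.values() for m in ms if m not in members}


def expand_group(group, members, seen=None):
    """Users reachable through nested membership; `seen` guards against cycles."""
    seen = set() if seen is None else seen
    seen.add(group)
    users = set()
    for member in members.get(group, ()):
        if member in members:
            if member not in seen:
                users |= expand_group(member, members, seen)
        else:
            users.add(member)
    return users


def resolve_trustee(trustee, members):
    """Map an ACL trustee (user, group or well-known identity) to user accounts."""
    if trustee in WELL_KNOWN_GLOBAL:
        return all_accounts(members)
    if trustee in members:
        return expand_group(trustee, members)
    return {trustee}


def with_inheritance(acl_entries):
    """Propagate each entry to the inventoried descendants of its path.

    Assumes inheritance is not blocked anywhere (a simplification).
    """
    paths = {p for p, _, _ in acl_entries}
    propagated = []
    for path, trustee, right in acl_entries:
        prefix = path.rstrip("/") + "/"
        for p in paths:
            if p == path or p.startswith(prefix):
                propagated.append((p, trustee, right))
    return propagated


def build_effective_access(acl_entries, members):
    """Return (by_path, by_user) indexes of effective rights."""
    by_path = defaultdict(lambda: defaultdict(set))
    by_user = defaultdict(lambda: defaultdict(set))
    for path, trustee, right in with_inheritance(acl_entries):
        for user in resolve_trustee(trustee, members):
            by_path[path][user].add(right)
            by_user[user][path].add(right)
    return by_path, by_user


def who_has_access(by_path, path):
    """Question 1: who can reach this data set, and with which rights?"""
    return {user: sorted(rights) for user, rights in sorted(by_path.get(path, {}).items())}


def accessible_by(by_user, user):
    """Question 2: which data sets can this user reach, and with which rights?"""
    return {path: sorted(rights) for path, rights in sorted(by_user.get(user, {}).items())}


if __name__ == "__main__":
    by_path, by_user = build_effective_access(ACL_ENTRIES, GROUP_MEMBERS)
    for path in sorted(by_path):
        print(path, who_has_access(by_path, path))
    print("dave ->", accessible_by(by_user, "dave"))
```

Note that carol never appears directly on the Loans ACL, yet she ends up with Modify on the whole Loans tree through the nested Loans-Managers group; this is exactly the kind of indirect access that a manual review of ACLs alone misses.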
3. Prioritize At-Risk Data
While all data needs to be protected, not all data is created equal. Some files contain confidential corporate information; other files contain sensitive customer data. By using tools that analyze your data to identify sensitive content, and combining that data with other relevant metadata such as permissions, you will be able to locate the files and folders where such data is overexposed.
4. Remove Global Access Groups and Revoke Broad Access Rights
In many organizations today, access controls have been in place for years and often much of the data is open to global access groups like the “Everyone” group. Even if this exposed data isn’t sensitive or confidential in nature, excessively broad access controls invite trouble. Removing global access groups is a good step towards ensuring that only the right people can get to your data.
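To make steps 3 and 4 concrete, here is an added Python example (not from the original article) that combines a simple sensitive-content scan with the permissions inventory: it looks for US Social Security numbers and Luhn-valid payment card numbers in file contents, checks each file's ACL for global access groups, and ranks the results so that sensitive files exposed to Everyone or Domain Users come first. The file contents, ACLs and the list of groups treated as "global" are constructed for illustration, and the two patterns are deliberately simple indicators, not a full classifier.

```python
"""Rank files by sensitive content and by how broadly they are exposed.

Added example, not code from the original article. The file contents, ACLs
and the list of "global" groups are constructed for illustration; the SSN and
card-number checks are simple regex/Luhn indicators, not a full classifier.
"""
import re

# Trustees whose presence on an ACL means "practically everyone" (constructed list).
GLOBAL_GROUPS = {"Everyone", "Authenticated Users", "Domain Users"}

# Constructed sample: file contents a classifier would read.
FILES = {
    "/fs01/Public/newsletter.txt": "Branch hours change on 1 July. Call 555-0100 with questions.",
    "/fs01/Public/member-export.csv": "id,name,ssn,card\n1,J Doe,123-45-6789,4111 1111 1111 1111\n",
    "/fs01/Loans/notes.txt": "Applicant SSN 321-54-9876, income verified.",
    "/fs01/Finance/invoice.txt": "PO reference 4111 1111 1111 1112, net 30.",
}

# Constructed sample: trustees with access to each file (from the permissions inventory).
FILE_ACLS = {
    "/fs01/Public/newsletter.txt": ["Everyone"],
    "/fs01/Public/member-export.csv": ["Everyone"],
    "/fs01/Loans/notes.txt": ["Loans-Staff"],
    "/fs01/Finance/invoice.txt": ["Finance", "Domain Users"],
}

# US SSN in AAA-GG-SSSS form, excluding area 000/666/9xx, group 00 and serial 0000.
SSN_RE = re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d\d-(?!0000)\d{4}\b")
# 13 to 16 digits, optionally separated by spaces or hyphens; validated with Luhn below.
CARD_RE = re.compile(r"\b(?:\d[ -]?){12,15}\d\b")


def luhn_ok(digits):
    """Luhn checksum used by payment card numbers; `digits` is a string of digits."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def classify(text):
    """Count sensitive-data indicators found in `text`, by kind."""
    findings = {}
    ssns = SSN_RE.findall(text)
    if ssns:
        findings["ssn"] = len(ssns)
    # A digit run only counts as a card number if the Luhn check passes,
    # which filters out most invoice and reference numbers.
    cards = [m for m in CARD_RE.findall(text) if luhn_ok(re.sub(r"[ -]", "", m))]
    if cards:
        findings["card"] = len(cards)
    return findings


def exposed_via(trustees):
    """Global groups present on the ACL, i.e. the reason a file is overexposed."""
    return sorted(set(trustees) & GLOBAL_GROUPS)


def prioritize(files, acls):
    """Files with sensitive content: overexposed ones first, then by number of hits."""
    report = []
    for path, text in files.items():
        findings = classify(text)
        if not findings:
            continue
        report.append({
            "path": path,
            "findings": findings,
            "exposed_via": exposed_via(acls.get(path, [])),
        })
    report.sort(key=lambda r: (not r["exposed_via"], -sum(r["findings"].values()), r["path"]))
    return report


if __name__ == "__main__":
    for row in prioritize(FILES, FILE_ACLS):
        print(row)
```

In the sample data the member export under Public tops the list because it holds both an SSN and a card number and is readable by Everyone; the loan notes hold an SSN but are reachable only by Loans-Staff, so they rank second; the invoice with a Luhn-invalid reference number is not flagged at all even though Domain Users can read it.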
5. Identify Data Owners
Once you’ve done these general housekeeping tasks, it is time to look at individual data sets to figure out who is qualified to make access decisions, and designate a data owner. The appropriate owner (or custodian) will often be one of the active users of that data, or their immediate supervisor. Automation can significantly reduce the time it takes to identify data owners by analyzing access activity over time and indicating likely candidates.
6. Lock Down, Delete or Archive Stale Data
In many organizations stale data is clogging up vast amounts of storage space, making it harder to manage. In addition to the cost of storing all of this stale data, keeping it on your active servers increases the risk of misuse. Automation can analyze access activity to identify data that is no longer being used, as well as non-business data, and can even move, archive or delete it.
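Steps 1, 5 and 6 all draw on the same raw material, the access audit trail, so the following added Python example (not from the original article) works through all three at once: it parses constructed audit records of the form `timestamp user=… op=… path=…`, ranks the users of each data set by how many distinct days they were active (the "likely owner" heuristic described in step 5), and reports data sets whose last recorded access is older than a threshold, including inventoried data sets that never appear in the audit window at all. The log format, the records, the folder inventory and the reference date are all constructed for the example.

```python
"""Mine file-access audit records for likely data owners and stale data.

Added example, not code from the original article. The audit lines, their
format, the folder inventory and the reference date are constructed; a real
deployment would read the file server's audit log or a governance product's
event store.
"""
import posixpath
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed sample audit records: one access event per line.
AUDIT_LOG = """\
2012-06-04T09:12:03 user=alice op=read path=/fs01/Loans/app-1001.docx
2012-06-04T09:40:11 user=alice op=write path=/fs01/Loans/app-1001.docx
2012-06-05T10:02:45 user=carol op=write path=/fs01/Loans/app-1002.docx
2012-06-06T08:15:00 user=alice op=read path=/fs01/Loans/app-1003.docx
2012-06-06T11:30:21 user=bob op=read path=/fs01/Loans/app-1001.docx
2012-06-11T14:05:09 user=alice op=read path=/fs01/Loans/app-1004.docx
2012-06-12T16:22:37 user=carol op=read path=/fs01/Loans/app-1002.docx
2012-06-13T09:00:00 user=dave op=read path=/fs01/Finance/ledger.xlsx
2012-06-13T09:05:12 user=dave op=write path=/fs01/Finance/ledger.xlsx
2011-10-02T17:45:30 user=bob op=read path=/fs01/Archive/2009/closed-loans.zip
2012-06-20T12:00:00 user=bob op=read path=/fs01/Public/newsletter.pdf
garbage line that does not parse
"""

# Constructed sample: data sets known from the storage inventory. HR-Old has no
# events at all, which a log-only view would silently miss.
INVENTORY = ["/fs01/Loans", "/fs01/Finance", "/fs01/Public", "/fs01/Archive/2009", "/fs01/HR-Old"]

# Constructed reference date for the staleness check.
REFERENCE_DATE = datetime(2012, 6, 30)

LOG_RE = re.compile(r"^(?P<ts>\S+) user=(?P<user>\S+) op=(?P<op>\S+) path=(?P<path>\S+)$")


def parse_log(text):
    """Parse audit lines into event dicts; lines that do not match are skipped."""
    events = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        events.append({
            "ts": datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%S"),
            "user": m["user"],
            "op": m["op"],
            "path": m["path"],
            # The data set is the folder containing the file.
            "dataset": posixpath.dirname(m["path"]),
        })
    return events


def owner_candidates(events, dataset, top=2):
    """Likely owners: users ranked by distinct active days, then by event count."""
    active_days = defaultdict(set)
    event_count = Counter()
    for e in events:
        if e["dataset"] != dataset:
            continue
        active_days[e["user"]].add(e["ts"].date())
        event_count[e["user"]] += 1
    ranked = sorted(active_days, key=lambda u: (-len(active_days[u]), -event_count[u], u))
    return ranked[:top]


def stale_datasets(events, inventory, now, max_age_days=180):
    """Data sets not accessed within `max_age_days` of `now`.

    Returns {dataset: last access date as ISO string, or None if never seen}.
    """
    last_seen = {}
    for e in events:
        ds = e["dataset"]
        last_seen[ds] = max(last_seen.get(ds, e["ts"]), e["ts"])
    cutoff = now - timedelta(days=max_age_days)
    stale = {}
    for ds in sorted(inventory):
        if ds not in last_seen:
            stale[ds] = None
        elif last_seen[ds] < cutoff:
            stale[ds] = last_seen[ds].date().isoformat()
    return stale


if __name__ == "__main__":
    events = parse_log(AUDIT_LOG)
    for ds in INVENTORY:
        print(ds, "likely owners:", owner_candidates(events, ds))
    print("stale:", stale_datasets(events, INVENTORY, REFERENCE_DATE))
```

Distinct active days is used rather than a raw event count so that one user who bulk-copied a folder once does not outrank the person who works in it every week; a real product would also weight the window and the operation type, but the shape of the analysis is the same.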
7. Clean Up Stale Groups and Access Control Lists
Unneeded complexity slows performance and makes mistakes more likely. Organizations often have as many groups as they do users – many are empty, unused or redundant. Access control lists often contain references to previously deleted users and groups (also known as “orphaned SIDs”). These legacy groups and misconfigured access control entries should be identified and remediated to improve both performance and security.
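As an added example of the checks this step calls for (not code from the original article), the Python below runs four tests over constructed directory and ACL data: groups with no members, groups referenced by no ACL and nested in no other group, pairs of groups with identical membership, and ACL entries whose trustee SID the directory can no longer resolve. The SIDs use a made-up domain identifier, and the account names, memberships and ACL entries are constructed for illustration.

```python
"""Find empty, unused and redundant groups and orphaned SIDs on ACLs.

Added example, not code from the original article. The directory, group and
ACL data are constructed, including the SIDs (S-1-5-21-1000-2000-3000-<RID>
is a made-up domain identifier).
"""
from itertools import combinations

DOMAIN = "S-1-5-21-1000-2000-3000"

# Constructed sample: accounts the directory can still resolve, keyed by SID.
DIRECTORY = {
    f"{DOMAIN}-1001": "alice",
    f"{DOMAIN}-1002": "bob",
    f"{DOMAIN}-1003": "carol",
    f"{DOMAIN}-2001": "Loans-Staff",
    f"{DOMAIN}-2002": "Loans-Team",
    f"{DOMAIN}-2003": "Projects-2009",
    f"{DOMAIN}-2004": "Temp-Contractors",
    f"{DOMAIN}-2005": "Finance",
}

# Constructed sample: group SID -> direct member SIDs.
GROUP_MEMBERS = {
    f"{DOMAIN}-2001": [f"{DOMAIN}-1001", f"{DOMAIN}-1002"],
    f"{DOMAIN}-2002": [f"{DOMAIN}-1002", f"{DOMAIN}-1001"],
    f"{DOMAIN}-2003": [],
    f"{DOMAIN}-2004": [f"{DOMAIN}-1003"],
    f"{DOMAIN}-2005": [f"{DOMAIN}-1003", f"{DOMAIN}-2004"],
}

# Constructed sample: ACL entries as (path, trustee SID, right). The last entry
# names a SID the directory no longer knows, i.e. an account deleted long ago.
ACL_ENTRIES = [
    ("/fs01/Loans", f"{DOMAIN}-2001", "Modify"),
    ("/fs01/Finance", f"{DOMAIN}-2005", "Modify"),
    ("/fs01/Old-Projects", f"{DOMAIN}-2003", "Modify"),
    ("/fs01/Old-Projects", f"{DOMAIN}-7777", "FullControl"),
]


def name_of(sid, directory):
    """Friendly name for a SID, or the raw SID when it cannot be resolved."""
    return directory.get(sid, sid)


def empty_groups(groups, directory):
    """Groups with no members: they grant nothing, however many ACLs list them."""
    return sorted(name_of(g, directory) for g, members in groups.items() if not members)


def unreferenced_groups(groups, acl, directory):
    """Groups that appear on no ACL and are nested in no other group."""
    on_acl = {trustee for _, trustee, _ in acl}
    nested = {m for members in groups.values() for m in members if m in groups}
    return sorted(name_of(g, directory) for g in groups if g not in on_acl and g not in nested)


def redundant_groups(groups, directory):
    """Pairs of non-empty groups with identical direct membership."""
    pairs = []
    for a, b in combinations(sorted(groups), 2):
        if groups[a] and set(groups[a]) == set(groups[b]):
            pairs.append(tuple(sorted((name_of(a, directory), name_of(b, directory)))))
    return sorted(pairs)


def orphaned_aces(acl, directory):
    """ACL entries whose trustee SID no longer resolves (orphaned SIDs)."""
    return [(path, sid, right) for path, sid, right in acl if sid not in directory]


def cleanup_report(groups, acl, directory):
    """All four findings in one structure, ready for review before remediation."""
    return {
        "empty_groups": empty_groups(groups, directory),
        "unreferenced_groups": unreferenced_groups(groups, acl, directory),
        "redundant_groups": redundant_groups(groups, directory),
        "orphaned_aces": orphaned_aces(acl, directory),
    }


if __name__ == "__main__":
    for key, value in cleanup_report(GROUP_MEMBERS, ACL_ENTRIES, DIRECTORY).items():
        print(key, value)
```

In the sample, Projects-2009 is empty but still sits on an ACL, Loans-Team duplicates Loans-Staff exactly and is on no ACL, and the FullControl entry on Old-Projects points at a SID nobody can resolve; each is a candidate for removal, but the report is meant to feed a review by the data owner rather than to delete anything by itself.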
Automation is the only way forward given the vast number of processes which the average IT security manager has to manage, and the almost infinite number of threats which the hacking community has forced us to defend ourselves against. By following the above suggestions and sticking to the seven steps, you can be confident your organization's data is secure.