Is Data Your Weakest Link?
If you’re used to talking about data security, you’re probably used to hearing about structured data. Many solutions and mechanisms exist to protect structured data in databases, and those solutions are often what’s being discussed in the data security sphere.
We spend much less time talking about unstructured data, even though many breaches and compliance violations actually occur with unstructured data.
Recently, ShardSecure’s VP of Product Joe Sorial and Field CTO Julian Weinberger had a conversation about the major challenges in data security and compliance for unstructured data. Today, we’ll recap their full BrightTALK discussion and explain how you can strengthen your security and resilience for unstructured data.
Why is unstructured data important?
Unstructured data is often more valuable than companies realize. It can include intellectual property such as design files, schematics, source code, and even music and video files. Unstructured data also includes machine learning datasets, which are crucial to training successful models and highly sensitive to tampering.
In short, unstructured data is high-value. It’s also growing fast, with 55% to 65% annual growth — four times faster than structured data. This makes it an increasingly important asset to protect.
What causes weak data security?
There are many threats in today’s digital landscape, and any number of these threats can lead to weak data security. Misconfigured security settings in the cloud, for instance, are a common source of data breaches, as are overlooked repositories of unstructured data like file servers.
Human error and insider threats are other common challenges that can lead to the accidental or intentional exposure of confidential data. One report showed that one in ten employees leaks sensitive company data every six months, while another revealed that 82% of breaches in 2021 involved human error.
Data security is further complicated by cloud adoption, which creates an environment where data storage infrastructure is no longer under the data owner’s control. Without proper access controls and security solutions in place, cloud administrators may be able to access a company’s sensitive unstructured data.
How does compliance complicate things?
Gartner predicts that by the end of 2024, 75% of the world’s population will have its personal data covered under data privacy regulations. Although these regulations can encourage strong security practices, their constant evolution presents a major challenge to companies.
Take, for instance, the way that Schrems II invalidated the GDPR’s reliance on standard contractual clauses to protect personal data with US cloud providers — or the way that the new EU-US Data Privacy Framework is expected to provide a workaround to Schrems II, but only for the next few years.
With a patchwork of changing and sometimes conflicting regulations, the question becomes not just “how do I protect my company’s unstructured data?” but also “how do I protect my company’s unstructured data and make sure it stays compliant with ever-shifting regulations?”
So, what can be done to protect your unstructured data in the cloud? We’ll offer some suggestions below.
Get to know your data
The first step to protecting your unstructured data is to understand it.
Learn where your data resides. Believe it or not, anywhere from 43% to 62% of organizations don’t know where their data is stored. To remedy this problem, companies should undertake data discovery projects to understand exactly which data — including IP, PII, and source code — is located where.
Learn who has access to your data. Following the principle of least privilege, it’s crucial to know who has access to data and to limit that access to the minimum required to perform job duties. Otherwise, companies run the risk of data leaks.
Learn your data workflows. Even if your company can identify the initial storage locations where your data resides, there’s more to consider. Does your organization know which machines and humans can read your data once it’s accessed by an application or series of applications? Understanding how your unstructured data can be accessed at every step in its lifecycle is crucial to keeping it safe.
Learn which compliance frameworks you have to meet. Today, many businesses are bound by multiple kinds of data regulations:
- Industry-specific laws like HIPAA for healthcare organizations or GLBA for financial institutions.
- Data privacy laws for individual US states like California’s CCPA.
- Data privacy laws for different countries like the EU’s GDPR or Canada’s PIPEDA.
It’s important that businesses understand each of these regulatory frameworks and routinely review their policies to make sure they’re maintaining compliance with ever-evolving laws.
Regain control of your data
Once you understand where your unstructured data resides, who has access to it, and what you’re legally required to do to protect it, the next step is to take action.
Separate data access from infrastructure: Companies need to ensure that infrastructure administrators don’t have access to their unstructured data. This measure has the added benefit of supporting compliance with European data regulations like the GDPR, which require data owners to decouple their data access from cloud and infrastructure administrators.
Create adaptable data workflows: Companies should also implement data workflows that can adapt to constant changes in data compliance frameworks. These workflows should ideally be both scalable and transparent so they can scale up without major disruption as the organization grows, and they should be effective in hybrid- and multi-cloud environments.
Achieve data security and compliance with ShardSecure: ShardSecure simplifies data security and compliance efforts with our agentless data control platform. Our technology offers strong, transparent data protection with minimal to no performance hit, allowing companies to separate their data access from infrastructure admins without disrupting their workflows. Data becomes unreadable to all unauthorized users the moment it’s written to storage, helping companies meet compliance with both Use Case 5 of Schrems II under the GDPR and a broader range of cross-border data privacy laws.