Data storage protection: What problems can you face and how to solve them with data governance tools

Almost any information not located inside the DBMS is classified as unstructured data. Today, unstructured data is one of the main information assets of any company. It includes electronic documents and files located in corporate storage units, namely office documents, PDF files, scanned copies, and audio and video content.

The problem of protecting unstructured data storage units is acute in many companies. Before proceeding to the protection methods, it is necessary to determine why the task of protecting such systems is vital.

According to various estimates, the average amount of unstructured data can reach 90 percent of the total amount of electronic data located on the company's hard drives. However, most unstructured data often does not bring value to the business. In many corporate storage systems, you can find:

  • Duplicate documents that employees create due to lack of copy control.
  • Outdated files that have not been accessed for years.
  • Content unrelated to the company's direct business activities (photos, videos, files).

It is also important to note that the average growth in the volume of unstructured data can reach 30 percent per year, which requires a constant expansion of storage space.

The lack of control over such data leads not only to unnecessary storage costs but also carries the risk of violating regulatory requirements and data breaches.

Data Governance solutions come to the rescue

There is a separate class of products, Data Governance (DG), which can also include Data-Centric Audit and Protection (DCAP), that helps to control and protect unstructured data. DG solutions help to solve the following tasks:

  • Audit of user actions in relation to storage units of unstructured data.
  • Classification of documents located in protected storage units.
  • Analysis and management of user access rights.
  • Data integrity monitoring.

What kind of unstructured data stores do companies use?

The infrastructure of even a small company can include different types of file storage. Let me highlight the most common ones:

  • File storage controlled by Windows Server, including DFS.
  • MS SharePoint portals, including cloud versions.
  • MS Exchange mail servers.
  • Repositories based on Linux.
  • Atlassian Confluence knowledge bases.
  • NextCloud cloud storage.
  • Dell EMC and NetApp NAS systems.

Separately, I should also mention MS Active Directory domain controllers. Formally, they cannot be called unstructured data stores, but DG solutions usually deal with their protection too.

For companies with heterogeneous file stores or an infrastructure that includes several interconnected domains, the use of DG / DCAP solutions becomes even more relevant. Such solutions allow you to use a single interface to manage all security features related to data storage.

Inside Data Governance tools

Prior to DG, customers used DLP tools for solving similar problems. However, DLP functionality in terms of protecting unstructured data storage units was often limited to classification. At the same time, due to the specifics of DLP systems (control over user actions on workstations), it was difficult to make full use of DLP across a large number of unstructured data storage units.

Data Governance systems are usually used for quite clear tasks, such as control over data and access rights, as well as provision of access to data located in corporate stores.

Let me touch upon an example of an essential task that Data Governance products help to solve - finding the location (or classification) of critical information in corporate stores.

To solve this problem, DG systems have a large number of pre-installed categories of information that fall under international legislation and industry requirements. DG systems also support a significant list of file formats. Data Governance solutions also allow you to customize categories when searching for information that is non-standard but relevant to a particular company.

The categories represent combinations of phrases, words, regular expressions, and also the frequency of their occurrences. You can create your own or use pre-installed categories in such a way that the number of false positives is minimal.
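To make the idea of a category concrete, here is an added example (not taken from any DG product) of a rule that combines a regular expression, a context phrase, minimum occurrence counts and a checksum to cut false positives. The `Category` shape, the thresholds and the sample documents are assumptions constructed for illustration.

```python
import re
from dataclasses import dataclass, field

@dataclass
class Category:
    """Hypothetical rule shape: every regex and phrase must reach its minimum count."""
    name: str
    patterns: dict                      # regex -> minimum number of valid matches
    phrases: dict                       # phrase -> minimum number of occurrences
    validators: dict = field(default_factory=dict)  # regex -> extra check per match

def luhn_ok(candidate: str) -> bool:
    """Checksum used by payment card numbers; filters out random 16-digit IDs."""
    digits = [int(c) for c in candidate if c.isdigit()]
    total = 0
    for i, d in enumerate(reversed(digits)):
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def evidence(text: str, cat: Category) -> dict:
    """Count validated regex matches and phrase occurrences for one document."""
    counts = {}
    for regex in cat.patterns:
        hits = [m.group(0) for m in re.finditer(regex, text)]
        check = cat.validators.get(regex, lambda _hit: True)
        counts[regex] = sum(1 for h in hits if check(h))
    for phrase in cat.phrases:
        counts[phrase] = text.lower().count(phrase.lower())
    return counts

def matches(text: str, cat: Category) -> bool:
    """A document belongs to the category only if every minimum is reached."""
    counts = evidence(text, cat)
    required = {**cat.patterns, **cat.phrases}
    return all(counts[key] >= minimum for key, minimum in required.items())

CARD = r"\b(?:\d[ -]?){15}\d\b"
PAYMENT_CARDS = Category("payment-cards", {CARD: 2}, {"cardholder": 1}, {CARD: luhn_ok})

# Constructed sample documents (card numbers are public test values).
DOCS = {
    "billing.txt": "Cardholder list: 4111 1111 1111 1111, 5555-5555-5555-4444.",
    "orders.txt": "Order IDs 1234 5678 9012 3456 and 9876 5432 1098 7654; cardholder n/a.",
    "refund.txt": "Refund to cardholder, card 4111111111111111.",
}
FLAGGED = sorted(name for name, body in DOCS.items() if matches(body, PAYMENT_CARDS))
```

Only billing.txt is flagged: the order IDs match the regular expression but fail the checksum, and the refund note contains a single card number, below the frequency threshold of two.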

At the same time, there is a function for analyzing the content of graphic data formats both using the OCR module and the module for searching for templates of scanned copies of documents, built on the basis of artificial intelligence and neural networks. This module is in high demand since employees of IT and information security departments sometimes do not have complete information about where exactly the most valuable data is located.

The continuous classification of file storage units provided by Data Governance solutions makes it possible to reduce the risk of leaks of critical information and simplify the audit process.

Analysis of data access rights

Understanding the location of critical information assets entails a second important task -- determining the current access rights to company resources. To solve this problem, DG tools can also be used. I am talking about both the analysis of access rights to a particular directory/document and the ability to view all the resources available to a specific employee.

I must say that even in a simple infrastructure with a file server based on Windows Server, it is challenging to solve this task without Data Governance tools, taking into account that access rights can be issued both directly and through security groups and policies, which, in turn, may be inherited. In addition, we should not forget about such risks as the presence of critical documents in the public domain, direct access rights of some employees, and unmanaged directories.

Using DG solutions, you can automatically identify the above risks and reduce unnecessary access rights. For the safe reduction of rights, some Data Governance tools have the ability to simulate changes in rights. This allows you to understand, even before the actual change, what resources an employee may lose access to based on his previous activities with different data sets.
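The rights analysis and the change simulation described above can be sketched as follows. This is an added example, not code from any DG product: it assumes a simplified model with allow-only entries, nested groups, inheritance that can be switched off per folder, and an audit log of past accesses. All names and sample data are constructed.

```python
from pathlib import PurePosixPath

def groups_of(user, members):
    """Every group the user is in, directly or through nested groups."""
    found, frontier = set(), {user}
    while frontier:
        frontier = {g for g, m in members.items() if m & frontier} - found
        found |= frontier
    return found

def grants_on(path, acl, no_inherit):
    """Principals granted on a path: its own entries plus those inherited from parents."""
    node, granted = PurePosixPath(path), set()
    while True:
        granted |= acl.get(str(node), set())
        if str(node) in no_inherit or node == node.parent:
            return granted
        node = node.parent

def can_access(user, path, members, acl, no_inherit):
    return bool(({user} | groups_of(user, members)) & grants_on(path, acl, no_inherit))

def direct_grants(acl, members):
    """Entries that name a user rather than a group (the direct-rights risk)."""
    return sorted((p, who) for p, ps in acl.items() for who in ps if who not in members)

def simulate_group_removal(user, group, members, acl, no_inherit, audit):
    """Paths the user has actually used and would lose if removed from the group."""
    after = {g: m - {user} if g == group else m for g, m in members.items()}
    used = sorted({path for who, path in audit if who == user})
    return [p for p in used
            if can_access(user, p, members, acl, no_inherit)
            and not can_access(user, p, after, acl, no_inherit)]

# Constructed sample data: group membership, ACL entries, folders with
# inheritance disabled, and an audit log of (user, path) access events.
MEMBERS = {"Finance": {"alice", "bob"}, "Payroll": {"alice"},
           "AllStaff": {"Finance", "carol"}}
ACL = {"/share": {"AllStaff"}, "/share/finance": {"Finance"},
       "/share/finance/payroll": {"Payroll"},
       "/share/finance/reports/q1.xlsx": {"alice"}}
NO_INHERIT = {"/share/finance", "/share/finance/payroll"}
AUDIT = [("alice", "/share/finance/budget.xlsx"), ("alice", "/share/handbook.pdf"),
         ("alice", "/share/finance/payroll/2024.csv"),
         ("alice", "/share/finance/reports/q1.xlsx"),
         ("bob", "/share/finance/budget.xlsx")]

LOST = simulate_group_removal("alice", "Finance", MEMBERS, ACL, NO_INHERIT, AUDIT)
```

The simulation shows a side effect that is easy to miss by hand: removing alice from Finance also costs her /share/handbook.pdf, because her AllStaff membership came only through the nested Finance group.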

Identifying illegal access to data and preventing data breaches

Audit of employees' actions in terms of data access is one of the most important features of DCAP / DG products. An audit of activities is not only an opportunity for a retrospective investigation of information security incidents but also a solution to such everyday problems as the loss of documents by employees. Typically, such tasks are solved by sending a request to the company's IT service desk, which, in turn, restores the document from a backup copy (if it exists).

Data Governance tools record all cases of accessing a document, including the facts of moving, renaming, deleting and changing access rights. With Data Governance solutions, processing a search request or restoring access to a document will take several minutes.

Data Governance at the service of the IT department

Data Governance solutions are helpful not only for solving the problems of the security department but also for IT teams. DG systems can help IT professionals solve problems related to optimizing the load on file storage. DG products can detect the presence of duplicates of large files, identify resources that have not been accessed for a long time or analyze documents that occupy most of the disk space.

IT departments often use domain controller protection functionality. Here we are talking about tasks related to controlling changes that involve the Active Directory, as well as analysis of configurations and settings of various accounts. With DG products, you can quickly identify the list of accounts with permanent passwords, the presence of empty security groups or inactive accounts.
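The account checks listed above can be illustrated with an added example (not code from any DG product) that reviews a constructed directory export. It assumes each record carries the Active Directory attributes sAMAccountName, userAccountControl and lastLogonTimestamp; the 90-day threshold and the choice to skip disabled accounts are assumptions.

```python
from datetime import datetime, timedelta, timezone

ACCOUNTDISABLE = 0x0002        # userAccountControl flag: account is disabled
DONT_EXPIRE_PASSWD = 0x10000   # userAccountControl flag: password never expires
EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)

def from_filetime(ticks):
    """lastLogonTimestamp is a FILETIME: 100 ns ticks since 1601-01-01 UTC."""
    return EPOCH_1601 + timedelta(microseconds=ticks // 10)

def to_filetime(moment):
    """Inverse conversion, used here only to build the sample records."""
    return (moment - EPOCH_1601) // timedelta(microseconds=1) * 10

def review(users, groups, now, inactive_days=90):
    """Report enabled accounts with permanent passwords or no recent logon, and empty groups."""
    cutoff = now - timedelta(days=inactive_days)
    enabled = [u for u in users if not u["userAccountControl"] & ACCOUNTDISABLE]
    return {
        "non_expiring": sorted(u["sAMAccountName"] for u in enabled
                               if u["userAccountControl"] & DONT_EXPIRE_PASSWD),
        # A value of 0 means the account has never logged on.
        "inactive": sorted(u["sAMAccountName"] for u in enabled
                           if u["lastLogonTimestamp"] == 0
                           or from_filetime(u["lastLogonTimestamp"]) < cutoff),
        "empty_groups": sorted(g for g, member in groups.items() if not member),
    }

def _user(name, uac, last_logon=None):
    ticks = to_filetime(last_logon) if last_logon else 0
    return {"sAMAccountName": name, "userAccountControl": uac, "lastLogonTimestamp": ticks}

def _day(year, month, day):
    return datetime(year, month, day, tzinfo=timezone.utc)

# Constructed sample export; 0x200 is the normal-account flag.
NOW = _day(2024, 6, 1)
USERS = [
    _user("svc_backup", 0x10200, _day(2024, 5, 30)),   # enabled, password never expires
    _user("jdoe", 0x200, _day(2024, 1, 2)),            # enabled, last logon months ago
    _user("asmith", 0x200, _day(2024, 5, 20)),         # enabled and active
    _user("old_admin", 0x10202, _day(2020, 3, 1)),     # disabled, so not reported
    _user("new_hire", 0x200),                          # never logged on
]
GROUPS = {"Finance": ["jdoe", "asmith"], "Legacy-Project": []}
REPORT = review(USERS, GROUPS, NOW)
```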

Regulatory compliance

The enumeration of the complete list of standards, requirements, laws, and legal acts for which Data Governance systems are helpful requires a separate article. I can only note here that the options for auditing access and analyzing the contents of file storage, for example, for the presence of personal data, can seriously reduce the cost of preparing and passing audits while increasing the level of the information security posture of your company.

Conclusion

The practical benefits of Data Governance systems often become visible not only to a few departments using them but also to business as a whole. Data Governance systems have a high level of automation and can reduce costs. Problems described in this article can be solved with different products, from semi-automatic DG systems using scripts to full-featured systems of the DCAP / DG class. Separately, it is important to emphasize the usefulness of DCAP / DG systems in terms of optimizing file storage, which, with a limited amount of computing resources, can ensure the smooth operation of any business.


Alex Vakulov is a cybersecurity researcher with over 20 years of experience in malware analysis. Alex has strong malware removal skills. He is writing for numerous tech-related publications sharing his security experience.


© 1998-2024 BetaNews, Inc. All Rights Reserved.