Wednesday, 8th July 2020

Sensitive data discovery: before you can control and protect it, you need to know where it is

The consequences of sensitive data getting into the wrong hands can be significant, and a considerable source of risk and anxiety for organisations. But a bigger problem logistically can be determining where such data exists across the business, so companies can implement protective measures. James Paton, CEO of SynApps Solutions, explains.

Since its introduction two years ago, and even before, the EU’s General Data Protection Regulation (GDPR) has shone a bright light on the risk of having sensitive data strewn across an organisation – and of companies not quite knowing where versions or copies of this data might exist. As a result of this lack of visibility, locking down sensitive information so that it doesn’t get into the wrong hands becomes very difficult.

Security assessments and tightening of controls, and even initiatives to move data to the cloud as part of digital transformation programmes, are further drivers for organisations to get a better handle on where all of their sensitive data currently resides.

And of course GDPR isn’t the only regulatory driver for organisations to increase their understanding of where and how they manage and use sensitive data. The Payment Card Industry (PCI) data security standard affects any merchandiser handling branded credit cards from the major card schemes. Listed companies, meanwhile, must keep track of market-sensitive information and be able to report on where it is under market abuse regulations. And public sector and health organisations must be vigilant about sensitive citizen/patient data. The list goes on.

‘Find my sensitive data’ services

It is in response to many of these challenges that there has been new innovation in the form of ‘sensitive data discovery’ on demand: that is, managed services that any organisation can tap into if they need to trace and report on where particular types of data exist.

Run securely in the cloud, or in a company’s own data centres, and fully resourced with highly qualified engineers, such hosted services remove a great burden from IT/compliance departments. Instead, it becomes possible for them to scan for instances of sensitive data across whole IT estates, and dynamically generate board-level reports, without having to allocate dedicated internal resources.

For organisations that want to go further, there are value-added services that can analyse the findings at a more detailed level, and suggest ways to bring sensitive data under more effective control.

By overcoming previously poor visibility to provide comprehensive sensitive data discovery, this kind of service can empower businesses to progress their bigger projects, such as digital transformation and cloud migration, fulfilling the CxO strategic agenda.

Knowledge is power: driving better user behaviour

The potential of a sensitive-data discovery service becomes even more significant where end users are engaged and involved in the remediation process, if sensitive data is found to exist where it shouldn’t – for example, unprotected on someone’s laptop. Alerts to individual users can prompt them to take appropriate remedial action in line with company policy.

Where all such activity is recorded and monitored, this alleviates the pressure on internal compliance teams to interpret and react to all of the findings from a data scan – which could run into thousands of information policy contraventions that need to be addressed. This also has the added benefit that, if an audit is launched, the organisation is fully covered by a comprehensive record of all steps that have been taken.

Beyond board-level HERO reports and information for internal governance purposes, data discovery services can also report on organisations’ exposure to risk, with associated values and ROI metrics – so companies can see issues that are still outstanding, what it would take to remediate them, and what intrinsic value that would have.

One of the most persuasive arguments in favour of using such services is the speed of deployment, and of getting actionable results – this could be within just a few hours, for instance. This means IT teams could very efficiently and sustainably scan their organisations’ entire digital estate – across multiple systems and operating environments – on a quarterly or annual basis.

Data discovery as-a-service, and the ‘sensitive data’ variety in particular, is a potential game-changer for organisations seeking to regain control of their diverse information assets – especially in the light of digital transformation programmes and cloud ambitions. After all, the first step in optimising what you do with something is scoping what you’re dealing with.
