Click to learn more about author Paul Trulove.

In addition to the myriad cybersecurity risks organizations already face, another vulnerability has emerged that affects most enterprises: the presence of sensitive data stored in unsecured files, i.e. unstructured data. Unstructured data can exist in a variety of forms, including documents, spreadsheets, presentations and reports, and it’s typically stored in individual files. Controlling access to unstructured data has become a chronic challenge for the majority of organizations across the globe, with many enterprises having far more unstructured data than they realize and this data is growing at a rapid rate.

According to Gartner, as much as 80 percent of enterprise data is unstructured, and most organizations don’t have adequate visibility and control over that data, which leads to serious risk. For example, professional hackers are increasingly targeting unstructured data because it’s typically easier to steal and yields a treasure trove of valuable information. Failure to secure unstructured data also can increase regulatory risk, with privacy regulations like GDPR and HIPAA requiring appropriate security over both structured and unstructured data. Historically, organizations have focused most of their efforts on protecting structured data, but failing to address unstructured data can now result in severe fines and legal penalties.

Tactical Best Practices for Managing Unstructured Data

To thoroughly safeguard the informational assets and sensitive data stored in unstructured files – while also lowering the risk of security breaches and compliance penalties – organizations and their identity governance leaders should abide by the following four best practices:

• Take Control of Unstructured Data: Without a doubt, data is the focal point of unstructured data management. In order to manage unstructured data effectively, however, identity governance expertise and processes are required. For instance, make sure Identity and Access Management (IAM) leaders can ensure that all high-risk, sensitive unstructured data has an appropriate access control model in place. Additionally, access to sensitive data should be granted according to predefined access policies. Periodic access reviews should be conducted by appropriate business and technical owners, and inappropriate access to unstructured data should be remediated in a timely manner.

• Bridge Peer Data Management Groups: To effectively manage unstructured data, IT groups need to coordinate and collaborate across departmental boundaries, rather than focus on domain-based risk management plans. Specifically, IAM leaders should include the management of unstructured data in their identity governance mission statement, plans, and budget. They should  share that with colleagues and executives so they understand that identity governance is a key ingredient of securing unstructured data. Also, if other groups feel they own the management of unstructured data, volunteer the identity governance group to collaborate with them on a complete solution.         

• Invest in Complementary Tools: Given the unique challenges unstructured data presents, IAM leaders need to invest in complementary tools to analyze unstructured data and determine exactly how it should be managed. In particular, look for tools that offer sensitive data discovery and classification, data ownership and control capabilities, and entitlement analysis. Most importantly, ensure all tools for managing unstructured data can be quickly and easily integrated with identity governance solutions so policies and processes already being used for securing structured data and applications can be leveraged.       

• Say No to Management Silos: While it’s tempting to implement a tactical tool for managing unstructured data, it’s critical to never lose sight of the need to govern and control data access across an entire organization. By investing in a unified solution to manage access across applications, systems, and data stored in files, IAM leaders can ensure policy and process consistency and avoid the wasted effort of duplicating identity governance functionality in domain-specific tools. Furthermore, to effectively reduce risk, organizations must be able to see the big picture. Governing with centralized visibility into “who has access to what?” across both structured and unstructured data is paramount.                 

Security, Compliance and Efficiency Require a Comprehensive Approach

Given the severity of security and regulatory risk, unstructured data is an issue that can no longer be ignored or addressed with legacy approaches. IAM leaders must view the management of unstructured data as a key extension of their mission and work closely with the rest of their organization to establish a comprehensive identity governance strategy that spans all applications, systems, and data. In doing so, security threats can be better addressed, compliance can be continuously ensured, and business goals can be accelerated by guaranteeing that the right people have the right access to the right information at all times.