Data governance is critical to prevent insider data loss

David Gibson, director of strategic accounts and technical marketing at Varonis, says that governance is now key to securing, but also effectively managing, both structured and unstructured data. The reason, he says, is that, in many of the security breaches over recent weeks, employees or contractors were able to delete or download thousands of files without raising concerns. The reason: no one was able to determine what sensitive data they had access to and secure it before any information could be stolen, or audit data use and alert on anomalous behaviour. Says Gibson: "These recent attacks and breaches demonstrate how critical it is that organisations be able to answer the following questions: Who has and should have access to data? Who is using their access? Who is abusing their access? Who owns the data? And, what data is sensitive?" He points to the fact that much of the data accessed and leaked comprised unstructured or semi-structured data, such as documents, spreadsheets, images, presentations and video, all of which resided on file shares accessible throughout organisations. Gibson suggests that more than half of the files and data employees can access are not relevant to them. "Stale, excessive permissions are rarely revoked. In many cases an organisation's data is open to global access groups, with no reliable way of remediating access without impacting the business," he says. Add to that the fact that more than half of the data on file systems, NAS devices, SharePoint sites and email systems lacks an owner, and the scale and source of the problem becomes clear, he asserts. "It is a profound operational failure of many organisations that they are unable to perform the most basic management and protection tasks to secure their critical business assets," insists Gibson. "Organisations must ensure that controls are in place to mitigate the risks of data leakage, theft and loss arising from excessive access rights and permissions, and non-existent audit trails," he adds. He strongly recommends automated data governance, because manual permissions and group changes are unreliable and error prone. In many cases, says Gibson, the IT group is unable to reliably identify business owners of data sets or involve data owners in the governance process. "Determining who has access to a data set, which folders a user or group can access and identifying unneeded permissions can be a challenge," he warns.