How can I get a handle on unstructured information in my environment?
I'm coming across operating systems and applications that leave temporary files on the local drives in TEMP directories and even some "crash-dump" files that contain sensitive information. This can become an issue if the information is sent out to a vendor. I'm seeing laptop computers where the users have literally copied entire databases, entire public shares right off of a server -- anything and everything that they can copy onto their system so they can take it with them and work offsite. When performing security assessments, I see just a Windows desktop with sensitive files and information right there. Outlook .PST files are another repository for sensitive communications. I'm even seeing sensitive data unsecured on mobile devices, like PDAs and smart phones, where users are storing sensitive customer information.
I'm a strong believer that documented policies can only go so far. When finding and protecting unstructured information, you absolutely have to use technology to help. Numerous vendors now provide products to help manage security. Use tools to figure out what you have, where it is, how it's classified (e.g., public, private, sensitive, confidential, etc.), then take the internal steps to better organize and manage that unstructured data, and protect the data with better authentication and access controls within the network environment. Finally, educate your users so that they are aware of the sensitive nature of their data and the security risks carried with it. This will take effort, but it's a very important issue that requires serious attention.
Listen to the Storage Security FAQ audiocast here.
Go to the beginning of the Storage Security FAQ Guide.
08 Mar 2007