This interesting topic is often overlooked, but I see it increasingly in my security assessment work today. Unstructured...
information is difficult to secure because it's so pervasive within every network; it's the proliferation of Word documents, Excel spreadsheets, text files, .PDF files and even flat little database files. Many of these unstructured files contain sensitive and regulated information -- literally strewn across the entire network on every single storage device that you can imagine, such as server shares, laptops, thumb drives and so on. These files can often be found in locations that you've never even thought about or knew existed.
I'm coming across operating systems and applications that leave temporary files on the local drives in TEMP directories and even some "crash-dump" files that contain sensitive information. This can become an issue if the information is sent out to a vendor. I'm seeing laptop computers where the users have literally copied entire databases, entire public shares right off of a server -- anything and everything that they can copy onto their system so they can take it with them and work offsite. When performing security assessments, I see just a Windows desktop with sensitive files and information right there. Outlook .PST files are another repository for sensitive communications. I'm even seeing sensitive data unsecured on mobile devices, like PDAs and smart phones, where users are storing sensitive customer information.
I'm a strong believer that documented policies can only go so far. When finding and protecting unstructured information, you absolutely have to use technology to help. Numerous vendors now provide products to help manage security. Use tools to figure out what you have, where it is, how it's classified (e.g., public, private, sensitive, confidential, etc.), then take the internal steps to better organize and manage that unstructured data, and protect the data with better authentication and access controls within the network environment. Finally, educate your users so that they are aware of the sensitive nature of their data and the security risks carried with it. This will take effort, but it's a very important issue that requires serious attention.
Listen to the Storage Security FAQ audiocast here.
Go to the beginning of the Storage Security FAQ Guide.