In-Depth
New Regulations Bring Advancements in Data Governance
As critical unstructured data grows exponentially amid a variety of data privacy laws, organizations are turning to data governance automation.
By David Gibson
This year has ushered in an announcement by President Obama of a renewed focus on data privacy in the "Data Privacy Bill of Rights" and the European Union has proposed sweeping data protection legislation and increasing fines for non-compliant organizations.
These regulations are designed to increase governments' ability to punish organizations that allow major data breaches to occur or who sell customer data to third parties without authorization. They also aim to further protect information held by social networks and cloud computing services.
For the proposed EU data privacy regulations, organizations will have 24 hours to notify data protection authorities and affected parties in cases where private data has been compromised. By making sure that the rules also apply to foreign groups' European subsidiaries, the new rules will force global companies to strengthen their data protection policies. All companies with more than 250 employees will be required to have dedicated staff to deal with data protection issues. The rules will give the EU similar powers in policing privacy to those it wields in competition matters, where it can impose fines of up to 10 percent of turnover for violations.
In a teleconference recently between members of the European Commission (EC) in Brussels and the U.S. Department of Commerce in Washington, DC, EC vice president Vivian Reding suggested that the U.S. copy the EU's approach -- one that could imply a heavier hand. Reding said that the aim of meetings between the commercial regulators for the two governments was nothing short of "regulatory convergence" -- suggesting that they should come to an agreement on the language of the respective laws governing how ISPs and content providers handle personal data protection. She said that it's up to Washington to catch up with the "gold standard" that Europe has already set.
Thus, while Europe and Washington battle it out about the respective effects of the U.S. Patriot Act 2001 and adequate levels of protection for European data and American data centers, U.S. organizations doing business in Europe will have to establish mechanisms to comply with this new law.
New Regulations Are Ushering In Advanced Technology
When these various global regulations are combined with the rapid growth in organizational data, many organizations are not only struggling to comply with data laws and how to prevent loss of critical IP and customer data. In 2011 alone, more than 23 million records containing personally identifiable information (PII) were leaked, according to privacyrights.org.
In many cases, the biggest risk surrounding data does not come from hackers directly compromising customer and employee files, but from employees and contractors with overly permissive access, lack of access auditing, lack of context and lack of automation for the volumes of unstructured data that exist in company archives.
Protecting critical, unstructured data and comply with global data laws will be costly in terms of personnel and security. For example, the labor expense to manually protect and manage 5 terabytes of unstructured data annually is often in the hundreds of thousands of dollars. Potentially even more costly is the risk of data loss that may result from overly permissive access. Organizations that manage unstructured data manually normally discover that over 50 percent of the data people can access is not appropriate for them -- inevitably resulting in data loss (i.e., WikiLeaks) and preventing organizations from complying with data laws.
As critical unstructured data continues to grow exponentially and with so many different data privacy laws globally, organizations are turning to data governance automation, which provides repeatable and measurable processes for ongoing management, tracking, compliance reporting and protection of private data. A sustainable solution for safeguarding sensitive data requires an automated method to:
- Identify and prioritize exposed, sensitive content
- Examine the permissions users and groups have to data
- Trace how permissions were granted
- Visualize user and group permissions to folders
- Review user and group activity on data
- Recommend entitlement changes
- Determine business impact by testing permission changes prior to enactment
To provide comprehensive compliance and protection capabilities, automation must non-intrusively collect critical metadata (such as who has access to what data, who is using their access, who shouldn't have access, who owns the data, and what data is sensitive).
Until recently, tools were not designed to integrate seamlessly with existing processes and multiple platforms, so most data protection tasks (such as entitlement reviews, data usage audits, data owner confirmation, and state data identification) have been manual, error-prone, or haven't been performed at all. In many cases, IT is unable to reliably identify business owners for data sets or involve data owners in the governance process.
Determining who has access to a data set, which folders a user or group can access, and identifying unneeded permissions can be a challenge, and often IT is completely unable to answer questions such as, "Who accessed or deleted my data?"
Unstructured data management for access control, auditing, classification, ownership and authorization is now at the same situation that search was 10 or 15 years ago. No one would think today of going to the Internet and going to look for information without a sophisticated search engine, such as Bing or Google. The same applies to data governance practices for unstructured data. Without visibility, intelligence, and automation, it's impossible to have the proper governance in place. The manual approaches to data management and protection that worked 10 years ago no longer work, and even adding headcount to the problem will not bring any resolution.
It is possible today for organizations to effectively and automatically manage data access control, ownership, classification, entitlements and authorization processes on the platforms that host unstructured data. Data governance software automation enables organizations to proactively protect sensitive data and comply with global data regulations and at the same time significantly increase IT workforce productivity.
David Gibson, director of strategy at Varonis Systems, has been in the IT industry for over fifteen years and has helped companies design and implement enterprise network architectures, VPN solutions, enterprise security solutions, and enterprise management systems. You can contact the author at dgibson@varonis.com.