Six steps for securing unstructured data

I have recently noticed a dramatic increase in client inquiries about the security of unstructured data. Information that does not have a predefined data model or fit readily into relational data tables can be problematic. Typically this sort of data is stored in traditional Windows and Unix file systems.

This trend indicates a heightened awareness of both the growth in the volume of unstructured data held by organisations and the security risks this data represents.

Nonetheless, Gartner believes the security of unstructured data remains a seriously under-recognised problem.

Many organisations have terabytes or even petabytes of data in file shares, home directories, departmental folders, project folders or drop-folders that are effectively invisible to the information security organisation.

The result is an extraordinary proliferation of data that is often unnecessary, redundant or inappropriate, and a proliferation of individual users with unnecessary or inappropriate, and therefore dangerous, access to that data.

Security professionals should implement six best practices to help protect their organisation against the security risks of unstructured data:


1. Appoint data stewards
Develop, implement and communicate a process and policy for the governance and management of unstructured data. One of the key roles within the information governance (IG) programme is the data steward.

Educating data stewards about how to identify data security risks, and aligning them with the information security team, will provide a much-needed communication pathway between the business and the information security organisation.

This pathway, which does not exist in most organisations, provides bidirectional benefit. The business has the ear of the information security organisation and can better communicate its strategies in a common language, while the information security organisation has a pathway to communicate security risks effectively.

2. Create an oversight committee
Create an oversight committee to review the potential impacts and risks of unstructured data.

This committee, which is a tactical working group typically composed of security professionals and system administrators, should be an adjunct to the organisation's established information security governance programme.