This blog was adapted from the original article on TDWI.
Unstructured data security and protection requirements continue to expand due to ongoing ransomware threats, sophisticated cyberterrorism and cybercriminal organizations, and an increase in natural disasters. AI innovations in the last year have also introduced new threats and risks to corporate data.
In this article, we’ll cover what storage and IT managers should consider regarding unstructured data security and governance.
1. Know your data.
Gaps in visibility, hidden applications and obscure data silos in branch offices all contribute to higher risk. Consider that protected data will end up in places where it shouldn’t, such as on forgotten or underutilized file servers and shadow IT cloud services. Employees unwittingly copy sensitive data to noncompliant locations more often than you’d think. You’ll need a way to see all your data in storage and search across it to find the files to segment for security and compliance needs.
You can use the data management capabilities in your NAS/SAN/cloud storage products to search for file types such as HR and IP data, but you’ll need to integrate visibility across all storage vendors and clouds if you use more than one vendor’s solution. Knowing how much data is cold, what data is obsolete, and what data should be deleted are equally important for eliminating unwarranted exposure and risks.
2. Set cold data thresholds with security and business leads.
IT infrastructure teams must collaborate with security and network teams to procure, install, and manage new storage and data management technology, but focusing on the data itself is imperative. The goal is to create requirements and guidelines for data management, security and governance and enhance those already in place. Cross-functional teams with departmental leaders can also create policies for data tiering and archiving, which reduces the footprint of data residing on primary storage where the 3x backup copy standard is in place.
3. Use AI/automation to tag and find sensitive data.
A real struggle with massive volumes of unstructured data spread across enterprise data silos is that it can be painstaking to find data sets that need a higher level of protection. Start by enriching file metadata with custom tags that indicate regulated or sensitive PII and IP information. Data classification is also useful in the case of a regulatory audit or even for use cases such as legal discovery. AI tools such as Amazon Macie can help by analyzing the content of millions of files for sensitive data, such as customer contact information or credit cards. IT can use the output of such AI scans to segregate and tag those data sets, move them to the most secure storage location, or delete them altogether if corporate rules require that.
4. Create policies for automated data movement across vendors.
Such policies, for example, could dictate that files containing financial data move to encrypted cold storage after one year of age, customer files move to immutable cloud object storage for a period once an account is closed or inactive, or that ex-employee data be deleted after 30 days from an employee’s last day. Automated policy features in storage and data management technologies can make this easier to execute for small IT teams. The goal is to lower the risk of data being in the wrong place at the wrong time, which creates security loopholes that a bad actor can easily exploit. Getting rid of unnecessary data and/or moving it to archival storage is also a great way to save money on expensive primary storage.
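The three example policies above can be expressed as a dry-run planner that reads file metadata and reports what would happen before anything is moved or deleted. This is an added illustration, not code from the original article or any product; the tag names, metadata fields, storage target names and the use of creation date for file age are all assumptions.

```python
from datetime import date, timedelta

# Thresholds taken from the example policies in the text.
FINANCIAL_AGE = timedelta(days=365)
EX_EMPLOYEE_GRACE = timedelta(days=30)

def plan_action(meta, today):
    """Return (action, target) for one file's metadata, or None to leave it alone."""
    tags = meta.get("tags", frozenset())
    # Deletion is evaluated first: moving a file that is due for deletion
    # only creates another copy to track.
    if "ex-employee" in tags:
        last_day = meta.get("owner_last_day")
        if last_day is None:
            return ("review", "missing owner_last_day")  # never delete on a guess
        if today - last_day > EX_EMPLOYEE_GRACE:
            return ("delete", None)
    if "customer" in tags and meta.get("account_status") in ("closed", "inactive"):
        return ("move", "immutable-object-storage")
    # "created" is a required field in this sketch (assumed definition of file age).
    if "financial" in tags and today - meta["created"] > FINANCIAL_AGE:
        return ("move", "encrypted-cold-storage")
    return None

def build_plan(inventory, today):
    """Dry run: map path -> planned action without touching any storage."""
    plan = {}
    for meta in inventory:
        action = plan_action(meta, today)
        if action is not None:
            plan[meta["path"]] = action
    return plan

# Constructed inventory; paths, tags and dates are illustrative only.
INVENTORY = [
    {"path": "/fin/ledger-2022.xlsx", "tags": {"financial"}, "created": date(2022, 1, 10)},
    {"path": "/fin/ledger-2024.xlsx", "tags": {"financial"}, "created": date(2024, 5, 1)},
    {"path": "/crm/acme.pdf", "tags": {"customer"}, "created": date(2023, 3, 3),
     "account_status": "closed"},
    {"path": "/home/jdoe/notes.txt", "tags": {"ex-employee"}, "created": date(2021, 7, 7),
     "owner_last_day": date(2024, 4, 1)},
    {"path": "/home/asmith/cv.doc", "tags": {"ex-employee"}, "created": date(2020, 2, 2)},
    {"path": "/fin/jdoe-expenses.xlsx", "tags": {"financial", "ex-employee"},
     "created": date(2020, 1, 1), "owner_last_day": date(2024, 5, 25)},
]
TODAY = date(2024, 6, 1)

if __name__ == "__main__":
    for path, action in build_plan(INVENTORY, TODAY).items():
        print(path, action)
```

Files with a sensitive tag but missing metadata are routed to review rather than acted on, so a tagging gap cannot trigger a deletion.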
5. Leverage monitoring and alerting features in IT systems.
IT and data management applications today provide alerts and notifications that can help you proactively identify threats and improve unstructured data security. Use these tools to monitor storage and backup systems for any anomalies, such as excessive file retrievals from one user account, indicating a possible security incident. Monitoring features can show other details such as orphaned data or duplicate data that may increase liabilities. Or, you may want to see metrics indicating potential performance problems, such as a file server or NAS device reaching capacity. Ensure you have a process in place to review alerts and monitor data to escalate and fix issues; AI, of course, is already doing this automatically in newer technologies.
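As an added example (not from the original article or any vendor tool), the "excessive file retrievals from one user account" check can be run over a file-access audit log by counting reads per user per hour and flagging counts far above the median. The log line format, the user names and the thresholds `k` and `min_reads` are assumptions.

```python
import re
from collections import Counter
from datetime import datetime
from statistics import median

# Assumed line format: "<UTC timestamp> user=<name> op=<READ|WRITE|...> path=<path>"
LINE_RE = re.compile(r"^(\S+) user=(\S+) op=(\w+) path=(.+)$")

def read_counts(lines):
    """Count READ operations per (user, hour); malformed lines are skipped."""
    counts = Counter()
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m or m.group(3) != "READ":
            continue
        try:
            ts = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%SZ")
        except ValueError:
            continue
        counts[(m.group(2), ts.replace(minute=0, second=0))] += 1
    return counts

def excessive_readers(lines, k=5.0, min_reads=20):
    """Flag user-hours whose read count sits more than k MADs above the median."""
    counts = read_counts(lines)
    if not counts:
        return []
    med = median(counts.values())
    # Median absolute deviation resists being dragged up by the outlier itself.
    mad = median(abs(n - med) for n in counts.values()) or 1.0
    return sorted(
        (hour.isoformat(), user, n)
        for (user, hour), n in counts.items()
        if n >= min_reads and (n - med) / mad > k
    )

def sample_log():
    """Constructed audit lines: three ordinary users plus one bulk reader."""
    rows = ["corrupt line", "2024-03-04T09:30:00Z user=bob op=WRITE path=/share/x.doc"]
    for hour in (9, 10, 11):
        for user, n in (("alice", 4), ("bob", 6), ("carol", 5)):
            rows += [f"2024-03-04T{hour:02d}:{i:02d}:00Z user={user} op=READ path=/share/f{i}.doc"
                     for i in range(n)]
    rows += [f"2024-03-05T02:{i // 5:02d}:{i % 5 * 10:02d}Z user=dave op=READ path=/hr/r{i}.pdf"
             for i in range(240)]
    return rows

if __name__ == "__main__":
    for alert in excessive_readers(sample_log()):
        print(alert)
```

The baseline is computed across all user-hours in the log, so a lone account reading in bulk during an otherwise quiet hour is still compared against normal activity.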
6. Leverage affordable ransomware protection in the cloud.
An immutable copy of data in a location separate from storage and backups provides a way to recover data in the event of a ransomware attack. However, keeping multiple copies of data can get prohibitively expensive. Determine whether the data is in active use. If the data is cold or inactive, you don’t necessarily need multiple copies of it. An effective strategy is to tier cold data from expensive storage and backups into a resilient destination such as Amazon S3 IA with Object Lock. By moving cold data to object-locked storage and eliminating it from active storage and backups, you can create a logically isolated recovery copy. Object-locked storage is an immutable medium that prevents deletion or alteration, and it is also significantly cheaper than file storage.
7. Incorporate data auditing and tracking for generative AI.
There is much to consider when it comes to safely and ethically adopting generative AI solutions in the workplace. Strategies may include developing employee guidelines for which data is sanctioned to send to generative AI tools and for what kinds of research and use cases. Conversely, IT must lock down sensitive data (such as software code, proprietary information, customer information, HR data) that individuals should not access for use in AI. Also, request documentation from vendors that incorporate AI in their products about how they are handling your data and how they can help mitigate any data risk from their tools. Maintain an audit trail of all corporate data used in AI applications and track who commissioned derivative works from generative AI tools. Doing so can protect your organization against any lawsuits for copyright infringement.