It’s Time to Lasso Your Data
It’s time to get hold of your organization’s data. I know, it’s a scary proposition. It can lead you, as my Texas friend would say, into a state of “fixin’ to start.” Meaning, you think about it, but the task feels daunting and you move on to more tractable problems.
But let’s zero in on just one aspect of this data roundup. OK, actually, two aspects.
- What organizational content is stored where?
- What’s the security level of the content in each of these locations?
Why does this matter?
A New Approach to Protecting Your Data
This is moving from a good idea to something that’s becoming critical. Yes, if you’re subject to regulatory compliance of some sort (hello, GDPR!), understanding what content you have, where it lives, and how it’s safeguarded is an important first step in managing that compliance process.
But here’s something even more concerning. Think about the BYOD phenomenon. Now recognize the reality that if users don’t feel like they have the proper tool to help them work, they will go sign up for some free(ish) tool and use that. And what do they do with that tool? They generate content. Data that is relevant to your organization. That data may be trivial—who’s available for a meeting and when—but it may be much more sensitive. And where is that content stored? It’s stored on servers outside your control. Maybe they’re super secure. Maybe they aren’t so secure.
Who’s storing the content? Who’s deciding what gets stored where? Who is remembering to go back and delete content from these servers-you-don’t-control? Who’s making sure the content is being shared with just the right people? Who’s managing and auditing that process?
Why, your users are doing all that. Or not.
How are you feeling now?
We IT-oriented folks have followed a recipe for years. Set up a secure place to store the content. Manage it. Rinse and repeat. That’s still an important part of the security mix.
But now we have this “data leakage” to places you didn’t set up and secure.
Time to Find Your Data
So, to start, you had better think seriously about discovering where this content is. After all, you can’t manage it if you don’t know where it is, or whether it exists at all.
Once you’ve discovered where the data is, we can begin to talk about how we want to manage it. Fortunately, there are tools to discover and manage the content. But that’s getting ahead of ourselves; I’ll take that up in a future post. For now, I suggest meeting with each of your function/department heads and asking them some questions.
- What services/tools does your function/department use?
- What content do you store there? Can you describe the content you store?
- Who has access to the content? Is it just people internal to our organization? Or do partners that you work with also have access? And how are they granted access?
- Is there one account in use? Or several?
- Is there one person who serves as the “admin” for this service/tool?
Once you go through this discovery process, create a map or other visualization of the data you collected. Next, decide on the security level of the data, based on what the content is.
Finally, estimate how susceptible to compromise the data in a given tool/service is. One shorthand way of making this estimate is to group content repositories that can be accessed by persons external to the organization in one bucket, and content repositories that can be accessed only by internal people in a separate bucket.
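Here is one way to turn the interview answers into that map, as an added example that is not part of the original post. The CSV column names, the 1-3 security level scale, and the sample rows are assumptions constructed for illustration.

```python
import csv
import io
from collections import defaultdict

# Constructed sample answers from the department interviews (not real data).
# Columns mirror the questions above; the 1-3 security level is an assumed scale.
SAMPLE = """department,service,content,level,external_access,accounts,admin
Marketing,FreeSurveyTool,customer contact lists,3,yes,1,
Finance,InternalFileShare,quarterly forecasts,3,no,12,j.doe
Sales,SharedCalendarApp,meeting availability,1,yes,8,a.lee
HR,InternalWiki,onboarding guides,1,no,30,m.kim
Engineering,PartnerFileDrop,design documents,2,yes,4,r.roy
"""

def load_inventory(text):
    """Parse interview answers into typed records."""
    rows = []
    for r in csv.DictReader(io.StringIO(text)):
        rows.append({
            "department": r["department"].strip(),
            "service": r["service"].strip(),
            "content": r["content"].strip(),
            "level": int(r["level"]),
            "external": r["external_access"].strip().lower() == "yes",
            "accounts": int(r["accounts"]),
            "admin": r["admin"].strip() or None,  # None = nobody named as admin
        })
    return rows

def build_map(rows):
    """Group repositories into the two buckets, most sensitive content first."""
    buckets = defaultdict(list)
    for row in rows:
        buckets["external" if row["external"] else "internal-only"].append(row)
    for repos in buckets.values():
        repos.sort(key=lambda r: (-r["level"], r["service"]))
    return dict(buckets)

def render(data_map):
    """Return the map as plain text, external bucket first."""
    lines = []
    for bucket in ("external", "internal-only"):
        lines.append(f"[{bucket}]")
        for r in data_map.get(bucket, []):
            admin = r["admin"] or "none named"
            lines.append(f"  L{r['level']} {r['service']} ({r['department']}): "
                         f"{r['content']}; accounts={r['accounts']}; admin={admin}")
    return "\n".join(lines)

if __name__ == "__main__":
    print(render(build_map(load_inventory(SAMPLE))))
```

Entries at the top of the external bucket are the ones to look at first: sensitive content reachable by people outside the organization.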
What Then? Watch This Space
Once you have this visualization put together, you’ll be in a much better position to do something about it. Stop fixin’ to start and get going! In an upcoming post I’ll zero in on some tools that can be used to help with this discovery and subsequent content security management. More to come!