This is a multiple-choice question: What’s the most pressing issue currently keeping IT managers up at night?
Possible answers:
a) dastardly hackers who can loot the company’s family jewels;
b) fraud by malicious insiders;
c) uncertainty about disaster recovery in case of major disruption;
d) malware infestation that can gum up an entire system for days; or
e) something else.
The correct choice is: e) something else. The corresponding answer would be: “Not knowing exactly where all the enterprise data is housed on a daily and hourly basis.”
According to the findings in a research project released June 27, undertaken by Ponemon Institute and underwritten by enterprise data integration provider Informatica, the uncertainty about the location of sensitive and confidential data is more of a worry than a hacker or malicious employee.
In an effort to learn how organizations are responding to threats to the security of their structured and unstructured data, Ponemon put together an extensive survey of 1,587 global IT and IT security practitioners in 16 countries. To ensure that researchers obtained knowledgeable and high-quality responses, only IT practitioners whose jobs involve the protection of sensitive or confidential structured and unstructured data were allowed to participate.
Here’s a summary of key findings:
—Data in the dark keeps IT practitioners up at night. Fifty-seven percent of respondents said not knowing where the organization’s sensitive or confidential data is located keeps them up at night. This is followed by 51 percent who said migration to new mobile platforms is a concern.
—Sensitive or confidential data is often invisible to IT security. Only 16 percent of the respondents believe they know where all sensitive structured data is located, and a very small percentage (7 percent) know where unstructured data resides.
—Organizations mainly rely upon the classification of sensitive data to safeguard data assets. The two most popular technologies for structured data are sensitive data classification and application-level access controls. Only 19 percent said their organizations use centralized access control management and entitlements, and 14 percent use file system and access audits.
—Automated sensitive data-discovery solutions are believed to reduce the risk to data and increase security effectiveness. Despite the positive perception about automated solutions, 60 percent of respondents said they are not using automated solutions to discover where sensitive or confidential data is located. Of the 40 percent of respondents who said their organizations use automated solutions, 64 percent said they use it for discovering where sensitive or confidential data is located in databases and enterprise applications. Only 22 percent use it to discover data in files and emails.
—Specific automated solutions would improve an organization’s compliance and data protection posture. The most popular capabilities are automated user access history with real-time monitoring followed by policy workflow automation.
For purposes of this research, data-centric security assigns a data security policy at creation and follows the data wherever it gets replicated, copied or integrated—independent of technology platform, geography or hosting platform. Data-centric security includes technologies such as data masking, encryption, tokenization and database activity monitoring.