Corporate data accessed by too many

Growth in data volume and ease of access among causes for increasing security breaches, warns a security expert, who adds that flexibility of controls can mitigate threats.

With increasing ease of access to corporate data, organizations are in danger of "breaches" in the form of files, rather than database records, warned security vendor Imperva, adding that the number of affected companies is set to rise.

As more and more sensitive data gets disseminated as unstructured content, hackers may seek to take advantage of the loopholes, and make away with confidential data for financial or personal gains, Stree Naidu, Imperva's Asia-Pacific vice president, told ZDNet Asia in an e-mail interview.

"While most business applications use structured storage such as databases to maintain and process sensitive and critical data, users are constantly creating and storing more unstructured content, based on the information taken from these systems," he said.

Such information include data stored in excel spreadsheets, presentations and medical lab results sent as letters to patients. However, it is not merely the transfer of the information that is opening up loopholes and opportunities for unauthorized access, Naidu explained.

The documents do not actually need to be sent anywhere for a threat to exist. What we've observed, and the recent WikiLeaks incidents have shown, is that data is accessible by too many people within the business--people who do have a legitimate need for access, despite strict company policies," he pointed out.

Therefore, reducing access rights to a business need-to-know level and monitoring access activity are some ways to mitigate the risk.

Furthermore, with data volume increasing at 60 percent every year, increased sharing of data, as well as data retention policies, are also contributing to the threat of security breaches, Naidu said.

The situation is further complicated by the fact that files are "autonomous entities", which organizations do not have control of even with today's tools, he added. Unlike database records, which are created by pre-programmed applications, the inability to maintain control of files "may result in excessive access privileges and an inadequate audit trail of access to sensitive information".

Cloud-based software such as Google Docs and Jive, and internal document management systems such as Microsoft's SharePoint or EMC's Documentum becoming part of enterprise IT, have also upped the attack surfaces and, therefore, risk of threats.

The Wikileaks incident last year was a clear indication that "massive leakage and compromise of sensitive information is indeed becoming a clear and present danger", according to Naidu.

Another case of high-profile breach involved a former Goldman Sachs employee, who stole source code used for a proprietary high-frequency trading program, by using his desktop to upload the code to a server based in Germany, Naidu noted.

The bank identified the misconduct after observing large amounts of data leaving the servers, which led to the rogue employee's arrest.

With these in mind, Naidu said organizations ought to budget and plan for the next generation of file access monitoring and governance tools to reduce the risk of file exposure. Some key characteristics to take note of include:

  • Policies set and expressed by content of file, rather than metadata
  • Flexible deployment, without impacting data stores or network architecture
  • Adaptive deployment with focus on the most accessed files, without compromising the ability to track sensitive information in older files
  • Ability to identify file owners and excessive rights to files

The executive also advised that enterprises be constantly on the lookout as hacking methods are always "improving and evading detection". Businesses, he urged, should increase monitoring visibility of traffic and setting security controls across all organization layers.

"A security control should understand these shifts in the hacker industry and rapidly incorporate these changes in their organization," said Naidu. "This could even include incorporating a reputation-based control, which could stop large automated Web-based attacks known to originate from malicious sources."