Security Magazine logo
search
cart
facebook twitter linkedin youtube
  • Sign In
  • Create Account
  • Sign Out
  • My Account
Security Magazine logo
  • NEWS
    • Security Newswire
    • Technologies & Solutions
  • MANAGEMENT
    • Leadership Management
    • Enterprise Services
    • Security Education & Training
    • Logical Security
    • Security & Business Resilience
    • Profiles in Excellence
  • PHYSICAL
    • Access Management
    • Fire & Life Safety
    • Identity Management
    • Physical Security
    • Video Surveillance
    • Case Studies (Physical)
  • CYBER
    • Cybersecurity News
    • More
  • BLOG
  • COLUMNS
    • Cyber Tactics
    • Leadership & Management
    • Security Talk
    • Career Intelligence
    • Leader to Leader
    • Cybersecurity Education & Training
  • EXCLUSIVES
    • Annual Guarding Report
    • Most Influential People in Security
    • The Security Benchmark Report
    • The Security Leadership Issue
    • Top Guard and Security Officer Companies
    • Top Cybersecurity Leaders
    • Women in Security
  • SECTORS
    • Arenas / Stadiums / Leagues / Entertainment
    • Banking/Finance/Insurance
    • Construction, Real Estate, Property Management
    • Education: K-12
    • Education: University
    • Government: Federal, State and Local
    • Hospitality & Casinos
    • Hospitals & Medical Centers
    • Infrastructure:Electric,Gas & Water
    • Ports: Sea, Land, & Air
    • Retail/Restaurants/Convenience
    • Transportation/Logistics/Supply Chain/Distribution/ Warehousing
  • EVENTS
    • Industry Events
    • Webinars
    • Solutions by Sector
    • Security 500 Conference
  • MEDIA
    • Videos
      • Cybersecurity & Geopolitical Discussion
      • Ask Me Anything (AMA) Series
    • Podcasts
    • Polls
    • Photo Galleries
  • MORE
    • Call for Entries
    • Classifieds & Job Listings
    • Continuing Education
    • Newsletter
    • Sponsor Insights
    • Store
    • White Papers
  • EMAG
    • eMagazine
    • This Month's Content
    • Advertise
  • SIGN UP!
CybersecurityCybersecurity Education & TrainingLogical SecuritySecurity & Business Resilience

Protecting enterprise data — wherever it lives

By Grady Summers
lights coming out of server

Image via Unsplash

October 2, 2023

Experts estimate that unstructured data now makes up 80% to 90% of the average organization’s data. That means the vast majority of data in an organization isn’t stored in nice, neat databases or secure applications. It’s sitting in text documents, spreadsheets, email messages, slide shows, video files and other formats. It’s stored on local devices, in the cloud and on filesharing services. As its name implies, unstructured data is just that — unstructured.

That might not sound like a problem, but it creates significant cybersecurity challenges. For example, if I asked where a company stores its key financial data, they might tell me it’s in their enterprise resource planning (ERP) or financial system. And while that’s probably true, it isn’t the whole answer. The organization likely uses spreadsheets for financial planning and analysis, and sensitive financial data certainly resides in PowerPoint presentations for senior leaders and the board of directors. Where are these stored? Who has access to them? Have they been shared with other teams? Are they stored in the cloud?

If an organization can’t answer those questions, it’s a good time to reevaluate the approach to data access security. Simply put, it's no longer enough to manage structured data. Enterprise security teams need to control access to all data — no matter where it lives.

Understanding where enterprise data lives

It’s hard to protect enterprise data if the security team doesn't know where it is — which means organizations need to improve their visibility. Security teams can start by conducting a data inventory audit to better understand where the enterprise’s most sensitive data actually lives. There’s nothing revolutionary about this idea — in fact, it’s been step one for data protection for more than 30 years. Still, it can be surprising how many companies acknowledge that they’re still at this step. This is a growing problem today because as networks become more complex and organizations collect an ever-increasing volume of data, starting a data inventory from scratch will only become harder with time. Don’t fall into that trap — security needs to know where the metaphorical “crown jewels” are.

This is particularly important as the amount of unstructured data continues to expand at an astonishing rate. A concerning number of organizations believe protecting data at the application level is enough — and while restricting who can access structured data within programs like SAP or Salesforce is certainly a good idea, it doesn’t address the full problem. If, for example, a list of Social Security numbers is sitting in a file share folder somewhere, that’s important to know. If a list of customer financial records is sitting on an email server, that’s important to know, too. Today’s organizations have access to technology that can automatically scan unstructured data to look for patterns like Social Security numbers or credit card information. Once security knows where that data is, they can govern its access accordingly.

Governing access to structured and unstructured data

Identity is the structure upon which that governance is built. Whether the identity in question is a human or machine identity, they should have a clearly defined role that determines what information and systems they are permitted to access. Modern identity tools have gotten very good at automating the process of provisioning those entitlements and permissions, and that system should be integrated with data access security systems to ensure that those entitlements are being applied not just to applications, but to unstructured data as well. It’s also important to know not just who has access to data, but how that access is granted. Is there a formal “front door” where users can request approval? That sort of process is essential, and security should make sure the organization has effective data access controls implemented.

It’s critical to make sure only the right people have access and to validate that access regularly. On top of that, it’s a good idea to tie access validation into a lifecycle management system that can automatically reassess entitlements and permissions when users’ roles and responsibilities change. An employee who moves from a human resources job to a communications role should not retain access to the payroll system — for example — and an employee who leaves the company should have their access privileges revoked immediately. By regularly validating permissions and entitlements, security can ensure that each identity has access only to the information it needs — greatly reducing the potential damage if a compromised identity falls into the wrong hands.

Identify, assess, govern

Today’s organizations should address data access security through an “identify, assess, govern” approach. That means identifying where their data lives, assessing who has access to it, and establishing a process to govern that access over time. That might sound like an oversimplification, but it’s a helpful way to frame the approach to what can be an intimidating process. Unstructured data is growing at an exponential rate, and it’s something every organization will have to grapple with eventually. Don’t wait until after a breach — prioritize data access security and ensure unstructured data isn’t exposed and waiting for an attacker to exploit it.

KEYWORDS: cyber security threat data compliance data management enterprise risk management governance

Share This Story

Looking for a reprint of this article?
From high-res PDFs to custom plaques, order your copy today!

Grady Summers is EVP, Product and Solutions at SailPoint. Summers specializes in identity and governance management.

Recommended Content

JOIN TODAY
To unlock your recommendations.

Already have an account? Sign In

  • Security's Top Cybersecurity Leaders 2024

    Security's Top Cybersecurity Leaders 2024

    Security magazine's Top Cybersecurity Leaders 2024 award...
    Top Cybersecurity Leaders
    By: Security Staff
  • cyber brain

    The intersection of cybersecurity and artificial intelligence

    Artificial intelligence (AI) is a valuable cybersecurity...
    Columns
    By: Pam Nigro
  • artificial intelligence AI graphic

    Assessing the pros and cons of AI for cybersecurity

    Artificial intelligence (AI) has significant implications...
    Logical Security
    By: Charles Denyer
Subscribe For Free!
  • Security eNewsletter & Other eNews Alerts
  • eMagazine Subscriptions
  • Manage My Preferences
  • Online Registration
  • Mobile App
  • Subscription Customer Service

More Videos

Sponsored Content

Sponsored Content is a special paid section where industry companies provide high quality, objective, non-commercial content around topics of interest to the Security audience. All Sponsored Content is supplied by the advertising company and any opinions expressed in this article are those of the author and not necessarily reflect the views of Security or its parent company, BNP Media. Interested in participating in our Sponsored Content section? Contact your local rep!

close
  • Crisis Response Team
    Sponsored byEverbridge

    Automate or Fall Behind – Crisis Response at the Speed of Risk

  • Perimeter security
    Sponsored byAMAROK

    Why Property Security is the New Competitive Advantage

  • Duty of Care
    Sponsored byAMAROK

    Integrating Technology and Physical Security to Advance Duty of Care

Popular Stories

Pills spilled

More than 20,000 sensitive medical records exposed

Laptop in darkness

Verizon 2025 Data Breach Investigations Report shows rise in cyberattacks

Coding on screen

Research reveals mass scanning and exploitation campaigns

White post office truck

Department of Labor Sues USPS Over Texas Whistleblower Termination

Computer with binary code hovering nearby

Cyberattacks Targeting US Increased by 136%

2025 Security Benchmark banner

Events

May 22, 2025

Proactive Crisis Communication

Crisis doesn't wait for the right time - it strikes when least expected. Is your team prepared to communicate clearly and effectively when it matters most?

September 29, 2025

Global Security Exchange (GSX)

 

View All Submit An Event

Products

Security Culture: A How-to Guide for Improving Security Culture and Dealing with People Risk in Your Organisation

Security Culture: A How-to Guide for Improving Security Culture and Dealing with People Risk in Your Organisation

See More Products

Related Articles

  • cyber-data-freepik1170x658x82.jpg

    Protecting operations and data against cyberattacks

    See More
  • State sponsored attackers--protect the enterprise

    Protecting the enterprise against state-sponsored attacks

    See More
  • data-center

    Strengthening the frontlines for unstructured data security: Protect it first

    See More
×

Sign-up to receive top management & result-driven techniques in the industry.

Join over 20,000+ industry leaders who receive our premium content.

SIGN UP TODAY!
  • RESOURCES
    • Advertise
    • Contact Us
    • Store
    • Want More
  • SIGN UP TODAY
    • Create Account
    • eMagazine
    • eNewsletter
    • Customer Service
    • Manage Preferences
  • SERVICES
    • Marketing Services
    • Reprints
    • Market Research
    • List Rental
    • Survey/Respondent Access
  • STAY CONNECTED
    • LinkedIn
    • Facebook
    • YouTube
    • X (Twitter)
  • PRIVACY
    • PRIVACY POLICY
    • TERMS & CONDITIONS
    • DO NOT SELL MY PERSONAL INFORMATION
    • PRIVACY REQUEST
    • ACCESSIBILITY

Copyright ©2025. All Rights Reserved BNP Media.

Design, CMS, Hosting & Web Development :: ePublishing