Many organizations struggle to control unstructured data—text files, emails, instant messages, word processing documents, and media files—across their environments. One tool that's often used to protect unstructured data is data loss prevention (DLP). These tools alone, though, can't cope with the data protection, privacy, and management needs of businesses today.
Forrester Research's Q2 Wave report on unstructured data security platforms identified a number of factors organizations should weigh when preparing to protect their unstructured data.
For example, when choosing a solution to protect unstructured data, a business should evaluate the tool's overall manageability, usability, and support capabilities. That should include ease of policy creation and customization, the availability of predefined templates and workflows, the flow of investigating alerts, and the navigation of the user interface required for ongoing operations.
When picking a solution to protect unstructured data, one key area to focus on is zero-trust policy enforcement. Zero trust always requires verification before access is granted to data. Solutions that support zero trust use information about data sensitivity and contextual data about a user, devices, or other conditions and attributes to automatically determine whether access should be granted.
Another area to focus on is information governance, which can eliminate redundant, obsolete, and trial or transitory data. Governance can also reduce storage and management costs, as well as power consumption, driving greener and more sustainable IT practices.
Here's why data lifecycle management is critical to your unstructured data security program.
Managing the data lifecycle
Generally speaking, a system for securing unstructured data needs to help an organization understand the value of its data, allow it to protect its data while it is in use, and protect its data over its lifecycle by preserving that information in a long-term repository, which protects data not only now but in the future.
That contrasts with DLP software, which requires an explicit policy to flag sensitive data and locks data down by placing it in quarantine. Data lifecycle management looks at the problem through a different lens. It helps an organization become proactive in understanding its information and in applying policies to information so it can be protected while in use and over its lifecycle. It has more capabilities than DLP, such as data discovery, data classification, encryption, obfuscation, and defensible disposition, which allows data to be disposed of after its business purposed has ended.
A data lifecycle management system recognizes that the value of data and the people who need access to data changes over time. The window for business relevancy for a document is about two years; for email, about 90 days. While the value drops off, however, the necessity to keep certain documents doesn't change.
DLP reacts to documents in transit based on policies. It will do something in response to activity around the document. That can sometimes pose a problem when people are collaborating on a project. Because data lifecycle management can be used to define who or what has access to a document, those kinds of snags are avoided. DLP can serve a valuable function, but organizations need a deeper and wider toolbox to understand the data they have and are creating so they can assess its value and protect it.
Moreover, data lifecycle management solutions allow access to be altered over time to meet the changing nature of the document. If it's the kind of document that needs to be retained for compliance or legal reasons, it will be placed in the long-term repository, where it can be accessed by folks who typically need access to older data: lawyers, clients, the records management team, auditors, investigators, etc. The repository can become a single source of truth for your organization.
The data lifecycle management system also helps you get rid of any unnecessary copies of documents that end up in the repository, and defensibly deletes the repository copies once they become irrelevant to the business. That's very important, because a common requirement of the new generation of consumer protection laws—such as the European General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA)—is that an organization know the business purpose of the consumer data it holds and who has access to it. Once that purpose has expired, the data needs to be deleted. If it isn't, the organization leaves itself exposed to sanctions, fines, and investigations.
Take the holistic view
Data lifecycle management helps secure and protect data over its entire use to the business—not just in transit, as DLP does—and evolves with the document from the point it's created to the point it's disposed of. It will analyze, investigate, and interrogate the data and look for value by identifying where sensitive information and low-value data are. That's more of a holistic view of securing and protecting data than DLP alone can muster.
That kind of view is very valuable to an organization. Organizations have to wrangle with a lot of much information in order to comply with new laws such as the GDPR and CCPA. They have multi-petabytes of data to deal with now. Only seven or eight years ago, 250TB was considered a lot of data.
In that mass of information, many organizations don't know where their sensitive data is. They need to find it quickly and make retention decisions about it. They also need to get rid of redundant data. It's been estimated that for every document in an organization, there are seven to 10 copies of it.
Block the exits
DLP has its place. It's valuable to block the exit from an organization any data in motion that has been appropriately tagged as containing customer information or intellectual property or significant customer categories. However, the business transformation challenges posed by the existing threat landscape is broader than that.
