MANAGING THE DATA LIFE CYCLE:
New research uncovers data management gaps that increase risk. Automated, intelligent solutions can reduce the governance burden on IT.
Across the fast-evolving world of information technology, one of the few certainties is the exponential and ongoing growth in data.
In the next two years, organizations expect a 450% increase in the volume of information coming through their virtual doors, according to an AIIM survey. IDC predicts the amount of data created over the next three years will be more than that created over the past 30.
Organizations are already making good use of this expanding digital resource, using data to improve and speed decision-making, optimize operations, increase sales, and build customer loyalty, among myriad other benefits. Helping matters, storage prices as well as computational costs have plummeted and, thanks to the cloud, storage capacities have become virtually unlimited. Even so, “store everything” is not an effective information governance strategy, according to Gartner.
Even if it were practical and affordable to retain each bit of data generated by every data center, cloud service, smartphone, and edge device, hoarding data unnecessarily introduces daunting management challenges and cybersecurity risks.
Could the CISO’s job description possibly get any broader? Even before the global pandemic disrupted the workplace, CISOs and their security teams were already being asked to protect systems and data across cloud and mobile environments, managing risk for the workforce as well as with partners, vendors, and increasingly digitalized supply chains.
Security leaders must do all this without taking their eye off what Microsoft CISO Bret Arsenault calls “the pedestrian, but still most important, part of the job.” These are the basic security hygiene tasks — patch management, identity and device management, threat detection, and incident response — that take up the bulk of a security analyst’s day. As organizations adapt to the broad remote-work policies that fell into place swiftly as the global health crisis took hold, “routine” operations management has become anything but routine.
About the research
With an average of over 300,000 new threats appearing daily, something will eventually penetrate the perimeter.
The Zero Trust model is an emerging path to robust security. It replaces the assumption that everything behind the corporate firewall is safe with three principles:
Verify explicitly
Use least privilege access
Assume breach
How would you characterize data governance and compliance at your enterprise?
Effective data management and data loss prevention (DLP) must take into account the entire life cycle of data — creation, storage, movement, use, and deletion — and ensure the data is protected at each stage, from data center to cloud to endpoint. The IDG survey suggests, however, that the growing volumes and types of data amassing within organizations are outpacing existing governance practices and data management tools.
On the positive side, most organizations recognize the risk associated with unsecured and poorly tracked data. Too often,
Biggest challenges in records management
THE PATH TO ELIMINATING PASSWORDS
Organizations can balance security and employee productivity — and gain visibility — with the right authentication and identity verification capabilities. For example, the solution must ensure that only the right people have the right access to the right resources. This mitigates access risk by protecting, monitoring, and auditing access to critical assets.
THE GOOD, THE BAD, AND THE UNKNOWN
Specifically, enterprises should seek solutions with:
Single sign-on (SSO)
Users sign in once with one account to access devices, apps, and data. IT administrators should be able to easily centralize user account management, and automatically add or remove user access to applications based on group membership.
Application access
Rather than launching apps one by one, seamless access means giving users one portal from which they can easily see and open all of their apps. Even better, they should be able to personalize their app organization for easier discovery. Another important consideration is mobile access; it should be just as easy to securely access enterprise apps through a mobile device as it is from a desktop or laptop.
Access request
In addition to auto-enrolling users in groups based on organizational policies, empower users with access requests. Simply define a safe set of apps in which users can self-enroll, then make it easily discoverable from their existing app access experiences.
Guest user collaboration
Give contractors, visitors, and vendors a familiar access experience for improved collaboration. Instead of creating secondary accounts, the right access solution allows guests to use their preferred identity provider.
Robust, frictionless security requires considerations around identity management procedures and processes. IT must be able to protect access to applications and resources across the corporate data center and into the cloud, while monitoring suspicious activity through advanced security reporting, auditing, and alerting to mitigate potential security issues. Also, consider ways to empower users to be part of the organization’s security solution by helping spot and report potential breaches to IT.
SECURITY
Following the Zero Trust model helps organizations achieve all of these goals. Two important steps to take in this approach are:
Multi-factor authentication (MFA)
This capability prompts a user during the sign-in process for an additional form of identification, such as entering a code on their cellphone or providing a biometric scan. IT can set fine-grained policies to trigger MFA prompts only in suspicious and high-risk instances, reducing barriers to productivity while maintaining security. Also, to aid with adoption and enrollment, allow users to register their security contact information to be shared across multiple experiences. In fact, with sufficiently strong MFA, organizations can move toward a passwordless model for access — furthering their maturity with the Zero Trust approach.
User involvement
When end users can review their sign-in activity, they can check for unusual behavior — such as someone trying to guess their password or a successful sign-on that they did not request. This simple step makes it seamless for users to report suspicious activity to IT.
Empowering users to manage their own identity not only improves their engagement with security, but it also allows IT teams to focus on more strategic security priorities. For example, giving users the ability to reset their own passwords and manage their profiles reduces friction and improves productivity. Self-service enables IT to provide the guardrails for access but puts the day-to-day management and security of identity in the user’s hands.
Password reset requests tend to be the largest percentage of the IT help desk workload, sometimes accounting for more than 20% of their time. With self-service password reset (SSPR) functionality, users are empowered to reset their own passwords from a web interface that can be accessed remotely. IT can also set the right level of security for their organization by dictating which forms of second-factor confirmation will be required to authorize the reset.
SELF-SERVICE
To further empower self-sufficiency and increase efficiencies, give end users the ability to manage their own identity attributes, such as resetting their security contact info, updating their authorized work devices, and reviewing sign-in information.
As IT and compliance teams seek to address data lifecycle and DLP management challenges, they are relying on increased automation as well as cloud-based solutions. Six out of 10 respondents say the majority of data management processes performed at their organizations are automated. The main challenges for those organizations include some notable differences from those faced by organizations that have automated fewer than half of their data management activities.
TURNING TO AUTOMATION AND THE CLOUD
The IDG survey results indicate that many organizations have yet to gain complete visibility and control over the data that fuels their operations. Indeed, many may not even recognize the extent of their unstructured data reserves, and a high percentage are probably exposing themselves to unnecessary risks by retaining data far too long.
Automated processes and cloud-based data storage and management can help to address some of these challenges. Ideally, organizations should consider comprehensive solutions that address every stage of the data lifecycle and every platform on which data resides. These solutions must deliver capabilities that include identity access management for managing access to data, automated data classification for improving scale and accuracy, and artificial intelligence (AI) to rapidly extract useful information from unstructured documents, emails, and rich media.
MANAGING DATA FROM BEGINNING TO END
Unfortunately, that message hasn’t reached every organization. A new IDG study finds more than one-third of organizations lack data retention and deletion plans — meaning they save all of their data by default.
Furthermore, 75% of the organizations surveyed admitted to not having highly efficient data governance and compliance operations. The bulk of the respondents characterized data governance and compliance within their organizations as either “generally efficient” or “adequate.” These lower levels of data oversight and control simply aren’t tenable, given the risks associated with data loss, corruption, or exposure, along with severe regulatory and legal non-compliance penalties.
IDG surveyed 302 organizations with 500 or more employees in late 2020. Survey respondents were required to have some role in information governance, risk, and/or compliance, and the organizations must have adopted cloud solutions as part of their IT infrastructure strategy. Eighty-five percent of the respondents held director-level or above roles.
however, data lifecycle management is not a top priority until after an organization suffers security or compliance failures.
Even for leadership teams wanting to be more proactive, a lack of accessible and affordable data management solutions has made it difficult to manage the entire data life cycle. Fortunately, the emergence of comprehensive, automated, and intelligent data governance and DLP offerings is helping to reduce the burden on IT and close security and compliance gaps that organizations may not even realize they have.
Organizations attempting to get better control over their data often lack a unified way to do so. On average, each company surveyed by IDG uses between four and five different data management systems.
Such fragmented and often disjointed solutions can prove unwieldy and difficult to integrate. But this doesn’t represent the most significant records management hurdle. The top challenge, not surprisingly, is the sheer volume of records and the variety of data platforms organizations confront.
Despite the range of challenges they face — and the fact that only one-quarter characterized their data governance and compliance operations as “highly efficient” — most survey respondents expressed some confidence in their compliance team’s ability to execute a number of data management and protection tasks.
However, fewer than half of the respondents were “totally confident” in their team’s ability to perform any of the critical tasks required. Again, being “generally” or “somewhat” confident about your organization’s ability to, say, classify, label, and protect sensitive data, is insufficient in a data-dependent world rife with cyber threats and risks.
Confidence in the governance and compliance team for data management activities
Two other areas of potential data management pitfalls involve unstructured data and dark data. Unstructured data includes everything from documents to email to spreadsheets to chat messages. Dark data, for the purposes of the IDG survey, was defined as the information assets organizations collect, process, and store during regular business activities, but generally fail to use for other purposes. Dark data can be either structured or unstructured.
In the case of unstructured data, a core problem may be failing to recognize just how much of this material exists. Survey respondents estimate that 38% of their records are unstructured. However, other estimates of the typical digital data breakdown usually place the unstructured portion in the 80-90% range, indicating that many survey respondents don’t have a good grasp of the amount of unstructured data in their organizations.
Another sign of uncertainty or indifference: Nearly two-thirds of those surveyed had “no strong opinion” about how to treat their unstructured data.
Dark data poses its own set of challenges. Organizations estimate that 38% of their data is dark but show little unanimity in how to handle this data. Respondents estimate that they retain just one-third of their dark data for compliance purposes; the remainder is kept simply because they lack the expertise or technology to properly classify and, if appropriate, delete it.
BIGGEST CHALLENGES IN RECORDS MANAGEMENT BY LEVEL OF AUTOMATION
Overall, over one-third of organizations keep all of their data, regardless of type. More than half (55%) implement simple, time-based retention schedules, while only 9% say they have established more comprehensive retention policies.
Clearly, there’s a lot of data residing in organizations that serves no useful purpose and may not even be recognized. This data may pose security or compliance risks if not well managed and, ideally, deleted when appropriate.
PERCENTAGE OF ‘DARK DATA’ RETAINED FOR COMPLIANCE VS OTHER REASONS
For example, the biggest challenge for less automated organizations is, not surprisingly, the manual and time-consuming nature of data management tasks. By comparison, time constraints for more automated organizations lean toward learning to use data management solutions — which is understandable if they’re adding newly automated processes. Increasing volumes of information are a shared concern across all organizations.
A shift to the cloud could help to ease some of these data management challenges: 84% of survey respondents say cloud-based data is generally or very easy to locate and classify. More than one-third (38%) currently store sensitive data in the cloud.
Microsoft integrates information management technologies across its broad portfolio of software products and cloud-based services. As part of its efforts, the company has continually enhanced and extended the reach of its core Microsoft Information Protection (MIP) and Microsoft Information Governance (MIG) solutions.
MIP has long protected sensitive enterprise data across Microsoft 365 applications and services. MIP integrates a consistent data classification scheme and DLP capabilities across a variety of Microsoft products, including OneDrive, SharePoint, Office 365, and Teams. These solutions can be collectively managed in the Microsoft 365 Compliance Center as a single DLP solution.
MICROSOFT’S INTEGRATED INFORMATION MANAGEMENT SOLUTIONS
To enable end-to-end data management, Microsoft has added Microsoft Endpoint Data Loss Prevention to extend its native DLP capabilities to Windows 10 desktops, Office apps, and the network edge. Organizations can now deploy an intelligent, unified, built-in, and extensible information management and DLP solution that builds upon the broad and familiar portfolio of Microsoft products and services.
MIG helps organizations manage information lifecycle and business-critical records with built-in, intelligent, and defensible capabilities that help to reduce liability and risk. It includes capabilities for records management, data retention and deletion, and other critical governance tasks. A core element of MIG is Microsoft 365 records management, which helps organizations monitor and control both their structured and unstructured data.
Learn more about how Microsoft can help your organization address its data lifecycle management, protection, and governance needs.
