Modern businesses generate, process, store, and analyze huge quantities of data. In fact, many gather more data than they’ll ever use, stashing it in storage services and servers until a rainy day that never comes. Storage is cheap, so why not store as much data as possible? There is nothing wrong with storing data if it is done consciously, strategically, and with careful oversight, but when data is stored accidentally or without due care and attention, it becomes a security, privacy, and compliance liability.
An excellent illustration of the risk of careless data storage hit the headlines this month. Fedex stored 119,000 pieces of identifying data — including passport and driver’s license scans, and full address details — on a publicly accessible cloud storage platform. The data is a potential goldmine for identity thieves.
How did it happen? Fedex bought a company called Bongo, which seems to have stored sensitive data insecurely. Bongo was folded into Fedex and later shut down altogether, but the data archive remained. It’s easy to see how lax controls, staffing changes, and inadequate preparation for the handover could lead to an archive becoming orphaned, disconnected from any oversight and control until, eventually, it’s forgotten altogether.
The cloud encourages this sort of carelessness with data: it’s easy enough to let a cloud storage platform become the company’s data junk drawer, but the risks are enormous. Colocated hardware is more likely to be carefully monitored and deliberately deployed, but companies that own servers and host them in a colocation data center or lease dedicated servers must be just as careful.
Auditing Data
I encourage businesses to audit their infrastructure and data periodically to discover what data they are storing and why they are storing it?
What data is stored on your servers? Discriminating between the type and sensitivity of data is vital, and there’s no way to know what protections are appropriate without an understanding of what is being stored.
Where is the data stored? Many businesses take advantage of a range of infrastructure hosting solutions, from colocated servers to cloud storage platforms, each with characteristic security and privacy concerns. Understanding where data is stored is just as important as knowing what is stored.
What controls are in place? How is access and authentication managed? Who has access to the data and what are they able to do with it? Is access being logged? If so, where are the logs stored and who has access to them? Is the data stored in compliance with relevant regulatory frameworks?
Who is responsible for the data. The easiest way to lose track of data is for no one to be responsible for it. If no one is responsible, the risk of the data going unmonitored and improperly controlled increases.
Data that isn’t understood or used by the business is known as dark data, and it’s a growing problem. The solution is for businesses to be mindful about what they store and why they store it. Store data with a purpose: it’s better to get rid of data you don’t need than to store sensitive data without the proper oversight.