Featured content

In our “Tips from the Pros” series, we’ll be the presenting interviews we’ve conducted with working IT professionals. These are the admins and managers responsible for security, access, and control of human-generated data—the fast growing digital element in organizations today. In this inaugural post, we spoke recently with one of our customers about managing large file shares and permissions.

One of the important points we make in our recently published Information Entry

Any seasoned IT pro will tell you: auditing file and email activity is hard. You’ve got a production Exchange or SharePoint server being pounded on relentlessly by users all day long and now you want to turn on auditing to capture crucial metadata, but you’re worried about taxing the box and running out of disk space storing all the audit data. Dilemma.

Unlike business application data, like a billing database or CRM system, or machine-generated data, such as the log files that servers generate, human-generated data is comprised of the emails, Word documents, spreadsheets, presentations, images, audio, and video files that we create and share with other people every day.

After finishing up some research on personally identifiable information I thought, mistakenly, that I was familiar with the most exotic forms of PII uncovered in recent years, including zip code-birth date, movie ratings and other consumer preference information, social network relationships, and facial images. And then I came across an article in Forbes that forced me to add one more to the list: pictures of automobile license plate numbers.

To my mind, HIPAA has the most sophisticated view of PII of all the US laws on the books. Their working definition encompasses vanilla identifiers: social security and credit card numbers, and all the other usual suspects. With the additional words “reasonable basis to believe that the information can be used to identify the individual”, HIPAA’s definition takes in digital handles such as emails, IP addresses and even facial imagery. But there’s a little more to HIPAA’s PII definition, and it applies specifically to free form text (commonly found in word processing documents, spreadsheets, presentations, etc.)

Personally identifiable information or PII is pretty intuitive. If you know someone’s phone, social security, or credit card number, you have a direct link to their identity. Hackers use these identifiers, along with a few more personal details, as keys to unlock data, steal identities, and ultimately take your money. In some of my recent blogging, I’ve referred to the blurring of lines between PII and non-PII data. Case in point: it’s been known for at least 10 years that there are specific pieces of data, which in isolation may appear anonymous, but when taken together they’re just as effective at identifying a person as traditional PII.

Biometric data is at the limits of what current personal data privacy laws consider worthy of protection. This type of identifier covers fingerprints, voiceprints, and facial images. While the risk factors are not nearly as threatening to consumers as more traditional PII, they do exist. Until recently, the dangers of biometric identification using DNA were more theoretical than real. That has suddenly changed. An article in The New York Times last month put a spotlight on research that proved the feasibility of identifying a person—getting a specific name and address—all from a DNA sequence posted online.

While I was conducting some research on compliance laws for a customer, I found myself reviewing the penalties written into the 1996 Health Information Portability and Accountability Act, otherwise known as HIPAA. The act calls for health organizations “to maintain reasonable and appropriate administrative, physical, and technical safeguards to ensure the integrity and confidentiality of the information”. So far so good. But what happens when a hospital doesn’t comply with implementing these safeguards, or if a medical worker makes a wrongful disclosure by obtaining “individually identifiable health information relating to an individual”?

(This one entry in a series of posts about the Varonis Operational Plan – a clear path to data governance. You can find the whole series here.)

The mandate to every IT department these days seems to be: “do more with less.” The basic economic concept of scarcity is hitting home for many IT teams, not only in terms of headcount, but storage capacity as well. Teams are being asked to fit a constantly growing stockpile of data into an often-fixed storage infrastructure.