Organizations continue to collect and generate data faster each year, and it’s also easier than ever to move data around. The adoption of cloud services has enabled more users to access, copy, and move data to different locations with just a few clicks. Since data is constantly moving, however, it often ends up where it’s not supposed to be.
The reality is even teams with the best intentions and data governance processes deal with misplaced data. If a certain type of data is in the wrong environment or geographical location, this introduces security and privacy issues that impact the business.
In this article, we’ll discuss what misplaced data is and why it matters for organizations. We’ll also cover how a modern data security platform can prevent misplaced data.
What Is Misplaced Data?
Misplaced data occurs when any data moves from an approved environment to an unapproved environment. If unauthorized data is stored in an environment not designed for that type of data, this can lead to data leaks, security breaches, compliance violations, and other negative outcomes.
An easy way to understand misplaced data is to compare it to residential and commercial property zoning. There are strict rules about how different properties can be used based on how they’re classified to maintain overall order and efficiency. Similarly, data zoning defines the types of data that can be stored in certain locations to meet optimal data security and privacy goals.
The issue of misplaced data is becoming more prevalent as companies adopt more cloud services and fail to properly manage the subsequent data sprawl. If organizations aren’t proactively preventing misplaced data, they could face security, privacy, and compliance issues.
Why Managing Misplaced Data Matters
Here are some situations where it’s important to prevent misplaced data.
1. Keeping production data separate from non-production environments
The situation: Sensitive production data should not be stored in non-production environments — such as different development, testing and staging environments — but misplacing data in this way can happen often. For example, engineering teams might fully replicate production data stores for testing and research purposes, inadvertently misplacing sensitive data in non-production environments.
The consequences: Non-production environments are inherently less secure and less monitored than production environments. They might also be accessible internally by unauthorized employees, exposing the misplaced data to additional risks.
2. Adhering to PCI compliance requirements for sensitive data
The situation: According to PCI DSS requirement 3.2, sensitive authentication data (SAD) should not be stored after authorization, even if the data is encrypted. Any pin codes, magnetic stripe data, CCVs, and other data related to the authorization process should be immediately discarded unless there is a legitimate business need to store it. In addition, PCI data that can be retained should only be stored in a dedicated PCI environment.
The consequences: PCI compliance, especially the requirements related to the storage of sensitive data, is important for maintaining credibility. If card information is accidentally stored during the payment authorization process, this misplaced data can violate PCI data storage rules. Failure to adhere to PCI requirements can lead to loss of reputation and fines.
3. Ensuring data is stored in appropriate geographical location
The situation: There are many regional data privacy laws with data sovereignty clauses. Some have restrictions in place that do not allow a citizen’s data to cross borders. Other laws allow for cross-border data transfers, but only if the receiving country has similar protections in place for the data.
Here are three examples of regional privacy laws with data sovereignty clauses:
- China Cybersecurity Law Article 37 requires important data and personal information collected from users to be stored within the country’s mainland territory.
- General Data Protection Regulation (GDPR) Article 45 only allows personal data to be transferred from the European Union (EU) to third countries, territories, or international organizations with adequate protection.
- Personal Information Protection & Electronic Documents Act (PIPEDA) permits data transfers to third parties outside of Canada only if the receiving country, such as the US, has equivalent data security measures in place.
The consequences: When data moves outside the appropriate geographical location, the business might violate regional data privacy laws. The consequences for violating these laws range from warnings or fines to large penalties and revoked business licenses.
Preventing Misplaced Data with Cyera
Cyera is a data security platform that provides deep context on your data, applying correct, continuous controls to assure cyber-resilience and compliance. Here’s how the platform can prevent misplaced data.
Classifying data based on sensitivity level and potential risk
Cyera provides context on the identifiability of data, telling us that the data is linkable to a specific individual. Data classification also helps determine the sensitivity level of data and whether there’s a mismatch between the type of data and where it’s stored.
The platform generates contextual information about the data, such as the use of encryption (data-level encryption) and what obfuscation methods were applied– for example–truncated, tokenized, or some other format.
Identifying overly permissive access
Cyera flags when access changes are made to a data store, such as when a non-production environment meant for specific employees becomes accessible to all internal employees. By raising this issue, Cyera helps prevent engineers from inadvertently leaking sensitive data that might have been copied from production into non-production environments.
When identifying overly permissive access, Cyera provides information about the impacted data store, sensitivity of the data in the data store, and remediation guidance to resolve the issue. This helps organizations understand and remediate misplaced data issues before they lead to a security incident.
Detecting the presence of credentials in a data store
Cyera flags when credentials like passwords and encryption keys are stored in plaintext.
An environment may have a security policy that specifies that credentials be protected via encryption methods. By leveraging Cyera to identify policy violations, you can ensure the correct obfuscation methods are applied to credentials.
Preventing resident data from crossing borders
Cyera can help customers understand when data has been inadvertently transferred outside of China’s borders to meet the requirements of China Cybersecurity Law Article 37. This becomes an issue of misplaced data that can be addressed with effective zoning policies.
When data is hosted in another country such as in the US, Cyera can identify the data as personal information, determine the jurisdiction of that data (such as China), and flag that the data has drifted outside of its permitted zone. These capabilities can help ensure compliance with data sovereignty clauses found in GDPR, PIPEDA, and other regional data privacy laws.
Stopping misplaced data in real time
Cyera can catch data as it leaves an approved environment in real time.
For example, when EU resident data leaves a repository hosted in the EU, Cyera triggers an alert and assigns it a severity score for quick remediation. This allows you to discover and stop misplaced data violations in its tracks.
Let Cyera Keep Your Data Where It Belongs
Data is constantly moving and changing, and this often leads to data in the wrong places. Misplaced data can introduce security, privacy, and compliance risks if organizations aren’t proactively preventing it.
Cyera’s data security platform provides deep context on your data, applying correct, continuous controls to assure cyber-resilience and compliance.
Cyera takes a data-centric approach to security, assessing the exposure to your data at rest and in use and applying multiple layers of defense. Because Cyera applies deep data context holistically across your data landscape, we are the only solution that can empower security teams to know where their data is, what exposes it to risk, and take immediate action to remediate exposures and assure compliance without disrupting the business.
To learn more about how Cyera can help you prevent misplaced data, schedule a demo today.