Hean Tech


Handling Sensitive Information

Modern knowledge bases like Confluence are great things. They let us store and track information and make it incredibly easy to share it with our teams. While Confluence makes this process easy, sometimes it can make it TOO easy, allowing someone to accidentally share sensitive information.

We’ll dig into this problem, as well as how tools like SecurEnvoy (learn more here, and get a free trial) can help organizations mitigate the risk of sensitive information getting out.

The Problem

We’re in the information age - and information is everywhere. Fortunately, tools like Confluence help us focus that information into usable formats. While this is a great thing, it can end up hurting us if sensitive information gets shared with folks who shouldn’t have it. This information can run the gamut from business plans and project documents to personally sensitive things like Personally Identifiable Information (PII), health records, immigration information and more.


Tools like Confluence can also surface information to individuals outside your organization in the form of help center articles, product updates and more. This presents the possibility of sensitive information being exposed publicly, which is substantially worse than if it was only exposed to an internal audience.


Many modern systems do not have built-in tools to either prevent this information from being added in the first place or identify it once it’s in there. This creates a massive headache for groups that use these systems - how do you ensure your system does NOT contain sensitive information?

Solutions

There are several ways this problem can be addressed.

Manual reviews

Get a group of people, teach them what to look for, and let them loose. After a time (typically determined by the size of your database) they’ll come back with their results.

  1. Advantages

    1. Anyone can do this - Just get some folks, train them on what to look for, and tell them what to do when they find it.

  2. Disadvantages

    1. Cost - This requires a large amount of person-hours to perform. You’ll either be pulling resources from other, more important, tasks, or hiring outside help to do it.

    2. Risk - Even the best-trained individual can miss things, so you are exposing yourself to the risk they’ll miss something. In the realm of compliance this can be an incredibly costly mistake.

    3. Continual effort - Your knowledge base is constantly changing, and these types of audits are only helpful for a point-in-time. By the time the audit is done, you may have to run another one.


Policy

Set clear policies and expectations so your team knows what information can be stored where.

  1. Advantages

    1. Compliance - Typically this type of policy is needed to ensure various compliance requirements (e.g. GDPR, SOX, etc) are met. Since you’ll need to be doing this anyway, make sure folks know about it.

    2. Deflection - Many times people make an honest mistake and include sensitive information somewhere they shouldn’t. Educating them on what is OK to post helps avoid those mistakes.

  2. Disadvantages

    1. It’s passive - A policy can help prevent sensitive information from being posted, but it can’t actively stop it, or find violations.

    2. Ignorance - Individuals may be unaware of the policy and violate it accidentally.


Active Scanning

Use a tool, like SecurEnvoy, to actively scan your knowledge base, file servers, etc. for potentially sensitive information.

  1. Advantages

    1. 24/7 scanning - SecurEnvoy provides real-time scanning that identifies and helps mitigate sensitive information in a range of places (Confluence knowledge bases, endpoints, file servers, etc.). And it doesn’t sleep.

    2. Active mitigation - SecurEnvoy can take actions to help mitigate the risk, including tagging resources for follow-up action, emailing individuals and more.

    3. Cost savings - Automated tools have a significant cost saving over manual audits (check out this case study of how a bank reduced scanning costs by over 93% by using SecurEnvoy).

    4. Accuracy - Scanning software won’t misread numbers or make similar mistakes. Once you’ve set up your rules (e.g. find credit card numbers) it will find them. Every time.

    5. Flexibility - SecurEnvoy lets you set up your own rules, for example searching for a project name or a unique character string. This allows you to define what is considered sensitive instead of being stuck with a set list.

  2. Disadvantages

    1. Setup cost - Active scanning tools have some type of setup cost (in time and dollars), however, they pay that back by 

    2. Administration - Someone needs to administer the tool (e.g. set it up, follow up on alerts). Some, like SecurEnvoy, however, are mainly “set-and-forget” - once you’ve set up the scanning jobs, just sit back and wait for alerts.
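As an added illustration of what a rule-based scan looks like (example code written for this page, not SecurEnvoy’s code or anything from the original post), here is a small Python scanner that runs a built-in credit card rule and a custom project-name rule over a constructed Confluence-style page and returns labels to tag the page for follow-up. “Project Nightjar” is an assumed codename, the page text is made up, and the Luhn check shows the accuracy point: digit strings that merely look like card numbers are not reported.

```python
import re
from dataclasses import dataclass


@dataclass
class Finding:
    rule: str      # name of the rule that fired
    match: str     # the text that matched
    line_no: int   # 1-based line in the page


def luhn_ok(digits: str) -> bool:
    """Luhn checksum: weeds out order ids and ticket numbers that look like cards."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:              # every second digit from the right is doubled
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


# Candidate card numbers: 13-19 digits, optionally separated by spaces or dashes.
CARD_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")


def card_rule(line: str):
    for m in CARD_RE.finditer(line):
        digits = re.sub(r"[ -]", "", m.group())
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            yield m.group()


def custom_rule(pattern: str):
    """Build a rule from a user-supplied pattern, e.g. a project codename."""
    rx = re.compile(pattern, re.IGNORECASE)
    return lambda line: (m.group() for m in rx.finditer(line))


RULES = {
    "credit_card": card_rule,
    "project_codename": custom_rule(r"\bProject\s+Nightjar\b"),  # assumed codename
}


def scan_page(text: str, rules=RULES) -> list[Finding]:
    return [Finding(name, hit, n)
            for n, line in enumerate(text.splitlines(), start=1)
            for name, rule in rules.items()
            for hit in rule(line)]


def tag_for_followup(findings: list[Finding]) -> list[str]:
    """Labels to apply to the page so a reviewer can follow up on each rule that fired."""
    return sorted({f"needs-review:{f.rule}" for f in findings})


# Constructed sample page; the card number is the well-known Visa test number.
SAMPLE_PAGE = """Onboarding notes (constructed sample, not a real Confluence page)
Customer paid with card 4111 1111 1111 1111, expires 12/27.
Internal codename for the Q3 launch is Project Nightjar.
Reference number 1234 5678 9012 3456 is an order id, not a card.
"""
```

Running `scan_page(SAMPLE_PAGE)` reports the card on line 2 and the codename on line 3, while the look-alike number on line 4 fails the Luhn check and is skipped.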

Path Forward

Focusing on a combination of policies and active scanning is the best way to help ensure your systems don’t accidentally expose sensitive information. Policies help reduce the chance that sensitive information gets introduced to your systems, while tools like SecurEnvoy help catch it if some sensitive info slips through.

Curious to learn more? Check out SecurEnvoy here (and get a free trial).