A few weeks ago, the Okta breach captured the infosec headlines. Okta, the #1 identity and access management company, was breached. In the chain of events that transpired, the hackers found on the network a file containing the passwords of domain administrators. Yes, that’s right: domain administrator passwords — the keys to the kingdom. Yes, keeping such a file on disk is a really bad idea. Yes, it happens. And chances are that among the hundreds of thousands of files on your OneDrive or Dropbox or Slack, you probably have one, too. In fact, based on our experience, you probably have a bunch of them.
Humans are, well, human. Given enough people working with data, sensitive bits will invariably and accidentally end up in the wrong place and in the wrong hands. Sometimes it is a spreadsheet of passwords in a shared drive. Sometimes it is a secret key pasted into Slack. Sometimes it is a spreadsheet containing customer names, phone numbers, and emails shared publicly in Google Drive. And sometimes it is a dump of your entire CRM left lying around in an S3 bucket.
Each of the above represents a significant risk to your company. If you are a regulated business, it could be a business-destroying event. These days, vendors like Google and Microsoft are adding capabilities to help monitor for and protect against such situations. It is a very good idea to use such tooling where available.
But most modern data ecosystems are quite diverse. The misplaced sensitive data — that metaphorical or literal passwords.xls file — might be in an application database, or a warehouse, or an S3 bucket, or in Salesforce, or in JIRA, or one of hundreds of different places. What you really need is a single tool that watches over all these and protects you.
And wouldn’t it be nice if that tool were a SaaS service that works across your complex data ecosystem and sifts through large volumes of data without driving your AWS bill through the roof or requiring a small team of IT and InfoSec people to keep it running?
We make such a tool. Drop me a quick note if you’d like to continue the discussion.
Any opinions expressed here and statements made are not legal advice, nor representations or warranties, and are intended to promote discussion around technology and data protection.