DATA SECURITY GLOSSARY
access control
An intelligent system that grants and denies permissions to access data, and continuously reviews whether existing permissions are appropriate.
active data collection
Collecting data about a person or organization with their knowledge, such as making them fill out a form emblazoned with your logo.
Compare with passive data collection, which happens without the entity’s knowledge.
adequate level of protection
An organization’s overall security posture, including its choices of security solutions, that demonstrate whether its commitment to security is commensurate with the risk and magnitude of harm resulting from loss, unauthorized access, or mutation of the data. Falling below an adequate level of protection might give grounds to a lawsuit alleging negligence.
The GDPR narrowly defines “adequate level of protection” as a European Commission decision that a non-EU country offers a similar level of protection for personal data as the EU for the purposes of cross-border data transfers.
anomaly
A mismatch between routine and expected behavior of a user or organization, and the observed actual behavior. An anomaly could be a signature of an attack.
anonymization
The process of removing personally identifiable information (PII) from data so that the data can no longer identify its source.
anonymous data
Data that does not contain any personally identifiable information (PII).
The GDPR does not apply to anonymous data.
appropriate safeguards
The collection of security products, people, and techniques that reduce a system’s vulnerability to threats, which is commensurate with the risk and magnitude of harm resulting from loss, unauthorized access, or mutation of the data.
The GDPR narrowly defines “appropriate safeguards” as one of several written legal terms (such as standard contractual clauses) required to perform cross-border transfers of personal data.
audit trail
A continuous record of events (such as API calls) that answers questions such as what data was attempted to be accessed when, and by whom.
auditing
A manual or automated examination of records for a specific purpose.
Examples of audits include access audits, which determine whether users and third parties have appropriate permissions, and certification audits, which determine whether an organization's employees follow its written procedures.
authentication
The process of verifying the user is who they purport to be.
Compare with authorization, which is the process of verifying what data the user may access.
automated processing
Using computers to analyze data and make decisions.
The GDPR restricts the use of purely automated processing from making important decisions about people’s rights and freedoms.
A common paradigm is having a “human in the loop” to review the results of automated processing.
availability
Timely and reliable access to data by those authorized to access it.
brazil general data protection law
A Brazilian law similar to the GDPR that applies to data processing taking place in Brazil or targeting its people.
Organizations must report incidents within 2 working days. Fines can reach up to 2% of an organization's revenue, with a limit of 50 million reals per violation.
Official text: LEI Nº 13.709, DE 14 DE AGOSTO DE 2018
casb
Software that enforces security policies across hybrid and multi-cloud environments.
ccpa
An acronym for the California Consumer Privacy Act, which applies to businesses operating in California that control the personal information of California consumers.
Breach fines are up to $2,500 per accidental violation per consumer, $7,5000 per intentional violation per consumer, and there is a private right for consumers to sue separately.
The CCPA was amended by the California Privacy Rights Act (CRPA), which added a notification requirement. Notification of an incident must take place “without unreasonable delay.”
Official summary: California Office of the Attorney General
Official text: California Civil Code Title 1.81.5.1798.100
cdo
An acronym for the Chief Data Officer, the senior executive responsible for their organization's data strategy.
A data strategy might include its policies on data sources, quality, business value, and lifecycle.
ciso
An acronym for the Chief Information Security Officer, the senior executive responsible for their organization's information security strategy.
An information security strategy might include identifying all the data and assets of the organization, creating and practicing strategies to protect it, detecting vulnerabilities and potentially malicious activity, and responding to threats.
cpo
An acronym for the Chief Privacy Officer, the senior executive responsible for their organization's compliance with privacy laws and programs.
csp
An acronym for cloud service provider, the largest of which are AWS, Microsoft Azure, and Google Cloud Platform.
More than 90% of enterprise organizations store data in one or more clouds. For those organizations, a frictionless cybersecurity strategy requires real-time, multi-cloud visibility and response.
certification
A declaration by an independent, third-party auditor that it has reviewed the organization's records and determined that the organization meets certification standards such as SOC 2 or ISO 27001.
cloud native database
A database managed by a cloud service provider.
Examples offered by AWS include Amazon Aurora, Amazon Relational Database Service, Amazon Neptune, and Amazon Timestream.
confidentiality
Preserving and enforcing restrictions on data access and disclosure.
consent
Consent is one of six legal bases for an organization to process someone’s personal data under the GDPR.
However, under the GDPR, consent may be revoked at any time.
Therefore, organizations that prefer consistent access to personal data should rely on the other legal bases.
cross border data transfer
The transfer of data across national borders.
Cross-border data transfers might be governed by data localization and data protection and privacy laws, depending on the origin, destination, and type of data being transferred.
cybersecurity
Prevention of damage to IT systems and data stored on those systems, to ensure the data’s availability, integrity, and confidentiality.
ddr
Any acronym for data detection and response.
DDR continuously analyzes data activities within an organization's multi-cloud environment to detect anomalies, unauthorized access, and potential vulnerabilities in real time.
DDR is the evolution of antivirus software (which only scans for virus signatures) and DLP software (which only enforces data limited policies in certain environments).
DDR functionality is an essential component of a DSPM solution.
dlp
An acronym for data loss prevention.
DLP solutions have been superseded by DSPM solutions.
An example of a DLP rule provided by a solution is: “If a Microsoft Excel spreadsheet contains US Social Security numbers, users will not be able to attach that spreadsheet file to a Microsoft Outlook email.”
DLP is limited by the number of environments supported, the up-front labor required to identify and tag sensitive data, and the types of actions it can prevent.
dpa
An acronym for data processing agreement.
A DPA is a written contract between a data controller and a data processor that it hires to process data it controls.
If data is protected by the GDPR, then a DPA is required to hire the data processor.
dpo
An acronym for Data Protection Officer, a role that is required by the GDPR for organizations that process data of people in the EU on a large scale.
drm
An acronym for digital rights management.
DRM is the management of access to mass-distributed digital content, such as software, using encryption.
data bill of materials (DBOM)
A DBOM provides a clear and concise record of all the data that has been used in the creation and operation of your Generative AI models.
data breach
The unauthorized disclosure, theft, loss, mutilation, or destruction of data.
data breach notification
A legal requirement that organizations notify government authorities and affected persons of a data breach, often within a limited period of time that begins when the breach or cybersecurity incident was discovered.
data broker
An organization that engages in the collection of other people’s data for resale and profit.
data catalog
A universal, deduplicated list of every data class an organization intends to store (such as employee names and employee addresses), and where the organization intends to store it.
A frictionless data security solution quickly builds and updates data inventories, which are lists of what data the organization actually has. Data inventories verify the accuracy of and compliance with the overall data catalog
data categorization
Identification of data based on its attributes and properties.
For example, assuming there are no dashes, the data categorization of a 9-digit number could be either a US Social Security number, a US mailing Zip+4 code, or none of the above, depending on its context. If the context of the data is a list of addresses, the data is likely to be Zip+4. However, if the context of data is non-US addresses, then the data classification is some other data class.
Legacy data discovery and classification solutions rely on regular expressions that categorize 9-digit numbers as Social Security numbers. Therefore, they are unable to perform data categorization with accuracy, leading to many false positives, which makes them difficult and time-consuming to use.
A frictionless data discovery and classification solution uses automated reasoning to perform data categorization efficiently and accurately.
data class
A description of a type of data.
Examples of data classes might include “employee Zip codes” and “employee mailing addresses.”
data classification
Identification of how sensitive the data is.
Data classification informs a data security team of how to prioritize their data security efforts across their organization. Examples of how sensitive data is can include severity ratings such as low, medium, and high.
Data classification is nuanced. For example, a number that resembles a US Social Security number might not be sensitive if it is test data, because it is of no value, and needs minimal security. However, intellectual property might be critically sensitive, even if it is unique to a single organization, and requires the greatest attention from the security team.
Legacy data discovery and classification tools rely on predefined regular expressions that are unable to understand the nuances above. Therefore, they often arrive at incorrect sensitivity ratings. A fictionless data discovery and classification solution uses automated reasoning to categorize data accurately, using its business context.
data controller
A GDPR term that refers to a person or organization that determines the purposes and means of processing (from collecting to storing) personal data.
data flow
The movement of data throughout its lifecycle, from collection to use to archival storage and, in some cases, deletion.
data flow diagram
A visual representation of data flow through one or more IT systems throughout the data’s lifecycle.
There are two types of diagrams. The first is how the data should flow, which is used to define a data lifecycle policy. The second is how the data actually flows, which is used for detecting potential vulnerabilities such as inappropriate permissions and attacks such as data exfiltration.
Frictionless data security solutions provide real-time data flow diagrams, which help security teams quickly understand potentially problematic data flows.
data inventory
One of potentially many lists of data within a boundary (such as an Amazon S3 bucket, an IT environment, or a cloud region).
A frictionless data security solution builds and updates data inventories in real time, and enriches them with details such as the data’s overall sensitivity, importance of the organization's business importance, regulations that might apply to the data, and other details.
data localization
A legal requirement that organizations must locate certain data in a specific geopolitical location (often called “data sovereignty”) and, if transferred or copied outside of that location, the organization must adhere to certain rules.
75% of all countries have some data localization laws.
data loss
The exposure of data, whether sensitive or not, through either data theft or other means.
data minimization
A principle from GDPR Article 5.
Data minimization means that processing of personal data shall be adequate, relevant, and limited to what is necessary in relation to the purpose of the processing.
data processing
Under the GDPR, data processing is any operation performed on personal data, including collection, storage, use, or disclosure.
A data controller (for example, an organization) determines the purposes and means of processing personal data.
data processor
Under the GDPR, an organization may hire a third party to help it process data. The organization that possesses the data is called the data controller. The third party hired is called the data processor.
data protection
In North America, data protection ordinarily refers to data security: protecting the confidentiality, integrity, and availability of data.
In the EU, data protection ordinarily refers to what North Americans call data privacy: the rights of people whose data is processed by organizations.
data protection impact assessment
A DPIA is a written document that describes how data will be processed, for what reasons, the risks to the rights and freedoms of people whose data is processed, and the security measures to mitigate those risks.
DPIAs might be required under the GDPR, CPRA, or other applicable data protection laws.
data protection principles
A set of principles that govern the use of personal data set forth in GDPR Article 5.
data residency
The physical and geopolitical location where data is stored, which might be a strategic decision.
For example, data residency in some countries might benefit from their financial secrecy laws, whereas data residency in other countries might give that country’s government access to the data.
Data residency can be informed by data localization laws.
data security posture management (dspm)
Software that shows where sensitive data is, who has access to it, how it is being used, and how sensitive it is.
Due to data sprawl in multi-cloud environments, not all DSPM software can keep pace with data sprawl and constant changes to access management, leading to blind spots. Frictionless DSPM software can analyze changes to data in real time.
data sprawl
An exponential and often uncontrolled increase in the amount of data that organizations create and store.
For example, 90% of all data was generated in the last two years.
data store
Any data repository, whether object, block, or file storage, or a database, data warehouse, or data lake, that allows for the retention of and access to data.
data subject
A natural person who is identified or is identifiable, directly or indirectly, by reference to some data.
data theft
Data loss that occurs due to a malicious actor, as opposed to data loss that occurs due to a non-malicious misconfiguration or mistake.
eu us data privacy framework
A data transfer framework that replaces the EU-US Privacy Shield.
The European Commission declared that the EU-US Data Privacy Framework provided adequate protection for cross-border transfers in 2023.
encrypted data
Cryptographic transformation of data in plaintext into ciphertext to prevent the data from being read by anyone but intended recipients. Those possessing the encryption can decrypt and read the data.
european data protection board
A board composed of the heads of Europe’s national data protection bodies, it enforces data protection law at the national and cross-border levels.
european data protection supervisor
An authority that monitors EU institutions’ compliance with the GDPR.
exact matching
A 100% similarity between the data class being sought and the data scanned.
exfiltration
The unauthorized transfer of data from an IT system.
finra
An acronym for the US Financial Industry Regulatory Authority, which regulates brokers.
FINRA has breach notification rules and enforcement powers related to cybersecurity incidents.
false positive
An erroneous result. For example, a discovery and classification tool using regular expressions might mark every 9-digit sequence as a US Social Security number. However, US mailing ZIP+4 codes are also represented as 9-digit numbers. The solution might erroneously classify all ZIP+4 codes as Social Security numbers. All those classifications are false positives.
The opposite of a false positive is a false negative. An example of a false negative is a US Social Security number that was not detected by the solution, even though it was a 9-digit sequence.
fuzzy matching
A less-than-100% similarity between a data class sought and the data scanned.
gdpr
An abbreviation for the EU’s General Data Protection Regulation, which was the first law to enumerate the rights of “data subjects” – natural persons in the EU whose data was collected and processed by organizations.
The GDPR also imposes rules on “data controllers and processors” – the organizations with other people’s personal data.
The GDPR requires organizations to notify their national data protection authority within 72 hours of a breach.
Each violation can be punishable by fines of up to 10 million Euros or 2% of an organization’s entire annual global turnover (revenue), whichever is higher.
Full text: General Data Protection Regulation (GDPR)
glba
An abbreviation for the US Gramm-Leach-Bliley Act, which protects the nonpublic information on consumers obtained by financial services providers and is enforced by the Federal Trade Commission.
The Gramm-Leach-Bliley Act applies not only to traditional lenders such as banks, it also applies to retailers, universities, auto dealerships and carmakers, and any other business that lends money to consumers.
Each violation can be punishable by fines up to $100,000 per violation. Individuals in charge might be fined up to $10,000 per violation and subject to criminal prosecution and up to 5 years in prison.
Federal Register: Privacy of Consumer Financial Information Rule Under the Gramm-Leach-Bliley Act (2021)
ghost data
Secondary copies (such as backups or snapshots) of primary resources that no longer exist. The organization’s IT team might have forgotten that the secondary copies still exist. Those secondary copies might no longer be monitored by the IT team, creating unnecessary storage costs and potential vulnerabilities for exploitation.
hipaa
An acronym for the US Health Insurance Portability and Accountability Act, which introduced a Security Rule and a Privacy Rule for health care providers, insurers, and companies doing business with them that access their patient data.
HIPAA protects patient health information, abbreviated PHI.
hitech
An acronym for the US Health Information Technology for Economic and Clinical Health Act, which amended HIPAA by adding the health breach notification rule.
HITECH also added a tiered list of fines and prison sentences for violations of the HIPAA privacy rule. They include up to 10 years of imprisonment for a HIPAA violation with the intent to sell, transfer, or use identifiable health information for commercial advantage, personal gain or malicious harm.
health breach notification rule
A rule in HIPAA, introduced by HITECH, that defines a reportable breach, and when to notify affected individuals, the media, and Health and Human Services.
Breaches are subsequently investigated by the Health and Human Services Office of Civil Rights.
Summary: Health and Human Services Breach Notification Rule
List of: Breaches under investigation
irm
An acronym for information rights management, which is a subset of DRM.
IRM solutions encrypt documents and spreadsheets so that they are generally inaccessible, even if exfiltrated by a threat actor. However, a user specifically authorized by the IRM solution can access the secured document or spreadsheet.
iso 27001
An industry-agnostic security standard that is popular in Europe.
Organizations achieve certification through a third-party audit.
Standards (behind paywall): ISO/IEC 27001:2022
information security policy
A required policy document for multiple compliance certifications (such as SOC 2 and ISO 27001) that defines, at a high level, the who, what, where, why, and how an organization approaches its information security. Other policies are required to document specifics.
insider threat
A cybersecurity risk that has authorized access to data within an organization’s security perimeter.
Examples include an employee, contractor, vendor, or connected third party application.
A frictionless data security solution detects overprovisioned and improperly provisioned access to data, and well as unapproved data movement, in real time.
integrity
Ensuring that the data is authentic, and preventing the unauthorized mutilation or destruction of data.
Integrity can be verified through techniques such as tracing the lineage of the data and identifying whether it was changed at any time, how it changed, and who changed it.
least privilege
A security principle requiring each entity (such as a user or third party application) be granted only the minimum amount of access to data that it needs to perform its function.
Often, least privilege is enforced through quarterly audits, which might not detect a potential issue in time.
A frictionless data security solution can detect a history of unused permissions and propose remediation.
legal basis for processing
A reference to GDPR Article 6, which requires an organization to base its collection and use of data on 1 of 6 legal bases.
The most common legal bases are performance of a contract and legitimate interests of the organization.
mfa
An acronym for multi-factor authentication.
Multi-factor authentication verifies a user is who they say they are by requiring them to provide two or more independent credentials, such as: something they know (such as a password), something they have (such as a security token or authenticator app), and something they are (such as a fingerprint).
malconfiguration
A deliberate misconfiguration made by a malicious actor, as opposed to an ordinary misconfiguration or mistake made by a person without malice.
malware
Software inserted into an IT environment, usually without the IT team’s knowledge, with the purpose of compromising the confidentiality, integrity, or availability of an organization's data or otherwise disrupting the organization.
Ransomware is a type of malware.
managed database
A database service where a third party (such as a public cloud or managed services provider) is responsible for the database’s security, availability, and operation. In exchange for paying a managed service fee, the organization's IT team frees itself from database management tasks to work on driving business outcomes.
Compare with an unmanaged data store.
masked data
Previously sensitive data has been replaced with similar but fictitious data, for example, by using a substitution algorithm.
Masked data is used in environments where data should be realistic but not real.
metadata
A description of data, that does not include the actual contents of the data.
For example, a text file named customer_phone_numbers.txt contains fifty 10-digit phone numbers.
An example of the data is any of the phone numbers.
Examples of the metadata include: the file name, the file type, the file size in bytes, the times when the file was created and last modified, the number of rows in the file, the number of characters in each row, the type of characters in each row, and the fact that all of the rows have a similar set of characters.
misconfiguration
The most common cause of cybersecurity incidents. Misconfiguration involves an IT team or user accidentally selecting a configuration that creates a vulnerability. A common example is an IT team configuring their Amazon S3 bucket to accept public traffic, when it contains sensitive information.
misplaced data
Data that is stored in an unapproved location.
Common examples include: sensitive data stored in publicly accessible locations, sensitive data exfiltrated outside of the company’s data perimeter, and data about residents of one country located in another continent in violation of data localization rules.
A frictionless data security solution can establish and enforce trust boundaries. It not only discovers previously misplaced data, but also detects activity that could potentially create misplaced data in real time.
nist
An abbreviation for the US National Institute of Standards and Technology.
NIST is a government agency that promotes national innovation by advancing technology.
For example, NIST publishes frameworks to help organizations understand and improve their management of cybersecurity risk.
npi
An abbreviation for nonpublic personal information as defined by the GBLA.
NPI is any personally identifiable financial information that a financial institution collects about an individual in connection with providing a financial product or service, unless that information is otherwise publicly available.
nydfs cybersecurity regulation
The New York State Department of Financial Services (NYDFS) Cybersecurity Regulation covers any organization regulated by that department. It requires organizations to follow a regular schedule of reporting and conducting risk assessments, among other requirements.
NYDFS requires notification within 72 hours after an incident. Past settlements for cybersecurity-related violations include fines in the millions of dollars.
Summary: NYDFS Cybersecurity Resource Center
negligence
Grounds for a fine or lawsuit.
A complaint of negligence alleges that an organization had a duty to secure its data or follow relevant laws or industry standards, but failed to do so, and the failure caused harm to a stakeholder (such as customers or citizens whose sensitive data was disclosed, or shareholders who suffered a loss in corporate value).
notice at collection
A CCPA requirement to give notice to consumers that: an organization is collecting information about them, the purposes of that collection, and the retention period.
obfuscated data
Previously sensitive data that has been “de-identified” through techniques such as masking, encryption, and/or tokenization to remove the PII.
Obfuscated data exfiltrated as part of a security incident has no value to a threat actor.
opt in
A demonstration of a user’s affirmative consent, normally through an active choice (such as clicking a button labeled Accept).
opt out
A demonstration of a user’s revocation of their consent, normally through an active choice (such as clicking a button labeled Unsubscribe).
pci dss
An acronym for Payment Card Industry Data Security Standard.
PCI DSS is a set of security standards for organizations handling credit card data. Compliance is required by major credit card brands such as Visa and Mastercard.
Organizations demonstrate compliance by completing third-party audits.
Standards: PCI DSS
phi
An acronym for protected health information, which is protected by HIPAA.
PHI is any information that can identify an individual and was created, used, or disclosed in the course of providing a health care service.
Not all medical data is PHI. For example, an employee file that contains medical data would ordinarily not be PHI, because most employers do not provide healthcare to employees.
pii
An acronym for personally identifiable information, originating from NIST.
PII is any information that can be used to identify a person.
passive data collection
Collecting data about a person or organization without their knowledge, such as crawling their public filings and social media accounts, and purchasing information about them from data brokers.
Compare with activity data collection, which happens with the entity’s knowledge.
purpose limitation
A CCPA requirement that organizations limit their usage of consumer data to the purposes disclosed to the consumer at time of collection (unless the organization provides a subsequent notice to the consumer).
ransomware
A type of malicious attack where threat actors gain access to an organization’s data and exert control over its data in some way (whether via encryption or threatened public release) unless the organization pays a ransom.
Less than 50% of organizations that pay ransoms actually receive their data back. Therefore, organizations must invest in identification, protection, detection, and response solutions to protect their data.
retention
The length of time an organization retains different categories of data, which is often set by a data retention policy.
Some regulations require indefinite retention of certain data (such as SEC Rule 17a-4’s requirement to preserve electronic records in a “non-erasable format”).
Other regulations require the deletion of certain data (such as the GDPR’s “right to be forgotten”).
right of access
A right established by GDPR Article 15 for a person in the EU to ask an organization to provide the data they have about them.
right to correct
A reference to the “right to rectification” established by GDPR Article 16 for a person to request an organization to provide a rectification of inaccurate data about them.
right to deletion
A reference to the “right to erasure” established by GDPR Article 17 for a person to erase data about them in certain limited conditions.
right to be forgotten
A reference to the “right to erasure” established by GDPR Article 17 for a person to erase data about them in certain limited conditions.
right to be informed
A legal duty arising from the GDPR, CCPA, and similar laws to inform people approached for data collection with basic information including who is collecting the information and for what purpose.
risk assessment
A cybersecurity risk assessment identifies, estimates, and prioritizes risks to an organization’s IT systems.
Regular risk assessments are required by certain laws and certifications.
soc 2 (service organization control type 2)
A cybersecurity framework developed by the American Institute of Certified Public Accountants (AICPA) to help organizations protect customer data from unauthorized access and other threats. SOC 2 audits are voluntary and assess an organization’s controls around the Trust Services Criteria: Security, Availability, Processing Integrity, Confidentiality, and Privacy. Achieving SOC 2 compliance demonstrates a company’s commitment to data security and builds trust with customers.
sox
An abbreviation for the Sarbanes-Oxley Act.
sarbanes oxley act
A US law that requires publicly-traded companies to report on material risks enforced by the Securities and Exchange Commission (SEC).
The SEC has increased its attention toward cybersecurity risks, including issuing a rule that material incidents must be disclosed within 4 business days.
sensitive data
See sensitive information.
sensitive data discovery and classification
The automated or manual capability to scan a large volume of data to pinpoint exactly what data is sensitive, and why it is sensitive (e.g., what is its categorization, what is its classification, and which law protects it).
Legacy discovery and classification tools use predefined regular expressions in the form of “nine digits equals a US Social Security number.” These regular expressions create many false positives (for example, many other types of data can be nine digits, including synthetic and test data). The volume of false positives causes many organizations to constantly re-tune their regular expressions before abandoning their discovery and classification efforts.
Frictionless data discovery and classification solutions apply automated reasoning to learn the sensitivity of data as they scan. This means fewer false positives, along with insights that include intellectual property and trade secrets unique to the organization.
Frictionless data discovery and classification is an essential component of a DSPM solution.
sensitive information
Data that, if lost, misused, accessed without proper authorization, or mutilated, could adversely affect an organization’s interests, the conduct of its programs, or the privacy of its stakeholders.
NIST originally defined “sensitive information” to refer to information that, if involved in an incident, could adversely affect the interest of the US or the conduct of its federal programs, or the privacy of federal employees.
sensitive personal information/data
Lists of specific types of personally identifiable information that governments consider more sensitive than normal, and are subject to more restrictions.
Examples of sensitive personal data (SPD) defined by the GDPR include political opinions and trade union membership.
Examples of sensitive personal information (SPI) defined by the CCPA include financial account information and precise geolocation data.
shadow it
Any IT resource not approved by an organization’s IT team that members of the organization use to store or access the organization's data.
An example is an employee uploading the organization’s data to ChatGPT for help preparing a report (when the organization has not approved the use of ChatGPT).
shadow saas
Any software as a service that is not approved by an organization's IT systems, but is connected to the organization's data.
An example is an employee logging onto their personal Microsoft OneDrive from their work laptop, which then automatically backs up data from their work laptop to OneDrive.
stale data
Data that is outdated or otherwise no longer needed by an organization but that continues to reside in storage.
More than 50% of an organization’s data could be stale due to data sprawl. Stale data is expensive to store, and might be less frequently monitored, making it potentially vulnerable. Decisions accidentally based on stale data, particularly security-related data, could introduce additional risks.
structured data
Data in a standardized format.
Each data element has the same or similar characteristics, such as rows in a SQL table.
tokenized data
Previously sensitive data that has been replaced with a unique token value.
The token can be used to securely look up the original, sensitive data at any later time.
Tokenization is a common practice in financial services and health care.
unmanaged data stores
A data store that an organization’s IT team manages itself, and takes on the responsibility for foundational management tasks, including purchasing their own licenses, tuning performance, installing patches, and configuring and testing backups.
An example on AWS would be an organization running their own database on the compute provided by Amazon EC2 and storage provided by Amazon EBS.
unstructured data
Data in an unstructured format, where each data element can have different characteristics the the previous data element.
An example is the contents of an Amazon S3 bucket, where documents, slides, images, and video are stored together.
vulnerability
A weakness in an information system that could be exploited by a malicious actor.
Common vulnerabilities include insecure configuration of cloud resources, over-permissive access granted to users and third party applications, and insecure secrets storage.
A frictionless data security solution can detect and remediate common vulnerabilities including the ones mentioned.