Securing sensitive information is an important concern for any enterprise or organization. The sensitive information may be scattered in different data stores across the enterprise, such as databases, flat files, directories, unstructured data stores, and semi-structured data stores. As a result of the distributed nature of data within an enterprise, it is difficult to identify which data stores contain sensitive information and what measures have been employed to protect this sensitive information.
It is imperative that a user have an aggregate view of the presence and security of the sensitive information across an enterprise. This aggregate view needs to be tied to business attributes within the enterprise, for easy classification, analysis, and remediation. Example business attributes may be regions where the enterprise operates, departments such as Engineering, Human Resources, and Finance, or divisions based on product areas. The enterprise-wide aggregate view needs to be further augmented with details that go deeper into where the sensitive information was found, what the nature of the sensitive information was, and what actions were taken to secure it.
There are many methods that can be adopted to protect sensitive information in an enterprise. For example, certain transformations can be applied to particular data types within databases. Other transformations or permission controls may be applied to flat files. In order to have uniform corporate-level conformance, it is important that a single set of policies be applied for each type of data that needs to be protected.
Therefore, there is a need for a method and system for providing a global view of sensitive information across an enterprise. Also, there is a need for a method and system for reporting on sensitive information along with business attributes associated with the sensitive information. There is also a need for a global method of setting policies for protecting different types of sensitive data.