Metadata tells us vital information about a document like who authored it, when it was edited and when it was created. But, asks GARETH TUDOR, could metadata pose a security risk?
Metadata is data about data. It tells us who authored a document, when, what the document contains and where the file ‘fits’ in relation to other data. Metadata is important because it is a key enabler of data storage, retrieval and/or restoration – a vital requirement for any business in this era of exponential data growth. However, could metadata also be a security risk, giving hosted and outsourced storage providers inappropriate access to sensitive data?
Metadata is generated automatically by the applications used to create documents and files. These applications use standard protocols and data policies to generate basic information about the data. The created data files are then stored within the data structure of an organisation, and structural metadata is created. Whether the data is stored in-house, offsite or in the cloud, metadata is what allows stored data to be classified and identified. It’s a unique set of data that indicates where the data comes from and where it must go, and how it should be ordered, labelled and sorted. It also facilitates backup and restoration of files. Clearly it’s vital information to have to successfully manage data. The question asked repeatedly, however, is whether this information – on its own – poses a security risk.
The short answer is ‘no’. Just because the metadata can be read does not mean that the underlying data is available for reading. Any simple encryption tool should protect the underlying data. Furthermore, when data is backed up, it should be done over a secure connection with the data itself being encrypted and compressed before being stored on appliances or in a database. The metadata is used by the backend system to catalogue the backup, identifying and classifying the information being backed up. Like the ISBN number of a book which may tell us about the book but it does not expose the contents of the book, metadata acts as a list of contents (file and directory names, file sizes and file types) for the storage solution or service provider – it is not the actual data itself.
There are also many layers of security around backed up company data. It is usually stored within an environment accessible only to the customer organisation. Metadata may be requested by a client organisation user, but is usually only made available once the user has been authenticated and the connection (usually a Secure Socket Layer or SSL connection) is verified to be from a legitimate user. SSL provides protection against masquerading and eavesdropping. If data packets are sent to the user, they are likely to be encrypted, with SSL ensuring that no data modification occurs.
So is metadata a security risk? Metadata is useful. It is important and it needs to be safeguarded. However, it is merely an identifier. The right authorisation and security clearance is needed to access the data itself. While general users are unlikely to ever have to deal with metadata outside of a search for documents, it is beneficial to be aware of how important this data can be for backup and retrieval of files.
* Gareth Tudor, CEO of Altonet
* Follow Gadget on Twitter on @GadgetZA