Determining the Root Cause of a Data Breach With “The 5 Whys”

February 5, 2013

The jarring sound of an iPhone vibrating against a mahogany nightstand at 3:15am.  This can’t be good.  Server down?  Much worse: 50,000 sensitive files have been stolen from a poorly permissioned file server.  First, damage control.  Next, investigation.

Problem: 50,000 files were stolen.

Why?  The files were accessible to everyone in the company, even guests.

Why?  The folder’s access control list was configured incorrectly.

Why?  Chuck the intern configured that file server in 2007 and it hasn’t been reviewed since.

Why?  We don’t have a process to review file system permissions.

Why?  Because manually reviewing every folder’s ACL for problems is like searching for a needle in a haystack…and THERE’S ONLY THREE OF US AND A THOUSAND FILE SERVERS! SHEESH!

This fun little question-asking technique is called The 5 Whys.  It was developed by Sakichi Toyoda at Toyota to determine the root cause—and solution—to any given problem in the manufacturing process.  The technique has been borrowed by coders, sysadmins, and startup founders alike.

See, behind every technical problem is usually a human problem.

On the surface, it seems like the above fictional security incident was technical in nature – the ACL was configured incorrectly.  Deep down, however, the problem was the company’s non-existent entitlement review policy.

The 5 Whys technique encourages us to address the problem on multiple levels: fix the ACL, stop letting interns configure important systems by themselves, and institute a system for performing periodic entitlement reviews.

Sometimes it’s not feasible to immediately address every single problem uncovered, but 5 Whys suggests that if you make a proportional investment in the solution every time an incident occurs, you’ll eventually get to a point where you have an optimal level of protection against a given problem.  In our example, maybe you’d start by piloting entitlement reviews with a small business unit, or review just the super sensitive data sets.

The 5 Whys is an excellent technique for determining root cause so you can take reactive steps to ensure a problem doesn’t happen twice.  In my next post I’m going to talk about a new model for holistically evaluating your company’s risk profile so you can make proactive improvements.


Top 3 SharePoint Security Challenges

December 14, 2012

The rapid adoption of SharePoint has outpaced the ability of organizations to control its growth and enforce consistent policies for security and access control. The ease with which SharePoint sites can be created means that SharePoint use is decentralized and often outside the purview of IT departments, security personnel and even dedicated SharePoint administrators.

So what are the top 3 SharePoint security challenges?

1 – Organic and chaotic deployment of SharePoint sites

Pervasive departmental use of SharePoint means that all types of data make their way into SharePoint repositories. This data ranges in sensitivity and importance and may easily include human resources or product information. So the problem for organizations becomes not only identifying sensitive data but locating all SharePoint sites, existing and emerging.

2 – Ad hoc, complex permissions administration

The levels and types of permissions available with SharePoint are more complex than their NTFS counterparts, and the additional granularity and inheritance complexity creates more access levels and a high probability for erroneous or overly permissive access.

While access control decisions may be (rightly) left to the data owners through SharePoint’s permissions workflow, the complexity of its implementation often leads to inconsistency in ACL configuration and group assignment. Without strict auditing and oversight, permissions may be set in conflict with enterprise-level access policies, and may not include key business intelligence about why the access should be limited (e.g., content might be regulated or copyright protected).

3 – Limited, resource-intense auditing

Key to maintaining good access control over data is continuous monitoring of how data is being used. This is another challenge with a SharePoint environment. Microsoft SharePoint audit detail is geared toward helping site administrators manage content, not toward refining access policy. Consequently there is no way for SharePoint administrators to easily establish which users took what action on data.

The native auditing capabilities are also limited in terms of scalability across sites. “Normalizing” the data, i.e., creating a unified and accurate view of data use and access across sites and locations, is challenging and time-intensive. Exacerbating the problem is that files on SharePoint often make their way to other platforms like file shares and email – without a unified audit trail of activity, understanding how and by whom data is accessed in the collaborative environment can be a significant challenge.

Download our FREE guide to learn how to make sense of SharePoint permissions & lock down and monitor your sensitive data.


Using Varonis: Who Owns What?

December 13, 2012

(This is one entry in a series of posts about the Varonis Operational Plan – a clear path to data governance.  You can find the whole series here.)

All organizational data needs an owner. It’s that simple, right? I think most of us would be hard pressed to argue against that as a principle—the data itself is an organizational asset, so of course it’s not the Help Desk or AD Admin folks who own it, it’s the users or business units that should own it. Of course, that’s great in theory, but with 1, 5, 10, or even 20 years’ worth of shared, unstructured data, figuring out who owns data is far from simple, let alone involving those owners in any meaningful way.

Before we get into using Varonis to locate owners, I want to talk about why finding a single data owner can be such a problem. IT probably knows who owns the Finance folder.  It’s the CFO or a delegated steward. Same with HR, Marketing or Legal—these tend to be clearly-delineated departmental shares and it’s not hard to figure out whom to go to if we need an informed decision. (Regularly involving those owners in data governance is a different problem, and one I will cover in future posts.)  The identification for these folders is relatively straightforward.

But what happens if you need to find the owner of a folder that has a less obvious name? What if the folder’s name is a project ID, or an acronym of some kind? In my experience, a majority of unstructured data resides in folders that aren’t obviously owned by anyone.

IT then tends to try a few different things:

  • Check the ACL and see which groups have access. If it’s a single group with an obvious owner, that’s a likely candidate. If the ACL contains many different groups or a global access group like Domain Users, though, this tactic tends to fail.
  • Check the Windows owner under Special Permissions. This metadata can be helpful, but can also be a red herring since it’s often just set to the local Administrator of the server. Even if there’s actually a human user there (who likely created the folder), that value may be outdated or inaccurate.
Special Permissions Dialog
  • Check the owner of files within the folder. Same problems as above.
File Properties Dialog
  • Enable operating system auditing to identify the most active user. Anyone out there excited about turning on file level auditing in Windows? I have yet to talk to anyone who answers yes to this question because of the performance hit on the server as well as the storage required and expertise to parse the logs effectively.
  • Turn off access and see who complains. Not an optimal strategy when it comes to critical data.
  • Email the world and hope for a response. In general, people don’t want to take ownership of something without good reason, since it may mean more work. How confident are you that the proper owners (who may be at a management or director level) are going to know exactly which data sets their teams are using regularly? If they’re not sure, are they going to jump to take responsibility?

So finding owners is hard, let alone finding owners at scale. If you’ve got thousands of unique ACLs and you want owners for all of them (or at least the ones that make sense) you’re going to have to go through some version of this process for each one. It’s no wonder we haven’t done a good job of this over time. Thankfully, there’s a better way.

Step 4: Identify Data Owners

The key difference between attempting to solve this problem manually and attacking it intelligently with Varonis is the DatAdvantage audit trail. A normalized, continuous, non-intrusive audit record of all data access is a key piece of DatAdvantage, and it allows us to actually identify data owners at scale without having to hunt and peck. Once you start gathering usage data and rolling it up into high level stats you can start to see the likely owners of any data set, not just the obvious ones.

DatAdvantage gives you two straightforward ways to get this information: First, we can quickly take a look at a high-level view of a single folder within the Statistics pane of the DatAdvantage GUI. This will show us the most active users of a particular folder. We like to say that at most, you’re one phone call away, since if the most active user isn’t the data owner, they almost certainly know who is.

You can operationalize this process even further by creating a statistics report, which can be run on an entire tree or even a server. A single report can show the top users of every unique ACL, and it’s possible to set up advanced filters to make this even more useful—showing only users outside of IT or in a specific OU, for example. You can even add additional properties from AD to the report, showing each user’s department or line manager, if available. None of this is possible without constantly gathering access activity and providing an interface to combine it with other available metadata.
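The statistics roll-up described above, written out as an added Python example rather than code from Varonis or this post: it reads a constructed access audit trail, attributes each event to the nearest folder that carries its own ACL (sub-folders that merely inherit roll up to it), ranks the users per unique ACL with IT departments filtered out, and decorates each row with department and manager from assumed directory attributes. Every path, user and attribute below is constructed.

```python
from collections import Counter, defaultdict

# Constructed sample audit trail standing in for an exported access record.
# One event per line: timestamp,user,path,operation
AUDIT_LOG = r"""
2012-12-01T09:01:12,alice,\\fs01\share\PRJ-4471\spec.docx,read
2012-12-01T09:03:40,alice,\\fs01\share\PRJ-4471\spec.docx,write
2012-12-01T09:10:05,carol,\\fs01\share\PRJ-4471\spec.docx,read
2012-12-01T09:12:30,bob,\\fs01\share\PRJ-4471\notes\meeting.txt,read
2012-12-01T11:15:22,erin,\\fs01\share\Finance\Q3\budget.xlsx,write
2012-12-01T11:20:10,erin,\\fs01\share\Finance\Q3\forecast.xlsx,read
2012-12-01T13:05:00,carol,\\fs01\share\PRJ-4471\notes\meeting.txt,read
2012-12-01T13:30:45,alice,\\fs01\share\PRJ-4471\notes\meeting.txt,read
2012-12-01T14:02:11,frank,\\fs01\share\Finance\policy.pdf,read
2012-12-01T14:40:00,erin,\\fs01\share\Finance\policy.pdf,read
2012-12-01T15:10:09,bob,\\fs01\share\PRJ-4471\spec.docx,read
2012-12-01T15:55:33,alice,\\fs01\share\Finance\Q3\budget.xlsx,read
2012-12-01T16:00:00,carol,\\fs01\share\PRJ-4471\spec.docx,read
2012-12-01T16:20:00,alice,\\fs01\share\PRJ-4471\spec.docx,write
2012-12-01T16:45:12,carol,\\fs01\share\PRJ-4471\notes\meeting.txt,write
2012-12-01T17:02:00,carol,\\fs01\share\PRJ-4471\spec.docx,read
"""

# Constructed: folders that carry their own (unique) ACL. Everything beneath
# them inherits, so activity there rolls up to the folder.
UNIQUE_ACL_FOLDERS = {
    r"\\fs01\share",
    r"\\fs01\share\PRJ-4471",
    r"\\fs01\share\Finance",
}

# Constructed directory attributes (what you would pull from AD for the report).
AD_USERS = {
    "alice": {"department": "Engineering", "manager": "dave"},
    "bob": {"department": "Engineering", "manager": "dave"},
    "carol": {"department": "IT", "manager": "grace"},
    "erin": {"department": "Finance", "manager": "heidi"},
    "frank": {"department": "Finance", "manager": "heidi"},
}


def parse_audit_log(text):
    """Turn the CSV-style export into (user, path, operation) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        _timestamp, user, path, operation = line.split(",")
        events.append((user, path, operation))
    return events


def acl_root(path, unique_acl_folders):
    """Walk up from the accessed path to the nearest folder that has its own ACL."""
    while path:
        path = path.rsplit("\\", 1)[0]
        if path in unique_acl_folders:
            return path
    return None


def top_users_per_acl(events, unique_acl_folders, ad_users,
                      exclude_departments=frozenset(), top_n=3):
    """Rank users by activity for every unique ACL. Departments in
    exclude_departments (e.g. IT) are dropped: their activity is administrative,
    not a sign of ownership."""
    counts = defaultdict(Counter)
    for user, path, _operation in events:
        root = acl_root(path, unique_acl_folders)
        if root is None:
            continue
        if ad_users.get(user, {}).get("department") in exclude_departments:
            continue
        counts[root][user] += 1
    report = {}
    for root, by_user in counts.items():
        ranked = sorted(by_user.items(), key=lambda item: (-item[1], item[0]))[:top_n]
        report[root] = [
            {"user": user, "events": n,
             "department": ad_users.get(user, {}).get("department", "unknown"),
             "manager": ad_users.get(user, {}).get("manager", "unknown")}
            for user, n in ranked
        ]
    return report


def likely_owner_contacts(report):
    """The 'one phone call away' view: most active user and their manager per ACL."""
    return {root: (rows[0]["user"], rows[0]["manager"])
            for root, rows in report.items() if rows}


if __name__ == "__main__":
    events = parse_audit_log(AUDIT_LOG)
    report = top_users_per_acl(events, UNIQUE_ACL_FOLDERS, AD_USERS,
                               exclude_departments={"IT"})
    for root, rows in sorted(report.items()):
        print(root)
        for row in rows:
            print(f"  {row['user']:<8}{row['events']:>3}  {row['department']} (manager: {row['manager']})")
    print("Who to call:", likely_owner_contacts(report))
```

Run unfiltered, the top user of the project folder is the Help Desk account that touched it most; with IT excluded, the engineer who actually works there surfaces instead.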

Identifying owners is useful, but actually involving them is where IT can really start to make headway when it comes to ongoing governance. We’ll tackle that next.


Top 5 Things IT Should Be Doing, But Isn’t

December 7, 2012

Posted on December 5, 2012

A clear path to effective information governance.

1. Audit Data Access

Effective management of any data set is impossible without a record of access. Unless one can reliably observe data use, one cannot observe its non-use, misuse, or abuse. Without a record of data usage, one cannot answer critical questions—from the most basic ones, like “who deleted my files, what data does this person or these people use, and what data isn’t used?” to more complex ones, like “who owns a data set, which data sets support this business unit, and how can I lock down data without disrupting workflows?”

2. Inventory Permissions and Directory Services Group Objects

Effective management of any data set is also impossible without understanding who has access to it. Access control lists and groups (in Active Directory, LDAP, etc.) are the fundamental protective control mechanism for all unstructured and semi-structured data platforms, yet too often IT cannot easily answer fundamental data protection questions like, “Who has access to a data set?” and “What data sets does a user or group have access to?” Answers to these questions must be accurate and accessible for data protection and management projects to succeed.

3. Prioritize Which Data Should Be Addressed

While all data should be protected, some data needs to be protected much more urgently than other data. Some data sets have well known owners and well defined processes and controls for their protection, but many others are less understood. With an audit trail, data classification technology, and access control information, organizations can identify active and stale data, data that is considered sensitive, confidential, or internal, and data that is accessible to many people. These data sets should be reviewed and addressed quickly to reduce risk.

Access our FREE Full Report, including the complete list of IT Must Do’s.

4. Remove Global Access Groups from ACLs (like “Everyone”) – especially where sensitive data is located

It is not uncommon for folders on file shares to have access control permissions allowing “Everyone,” or all “Domain Users” (nearly everyone), to access the data contained therein. SharePoint has the same problem (especially with “Authenticated Users”), and Exchange has these as well as “Anonymous User” access. This creates a significant security risk, since any data placed in such a folder inherits those “exposed” permissions, and those who place data in these wide-open folders may not be aware of the lax access settings. When sensitive data, like PII, credit card information, intellectual property, or HR information, is in these folders, the risks can become very significant. Global access to folders, SharePoint sites, and mailboxes should be removed and replaced with rules that give access to the explicit groups that need it.

5. Identify Data Owners

IT should keep track of data business owners and the folders and SharePoint sites under their responsibility. By involving data owners, IT can expedite a number of the previously identified tasks, including verifying permissions revocation and review, and identifying data for archival. The net effect is a marked increase in the accuracy of data entitlement permissions and, therefore, data protection.


7 Recommendations for Data Protection by Forrester’s Andras Cser

November 27, 2012

by David Gibson

Last week Varonis hosted a webinar on using strong identity context to help protect data, where I was joined by Andras Cser of Forrester. Andras shared really interesting insights on the impact of data breaches, what got stolen, how they happened, and what you can do to better protect yourself.

On the topic of entitlement reviews, Andras shared, “You have to get into a fairly rigid and rigorous structure of attestations, and basically that means you would want to have a campaign that runs every quarter, clearly understand the mappings between people, groups and resources that they’re accessing, and have managers look at their employees’ access rights, data elements, data access, and also application users should be granted some way of overseeing who has access to the data their application actually generates.”

Andras also shared illuminating key case studies from organizations that are protecting hundreds of terabytes to petabytes of data that are growing at 1-2.5% per week. It was fun for me to hear a fresh perspective on what works and what doesn’t when you’re trying to manage and protect data at scale.

Some of Andras’ recommendations were:

To see all seven of Andras’ recommendations, register to download and watch the full data protection webinar here.


Using Varonis: Fixing the Biggest Problems

November 26, 2012

Now that we have a pretty good idea where the highest-risk data is, the question naturally turns to reducing that risk. Fixing permissions problems on Windows, SharePoint or Exchange has always been a significant operational challenge. I’ve been in plenty of situations as an admin where I know something is broken—a SharePoint site open to Authenticated Users for instance—but I’ve felt powerless to actually address the problem since any permissions change carries the risk of denying access to a user (or process) who needs it. Mistakes can have significant business impact depending on whose access you broke and on what data. Since we’re defining “at-risk” as being valuable data that’s over-exposed, that means that any accessibility problems we create will impact valuable data, and that can create more problems than we started with.

Step 3: Remediate High-Risk Data

The goal is to reduce risk by reducing permissions for those users or processes that don’t require access to the data in question.

The next step in the Varonis Operational Plan is fixing those high-risk access control issues that we’ve identified: data open to global access groups as well as concentrations of sensitive information open to either global groups or groups with many users. Since simply reducing access without any context can cause problems, we need to leverage metadata and automation through DatAdvantage.

Let’s tackle global access first. When everyone can access data, it’s very difficult to know who among the large set of potential users actually needs that access. If we know exactly who’s touching the data, we can be surgical about reducing access without causing any headaches.

DatAdvantage analyzes the data’s audit record over time in conjunction with access controls, showing folders, SharePoint sites, and other repositories that are accessible by global access groups, and those users who have been accessing that data who wouldn’t have had access without a global access group. In effect, it’s doing an environment-wide simulation to answer the question, “What if I removed every global access group from every ACL tomorrow? Who would be affected?” This report gives you two key pieces of information:

  • Which data is open to global access groups
  • Which part of that data is being accessed by users who wouldn’t otherwise be able to access it

And it’s not just global groups that DatAdvantage lets you do this with. Because every data touch by every user on every monitored server is logged, Varonis lets you do this kind of analysis for any user, in any group, on any file or folder. That means you can safely remediate access to all of the high-risk data without risking productivity. You can actually fix the problem without getting in anyone’s way.
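The environment-wide simulation described above, as an added Python example that is not Varonis code (it also covers item 4 of the “Top 5 Things” list earlier on this page): constructed ACLs, nested group memberships and audit events stand in for the real inventory, only allow entries are modelled, and every folder, group and user name is an assumption. For each folder open to a global group it reports which active users have no other path to the data, then splits the folders into those that can be fixed immediately and those that need explicit access granted first.

```python
from collections import defaultdict

# Constructed sample data standing in for the permissions inventory, the
# directory groups and the access audit trail; only allow entries are modelled.
GLOBAL_GROUPS = {"Everyone", "Domain Users", "Authenticated Users"}

FINANCE = r"\\fs01\share\Finance"
HR = r"\\fs01\share\HR"
PUBLIC = r"\\fs01\share\Public"
PRJ = r"\\fs01\share\PRJ-4471"
ARCHIVE = r"\\fs01\share\Archive"

# folder -> principals with an allow entry on its ACL
ACLS = {
    FINANCE: {"Finance-RW", "Domain Users"},
    HR: {"HR-Team"},
    PUBLIC: {"Everyone"},
    PRJ: {"Eng-All", "Authenticated Users"},
    ARCHIVE: {"Ops", "Everyone"},
}

# group -> direct members; a member that is itself a key here is a nested group
GROUPS = {
    "Finance-RW": {"erin", "frank"},
    "HR-Team": {"heidi"},
    "Eng-All": {"Eng-Dev", "Eng-QA"},
    "Eng-Dev": {"alice", "bob"},
    "Eng-QA": {"ned"},
    "Ops": {"oscar"},
}

# (user, folder) pairs taken from the (constructed) access audit trail
EVENTS = [
    ("erin", FINANCE), ("alice", FINANCE), ("carol", FINANCE), ("erin", FINANCE),
    ("heidi", HR),
    ("bob", PUBLIC), ("erin", PUBLIC),
    ("alice", PRJ), ("ned", PRJ), ("erin", PRJ), ("erin", PRJ),
]


def expand_group(name, groups, _seen=None):
    """Resolve a group to its users, following nested groups; _seen stops cycles."""
    _seen = set() if _seen is None else _seen
    if name in _seen:
        return set()
    _seen.add(name)
    users = set()
    for member in groups.get(name, set()):
        if member in groups:
            users |= expand_group(member, groups, _seen)
        else:
            users.add(member)
    return users


def explicit_users(acl, groups):
    """Users who would still have access once every global group is off this ACL.
    A principal that is not a known group is treated as a directly listed user."""
    users = set()
    for principal in acl - GLOBAL_GROUPS:
        users |= expand_group(principal, groups) if principal in groups else {principal}
    return users


def simulate_global_removal(acls, groups, events):
    """For every folder open to a global group, find the users who have actually
    been using it with no other path to it: they are cut off if the group goes."""
    usage = defaultdict(lambda: defaultdict(int))      # folder -> user -> events
    for user, folder in events:
        usage[folder][user] += 1
    report = {}
    for folder, acl in acls.items():
        global_here = sorted(acl & GLOBAL_GROUPS)
        if not global_here:
            continue                                    # nothing to remove here
        keep = explicit_users(acl, groups)
        affected = {u: n for u, n in usage[folder].items() if u not in keep}
        report[folder] = {
            "global_groups": global_here,
            "affected_users": sorted(affected),
            "affected_events": sum(affected.values()),
        }
    return report


def remediation_plan(report):
    """Exposed folders nobody relies on can be fixed at once; the rest need the
    affected users granted explicit access (or a data-owner decision) first."""
    safe_now = sorted(f for f, r in report.items() if not r["affected_users"])
    needs_review = sorted(f for f, r in report.items() if r["affected_users"])
    return safe_now, needs_review


if __name__ == "__main__":
    report = simulate_global_removal(ACLS, GROUPS, EVENTS)
    safe_now, needs_review = remediation_plan(report)
    for folder in needs_review:
        r = report[folder]
        print(f"{folder}: remove {r['global_groups']}; first grant "
              f"{r['affected_users']} explicit access ({r['affected_events']} events)")
    for folder in safe_now:
        print(f"{folder}: remove {report[folder]['global_groups']} now; no active user needs them")
```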

The next step is to start shifting decision making from your IT staff to the people who actually should be making choices about who gets access to data: data owners.


12 Tips to Prevent your Sensitive Data Becoming a Wikileaks Headline

October 19, 2012

By David Ricketts, Head of Marketing, C24

Recent worldwide controversies surrounding confidential material being supplied to unauthorised people and sites such as WikiLeaks by anonymous whistle-blowers should act as a catalyst for organisations across the globe to take control of data governance and guarantee that employees have access to only the information they need.

In our experience, employees responsible for the IT function are finding it increasingly difficult, and in some cases impossible, to manage many elements of data governance within their organisation. Below are some tips that explain the steps organisations need to take to manage permissions for employee data access and safeguard their data. By taking these steps, the IT function will be able to understand who can access data, who is accessing it, who shouldn’t have access, and who owns it, and remediate risk faster than with traditional data governance and classification methods.

At present, IT professionals – rather than the people that create the data (be it a spreadsheet, PowerPoint presentation or company report) – are the ones making many of the decisions about permissions, acceptable use, and access review. However, as IT personnel aren’t equipped with adequate business context around the growing volumes of data, they’re only able to make a best-effort guess as to how to manage and protect each data set.

Until organisations start to shift decision-making responsibility to business data owners, it is IT that has to enforce rules for who can access what on shared file systems, and keep those structures current through data growth and user role changes. IT needs to determine who can access data, who is accessing it, who should have access, and what is likely to be sensitive.

Here are the top must-do actions for the IT team’s ‘to do’ list, to carry out as part of a daily data management routine for senior executives, to create a benchmark for data governance:

1. Identify Data Owners

The IT department should keep a current list of data business owners (e.g. those who have created original data) and the folders and sites under their responsibility. By having this list “at the ready,” they can expedite a number of the data governance tasks, including access authorisation, revocation and review, and identifying data for archival. The net effect of this simple process is a marked increase in the accuracy of data access entitlements and, therefore, data protection.

2. Remove global groups and perform data entitlement reviews

It is not uncommon for folders on file shares to have access control permissions allowing “Everyone,” or all “Domain Users” (nearly everyone), to access the data they contain. This creates a significant security risk, since any data placed in such a folder inherits those “exposed” permissions, and those who place data in these wide-open folders may not be aware of the lax access settings. Global access to folders should be removed and replaced with rules that give access to the explicit groups that need it.

3. Audit Permissions Changes

Access control lists are the fundamental preventive control mechanism in place to protect data from loss, tampering, and exposure. IT requires the ability to capture and report on access control changes to data – especially for highly sensitive folders. If access is incorrectly assigned or changed to a more permissive state without good business reason, IT and the data business owner must be quickly alerted and able to remediate the situation.

4. Audit Group Membership Changes

Directory groups (Active Directory, LDAP, NIS, etc.) are the primary entities on access control lists; membership grants access to unstructured data (as well as to many applications, network gateways, etc.). Users are added to existing and newly created groups on a daily basis.

5. Audit Data Access

Effective management of any data set is impossible without a record of access. Unless you can reliably observe data use you cannot observe its misuse, abuse, or non-use. Even if an IT department could ask its organisation’s users whether they used each data set, the end users would be unlikely to be able to answer accurately—the scope of a typical user’s access activity is far beyond what humans can recall.

6. Prioritise Data

While all data should be protected, some data needs to be protected much more urgently than the rest. Using data owners, data access patterns, and data classification technology, data that is considered sensitive, confidential, or internal should be tagged accordingly, protected and reviewed frequently.

7. Align Security Groups to Data

Whenever someone is placed in a group, they get file system access to every folder that lists the group on its ACL. Unfortunately, organisations have completely lost track of which Active Directory, SharePoint or NIS groups appear on which folders’ ACLs. It is impossible to align a role with the right data if the organisation cannot verify what data a group provides access to.

8. Lock Down, Delete, or Archive Stale, Unused Data

Not all of the data contained on shared file servers and network attached storage devices is in active use. By archiving stale or unused data to offline storage or deleting it, IT makes the job of managing the remainder simpler and easier, while freeing up expensive resources. At the very least, access to inactive data should be tightly restricted to reduce the risk of loss, tampering, or theft.

By automating and conducting the ten management tasks outlined above frequently, organisations will gain the visibility and auditing required to determine who can access the data, who is accessing it and who should have access.

9. Review data entitlements (ACLs)

Every file and folder in a file system has access controls assigned to it which determine which users can access the data and how (i.e. read, write, execute, list). These controls need to be reviewed on a regular basis and the settings documented so that they can be verified as accurate by data business owners and security policy auditors.

10. Revoke unused and unwarranted permissions

Users with access to data that is not material to their jobs constitute a security risk for organisations. Most users only need access to a small fraction of the data that resides on file servers. It is important to review and then remove or revoke permissions that are unused. IT should have the ability to capture and report on access control changes to data – especially for highly sensitive folders. If access is incorrectly assigned or changed to a more permissive state without good business reason, the data business owner will be able to quickly identify and mitigate the situation by reporting the inconsistency to IT.

11. Delete unused user accounts

Directories may at times contain user accounts for individuals that are no longer with the company or group. These accounts constitute a security hole: those with a working knowledge of, and access to, user directories may retrieve information under someone else’s name. Organisations should routinely identify inactive users and verify that the need for the account is still there.

12. Preserve all user access events in a searchable archive

Even for environments where the user-to-data permissions are current and accurate, it is important to maintain a searchable archive of all user access events. This will help organisations with triage and forensic analysis should data misuse or loss occur. IT should be able to search on a username, filename or date of interest, and any combination thereof, to ascertain who accessed what and how. This information can also help expedite helpdesk call resolution.

What Are You Waiting For?

The biggest hurdle to overcome with this ‘to do’ list is the amount of time conducting these checks on a daily basis requires, if it is even possible! It is imperative that businesses support their internal IT function by allowing them to utilise tools such as Varonis, so that they can adopt best practice techniques and manage the business critical areas highlighted in this report.

If you would like further information about any of the areas highlighted in this report please do not hesitate to call C24 or visit http://www.c24.co.uk


Data Migration a Security Threat: Varonis

October 2, 2012

Organizations are potentially exposing themselves to data breaches during migrations, and many don’t have confidence their data is secure, according to a Varonis survey. While 95 percent of organisations move data at least once per year, 65 percent of companies said they are not confident sensitive data was protected during a migration, according to an August survey of C-level IT executives conducted by data governance software specialist Varonis Systems. The survey found 96 percent of respondents reported concerns when performing data migrations, with many leaving their data overexposed and vulnerable. The results suggest a growing data security problem that could affect the vast number of businesses performing data migrations and consolidations.

Organizations most commonly move data from one file server to another or to network attached storage (NAS) (80 percent), between domains (44 percent) and from file shares to SharePoint (40 percent). Two-thirds of organizations report that they usually move more than 1TB of data at a time, for a variety of reasons, including infrastructure upgrades and organizational changes–for example, a merger or acquisition. On the security side, 35 percent of those surveyed reported that they were very confident sensitive data would only be accessible to the right people during a migration.

“The survey underscores that maintaining who has access to what is an ongoing problem for organizations. The scale of the problem that organizations face when moving terabytes of data may be surprising, as a typical terabyte contains about 50,000 folders, and of those folders about 5 percent, or 2,500 folders, have unique permissions,” David Gibson, Varonis vice president of strategy, said in a prepared statement. “An average access control list (ACL) contains three to five security groups, and a typical group contains anywhere from five to 50 users, as well as other groups that contain even more users and groups. Let’s say each access control list represents 5 minutes of work to re-create—that’s over 200 hours of work per terabyte of data moved.”

About one-third of respondents described themselves as being very confident that sensitive data will be accessible to the correct people during a move, but only 20 percent reported that maintaining permissions is not an issue. Seventeen percent of respondents reported it as a significant issue, 49 percent reported it as a slight-to-moderate issue and a worrying 14 percent said they are aware of the issue but have not addressed it.

“Data and domain migrations are a big part of IT’s day-to-day activities. Organizations already face challenges maintaining availability, data integrity and confidentiality during a migration, not to mention identifying the data that should be moved and who it belongs to,” the report concluded. “With no slowdown in data growth in sight, IT organizations should anticipate that more migrations and archival projects will need to fit into their already busy schedules.”

Data security fears also are affecting adoption of cloud services, an earlier Varonis report found. That survey revealed that while 80 percent of companies do not allow their employees to use cloud-based file synchronization services, 70 percent of companies would use these services if they were as robust as internal tools. Only 20 percent of survey respondents said they currently allow file synchronization technology services due to fears of data leakage, security breaches and compliance issues.

Thanks to http://www.eweek.com