Top 5 Things IT Should Be Doing, But Isn’t

December 7, 2012

Posted on December 5, 2012 by 

A clear path to effective information governance.

1. Audit Data Access

Effective management of any data set is impossible without a record of access. Unless one can reliably observe data use, one cannot observe its non-use, misuse, or abuse. Without a record of data usage, one cannot answer critical questions—from the most basic ones, like “who deleted my files, what data does this person or people use, and what data isn’t used?” to more complex questions, “like who owns a data set, which data sets support this business unit, and how can I lock down data without disrupting workflows?”

2. Inventory Permissions and Directory Services Group Objects

Effective management of any data set is also impossible without understanding who has access to it. Access controls lists and groups (in Active Directory, LDAP, etc.) are the fundamental protective control mechanism for all unstructured and semi structured data platforms, yet too often IT cannot easily answer fundamental data protection questions like, “Who has access to a data set?” and “What data sets does a user or group have access to?” Answers to these questions must be accurate and accessible for data protection and management projects to succeed.

3. Prioritize Which Data Should Be Addressed

While all data should be protected, some data needs to be protected much more urgently than other data. Some data sets have well known owners and well defined processes and controls for their protection, but many others are less understood. With an audit trail, data classification technology, and access control information, organizations can identify active and stale data, data that is considered sensitive, confidential, or internal, and data that is accessible to many people. These data sets should be reviewed and addressed quickly to reduce risk.

Access our FREE Full Report, including the complete list of IT Must Do’s.

4. Remove Global Access Groups from ACLs (like “Everyone”) – especially where sensitive data is located

It is not uncommon for folders on file shares to have access control permissions allowing “Everyone,” or all “domain users” (nearly Everyone) to access the data contained therein. SharePoint has the same problem ( especially with authenticated users). Exchange has these, as well as “Anonymous User” access. This creates a significant security risk; for any data placed in that folder will inherit those “exposed” permissions, and those who place data in these wide-open folders may not be aware of the lax access settings. When sensitive data, like PII, credit card information, intellectual property, or HR information are in these folders, the risks can become very significant. Global access to folders, SharePoint sites, and mailboxes should be removed and replaced with rules that give access to the explicit groups that need it.

5. Identify Data Owners

IT should keep track of data business owners and the folders and SharePoint sites under their responsibility. By involving data owners, IT can expedite a number of the previously identified tasks, including verifying permissions revocation and review, and identifying data for archival. The net effect is a marked increase in the accuracy of data entitlement permissions and, therefore, data protection.

Access our FREE Full Report including the complete list of IT Must Do’s.

Related articles

1 Comment | Application Hosting, Managed Service Hosting | Tagged: , , , , , , , , , | Permalink
Posted by david ricketts

At-Risk Exchange Data

November 12, 2012

One of the more interesting benefits of last year’s launch of DatAdvantage for Exchange was the opportunities it presented to talk with different sets of people in our customers’ organizations. Where traditionally we’d worked mostly with security, storage, Windows or Active Directory teams, DatAdvantage for Exchange spurred meetings with messaging, e-Discovery and legal folks as well.

E-mail is a business-critical system, period. From an IT perspective, it may be the most critical system—most companies would rather lose their phones for a day than their e-mail. What that has meant for the Messaging folks in charge of Exchange is that simply keeping the lights on—making sure that emails are being delivered promptly and that the repository of stored data is available—has been far and away more important than access control. However, the consequence of focusing on availability rather than confidentiality or integrity has meant that a lot of the controls and auditing that should be in place are sorely lacking.

Data Governance and Exchange

Exchange is an interesting repository from a data governance perspective. The last time I wrote about using Varonis, I talked about how we can combine data classification with permissions exposure to identify the data that’s most at-risk on a file system or SharePoint site. Unlike a file share, the hierarchy is flat—everyone’s got their own mailbox, and it’s very easy to share out access rights to it. You can, for instance, give someone access to your inbox or calendar. With IT’s help, you can give them the ability to send email on your behalf, or even “as” you. Exchange is exactly like file shares in that mailbox access is reviewed periodically, mailboxes stay shared and users have send-as or send-on-behalf-of privileges for a long, long time.

What’s at Risk?

One of the first things we do when we spin up DatAdvantage for Exchange for a customer is to run a report that shows them everywhere someone in the organization has access to a mailbox that isn’t their own.

Everyone has access to their own mailbox by default. It takes some sort of permissions change, though, either on the client (Outlook) side, or by the admin on the Exchange server, to grant someone access to another mailbox. One of things we’re seeing when we do this, by the way, it that the mailboxes that are without question most likely to have been shared are those that are probably considered the most valuable—those of the CEO and other high-level management. While native tools might let you manually (and somewhat painfully) check permissions on a mailbox-by-mailbox basis, Varonis gives you the ability to see where anyone has access to an object that’s not part of their own mailbox.

We take that risk assessment a step further, too, with another report that will show you where people are actually accessing data in mailboxes that don’t belong to them. For good or ill, these are probably the permissions you want to take a look at first from a governance perspective.

1 Comment | Application Hosting, Managed Service Hosting, Retail IT Solutions | Tagged: , , , , , , , , , | Permalink
Posted by david ricketts

12 Tips to Prevent your Sensitive Data Becoming a Wikileaks Headline

October 19, 2012

By David Ricketts Head of Marketing C24

 

Recent worldwide controversies surrounding confidential material being supplied to unauthorized people and sites such as Wiki Leaks by anonymous whistle-blowers should act as a catalyst for organisations across the globe to take control of data governance and offer a guarantee that employees have access to only the information they need.

 

In our experience we have found that employees responsible for the IT function are finding it increasingly difficult, and in some cases impossible, to manage many elements of data governance within their organisation.  Below are some tips that explain the steps that organisations in charge of permission management of employee data access need to take to safeguard their data. By taking these steps, the IT function will be able to understand who can access, who is accessing, who shouldn’t have access, and who owns the data, and remediate risk faster than traditional data governance and classification methods.

 

At present, IT professionals – rather than the people that create the data (be it a spreadsheet, PowerPoint presentation or company report) – are the ones making many of the decisions about permissions, acceptable use, and acceptable access review. However, as IT personnel aren’t equipped with adequate business context around the growing volumes of data, they’re only able to make a best effort guess as to how to manage and protect each data set.

 

Until organisations start to shift the decision making responsibility to business data owners, it is IT that has to enforce rules for who can access what on shared file systems, and keep those structures current through data growth and user role changes. IT needs to determine who can access data, who is accessing it, who should have access, and what is likely to be sensitive.

 

Here are the top must-do actions for the IT team’s ‘to do’ list, to carry out as part of a daily data management routine for senior executives, to create a bench mark for data governance:

 

1          Identify Data Owners

The IT department should keep a current list of data business owners (e.g. those who have created original data) and the folders and sites under their responsibility. By having this list “at the ready,” they can expedite a number of the data governance tasks, including access authorisation, revocation and review, and identifying data for archival. The net effect of this simple process is a marked increase in the accuracy of data access entitlement and, therefore, data protection.

 

2          Remove global groups and perform data entitlement reviews

It is not uncommon for folders on file shares to have access control permissions allowing “everyone,” or all “domain users” (nearly everyone) to access the data contained. This creates a significant security risk, for any data placed in that folder will inherit those “exposed” permissions, and those who place data in these wide-open folders may not be aware of the lax access settings. Global access to folders should be removed and replaced with rules that give access to the explicit groups that need it.

 

3          Audit Permissions Changes

Access Control Lists are the fundamental preventive control mechanism in place to protect data from loss, tampering, and exposure. IT requires the ability to capture and report on access control changes to data – especially for highly sensitive folders. If access is incorrectly assigned or changed to a more permissive state without good business reason, IT and the data business owner must be quickly alerted, and able to remediate the situation.

 

4          Audit Group Membership Changes

Directory Groups are the primary entities on Access Control Lists (Active Directory, LDAP, NIS, etc.); membership grants access to unstructured data (as well as many applications, network gateways, etc.). Users are added to existing and newly created groups on a daily basis.

 

5          Audit Data Access

Effective management of any data set is impossible without a record of access. Unless you can reliably observe data use you cannot observe its misuse, abuse, or non-use. Even if an IT department could ask its organisation’s users if they used each data set, the end users would be unlikely to be able to answer accurately—the scope of a typical user’s access activity is far beyond what humans can recall.

 

6          Prioritise Data

While all data should be protected, some data needs to be protected much more urgently than others. Using data owners, data access patterns, and data classification technology, data that is considered sensitive, confidential, or internal should be tagged accordingly, protected and reviewed frequently.

 

7          Align Security Groups to Data

Whenever someone is placed in a group, they get file system access to all folders that list the group on its ACL. Unfortunately, organisations have completely lost track of what data folders contain which Active Directory, SharePoint or NIS groups. It is impossible to align the role with the right data if the organisation cannot verify what data a group provides access to.

 

8          Lock Down, Delete, or Archive Stale, Unused Data

Not all of the data contained on shared file servers, and network attached storage devices are in active use. By archiving stale or unused data to offline storage or deleting it, IT makes the job of managing the remainder simpler and easier, while freeing up expensive resources. At the very least, access to inactive data should be tightly restricted to reduce the risk of loss, tampering, or theft.

 

By automating and conducting the ten management tasks outlined above frequently, organisations will gain the visibility and auditing required that determines who can access the data, who is accessing it and who should have access.

 

9     Review data entitlement (ACL)

Every file and folder in a file system system has access controls assigned to it which determine which users can access the data and how (i.e. read, write, execute, list). These controls need to be reviewed on a regular basis and the settings documented so that they can be verified as accurate by data business owners and security policy auditors.

 

10  Revoke unused and unwarranted permissions

Users with access to data that is not material to their jobs constitutes a security risk for organisations. Most users only need access to a small fraction of the data that resides on file servers. It is important to review and then remove or revoke permissions that are unused. IT should have the ability to capture and report on access control changes to data – especially for highly sensitive folders. If access is incorrectly assigned or changed to a more permissive state without good business reason, the data business owner will be able to quickly identify and mitigate the situation by reporting the inconsistency to IT.

 

 

11          Delete unused user accounts

Directories may at times contain user accounts for individuals that are no longer with the company or group. These accounts constitute a security hole. Those with a working knowledge and access to user directories may retrieve information under someone else’s name. Organisations should routinely identify inactive users and verify that the need for the account is still there.

 

12          Preserve all user access events in a searchable archive

Even for environments where the user-to-data permissions are current and accurate, it is important to maintain a searchable archive of all user access events. This will help organisations with triage and forensic analysis should data misuse or loss occur. IT should be able to search on a username, filename as well as date of interest and any combination thereof to ascertain who accessed what and how. This information can also help expedite helpdesk call resolution.

 

 

What Are You Waiting For?

The biggest hurdle to overcome with this ‘to do’ list is the amount of time conducting these checks on a daily basis requires, if it is even possible! It is imperative that businesses support their internal IT function by allowing them to utilise tools such as Varonis so as to enable them to adopt best practice techniques so that they can manage the business critical areas highlighted in this report.

 

If you would like further information about any of the areas highlighted in this report please do not hesitate to call C24 or visit http://www.c24.co.uk

4 Comments | Managed Service Hosting, Marketing, Retail IT Solutions | Tagged: , , , , , , , , , , , | Permalink
Posted by david ricketts

The Challenges of Metadata Collection

May 1, 2012

by Brian Vecci

In my recent post, Improving Authorization with Metadata, we talked about what kinds of information we need in order to start cleaning up access control. This time I want to talk a little bit about how we’ll actually get that metadata and what it will take to use it to do anything useful.

If you recall, the metadata streams we’re going to be primarily concerned with are user and group information, permissions from the ACLs and user access activity. In addition, data classification can help us prioritize the work by finding important data (and when combined with the other metadata streams) that are located and might have excessive or broken permissions. So where does all this metadata come from?

The simple answer is that there’s no simple answer. Each platform is going to have its own interfaces and challenges when it comes to gathering this data. In the Windows world, for instance, in order to see who has access to a folder, or what folders a user has access to you’ll need to traverse each file system to get the permissions—every folder might have a unique ACL. In order to interpret the ACL’s, you’ll need to grab the users and groups from Active Directory, as well as the local groups on the servers, some of which will contain groups in AD. And that’s just NTFS Permissions—you also need to consider Windows Share Permissions, and the effective permissions a user might have based on both.

SharePoint permissions are complex, too. SharePoint objects have access control lists that refer to Active Directory users and groups and SharePoint groups, and each group is assigned one or more permission levels on the object, and each permission level is comprised of some combination of 33 individual permissions.

That’s interesting to compare with permissions on an Exchange mailbox, where access can be set at the server (mailbox permissions) and by the client through Outlook (sharing permissions). On top of that, think of all the actions you can perform within Exchange once you factor in message flagging and attachments.

UNIX file systems have NFS style permissions as well as POSIX ACLS, all of which can refer to local groups and users, and those in LDAP, NIS, or even Active Directory groups if you’re using an AD integration product like Centrify. NAS devices often have CIFS/NTFS style permissions, NFS permissions, and hybrid permissions modes to serve both CIFS and NFS clients on the same share.

As you can see, each of these platforms has its own idiosyncrasies, and we haven’t yet mentioned symbolic links, junction points, or DFS. And… this is just to see who has access. Who is actually accessing data is even trickier—we’ll talk about that in a future post.

On top of all that, think about the sheer amount of metadata you may be collecting—thousands of users in thousands of groups across hundreds of thousands of ACLs, that must be gathered carefully enough so it won’t significantly impact the environment, otherwise what’s the point? If monitoring the box is going to break the box, no one will do it. What this all means is that gathering up all of the relevant information across all the platforms you want to properly govern is no simple task, and analyzing and making sense of all the metadata is even harder—it requires a lot of platform expertise, and technology that is flexible and robust enough to handle the deep waters of today’s diverse file systems.

For further information please contact C24 at http://www.c24.co.uk

1 Comment | Application Hosting, Managed Service Hosting, Retail IT Solutions, Uncategorized | Tagged: , , , , , , , | Permalink
Posted by david ricketts

Great video for Varonis and Data-advantage for Microsoft Exchange

May 16, 2011

The Challenge

Microsoft Exchange installations containing huge amounts of semi-structured data can present immense protection and management challenges:

  • Permissions: Determining who has access to Exchange mailboxes and public folders, including shared and delegated mailbox permissions.
  • Access Auditing: IT can’t answer pressing questions like, “Who accessed my email or calendar?” or “Who sent email on my behalf?”
  • Data Ownership: IT can’t reliably identify business owners of public folder data, and even some mailboxes.
  • Operational: Manual permissions and group changes are untested and unreliable.
  • High Risk: Stale, excess permissions are rarely revoked. Data open to the Anonymous group can be difficult to identify and remediate. Critical data is exposed.

The Varonis Solution

Varonis® DatAdvantage® addresses these challenges by aggregating Active Directory user and group details, ACL information and all data access events—without requiring native OS auditing—to build a complete picture of who can and who is accessing data, and who should have their access revoked. It also leads IT to rightful data owners, so the right people can ensure appropriate access and usage.

“With Varonis® DatAdvantage® for Exchange, we have significantly reduced our Exchange access and data management workload for tasks that we do many times every day. We now have a single console with a complete map to our ever-growing Exchange environment that has enabled our staff to identify and proactively manage and protect Exchange data.” – Bernard Besohe
Publications Office of the European Union

Leave a Comment » | Managed Service Hosting, Marketing, Retail IT Solutions | Tagged: , , , , , , , , , , , | Permalink
Posted by david ricketts

Follow

Get every new post delivered to your Inbox.

Join 753 other followers