Internal Data Loss is Riskier Than You Think

April 19, 2013

In an excellent blog post, Gartner research director Anton Chuvakin poses the question: is an Excel spreadsheet full of credit card numbers on a poorly permissioned internal file share considered a data breach?

Many information security pros and even some DLP vendors would answer “no” because the risk of data loss is implied, not actual.  But I think that is an overly optimistic stance.  To me, this is equivalent to saying, “I know there’s a hole in my roof, but it hasn’t rained in a month, so it’s only an implied risk.”

Anton astutely points out that, in every large organization, you can bet your mortgage on there being unauthorized access to your environment, facilitated by any number of factors including, but not limited to: subpar authentication, BYOD, infected endpoints, or an Active Directory that looks like a rats nest.

Chuvakin says:

 ”The phenomenon of “internally lost data” is way more pervasive than most people think. I’d bet if you think that it is pretty pervasive, then it is EVEN MORE pervasive. Confidential, regulated and “merely” sensitive data on “all access” internal file shares, SharePoint boxes, team web servers, internal blogs, etc is literally all over the place.”

We can confirm this phenomenon as it’s one of the main reasons organizations evaluate Varonis.  We’ve written extensively on the Everyone Problem.  Trust us, this is actual risk.  So what do we do about it?

The Sniff → Scan Approach

Dr. Chuvakin talks about how well the Sniff → Scan approach has worked for some organizations: sniff the network to see what’s leaking and then scan your storage environment to figure out where that data lives:

“[Organizations] first saw *it* on the wire, got mad – and then got curious: just where exactly is it stored internally? “Oh, in 537 different places!”  Next they fought the battle for reducing the internal exposure and then – surprise! – the occurrences of that piece of data being seen on the wire decreased as well…”

The trouble with most DLP solutions that help with data discovery is that, once the data of interest is found, you’re on your own.  There’s no operator’s manual for reducing the exposure in a safe, methodical way without doing collateral damage to the business.  Once you’ve pinpointed where leaky data lives, wouldn’t you love to know: Who can access it? Who’s using it? Who is responsible/is the data owner? How to reduce access down to a least privilege model without cutting off people who need the data to do their jobs?

The only way to answer these questions is to combine other metadata streams with the classification information.  If you’re in the information security space, you’ll start to hear the term Context-Aware Data Loss Prevention, if you haven’t already.  Analysts have begun putting a lot of weight on the ability to determine the context of data and its usage in order to make intelligent decisions about protecting it.

Anton concludes:

“So, if you got [sic] a DLP tool, plan for using its discovery capabilities. Hit those shares, SharePoints, team servers, intranet web sites, etc, etc.  And, yes, you need a process, not just a tool!”

For an in-depth look at the Varonis process for preventing internal data loss, check out ouroperational plan blog series (which starts with data classification).  And if you’re interested to see how the Varonis Data Governance Suite brings context to DLP, let us show you!

Also, have a look at Anton Chuvakin’s blogs here and here.  He’s one of the most entertaining and prolific writers on data protection.

Leave a Comment » | Application Hosting, Managed Service Hosting, Marketing, Retail IT Solutions | Tagged: , , , , , , , , , , , , | Permalink
Posted by david ricketts

5 Steps to Get Data Owners Started : What to do with my data

April 8, 2013

During a recent conversation a customer asked if we had a Getting Started Guide for Data Owners. After using Varonis to identify and assign owners, one of the new data owners asked, “What am I supposed to do now? What do data owners do?”  In order to help him—and anyone else in this situation—I created 5 high-level steps business users can follow to get started as a data owner.

Step 1: Take inventory of your data and confirm ownership

One of the first things data owners should do is review the data for which they are responsible; IT should provide them a report listing all the folders, SharePoint sites, etc. that they own. Owners should carefully review this report and confirm with IT that they are, in fact, the correct owners of this data. It is also important that they understand which, if any, of these folders contain sensitive data, which folders are open to other groups in the organization, and which teams they expect to collaborating with.

Once they have reviewed their data assets, they will be able to start governing and protecting their data effectively. In addition, they should determine if other users will need to be involved in the authorization process (delegated “authorizers” for specific folders), and coordinate with them on how access requests will be processed.

Step 2: Review permissions/users with access

Once they’ve confirmed ownership and they understand the types of data contained in these folders, the next step would be to perform an initial Entitlement Review.  These can either be done manually with IT provided lists of people to review, or with automated solutions, like Varonis DatAdvantage and DataPrivilege.

During an initial entitlement review, data owners will review which users have access to which data and make decisions about which users should be removed or added. Solutions that provide automated entitlement reviews, like DataPrivilege, automate this task end to end, providing actionable information to data owners, (e.g. recommendations based on access activity and cluster analysis) and effect changes to the appropriate ACL’s and groups without IT intervention.

It is important that this step be carefully performed, whether manual or automated, as this will be the first step in cleaning up excess access and ensuring that only the right people have access to data.

Step 3: Ensure all requests are processed for the appropriate reasons

Once owners have performed their initial review, they should now be in “maintenance mode” and ongoing data ownership activities shouldn’t take much time– they’ll mostly need to approve/decline access requests as they come up, either with an automated solution (like DataPrivilege) or through a manual process. As a best practice, every access request should ask the requestor to enter a reason for requesting access, either selected from a menu of legitimate reasons, or manually entered.

Data owners should consider access requests carefully, especially when the data they’re managing is sensitive:

  • What data are they requesting access to?
  • If I grant access, is there anything in that folder that they should treat as confidential?
  • Should access be granted permanently, or temporarily?
  • If access should be granted temporarily, how will we remember to revoke it? (Manual process or with automation like DataPrivilege)

Step 4: Do periodic entitlement reviews

On a regular basis—once a quarter, every 6 months, etc.—IT should require owners to complete an attestation, or entitlement review. This will ensure data owners review any changes or new recommendations made since their last review and ensure that organizational changes have not granted unwarranted access. Owners should have the option to specify where access should be restricted or stay the same, and a record of their decisions should be kept. Entitlement reviews help organizations efficiently maintain a least privilege model.

Step 5: Review access statistics on your data

If available, data owners should have the ability to access a dashboard which includes permissions and access activity relevant to their data, as with DataPrivilege’s Self-Service Portal. Data owners can make better decisions if they are able to see who is accessing their data, which folders are most accessed, least accessed, or stale, and who is accessing folders that hold sensitive data.

Conclusion

While there are a lot more details on data ownership, we hope this list provides a starting point for Data Owners on how to govern their data effectively. For more information you can visit our collection of blogs on data ownership or download our whitepapers from our resource center.

Leave a Comment » | Managed Service Hosting, Marketing, Retail IT Solutions | Tagged: , , , , , , , , , , , , , , , | Permalink
Posted by david ricketts

Banks See Social Media as Big Data Opportunity

November 6, 2012

Last month I attended a digital advertising conference here in NYC which was swarming with social media benchmarking vendors. If you wanted to learn more about software that measures how your company or brand is faring on Twitter, Facebook, or Pinterest, then this was the place to be. These buzz-monitoring apps make perfect sense for consumer-focused product companies (sneakers, clothing, soft drinks), but I didn’t necessarily connect the dots between social media content and big data for financial service firms.

That is until I saw this article in American Banker on big data in the banking world. Specifically, BNY Mellon Bank ($1.4 trillion assets) is launching its own big data project, which will involve collecting and aggregating transactional information from customers across many different systems—their web site, ATM network, customer service, trading desks, and any other relevant interaction points.

The goal is to pull these separate data streams into a centralized data store, and then mine it to learn customer behaviors and preferences. The results will be fed back to their marketing department to help pinpoint customers who would most likely be interested in new bank offerings. BNY Mellon will also use this data to gain more complete awareness of customer needs in their future interactions with the bank.

It doesn’t stop there. BNY Mellon has extended the scope of its big data project beyond its own internal IT operations by harvesting content from the social world—blogs, Twitter, LinkedIn, and other online forums.

How much data can be found in Tweets and posts that would be useful for banks and financial companies?

This is hard to gauge. But according to an IDC report referenced in the American Bank piece, 1.8 trillion gigabytes of data was generated in 2012 with the majority of that considered unstructured social data.

These numbers for social data sound about right. Earlier in the year, Twitter reported its users were sending 340 million tweets per day. Doing a quick back of the envelope calculation—340 million x 140 x 365—I come up with at least 10,000 gigabytes of data just from Twitter alone. Then if you start adding Linkedin with its 175 million users and Facebook’s close to 1 billion users and the millions of active blogs out there, it’s easy to see how unstructured text from social begins to reach the volumes in the IDC range.

For large financial firms with millions of their own customers, filtering out, processing, and storing what’s relevant clearly falls in the big data solution space. The larger point is that banks are looking at this public data as an auxiliary treasure trove from which they can supplement their existing records with more granular details about their own customers, and even perhaps find potential new markets. Like everyone else they are also concerned about their brand and the buzz around it.

Lessons learned? Here’s one: even those companies most closely associated with large traditional fixed-field databases —in this case, a financial institution, but also consider, say, insurance, power utilities, and telecom carriers—will by necessity also have to deal with petabytes of content in order to complete the big data puzzle.

1 Comment | Application Hosting, Managed Service Hosting, Marketing | Tagged: , , , , , , , , , , , | Permalink
Posted by david ricketts

8 out of 10 employees turn to ‘stealth cloud’ for quick IT fix, putting company data in danger

November 1, 2012

84 per cent of employees are putting company data at risk as they secretly access consumer cloud solutions such as DropBox and SkyDrive in the workplace, says Computacenter research, Europe’s leading independent provider of IT infrastructure services. With no visibility of files available to IT managers, employees are opening networks up to potential security threats.

The research, conducted amongst 150 IT decision makers highlights that employees are being forced to turn to consumer cloud products to share files as current business systems simply cannot offer the same level of service.

“Stealth cloud is a major issue for organisations,” says Paul Casey, Cloud Practice Leader Computacenter. “These cloud products are very convenient, easy to access, simple to use and perfect for remote working. Unfortunately, most IT departments don’t offer similar file sharing tools which are secure and as a result are losing the battle to keep company data on the office network.

“The second an employee stores files and data using a solution such as DropBox, IT managers lose all visibility of what is going on and potentially confidential information and intellectual property is open to security threats and breaches.”

These threats are understandably keeping IT managers awake at night with 56 per cent worried about possible security breaches and a further half wishing they had full visibility of what data is stored within the cloud.

Casey concludes: “It is imperative that businesses address this problem now. It is clear that everyone knows the risks of consumer cloud products, but until the correct solutions are put in place or alternative sanctioned solutions, employees will continue to turn to consumer clouds to get the job done – no matter what the consequence might be.”

If you would like advice on the creation of private ‘dropbox’ type technology please contact http://www.c24.co.uk for more details

Thanks to http://www.cloudcomputing-365.info/news_full.php?id=23373#

 

 

Leave a Comment » | Managed Service Hosting, Retail IT Solutions | Tagged: , , , , , , , , | Permalink
Posted by david ricketts

Follow

Get every new post delivered to your Inbox.

Join 751 other followers