A hacker’s dream: two-thirds of SharePoint users have no security policy

February 28, 2013

Even though Microsoft SharePoint is widely deployed throughout enterprises and SMBs as a collaboration platform, a shocking two-thirds of SharePoint-using companies in a recent survey have admitted to having ‘no active security policy’ in place for the application.

The situation translates to a smorgasbord of opportunity for a hungry information-hijacker, but one which could soon turn into an all-you-can-eat buffet. The study, carried out by Emedia and provided to Infosecurity on an exclusive basis, investigated a wide range of businesses from 25 through to 5000+ PC users. The study found that while about half (52%) of those surveyed were currently using SharePoint, the other half planned to adopt the application once its social networking enhancements were live.

“This is a data leakage time bomb,” said security specialist and UK Accounting Standards Board member Steve Bailey. “SharePoint is a very widely-used medium, and it’s growing fast, so it is remarkable that IT-savvy users are disregarding the security implications. This could be down to complacency, confusion as to where the responsibility for developing such a policy lies, or simply lack of awareness.”

Whatever the root cause, he noted that in many organizations, SharePoint use has grown organically to “become part of the fabric of the business without being subject to mainstream security controls.”

The employees themselves are part of the problem, but how to implement an IT policy that makes sense is a conundrum for many IT professionals – contributing to the lack of IT policy.

“Banning data sharing is not the solution – that’s both impractical and undesirable,” said Martin Sugden, CEO at Boldon James, which sponsored the study. “In fact, refusing to share data is inefficient and potentially dangerous. What’s important is striking the balance between the need to protect information and the need to share it.”

The survey concluded that a protective marking solution for labeling the data’s level of sensitivity needs to be implemented. Many government agencies use protective marking to minimize inadvertent disclosure of confidential information, while commercial organizations employ protective marking to control intellectual property or information containing customer data.

By clearly identifying sensitive information using a classification solution, it becomes easier to ensure that access control methodology is correctly connecting the right users to the right data, Sugden noted.

Yet the study discovered that 65% of respondents are not yet marking any of their data. A very low 9% of respondents said they protectively mark all emails, and the same percentage said they do the same for all documents. Only 17% of respondents said they mark all email and documents.

“When you consider that hundreds – and even thousands – of users could be accessing your SharePoint server, it makes sense to have a solid SharePoint security policy in place,” added Sugden. “[SharePoint] is a superb tool for creating routes into your data, but you can’t let your user group have unfettered access to data without giving them some method of understanding how sensitive it is – that’s why you have to label.”

Steve Bailey warned, “Any business that relies on SharePoint to store sensitive or confidential data should always ensure that its users understand their responsibilities for the safe handling of that information. With the advent of BYOD this extends to employees and associates.”

He cautioned that recent high-profile breaches should serve as object lessons. “Otherwise we’ll have more examples such as the Police email that, according to the [UK's] Information Commissioner’s Office (ICO) ‘contained 863 pieces of personal information’. Police accidentally sent the email containing the results of 10,000 checks with the Criminal Records Bureau (CRB) to a reporter when a staff member copied the wrong person into a message.”

Thanks to http://www.thethreatvector.wordpress.com


Start Sweating the Small Stuff

February 27, 2013

In his recent New York Times article, “That Daily Shower Can Be a Killer,” renowned geographer Jared Diamond observes how Americans tend to greatly exaggerate risks that are sensational and beyond our control—like plane crashes and nuclear radiation—yet underestimate the mundane, but more common risks that we can control—like slipping in the shower or falling from a ladder.

In my geek-centric mind, I immediately drew a corollary to computer security.   We’ve all met the engineer who will spend weeks obsessing over which password hashing algorithm to use, but fail to implement a solid password policy.

If you find yourself being hyper-paranoid about dangerous, but implausible attacks…stop!  Do a quick risk/frequency gut-check to determine whether you’re wasting time.  You shouldn’t be debating the strength of SHA-256 while your employees are emailing trade secrets to a Nigerian Prince.

XKCD: Security

What are some of the fall-in-the-shower type risks when it comes to data protection?  Our State of Data Protection Report from last year highlights a few:

  • Only 26% of companies are very confident their data is protected
  • 18% weren’t confident at all
  • 23% of companies were not confident or unsure where their critical business data resides
  • 27% of companies did not monitor any access activity on file servers and SharePoint sites
  • 13% of companies never revoke access to data when an employee leaves the organization
  • 61% do not scan their environment for sensitive data

Based on our results, there’s clearly a lot of room to tighten up these fundamental areas of day-to-day risk. Just as Mr. Diamond’s goal is to reduce life’s common accidents to 1 in 1,000, we should strive to minimize common data security risks, like insider theft, by implementing sound security programs.

Want to learn more about risk analysis?

Here are some good resources:


Top 3 SharePoint Security Challenges

December 14, 2012

The rapid adoption of SharePoint has outpaced the ability of organizations to control its growth and enforce consistent policies for security and access control. The ease with which SharePoint sites can be created means that SharePoint use is decentralized and often outside the purview of IT departments, security personnel and even dedicated SharePoint administrators.

So what are the top 3 SharePoint security challenges?

1 – Organic and chaotic deployment of SharePoint sites

Pervasive departmental use of SharePoint means that all types of data makes its way into SharePoint repositories. This can range in sensitivity and importance and may easily include human resources or product information. So, now the problem for organizations becomes not only identifying sensitive data but locating all SharePoint sites, existing and emerging.

2 – Ad hoc, complex permissions administration

The levels and types of permissions available with SharePoint are more complex than their NTFS counterparts, and the additional granularity and inheritance complexity creates more access levels and a high probability for erroneous or overly permissive access.

While access control decisions may be (rightly) left to the data owners through SharePoint’s permissions workflow, the complexity of its implementation often leads to inconsistency in ACL configuration and group assignment. Without strict auditing and oversight, permissions may be set in conflict with enterprise-level access policies, and may not include key business intelligence about why the access should be limited (e.g., content might be regulated or copyright protected).

3 – Limited, resource-intense auditing

Key to maintaining good access control over data is continuous monitoring of how data is being used. This is another challenge with a SharePoint environment. Microsoft SharePoint audit detail is geared toward helping site administrators manage content, not toward refining access policy. Consequently there is no way for SharePoint administrators to easily establish which users took what action on data.

The native auditing capabilities are also limited in terms of scalability across sites. “Normalizing” the data, i.e., creating a unified and accurate view of data use and access across sites and locations, is challenging and time-intensive. Exacerbating the problem is that files on SharePoint often make their way to other platforms like file shares and email – without a unified audit trail of activity, understanding how and by whom data is accessed in the collaborative environment can be a significant challenge.

Download our FREE guide to learn how to make sense of SharePoint permissions & lock down and monitor your sensitive data.


Top 5 Things IT Should Be Doing, But Isn’t

December 7, 2012

Posted on December 5, 2012 by 

A clear path to effective information governance.

1. Audit Data Access

Effective management of any data set is impossible without a record of access. Unless one can reliably observe data use, one cannot observe its non-use, misuse, or abuse. Without a record of data usage, one cannot answer critical questions—from the most basic ones, like “who deleted my files, what data does this person or people use, and what data isn’t used?” to more complex questions, like “who owns a data set, which data sets support this business unit, and how can I lock down data without disrupting workflows?”

2. Inventory Permissions and Directory Services Group Objects

Effective management of any data set is also impossible without understanding who has access to it. Access control lists and groups (in Active Directory, LDAP, etc.) are the fundamental protective control mechanism for all unstructured and semi-structured data platforms, yet too often IT cannot easily answer fundamental data protection questions like, “Who has access to a data set?” and “What data sets does a user or group have access to?” Answers to these questions must be accurate and accessible for data protection and management projects to succeed.

3. Prioritize Which Data Should Be Addressed

While all data should be protected, some data needs to be protected much more urgently than other data. Some data sets have well known owners and well defined processes and controls for their protection, but many others are less understood. With an audit trail, data classification technology, and access control information, organizations can identify active and stale data, data that is considered sensitive, confidential, or internal, and data that is accessible to many people. These data sets should be reviewed and addressed quickly to reduce risk.

Access our FREE Full Report, including the complete list of IT Must Do’s.

4. Remove Global Access Groups from ACLs (like “Everyone”) – especially where sensitive data is located

It is not uncommon for folders on file shares to have access control permissions allowing “Everyone,” or all “domain users” (nearly Everyone) to access the data contained therein. SharePoint has the same problem (especially with authenticated users). Exchange has these, as well as “Anonymous User” access. This creates a significant security risk, for any data placed in that folder will inherit those “exposed” permissions, and those who place data in these wide-open folders may not be aware of the lax access settings. When sensitive data, like PII, credit card information, intellectual property, or HR information, is in these folders, the risks can become very significant. Global access to folders, SharePoint sites, and mailboxes should be removed and replaced with rules that give access to the explicit groups that need it.

5. Identify Data Owners

IT should keep track of data business owners and the folders and SharePoint sites under their responsibility. By involving data owners, IT can expedite a number of the previously identified tasks, including verifying permissions revocation and review, and identifying data for archival. The net effect is a marked increase in the accuracy of data entitlement permissions and, therefore, data protection.



7 Recommendations for Data Protection by Forrester’s Andras Cser

November 27, 2012

by David Gibson

Last week Varonis hosted a webinar on using strong identity context to help protect data, where I was joined by Andras Cser of Forrester. Andras shared really interesting insights on the impact of data breaches, what got stolen, how they happened, and what you can do to better protect yourself.

On the topic of entitlement reviews, Andras shared, “You have to get into a fairly rigid and rigorous structure of attestations, and basically that means you would want to have a campaign that runs every quarter, clearly understand the mappings between people, groups and resources that they’re accessing, and have managers look at their employees’ access rights, data elements, data access, and also application users should be granted some way of overseeing who has access to the data their application actually generates.”

Andras also shared illuminating key case studies from organizations that are protecting hundreds of terabytes to petabytes of data that are growing at 1-2.5% per week. It was fun for me to hear a fresh perspective on what works and what doesn’t when you’re trying to manage and protect data at scale.

Some of Andras’ recommendations were:

To see all seven of Andras’ recommendations, register to download and watch the full data protection webinar here.


Using Varonis: Fixing the Biggest Problems

November 26, 2012

Now that we have a pretty good idea where the highest-risk data is, the question naturally turns to reducing that risk. Fixing permissions problems on Windows, SharePoint or Exchange has always been a significant operational challenge. I’ve been in plenty of situations as an admin where I know something is broken—a SharePoint site open to Authenticated Users for instance—but I’ve felt powerless to actually address the problem since any permissions change carries the risk of denying access to a user (or process) who needs it. Mistakes can have significant business impact depending on whose access you broke and on what data. Since we’re defining “at-risk” as being valuable data that’s over-exposed, that means that any accessibility problems we create will impact valuable data, and that can create more problems than we started with.

Step 3: Remediate High-Risk Data

The goal is to reduce risk by reducing permissions for those users or processes that don’t require access to the data in question.

The next step in the Varonis Operational Plan is fixing those high-risk access control issues that we’ve identified: data open to global access groups as well as concentrations of sensitive information open to either global groups or groups with many users. Since simply reducing access without any context can cause problems, we need to leverage metadata and automation through DatAdvantage.

Let’s tackle global access first. When everyone can access data, it’s very difficult to know who among the large set of potential users actually needs that access. If we know exactly who’s touching the data, we can be surgical about reducing access without causing any headaches.

DatAdvantage analyzes the data’s audit record over time in conjunction with access controls, showing folders, SharePoint sites, and other repositories that are accessible by global access groups, and those users who have been accessing that data who wouldn’t have had access without a global access group. In effect, it’s doing an environment-wide simulation to answer the question, “What if I removed every global access group off every ACL tomorrow. Who would be affected?” This report gives you some key information:

  • Which data is open to global access groups
  • Which part of that data is being accessed by users who wouldn’t otherwise be able to access

And it’s not just global groups that DatAdvantage lets you do this with. Because every data touch by every user on every monitored server is logged, Varonis lets you do this kind of analysis for any user, in any group, on any file or folder. That means you can safely remediate access to all of the high-risk data without risking productivity. You can actually fix the problem without getting in anyone’s way.
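The "what if I removed every global access group" question above can be worked through on a small scale. The following is an added example, not Varonis or DatAdvantage code: it assumes ACLs, group membership and an audit record are already available as plain Python data, and every folder, group and user name in it is constructed.

```python
"""What-if: remove every global access group from every ACL; who is affected?"""
from collections import defaultdict
from pathlib import PurePosixPath

# Assumed names for the global access groups being simulated away.
GLOBAL_GROUPS = frozenset({"Everyone", "Domain Users", "Authenticated Users"})

# Constructed directory data: group -> direct members (users or nested groups).
GROUPS = {
    "Finance": {"alice", "Finance-Managers"},
    "Finance-Managers": {"bob"},
    "HR": {"carol"},
}

# Constructed ACLs for folders with unique permissions; anything beneath a
# listed folder inherits from its nearest listed ancestor.
ACLS = {
    "/shares/finance": {"Finance"},
    "/shares/finance/payroll": {"Finance", "Domain Users"},
    "/shares/hr/reviews": {"HR", "Everyone"},
    "/shares/public": {"Everyone"},
}

# Constructed audit record: (user, path touched).
EVENTS = [
    ("alice", "/shares/finance/payroll/2013-02.xlsx"),
    ("bob", "/shares/finance/payroll/2013-02.xlsx"),
    ("dave", "/shares/finance/payroll/bonus.xlsx"),
    ("alice", "/shares/finance/budget.xlsx"),
    ("carol", "/shares/hr/reviews/q4.docx"),
    ("dave", "/shares/public/menu.pdf"),
    ("erin", "/shares/public/menu.pdf"),
]


def expand(principal, groups, seen=None):
    """Resolve a principal to the users it contains, following nested groups."""
    seen = set() if seen is None else seen
    if principal not in groups:
        return {principal}          # not a known group, so treat it as a user
    if principal in seen:
        return set()                # already visited: breaks membership cycles
    seen.add(principal)
    users = set()
    for member in groups[principal]:
        users |= expand(member, groups, seen)
    return users


def protecting_folder(path, acls):
    """Return the nearest folder at or above `path` that carries its own ACL."""
    p = PurePosixPath(path)
    for candidate in (p, *p.parents):
        if str(candidate) in acls:
            return str(candidate)
    return None


def simulate_global_removal(acls, groups, events, global_groups=GLOBAL_GROUPS):
    """For each folder open to a global group, list the active users who would
    lose access if the global groups were removed from its ACL.

    Assumption: global groups appear directly on ACLs, not nested in other groups.
    """
    active = defaultdict(set)       # folder -> users seen in the audit record
    for user, path in events:
        folder = protecting_folder(path, acls)
        if folder is not None:
            active[folder].add(user)

    report = {}
    for folder, principals in acls.items():
        open_to = principals & global_groups
        if not open_to:
            continue                # folder is not globally exposed
        explicit = set()            # users who keep access through other ACEs
        for principal in principals - global_groups:
            explicit |= expand(principal, groups)
        affected = active[folder] - explicit
        report[folder] = {
            "open_to": sorted(open_to),
            "affected": sorted(affected),
            "safe_to_remove": not affected,
        }
    return report


if __name__ == "__main__":
    for folder, row in simulate_global_removal(ACLS, GROUPS, EVENTS).items():
        print(folder, row)
```

Folders reported with an empty `affected` list can lose the global group without interrupting anyone; for the others, the listed users need an explicit group first, or their access needs review with the data owner.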

The next step is to start shifting decision making from your IT staff to the people who actually should be making choices about who gets access to data: data owners.


At-Risk Exchange Data

November 12, 2012

One of the more interesting benefits of last year’s launch of DatAdvantage for Exchange was the opportunities it presented to talk with different sets of people in our customers’ organizations. Where traditionally we’d worked mostly with security, storage, Windows or Active Directory teams, DatAdvantage for Exchange spurred meetings with messaging, e-Discovery and legal folks as well.

E-mail is a business-critical system, period. From an IT perspective, it may be the most critical system—most companies would rather lose their phones for a day than their e-mail. What that has meant for the Messaging folks in charge of Exchange is that simply keeping the lights on—making sure that emails are being delivered promptly and that the repository of stored data is available—has been far and away more important than access control. However, the consequence of focusing on availability rather than confidentiality or integrity has meant that a lot of the controls and auditing that should be in place are sorely lacking.

Data Governance and Exchange

Exchange is an interesting repository from a data governance perspective. The last time I wrote about using Varonis, I talked about how we can combine data classification with permissions exposure to identify the data that’s most at-risk on a file system or SharePoint site. Unlike a file share, the hierarchy is flat—everyone’s got their own mailbox, and it’s very easy to share out access rights to it. You can, for instance, give someone access to your inbox or calendar. With IT’s help, you can give them the ability to send email on your behalf, or even “as” you. Exchange is exactly like file shares in that mailbox access is reviewed periodically, mailboxes stay shared and users have send-as or send-on-behalf-of privileges for a long, long time.

What’s at Risk?

One of the first things we do when we spin up DatAdvantage for Exchange for a customer is to run a report that shows them everywhere someone in the organization has access to a mailbox that isn’t their own.

Everyone has access to their own mailbox by default. It takes some sort of permissions change, though, either on the client (Outlook) side, or by the admin on the Exchange server, to grant someone access to another mailbox. One of the things we’re seeing when we do this, by the way, is that the mailboxes that are without question most likely to have been shared are those that are probably considered the most valuable—those of the CEO and other high-level management. While native tools might let you manually (and somewhat painfully) check permissions on a mailbox-by-mailbox basis, Varonis gives you the ability to see where anyone has access to an object that’s not part of their own mailbox.

We take that risk assessment a step further, too, with another report that will show you where people are actually accessing data in mailboxes that don’t belong to them. For good or ill, these are probably the permissions you want to take a look at first from a governance perspective.


12 Tips to Prevent your Sensitive Data Becoming a Wikileaks Headline

October 19, 2012

By David Ricketts, Head of Marketing, C24

 

Recent worldwide controversies surrounding confidential material being supplied to unauthorized people and sites such as WikiLeaks by anonymous whistle-blowers should act as a catalyst for organisations across the globe to take control of data governance and offer a guarantee that employees have access to only the information they need.

 

In our experience we have found that employees responsible for the IT function are finding it increasingly difficult, and in some cases impossible, to manage many elements of data governance within their organisation.  Below are some tips that explain the steps that organisations in charge of permission management of employee data access need to take to safeguard their data. By taking these steps, the IT function will be able to understand who can access, who is accessing, who shouldn’t have access, and who owns the data, and remediate risk faster than traditional data governance and classification methods.

 

At present, IT professionals – rather than the people that create the data (be it a spreadsheet, PowerPoint presentation or company report) – are the ones making many of the decisions about permissions, acceptable use, and acceptable access review. However, as IT personnel aren’t equipped with adequate business context around the growing volumes of data, they’re only able to make a best effort guess as to how to manage and protect each data set.

 

Until organisations start to shift the decision making responsibility to business data owners, it is IT that has to enforce rules for who can access what on shared file systems, and keep those structures current through data growth and user role changes. IT needs to determine who can access data, who is accessing it, who should have access, and what is likely to be sensitive.

 

Here are the top must-do actions for the IT team’s ‘to do’ list, to carry out as part of a daily data management routine for senior executives, to create a benchmark for data governance:

 

1. Identify Data Owners

The IT department should keep a current list of data business owners (e.g. those who have created original data) and the folders and sites under their responsibility. By having this list “at the ready,” they can expedite a number of the data governance tasks, including access authorisation, revocation and review, and identifying data for archival. The net effect of this simple process is a marked increase in the accuracy of data access entitlement and, therefore, data protection.

 

2. Remove global groups and perform data entitlement reviews

It is not uncommon for folders on file shares to have access control permissions allowing “everyone,” or all “domain users” (nearly everyone) to access the data contained. This creates a significant security risk, for any data placed in that folder will inherit those “exposed” permissions, and those who place data in these wide-open folders may not be aware of the lax access settings. Global access to folders should be removed and replaced with rules that give access to the explicit groups that need it.

 

3. Audit Permissions Changes

Access Control Lists are the fundamental preventive control mechanism in place to protect data from loss, tampering, and exposure. IT requires the ability to capture and report on access control changes to data – especially for highly sensitive folders. If access is incorrectly assigned or changed to a more permissive state without good business reason, IT and the data business owner must be quickly alerted, and able to remediate the situation.

 

4. Audit Group Membership Changes

Directory Groups are the primary entities on Access Control Lists (Active Directory, LDAP, NIS, etc.); membership grants access to unstructured data (as well as many applications, network gateways, etc.). Users are added to existing and newly created groups on a daily basis.

 

5. Audit Data Access

Effective management of any data set is impossible without a record of access. Unless you can reliably observe data use you cannot observe its misuse, abuse, or non-use. Even if an IT department could ask its organisation’s users if they used each data set, the end users would be unlikely to be able to answer accurately—the scope of a typical user’s access activity is far beyond what humans can recall.

 

6. Prioritise Data

While all data should be protected, some data needs to be protected much more urgently than others. Using data owners, data access patterns, and data classification technology, data that is considered sensitive, confidential, or internal should be tagged accordingly, protected and reviewed frequently.

 

7. Align Security Groups to Data

Whenever someone is placed in a group, they get file system access to all folders that list the group on its ACL. Unfortunately, organisations have completely lost track of what data folders contain which Active Directory, SharePoint or NIS groups. It is impossible to align the role with the right data if the organisation cannot verify what data a group provides access to.

 

8. Lock Down, Delete, or Archive Stale, Unused Data

Not all of the data contained on shared file servers, and network attached storage devices are in active use. By archiving stale or unused data to offline storage or deleting it, IT makes the job of managing the remainder simpler and easier, while freeing up expensive resources. At the very least, access to inactive data should be tightly restricted to reduce the risk of loss, tampering, or theft.

 

By automating the ten management tasks outlined above and conducting them frequently, organisations will gain the visibility and auditing required to determine who can access the data, who is accessing it and who should have access.

 

9. Review data entitlement (ACL)

Every file and folder in a file system has access controls assigned to it which determine which users can access the data and how (i.e. read, write, execute, list). These controls need to be reviewed on a regular basis and the settings documented so that they can be verified as accurate by data business owners and security policy auditors.

 

10. Revoke unused and unwarranted permissions

Users with access to data that is not material to their jobs constitute a security risk for organisations. Most users only need access to a small fraction of the data that resides on file servers. It is important to review and then remove or revoke permissions that are unused. IT should have the ability to capture and report on access control changes to data – especially for highly sensitive folders. If access is incorrectly assigned or changed to a more permissive state without good business reason, the data business owner will be able to quickly identify and mitigate the situation by reporting the inconsistency to IT.

 

 

11. Delete unused user accounts

Directories may at times contain user accounts for individuals that are no longer with the company or group. These accounts constitute a security hole. Those with a working knowledge and access to user directories may retrieve information under someone else’s name. Organisations should routinely identify inactive users and verify that the need for the account is still there.

 

12. Preserve all user access events in a searchable archive

Even for environments where the user-to-data permissions are current and accurate, it is important to maintain a searchable archive of all user access events. This will help organisations with triage and forensic analysis should data misuse or loss occur. IT should be able to search on a username, filename as well as date of interest and any combination thereof to ascertain who accessed what and how. This information can also help expedite helpdesk call resolution.
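Tips 3 and 10 both call for catching ACL changes that leave data in a more permissive state. The following is an added example, not C24 or Varonis code, that diffs two ACL snapshots and raises alerts for widened access; the snapshot layout, severity levels, folder names and owner map are constructed assumptions.

```python
"""Diff two ACL snapshots and alert on changes that widen access."""

# Assumed names for global access groups.
GLOBAL_GROUPS = frozenset({"Everyone", "Domain Users", "Authenticated Users"})

# Constructed snapshots: folder -> {principal: rights}.
BEFORE = {
    "/shares/eng": {"Contractors": {"read", "write"}},
    "/shares/finance/payroll": {"Finance": {"read", "write"}, "Auditors": {"read"}},
    "/shares/hr/reviews": {"HR": {"read", "write"}},
    "/shares/public": {"Everyone": {"read"}},
}
AFTER = {
    "/shares/eng": {"Contractors": {"read"}},                      # tightened
    "/shares/finance/payroll": {"Finance": {"read", "write"},
                                "Auditors": {"read", "write"}},    # widened
    "/shares/hr/reviews": {"HR": {"read", "write"},
                           "Everyone": {"read"}},                  # new ACE
    "/shares/public": {"Everyone": {"read", "write"}},             # widened
}

# Constructed classification results and data owner list (tips 1 and 6).
SENSITIVE = {"/shares/finance/payroll", "/shares/hr/reviews"}
OWNERS = {"/shares/finance/payroll": "alice", "/shares/hr/reviews": "carol"}


def diff_acls(before, after):
    """Return (folder, principal, gained, lost) for every ACE that changed."""
    changes = []
    for folder in sorted(set(before) | set(after)):
        old, new = before.get(folder, {}), after.get(folder, {})
        for principal in sorted(set(old) | set(new)):
            old_rights = set(old.get(principal, ()))
            new_rights = set(new.get(principal, ()))
            gained, lost = new_rights - old_rights, old_rights - new_rights
            if gained or lost:
                changes.append((folder, principal, gained, lost))
    return changes


def permissive_alerts(before, after, sensitive, owners):
    """Alert on every change that grants rights; tightening is ignored.

    Severity scheme (an assumption for this example):
      critical = global group gains rights on a sensitive folder
      high     = either condition alone
      info     = neither
    """
    alerts = []
    for folder, principal, gained, _lost in diff_acls(before, after):
        if not gained:
            continue
        is_global = principal in GLOBAL_GROUPS
        is_sensitive = folder in sensitive
        if is_global and is_sensitive:
            severity = "critical"
        elif is_global or is_sensitive:
            severity = "high"
        else:
            severity = "info"
        alerts.append({
            "folder": folder,
            "principal": principal,
            "gained": sorted(gained),
            "severity": severity,
            # IT is always told; the data owner is added when one is on record.
            "notify": ["IT"] + ([owners[folder]] if folder in owners else []),
        })
    return alerts


if __name__ == "__main__":
    for alert in permissive_alerts(BEFORE, AFTER, SENSITIVE, OWNERS):
        print(alert)
```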

 

 

What Are You Waiting For?

The biggest hurdle to overcome with this ‘to do’ list is the amount of time that conducting these checks on a daily basis requires, if it is even possible! It is imperative that businesses support their internal IT function by allowing it to use tools such as Varonis, enabling it to adopt best-practice techniques and manage the business-critical areas highlighted in this report.

 

If you would like further information about any of the areas highlighted in this report please do not hesitate to call C24 or visit http://www.c24.co.uk


Data Migration a Security Threat: Varonis

October 2, 2012


Organizations are potentially exposing themselves to data breaches during migrations, and many don’t have confidence their data is secure, according to a Varonis survey. While 95 percent of organisations move data at least once per year, 65 percent of companies said they are not confident sensitive data was protected during a migration, according to an August survey of C-Level IT executives conducted by data governance software specialist Varonis Systems. The survey found 96 percent of respondents reported concerns when performing data migrations, with many leaving their data overexposed and vulnerable. The results suggest a growing data security problem that could affect the vast number of businesses performing data migrations and consolidations.

Organizations most commonly move data from one file server to another or to network attached storage (NAS) (80 percent), between domains (44 percent) and from file shares to SharePoint (40 percent). Two-thirds of organizations report that they usually move more than 1TB of data at a time, for a variety of reasons, including infrastructure upgrades and organizational changes–for example, a merger or acquisition. On the security side, 35 percent of those surveyed reported that they were very confident sensitive data would only be accessible to the right people during a migration.

“The survey underscores that maintaining who has access to what is an ongoing problem for organizations. The scale of the problem that organizations face when moving terabytes of data may be surprising, as a typical terabyte contains about 50,000 folders, and of those folders about 5 percent, or 2,500 folders, have unique permissions,” David Gibson, Varonis vice president of strategy, said in a prepared statement. “An average access control list (ACL) contains three to five security groups, and a typical group contains anywhere from five to 50 users, as well as other groups that contain even more users and groups. Let’s say each access control list represents 5 minutes of work to re-create—that’s over 200 hours of work per terabyte of data moved.”

About one-third of respondents described themselves as being very confident that sensitive data will be accessible to the correct people during a move, but only 20 percent reported that maintaining permissions is not an issue. Seventeen percent of respondents reported it as a significant issue, 49 percent reported it as a slight-to-moderate issue and a worrying 14 percent said they are aware of the issue but have not addressed it.

“Data and domain migrations are a big part of IT’s day-to-day activities. Organizations already face challenges maintaining availability, data integrity and confidentiality during a migration, not to mention identifying the data that should be moved and who it belongs to,” the report concluded. “With no slowdown in data growth in sight, IT organizations should anticipate that more migrations and archival projects will need to fit into their already busy schedules.”

Data security fears also are affecting adoption of cloud services, an earlier Varonis report found. That survey revealed that while 80 percent of companies do not allow their employees to use cloud-based file synchronization services, 70 percent of companies would use these services if they were as robust as internal tools. Only 20 percent of survey respondents said they currently allow file synchronization technology services due to fears of data leakage, security breaches and compliance issues.

Thanks to http://www.eweek.com

 

