by Brian Vecci
(This is one entry in a series of posts about the Varonis Operational Plan – a clear path to data governance. You can find the whole series here.)
One of my first jobs in IT was on the help desk for a medium-sized company. A big part of my job was provisioning access. If your company has shared data (and what organization doesn’t?), the words “I need access to this folder” are probably very familiar to you.
There are countless reasons for modifying access controls: new hires, consultants, role changes, temporary projects, cross-functional teams, terminations, department restructuring, M&A – the list goes on. Coordinating who has access to which data has, detrimentally, become a core responsibility of IT.
Let’s peek inside a typical permissions conversation between an end-user and the help desk:
User (to the Help Desk): I need access to a folder in the S: drive, can you help?
Help Desk: Of course. Can you tell me which folder?
User: The folder is called FYQ3-docs. I need access for the next few weeks.
Help Desk: Do you know who manages the folder? To make this change we need an approval.
User: My boss asked me to get access. I can forward you the email?
Help Desk: Sure, that will be good enough.
In some organizations, this process may be a little more complicated, a little more automated, or both, but in general the process follows this workflow: access is requested by a user, approved by that user’s manager, and provisioned by someone in IT.
That’s the way it’s been done for years, and it works great, right? Well, not really. This ostensibly innocent access provisioning workflow can be the seed for the most costly data breaches an organization will ever face.
The wrong people
In this example, the user’s manager is the one providing the approval. That person may not be, and in fact usually isn’t, the person who should be making this decision. The data itself is a business asset, so access to that data is a business decision. That means that the owner of that asset (i.e., the data owner) should be the one making the decision.
Imagine if access to a financial account worked the same way as access to a shared folder—managers would be able to get access for their team without the actual budget owner having any idea about it. Madness!
Organizations that have an excellent grasp on data ownership and information governance have not only figured out a way to ensure approval is granted by the right person, but they’ve factored the help desk out of the equation completely, freeing up precious resources.
A recent article on the Harvard Business Review blog states:
“Different kinds of assets, people, capital, technology, and data demand different kinds of management. You don’t manage people assets the same way you manage capital assets. Nor should you manage data assets in the same way you manage technology assets. This may be the most fundamental reason for moving responsibility for data out of IT.”
Let’s now re-envision the access provisioning scenario:
- User fills out a web form describing which data she needs access to, why, and for how long.
- Request gets automatically routed to the business person in the organization who is best equipped to approve the request – i.e., the data owner.
- Data owner approves or denies the request by clicking a button.
Much better! The access request is fulfilled by the correct person without involving the requestor’s manager or IT.
Easier said than done
The hard part here, and the reason things have traditionally worked this way, is that when it comes to shared data, we don’t have a good way of figuring out who the actual owner is. IT may have some idea based on group access—if there’s a single group that grants access to a folder, you may be able to figure out the director or manager of that group, for instance. But what happens if data is open to two or three different teams? What about data open to everyone? Identifying and aligning owners is extraordinarily difficult if you rely on traditional methods.
With Varonis, there’s a much better way. Because DatAdvantage is constantly gathering a complete audit record, we can use aggregate access activity to identify likely owners. If the three or four most active users of a folder all report to the same person, it’s highly likely that person is the true data owner. At worst, you’re one phone call away from knowing.
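The heuristic described above, sketched as an added example (this is not Varonis or DatAdvantage code). The audit events, reporting lines, and the function name `suggest_owners` are constructed for illustration, and skipping accounts that have no manager entry (such as service accounts) is an assumption.

```python
from collections import Counter, defaultdict

# Constructed sample data (not from any real audit log): one (user, folder) per access event.
EVENTS = (
    [("alice", r"S:\FYQ3-docs")] * 40 + [("bob", r"S:\FYQ3-docs")] * 31 +
    [("carol", r"S:\FYQ3-docs")] * 22 + [("dave", r"S:\FYQ3-docs")] * 2 +
    [("svc_backup", r"S:\FYQ3-docs")] * 90 +
    [("alice", r"S:\Shared")] * 15 + [("erin", r"S:\Shared")] * 14 +
    [("frank", r"S:\Shared")] * 12
)
# Constructed reporting lines: user -> manager. Accounts with no entry are skipped (assumption).
MANAGER_OF = {"alice": "grace", "bob": "grace", "carol": "grace",
              "dave": "heidi", "erin": "heidi", "frank": "ivan"}


def suggest_owners(events, manager_of, top_n=3):
    """Map each folder to (suggested_owner_or_None, managers of its top_n human users)."""
    per_folder = defaultdict(Counter)
    for user, folder in events:
        if user in manager_of:          # ignore accounts without a known manager
            per_folder[folder][user] += 1

    result = {}
    for folder, counts in per_folder.items():
        top_users = [u for u, _ in counts.most_common(top_n)]
        managers = Counter(manager_of[u] for u in top_users)
        # Suggest an owner only when there are enough active users and they share one manager.
        unanimous = len(top_users) == top_n and len(managers) == 1
        owner = next(iter(managers)) if unanimous else None
        result[folder] = (owner, dict(managers))
    return result


if __name__ == "__main__":
    for folder, (owner, managers) in suggest_owners(EVENTS, MANAGER_OF).items():
        status = owner or "no clear owner, needs manual review"
        print(f"{folder}: {status} (managers of top users: {managers})")
```

A folder used by several teams returns no suggestion along with the spread of managers, which is the case where a follow-up call is still needed.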
By identifying business owners of data, IT can take the first step toward shifting the burden to the teams who have the right context (and often authority) to be making decisions about access. One challenge with this approach is figuring out which folders actually need owners, something I’ll talk about in the next post.