Ten things IT should be doing to protect your data: but probably isn’t
By Rob Sobers
A tidal wave of structured and semi-structured data is drowning the enterprise – documents, video and audio – and to get value from this data, and turn it into an asset, people across many teams need to be able to collaborate and share that data. However, if the wrong people access the data, it can seriously damage the business.
In order to manage and protect that data, businesses need to have systems and structures in place to manage it, and to understand how the data is being used, who has access to it and, more importantly, who shouldn’t have access to it.
Businesses today are struggling with proper data protection. IT is tasked with protecting an organization’s data, but often without the business context needed to do this effectively. When considering how valuable an organization’s data is, a ‘best guess’ scenario is not enough. There are certain steps IT should take to keep data properly protected and managed, while still ensuring the right people have access to that data.
A company’s data is usually protected by access control lists containing security groups. Users are slotted into these groups depending on their role in the company or organizational need. Once these users are put into the appropriate groups, and these groups are placed in the proper access control lists, then only the right users will have access to the data in that folder.
In practice, however, it is a different story. Technical departments face enormous challenges in keeping the correct users in the correct groups, and then mapping these groups to the right folders. Users move within organizations, change roles, join different teams, and tend to require access to more information as they do this.
Access control lists rarely reflect the true needs of the business. More often than not, users have access to far more information than they need to do their jobs effectively, greatly increasing the risk of theft, data loss or misuse. At the same time, IT is not able to reduce access without having a negative impact on organizational activity.
There are several steps that must be taken to adequately protect a business’s data:
Audit data access
A comprehensive record of access is vital to the effective management of any data set. Unless a business can reliably monitor data use, it cannot hope to pick up on its non-use, misuse or abuse. A proper record of data use will allow an organization to answer critical questions, such as who deleted particular files, what data specific individuals use and what is not being used. It will also allow a business to answer more complicated questions, such as who owns a particular data set, which data sets support a particular business unit and how data can be locked down without disrupting workflows.
It is also impossible to effectively manage any data set without understanding who can and can’t access it. Access control lists and groups are the most basic and fundamental protective control mechanism for all unstructured and semi-structured data platforms. However, too often IT cannot quickly and easily answer data protection questions such as who has access to a particular data set, or which data sets a user or group has access to. IT must be able to answer these questions accurately and quickly for data protection and management projects to work.
Some data is more sensitive than other data. While all of a company’s information needs to be protected, some information needs that protection more urgently. In addition, while certain data sets have well-known owners and well-defined processes and controls for their protection, many are not so well understood. Audit trails, data classification technology and access control information help businesses to identify active and stale data, as well as data that is sensitive, classified or internal, and data that is accessible to many people. These data sets should be examined and addressed quickly to lower risk.
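The two questions above can be answered mechanically once ACLs and group membership are exported. The following is an added example, not part of the original article; the group names, users and UNC paths are constructed, and rights are simplified to a single label per ACL entry.

```python
# Constructed sample data: group -> direct members (users or nested groups).
GROUPS = {
    "Finance-RW": {"alice", "Finance-Managers"},
    "Finance-Managers": {"bob"},
    "HR-RO": {"carol", "Finance-Managers"},
    "All-Staff": {"Finance-RW", "HR-RO", "dave"},
}
# Constructed sample data: folder -> ACL entries as (principal, rights).
ACLS = {
    r"\\fs01\finance": [("Finance-RW", "modify")],
    r"\\fs01\hr": [("HR-RO", "read"), ("erin", "modify")],
    r"\\fs01\public": [("All-Staff", "read")],
}

def expand(principal, groups, seen=None):
    """Resolve a principal to the set of users it covers, following nesting."""
    seen = set() if seen is None else seen
    if principal not in groups:
        return {principal}            # not a group, so treat it as a user
    if principal in seen:
        return set()                  # already walked (shared or circular nesting)
    seen.add(principal)
    users = set()
    for member in groups[principal]:
        users |= expand(member, groups, seen)
    return users

def who_can_access(folder, acls, groups):
    """Answer 'who has access to this data set?': user -> {(rights, via)}."""
    result = {}
    for principal, rights in acls[folder]:
        for user in expand(principal, groups):
            result.setdefault(user, set()).add((rights, principal))
    return result

def what_can_user_access(user, acls, groups):
    """Answer 'what can this user reach?': folder -> sorted list of rights."""
    reach = {}
    for folder in acls:
        grants = who_can_access(folder, acls, groups).get(user, set())
        if grants:
            reach[folder] = sorted({rights for rights, _ in grants})
    return reach

if __name__ == "__main__":
    for folder in ACLS:
        print(folder, who_can_access(folder, ACLS, GROUPS))
    print("bob:", what_can_user_access("bob", ACLS, GROUPS))
```

Recording the principal through which each user gains access shows which group to change when a grant turns out to be wrong.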
Remove global access groups
Sometimes folders on file shares have access control permissions allowing ‘everyone’ or ‘all domain users’ to access the data they contain. SharePoint shares this problem, as does Exchange, which also has ‘Anonymous User’ access. This is a significant potential risk, as any information housed in that folder will inherit those permissions, and those who place information in these wide-open folders may be unaware of the unsecured settings. Sensitive data, such as PII, credit card information, intellectual property or HR information, exposed in this way can lead to enormous security problems. Global access to folders, SharePoint sites and mailboxes should be removed and replaced with rules that give access to the explicit groups that need it.
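Because the exposure spreads through inheritance, the useful finding is the folder where the global grant is set explicitly, together with everything beneath it that inherits the grant. The following is an added example, not part of the original article; the list of global principal names, the folder paths and the ACL export format are assumptions made for illustration.

```python
from pathlib import PurePosixPath

# Assumed names for global principals; adjust to the directory in use.
GLOBAL_PRINCIPALS = {"everyone", "domain users", "authenticated users",
                     "anonymous user"}

# Constructed ACL export: (folder, principal, rights, inherited_from_parent).
ACES = [
    ("/shares/projects", "Everyone", "modify", False),
    ("/shares/projects/alpha", "Everyone", "modify", True),
    ("/shares/projects/alpha/hr-export", "Everyone", "modify", True),
    ("/shares/projects/alpha", "Proj-Alpha-RW", "modify", False),
    ("/shares/finance", "Finance-RW", "modify", False),
    ("/shares/finance/reports", "Domain Users", "read", False),
]

def global_access_roots(aces):
    """Find explicit grants to global principals and the folders inheriting them.

    Remediation belongs at the explicit grant; the 'inherits' list shows how far
    the exposure actually reaches, including folders whose users may not know
    the parent is wide open.
    """
    findings = []
    for folder, principal, rights, inherited in sorted(aces):
        if inherited or principal.lower() not in GLOBAL_PRINCIPALS:
            continue
        below = sorted(
            f for f, p, _, inh in aces
            if inh and p == principal
            and PurePosixPath(folder) in PurePosixPath(f).parents
        )
        findings.append({"folder": folder, "principal": principal,
                         "rights": rights, "inherits": below})
    return findings

if __name__ == "__main__":
    for finding in global_access_roots(ACES):
        print(finding["folder"], finding["principal"], finding["rights"],
              "inherited by", len(finding["inherits"]), "subfolder(s)")
```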
Identify data owners
An organization’s technical department should maintain a list of data business owners and the folders and SharePoint sites under their responsibility. Through this list, IT can expedite many of the previously identified tasks, such as verifying permission revocation and review, and identifying data for archival. Ultimately, being able to identify the data owners will lead to a marked increase in the accuracy of data entitlement permissions and, in turn, data protection.
Perform entitlement reviews
When an individual within a company changes their role, that user should, more than likely, lose access to data resources that they no longer need. To ensure that access entitlements accurately reflect organizational need, they need to be reviewed on a regular basis. To do this successfully, the business must know, at the very minimum, what data and which security groups require review, which groups grant access to which data and who owns a particular data set. Performing these reviews will make sure that data can only be accessed by individuals who strictly need it.
Align security groups to data
When data access is controlled by security groups, it is vital that the groups are properly aligned with the data sets they are in place to protect. A group should have the ability to grant access to the data sets that are required and nothing else. Doing this requires complete visibility into who can access a data set, and which data sets can be accessed by which groups. If the groups do not align with data, they must be adjusted or new groups must be created.
Audit permissions and group changes
Access control lists play a vital role in protecting data from loss, tampering or exposure. Technical departments must be able to capture and report on access control changes to data, particularly for highly sensitive data. If access is assigned to the wrong people, or altered to a more permissive state with no good business reason, both IT and the data owner must be quickly notified and be able to remediate at once.
Directory groups are the primary entities on access control lists - membership gives access to unstructured data. Servers also have their own local groups that need to be audited. Users are added to current and new groups on a daily basis. If a company is unaware of who is being added to and removed from these groups, enforcing access control processes is impossible. Group membership should be authorised and reviewed by the owner of the data or resource to which the group provides access.
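One way to capture such changes is to compare periodic snapshots of ACLs and group membership and raise an alert when sensitive data gains a new or broader grant. The following is an added example, not part of the original article; the snapshot format, the three-level rights ranking, the owner mapping and all names are assumptions.

```python
# Simplified rights model, least to most permissive (an assumption).
RANK = {"read": 1, "modify": 2, "full": 3}

# Constructed snapshots of an ACL export: (folder, principal) -> rights.
ACL_BEFORE = {
    ("/shares/hr", "HR-RO"): "read",
    ("/shares/hr", "HR-Admins"): "full",
    ("/shares/finance", "Finance-RW"): "modify",
}
ACL_AFTER = {
    ("/shares/hr", "HR-RO"): "modify",        # altered to a more permissive state
    ("/shares/hr", "HR-Admins"): "full",
    ("/shares/hr", "Contractors"): "read",    # new grant
}
# Constructed snapshots of direct group membership, plus owner metadata.
GROUPS_BEFORE = {"HR-RO": {"carol"}, "HR-Admins": {"dana"}}
GROUPS_AFTER = {"HR-RO": {"carol", "temp-01"}, "HR-Admins": {"dana"}}
SENSITIVE = {"/shares/hr"}
OWNERS = {"/shares/hr": "hr-director", "/shares/finance": "cfo"}

def acl_changes(before, after, sensitive, owners):
    """List ACL differences; alert on new or broader grants to sensitive data."""
    events = []
    for folder, principal in sorted(set(before) | set(after)):
        old = before.get((folder, principal))
        new = after.get((folder, principal))
        if old == new:
            continue
        if old is None:
            kind = "granted"
        elif new is None:
            kind = "revoked"
        else:
            kind = "escalated" if RANK[new] > RANK[old] else "reduced"
        events.append({
            "folder": folder, "principal": principal, "kind": kind,
            "old": old, "new": new,
            "alert": kind in ("granted", "escalated") and folder in sensitive,
            "notify": owners.get(folder, "unassigned"),
        })
    return events

def membership_changes(before, after):
    """Report members added to or removed from each group between snapshots."""
    changes = {}
    for group in sorted(set(before) | set(after)):
        old, new = before.get(group, set()), after.get(group, set())
        if old != new:
            changes[group] = {"added": sorted(new - old), "removed": sorted(old - new)}
    return changes
```

A membership change to a group that sits on a sensitive ACL widens access just as an ACL edit does, so both reports should be sent to the same data owner.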
Lock down, delete or archive stale, unused data
A lot of data housed on unstructured and semi-structured platforms is stale. By archiving stale or unused data to offline storage or deleting it, IT makes the job of managing the remainder simpler and easier, while freeing up an expensive resource.
Clean up legacy groups and artefacts
Unneeded complexity hampers performance and makes mistakes more likely to occur. Businesses create so many groups that they often have as many groups as they do users, and many of these groups are likely to be empty, unused or redundant. Some groups contain subgroups, which contain other groups, across many levels of nesting. Access control lists often contain references to previously deleted users and groups, and these must be identified and remediated.
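The artefacts listed above can be found from the same exports used for access reviews. The following is an added example, not part of the original article; the groups, users, folder paths and the unresolved SID are constructed, and the nesting threshold of two levels is an arbitrary assumption.

```python
# Constructed sample data: group -> direct members (users or nested groups).
GROUPS = {
    "Sales": {"alice", "Sales-EMEA"},
    "Sales-EMEA": {"Sales-EMEA-UK"},
    "Sales-EMEA-UK": {"bob"},
    "Proj-2009": set(),            # no members left
    "Old-Intranet": {"carol"},     # has members, but grants nothing
}
# Constructed sample data: folder -> principals named on its ACL.
ACLS = {
    "/shares/sales": ["Sales", "S-1-5-21-1111111111-2222222222-3333333333-1105"],
    "/shares/archive": ["Proj-2009", "former-employee"],
}
USERS = {"alice", "bob", "carol"}  # accounts that still exist in the directory

def nesting_depth(group, groups, path=()):
    """Count group levels from this group down; raise on circular nesting."""
    if group in path:
        raise ValueError("circular nesting: " + " -> ".join(path + (group,)))
    nested = [m for m in groups[group] if m in groups]
    return 1 + max((nesting_depth(g, groups, path + (group,)) for g in nested),
                   default=0)

def cleanup_report(groups, acls, users, max_depth=2):
    """Collect the legacy artefacts worth reviewing with the data owners."""
    on_acls = {p for entries in acls.values() for p in entries}
    nested_somewhere = {m for members in groups.values() for m in members}
    return {
        "empty": sorted(g for g, members in groups.items() if not members),
        "unused": sorted(g for g in groups
                         if g not in on_acls and g not in nested_somewhere),
        "too_deep": sorted(g for g in groups
                           if nesting_depth(g, groups) > max_depth),
        # ACL entries that resolve to no existing group or user, such as a
        # deleted account or a SID the directory can no longer translate.
        "orphaned_acl_entries": sorted(
            (folder, p) for folder, entries in acls.items() for p in entries
            if p not in groups and p not in users),
    }

if __name__ == "__main__":
    for finding, items in cleanup_report(GROUPS, ACLS, USERS).items():
        print(finding, items)
```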
Author: Rob Sobers, director at data governance specialist Varonis.
•Date: 29th August 2013 • World •Type: Article • Topic: ISM