11 things IT should be doing (but isn’t)
When protecting data on cloud and on-premise file servers, most organisations readily admit that their current processes are less than ideal.
Unfortunately, IT personnel – rather than the people who own the data – are making many decisions about permissions, acceptable use, and access reviews. Since IT personnel do not have the business context behind the growing volumes of data, they can only make an educated guess on how to manage each data set.
Until organisations shift the decision-making responsibility to data owners, IT will continue to struggle to keep file permissions current as data grows and user roles change. The principle of least privilege is a well-accepted guideline for managing access controls: a user should hold only the access their role requires, and nothing more.
However, for most organisations a least privilege model is almost impossible to sustain by hand, because data is generated far faster than permissions are reviewed, and personnel changes are too numerous.
Ideally, all organisations should automate the 11 management tasks below so their access control processes can scale to their needs.
1. Audit data access
Effective management of data is impossible without a record of access. Unless IT staff can reliably monitor data use, they cannot spot misuse, let alone abuse. Without a data usage record it is difficult to answer critical questions like ‘which data does this user or group use, and which data is not used at all?’. On Windows file servers that record comes from object-access auditing together with audit entries (SACLs) on the folders that matter; other platforms need their equivalent file access logging switched on.
2. Inventory permissions and directory services group objects
Effective management of data is also impossible without understanding who has access to it. Access control lists and groups (in Active Directory, LDAP, etc.) are the fundamental protective control mechanism for all unstructured and semi-structured data platforms.
Yet too often, IT can't easily answer fundamental data protection questions, like ‘what data sets does a user or group have access to?’. Answers to these questions must be accurate and accessible for data protection to be successful.
3. Prioritise which data should be addressed
All data should be protected. But for a quick win, IT should focus initially on what might be considered ‘sensitive data’. Using audit trails, data classification technology, and access control information, organisations can identify sensitive data and data that is accessible to too many people. These data sets should be reviewed and addressed first to reduce risk.
4. Remove global access groups from ACLs
It is not uncommon for folders on file shares to have access control entries allowing ‘Everyone’, ‘Authenticated Users’ or all ‘Domain Users’ to access the data contained therein. This creates a significant security risk: because new files and subfolders inherit their parent's permissions by default, anything placed in such a folder is exposed to the same global group without anyone ever choosing to share it. This becomes problematic when considering sensitive data like PII, credit card information, intellectual property, or HR information.
Global access to folders, SharePoint sites, and mailboxes should be removed and replaced with entries for purpose-specific groups that give access only to those who need it.
5. Identify data owners
IT should keep a current list of data business owners and the folders and SharePoint sites under their responsibility. By having this list at the ready, IT can expedite a number of the previously identified tasks, including entitlement reviews and verifying that revoked permissions were actually removed.
6. Perform regular data entitlement reviews and revoke unused permissions
Every file on a Windows or Unix file system, every SharePoint site, and every public folder has access controls that determine which users can access the data and how. These controls need to be reviewed regularly, as users with access to data that is not material to their jobs constitute a security risk for organisations.
7. Align security groups to data
Whenever someone is placed in a group, they get file system access to every folder that lists the group on its ACL. Unfortunately, many organisations lose track of which Active Directory, LDAP, SharePoint or NIS groups appear on which folders' ACLs, and therefore of what adding a member to a group actually grants.
This uncertainty undermines any access control review project and role-based access control (RBAC) initiatives.
8. Audit permissions and group membership changes
Access control lists are the fundamental preventive control mechanism to protect data from loss, tampering, and exposure. When access is granted without a good business reason, IT and the data business owner must be alerted promptly so the change can be reversed.
With users added to groups daily, it is challenging to enforce access control processes without an accurate audit trail of who is being added and removed.
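As an added example for this page (not tooling the article describes), the PowerShell below pulls group-membership changes from a domain controller's Security log and flags the ones that touch groups guarding sensitive folders. The domain controller name, the watched group names and the provisioning account are assumptions; the event IDs and the EventData field names are Windows' own.

```powershell
# Added example: pull group-membership changes from the Security log and flag the ones
# that touch groups gating sensitive data. The DC name, watched group names and the
# provisioning account name are assumptions.
# Requires the "Security Group Management" audit subcategory, e.g. on the DC:
#   auditpol /set /subcategory:"Security Group Management" /success:enable /failure:enable
param(
    [string]$ComputerName = 'DC01',     # assumed domain controller
    [int]$Hours = 24
)

# Member added to a security-enabled local / global / universal group, and the removals.
$addedIds   = 4732, 4728, 4756
$removedIds = 4733, 4729, 4757

# Groups that appear on sensitive folders' ACLs (assumed names, see item 7).
$watchedGroups = 'FS-Finance-RW', 'FS-HR-Modify', 'Domain Admins'
# The only account expected to change them through the provisioning workflow (assumed).
$provisioningActor = 'CORP\svc-provisioning'

$events = Get-WinEvent -ComputerName $ComputerName -FilterHashtable @{
    LogName   = 'Security'
    Id        = $addedIds + $removedIds
    StartTime = (Get-Date).AddHours(-$Hours)
} -ErrorAction SilentlyContinue

$changes = foreach ($e in $events) {
    # Use the named EventData fields; positional Properties indexes differ between IDs.
    $xml  = [xml]$e.ToXml()
    $data = @{}
    foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }

    $action = if ($addedIds -contains $e.Id) { 'Added' } else { 'Removed' }
    [pscustomobject]@{
        Time      = $e.TimeCreated
        Action    = $action
        Group     = $data['TargetUserName']
        Member    = $data['MemberName']   # DN of the account, or '-' when only the SID is known
        MemberSid = $data['MemberSid']
        Actor     = "$($data['SubjectDomainName'])\$($data['SubjectUserName'])"
    }
}

# Any removal from a watched group, or any addition not made by the provisioning
# account, goes to IT and the data owner.
$alerts = $changes | Where-Object {
    $watchedGroups -contains $_.Group -and
    ($_.Action -eq 'Removed' -or $_.Actor -ne $provisioningActor)
}
$alerts | Sort-Object Time | Format-Table Time, Action, Group, Member, Actor -AutoSize
```

Permission changes on the folders themselves surface as event 4670 once the ‘Audit File System’ subcategory is enabled and the folder's SACL audits the ‘Change permissions’ right; the same loop works for those, reading the ObjectName field in place of TargetUserName.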
9. Lock down, delete, or archive stale, unused data
Much of the data contained on unstructured and semi-structured platforms is stale. By archiving unused data to offline storage, IT reduces the risk that it will be accessed by inappropriate parties and makes managing the remainder easier.
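One way to find what item 9 describes on a Windows share, as an added example and not the article's own: the script groups files by top-level folder (the granularity at which a data owner usually decides), counts the ones not written to within the threshold and sizes them. The share path and the two-year threshold are assumptions.

```powershell
# Added example: summarise stale data per top-level folder so each data owner can
# decide what to archive. The share path and threshold are assumptions.
param(
    [string]$Root = '\\fileserver\Projects',   # assumed share path
    [int]$StaleDays = 730
)
$cutoff = (Get-Date).AddDays(-$StaleDays)

# NTFS usually does not maintain LastAccessTime (check `fsutil behavior query
# disablelastaccess`), so without the access audit trail from item 1 the last write
# is the only timestamp that can be trusted for "unused".
$files = Get-ChildItem -Path $Root -File -Recurse -Force -ErrorAction SilentlyContinue

$report = $files |
    Group-Object {
        $rel = $_.FullName.Substring($Root.Length).TrimStart('\')
        if ($rel -like '*\*') { ($rel -split '\\')[0] } else { '(root)' }
    } |
    ForEach-Object {
        $stale  = @($_.Group | Where-Object { $_.LastWriteTime -lt $cutoff })
        $newest = ($_.Group | Sort-Object LastWriteTime -Descending | Select-Object -First 1).LastWriteTime
        [pscustomobject]@{
            Folder      = $_.Name
            Files       = $_.Count
            StaleFiles  = $stale.Count
            StaleGB     = [math]::Round((($stale | Measure-Object Length -Sum).Sum) / 1GB, 2)
            NewestWrite = $newest
        }
    } |
    Sort-Object StaleGB -Descending

$report | Format-Table -AutoSize

# Folders whose newest write is itself older than the cutoff can be archived as a unit.
$report | Where-Object { $_.NewestWrite -lt $cutoff } | Select-Object -ExpandProperty Folder
```

Run it as an account with read access to the whole share; folders it cannot enter are skipped silently, so an unexpectedly small file count is itself a finding for item 2.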
10. Clean up legacy groups and access control artefacts
Organisations often end up with nearly as many groups as users, leaving groups that are empty, unused or redundant. Furthermore, access control lists often contain references to previously deleted users and groups: entries whose SID no longer resolves to any account (‘orphaned SIDs’). An orphaned SID grants nobody access today, but it obscures who the folder was meant for, makes entitlement reviews unreliable, and usually signals that a leaver was never cleaned up.
This unneeded complexity slows ACL evaluation and logons (a user's access token carries every group they belong to) and makes reviews harder, so legacy groups and stale access control entries should be remediated wherever possible.
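Items 2, 4 and 10 all start from the same ACL inventory, so one added example (written for this page, not tooling the article describes) covers them: it walks a share, lists every Allow entry held by a global principal or by an unresolvable domain SID, and provides a dry-run-capable helper to remove an explicit entry once the data owner has approved. The share path, the principal list and the helper name are assumptions.

```powershell
# Added example: inventory ACEs on a share, flagging global-access groups and orphaned SIDs.
# The share path and the principal list are assumptions; adjust them for your environment.
param(
    [string]$Root = '\\fileserver\Finance'    # assumed share path
)

# Principals that amount to "anyone with a domain account" on a file server.
$globalPrincipals = @(
    'Everyone',
    'NT AUTHORITY\Authenticated Users',
    'BUILTIN\Users'
)
# Domain Users appears as DOMAIN\Domain Users for whatever the domain name is.
$domainUsersPattern = '\\Domain Users$'
# A domain SID (S-1-5-21-<domain>-<rid>) that Get-Acl could not translate to a name.
# Restricting to S-1-5-21 avoids flagging capability SIDs (S-1-15-...) that never resolve.
$orphanPattern = '^S-1-5-21-\d+-\d+-\d+-\d+$'

$folders = @(Get-Item -Path $Root) + @(Get-ChildItem -Path $Root -Directory -Recurse -ErrorAction SilentlyContinue)

$findings = foreach ($dir in $folders) {
    $acl = Get-Acl -Path $dir.FullName -ErrorAction SilentlyContinue
    if (-not $acl) { continue }

    foreach ($ace in $acl.Access) {
        # Deny entries for a global group are not an exposure.
        if ($ace.AccessControlType -ne 'Allow') { continue }

        $id       = $ace.IdentityReference.Value
        $isGlobal = ($globalPrincipals -contains $id) -or ($id -match $domainUsersPattern)
        $isOrphan = $id -match $orphanPattern
        if (-not ($isGlobal -or $isOrphan)) { continue }

        $finding = if ($isGlobal) { 'GlobalAccess' } else { 'OrphanedSid' }
        [pscustomobject]@{
            Path      = $dir.FullName
            Identity  = $id
            Rights    = $ace.FileSystemRights
            Inherited = $ace.IsInherited
            Finding   = $finding
        }
    }
}

# Non-inherited entries are where an exposure was introduced; removing those is enough,
# because children that inherit the entry lose it too. List them first.
$findings | Sort-Object Inherited, Path | Format-Table -AutoSize

# Remediation for one finding (assumed helper name). Supports -WhatIf so it can be
# rehearsed before the data owner signs off.
function Remove-ExplicitAce {
    [CmdletBinding(SupportsShouldProcess)]
    param([string]$Path, [string]$Identity)

    $acl = Get-Acl -Path $Path
    $targets = @($acl.Access | Where-Object { $_.IdentityReference.Value -eq $Identity -and -not $_.IsInherited })
    if ($targets.Count -eq 0) { return }
    if ($PSCmdlet.ShouldProcess($Path, "remove $($targets.Count) explicit ACE(s) for $Identity")) {
        foreach ($ace in $targets) { [void]$acl.RemoveAccessRule($ace) }
        Set-Acl -Path $Path -AclObject $acl
    }
}
# Dry run:  Remove-ExplicitAce -Path '\\fileserver\Finance\Payroll' -Identity 'Everyone' -WhatIf
```

An unresolvable SID from a trusted domain whose trust is currently down looks exactly like an orphan, so confirm against the directory before deleting; and when removing a global entry, make sure a purpose-specific group is already on the ACL, or the folder's legitimate users lose access in the same step.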
11. Get control of public cloud services
With millions of users on Dropbox and similar public cloud services, organisations cannot allow data to sit in repositories they have no oversight of: that data sits outside every control above, and they run the risk of losing it entirely.
Organisations either need to provide a sanctioned private cloud service that meets security requirements, or match the convenience of the public services closely enough that users are no longer tempted to bypass IT policy.
By following these 11 easy steps, IT can streamline and improve data management and protection processes while reducing risk.