Could your sensitive business data be the next WikiLeaks headline?
The worldwide controversy surrounding confidential material being supplied to WikiLeaks by ‘whistle-blowers’ – in turn leading to the publication of tens of thousands of secret US military documents in the likes of The New York Times and The Guardian – should act as a catalyst for IT Departments across the globe to take control of company data governance and offer a guarantee that employees have access to only the information they need.
What steps, then, ought IT security professionals in charge of permission management of employee data access be taking in order to implement a formal data governance programme?
At present, IT professionals – rather than the people that create the data (be it a spreadsheet, PowerPoint presentation or company report) – are the ones making many of the decisions about permissions, acceptable use and acceptable access review.
However, as IT personnel aren’t equipped with adequate business context around the growing volumes of data, they’re only able to make a best effort guess as to how to manage and protect each data set.
Until organisations start to shift the decision-making responsibility to business data owners, it’s IT that has to enforce rules about who can access what on shared file systems, and keep those structures current through data growth and user role changes.
IT needs to determine who can access data, who is accessing it, who should have access… and what information is likely to be sensitive.
Here are some must-do actions for the IT security team’s ‘To Do’ list, to be carried out as part of a daily data management routine and thus create a benchmark for data governance…
Identify the data owners
The IT Department should keep a current list of data business owners (eg those who have created original data) and the folders and SharePoint sites under their responsibility.
By having this list ‘at the ready’ IT can expedite a number of the data governance tasks (including access authorisation, revocation and review) and identify data for archival.
The net effect of this simple process is a marked increase in the accuracy of data access entitlement and, therefore, data protection.
Remove global groups from ACLs and perform data entitlement reviews
It’s not uncommon for folders on file shares to have access control permissions allowing ‘everyone’ or all ‘domain users’ (nearly everyone) to access the data contained. This creates a significant security risk, for any data placed in that folder will inherit those ‘exposed’ permissions.
Those who place data in these wide open folders may not be aware of the lax access settings.
Global access to folders should be removed and replaced with rules that give access to the explicit groups that need it.
Also every file and folder on a Windows or Unix file system has access controls assigned to it which determine which users can access the data and how (ie read, write, execute, list).
These controls need to be reviewed on a regular basis and the settings documented such that they can be verified as accurate by data business owners and security policy auditors.
Audit permissions changes
Access control lists are the fundamental preventive control mechanism in place to protect data from loss, tampering and exposure.
IT requires the ability to capture and report on access control changes to data (especially for highly sensitive folders).
If access is incorrectly assigned or changed to a more permissive state without good business reason, IT and the data business owner must be quickly alerted and be able to remediate the situation as soon as possible.
Audit group membership changes
Directory groups are the primary entities on access control lists (active directory, LDAP, NIS etc). Membership grants access to unstructured data (as well as many applications, VPN gateways, etc).
Users are added to existing and newly created groups on a daily basis. Without an audit trail of who is being added and removed from these groups, enforcing access control processes is impossible.
Ideally, group membership should be authorised and reviewed by the owner of the data or resource to which the group provides access.
Audit data access
Effective management of any data set is impossible without a record of access. Unless you can reliably observe data use you cannot observe its misuse, abuse or indeed non-use.
Even if an IT Department could ask its organisation’s users if they used each data set, the end users would most likely not be able to answer accurately (on the basis that the scope of a typical user’s access activity is far beyond what humans can recall).
Without a record of data usage, you cannot determine the proper organisational owner for a data set, and neither the unfound owner nor IT can make informed decisions about protecting, archiving or deleting it.
Prioritise data
While all data should be protected, some data needs to be protected much more urgently than others.
Using data owners, data access patterns and data classification technology, data that’s considered sensitive, confidential or internal should be tagged accordingly, protected and reviewed on a frequent basis.
Align security groups to data
Whenever someone is placed in a group, they get file system access to all folders that list the group on its ACL.
Unfortunately, organisations have completely lost track of what data folders contain which active directory, LDAP, SharePoint or NIS groups. This uncertainty undermines any access control review project and any role-based access control initiative.
In role-based access control methodology, each role has a list of associated groups into which the user is placed when they are assigned that role. It’s impossible to align the role with the right data if the organisation cannot verify what data a group provides access to.
Lock down, delete or archive stale, unused data
Not all of the data contained on shared file servers (and network attached storage devices) will be in active use. By archiving stale or unused data to offline storage or deleting it, IT makes the job of managing the remainder simpler and easier, while freeing up expensive resources.
At the very least, access to inactive data should be tightly restricted to reduce the risk of loss, tampering or theft.
The principal of least privilege is a well-accepted guideline for managing access controls: only those that have an organisational need to access information should be able to do so.
However, for most organisations, achieving a least privilege model is almost impossible because data’s being generated far too quickly and personnel changes are numerous. Even in small organisations the growing data set and pace of organisational changes exceed the IT Department’s ability to keep up with access control lists and group memberships.
By automating and conducting the ten management tasks outlined above on a frequent basis, organisations will gain the visibility and auditing required that determines who can access the data, who’s accessing it and who should have access.
This detailed data access behaviour will benefit organisations in a plethora of different ways, most significantly in terms of securing their data, ensuring compliance demands are met and freeing up expensive storage resources.
Wendy Yale is senior director of worldwide marketing at Varonis Systems
Could your sensitive business data be the next WikiLeaks headline?
The worldwide controversy surrounding confidential material being supplied to WikiLeaks by ‘whistle-blowers’ – in turn leading to the publication of […]
IFSEC Insider
IFSEC Insider | Security and Fire News and Resources Related Topics
Firestopping training course launched by ASFP for installers
Two new Experienced Worker Assessment routes approved for fire and security industry
Amthal expands accredited fire and security training to consultant and specifier customers