The Race is On: Tips for Finding Sensitive Data Before the Hackers Do

With data growing at a rate of 50% per year and the demand for access to data from employees, partners and customers at an all-time high, it’s no secret to IT that the complexity of managing and protecting their data is growing faster than their available resources. David Gibson, director of strategy at Varonis (www.varonis.com), guides us through the growing trend to implement software automation to identify, manage and protect access to sensitive data.

Certainly there is some benefit to “quarantining” some sensitive data—taking it off the network entirely or restricting access to only a very few people. However, an enormous amount of data resides in file servers and other unstructured repositories because it is needed for the execution of business processes and cannot be quarantined—some level of access is required by business units and collaborative teams. Secure collaboration with valuable digital assets requires optimising and automating authorisation, together with proactive monitoring of authorised use. New technologies are needed to keep up with the explosive growth of unstructured data and collaboration requirements.

Tools of the Race

While there are a number of software solutions focused on data management and protection, only a select few effectively employ metadata framework technology, which can identify sensitive data 90% faster than traditional classification methods. Data governance software that provides dynamically available metadata allows IT to answer questions like:

  • Who has access to a data set?
  • Which data is sensitive?
  • Where is my sensitive data overexposed, and how do I fix it?
  • Who has been accessing it?
  • Which folders need an owner?
  • Who is the likely data owner?
  • Who has unnecessary permissions to each data set?
  • What data is unused?

When considering software automation that leverages metadata framework technology, measuring the effectiveness of a solution is simplified by checking that it provides the following critical data protection features.

Visibility

Any solution for data management and control must provide a clear visual representation of data access controls (permissions) as they are currently defined in the existing file system hierarchy. This visual must show, in an aggregated and searchable fashion:

  • All users with access to any folder, SharePoint site, etc., from which groups they derive that access, and what level of permissions they have
  • Which folders and subfolders within a file server are accessible by any selected user or group, as well as the specific permissions on each folder (Microsoft NTFS permissions, share permissions, SharePoint permissions, etc.)
  • Filtered views that allow queries based on username, group name or folder/data name
  • Automated updating of views to reflect changes or new data within Active Directory (e.g., user-to-group membership) as well as within the file server (e.g., new, deleted or renamed data, access control list changes)

Control

Any solution for unstructured data management must include mechanisms to define, test, update and reverse file and folder permission changes. Specifically, the system needs to provide:

  • The means to “push” or commit changes to access permissions directly onto the file server or directory service (e.g. Active Directory). The mechanism should include an option to push changes explicitly with system administrator intervention or in an automated fashion via a scheduler.
  • “What If” capabilities, otherwise known as a sandbox, where changes to folder permissions can be carried out in a simulated fashion in order to determine what impact, if any, the change will have on access. For instance, the system should allow the revocation of an entire group’s permissions in the sandbox, indicate clearly which legitimate users would be affected negatively, and allow that condition to be mitigated prior to a live push.

Auditing

A detailed audit trail must be provided for all aspects of data use (opens, creates, deletes, moves, e-mail sent or received, modifications to content, permissions or group membership, etc.). The presentation of the information should be easily comprehensible, sortable and searchable, and available as both on-demand and scheduled reports.

Security

A system for unstructured data governance needs to provide an automated means for the revocation of data permissions. Specifically, the system should:

  • Identify by name all users whose access to a given data set should be revoked
  • Re-compute revocations as changes to Active Directory and file servers occur
  • Provide the means to test the recommended revocations prior to enacting them on the servers for enforcement
  • Provide recommendations with accuracy greater than 3 nines (99.9%)
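To make the “What If” sandbox described under Control and the revocation recommendations described here concrete, the following Python is an added example written for this page (not Varonis code). It resolves effective access through nested directory groups, simulates dropping one group from a folder’s ACL and reports whose access level would shrink, split by whether the audit trail shows them using the data, and flags holders of access that was never exercised. All group names, users, permission levels and audit events are constructed sample data.

```python
# Constructed sample data (not from the article); "grp:" marks a nested group.
GROUP_MEMBERS = {
    "Finance-All": {"alice", "bob", "grp:Finance-Leads"},
    "Finance-Leads": {"carol"},
    "Everyone": {"alice", "bob", "carol", "dave"},
}
# One folder's ACL (group -> permission); LEVELS ranks permissions, higher implies lower.
FOLDER_ACL = {"Finance-All": "Modify", "Everyone": "Read"}
LEVELS = {"None": 0, "Read": 1, "Modify": 2}
# Audit trail for the folder over the review period: (user, action) events.
AUDIT_EVENTS = [("alice", "open"), ("carol", "modify"), ("alice", "create")]

def expand_group(group, members=GROUP_MEMBERS, seen=None):
    """Flatten nested group membership to a set of user names; cycle-safe."""
    seen = set() if seen is None else seen
    if group in seen:
        return set()
    seen.add(group)
    users = set()
    for m in members.get(group, ()):
        users |= expand_group(m[4:], members, seen) if m.startswith("grp:") else {m}
    return users

def effective_access(acl=FOLDER_ACL, members=GROUP_MEMBERS):
    """Map each user to the (group, permission) pairs through which they get access."""
    access = {}
    for group, perm in acl.items():
        for user in expand_group(group, members):
            access.setdefault(user, set()).add((group, perm))
    return access

def top_level(user, access):
    """Highest permission level the user holds in an effective-access map."""
    return max((p for _, p in access.get(user, ())), key=LEVELS.get, default="None")

def simulate_revocation(group, acl=FOLDER_ACL, members=GROUP_MEMBERS, events=AUDIT_EVENTS):
    """'What If' sandbox: drop one ACL entry, report (before, after) levels of users whose access shrinks."""
    before = effective_access(acl, members)
    after = effective_access({g: p for g, p in acl.items() if g != group}, members)
    drops = {u: (top_level(u, before), top_level(u, after)) for u in before}
    drops = {u: d for u, d in drops.items() if d[0] != d[1]}
    active = {u for u, _ in events}  # users the audit trail shows touching the data
    return {"active": {u: d for u, d in drops.items() if u in active},
            "idle": {u: d for u, d in drops.items() if u not in active}}

def recommend_revocations(acl=FOLDER_ACL, members=GROUP_MEMBERS, events=AUDIT_EVENTS):
    """Users who hold access to the folder but never exercised it in the review period."""
    active = {u for u, _ in events}
    return {u for u in effective_access(acl, members) if u not in active}
```

Revoking Finance-All in the sandbox shows alice and carol (active users) dropping from Modify to Read, which is the kind of legitimate-user impact the text says must be surfaced before a live push.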

Performance

Any proposed solution for unstructured data management should not impede the performance of file servers, the user access experience or business traffic flow. Specifically, the system should not require native operating system auditing on traditional distributed systems (Windows auditing, UNIX/Linux auditing) in order to deliver its core functionality for data control.

Scalability

Because most organisations add additional file servers over time and unstructured data grows very rapidly, the system has to provide room for growth. A data governance solution should be able to scale to accommodate unstructured data growing by more than 50% volume every 12 months.

Ease of Installation

A practical data protection solution cannot disrupt business operations or traffic flow. A solution should install quickly (e.g., within 5 business days), without the need for specialised professional services and without assigning dedicated IT staff.

Ease of Use

A solution should not require specialised off-site training in order to operate. Any necessary training should be simple, and something the vendor can deliver on-site. Of course, the user interface should be intuitive and consistent across each platform. Managing permissions comes down to users, data, and level of access—whether on Windows or UNIX file shares, SharePoint sites and libraries, or Exchange mailboxes and public folders—so the interface should provide a clear, unified view over all platforms.

Ease of Integration

Data protection solutions need to support a range of file servers and storage devices including Windows Servers, UNIX/Linux servers, SharePoint, Exchange, and network attached storage (NAS) from leading NAS vendors.

Low Total Cost of Ownership

A solution for data protection has to demonstrate quantifiable benefits in time and resource savings. Be sure to look for automation in the following areas, which are often the most manually intensive:

  • Data permission revocations
  • Permissions reporting
  • Data audit report generation
  • Data entitlement review
  • Stale data identification
  • Data business owner identification
  • Data migration

Winning the Data Security Race

With over 23 million records containing personally identifiable information (PII) leaked in 2011 alone (source: privacyrights.org), it is more important than ever for organisations to have proactive and repeatable processes in place for identifying and protecting critical data. Leveraging data governance software that employs metadata technology not only secures sensitive data, but also provides a speed and scale that traditional data protection methods cannot achieve – ensuring organisations are always in a position to win the race against hackers.

www.Varonis.com