C24 Top 12 tips

Upload: david-ricketts, posted 22-May-2015

12 Tips David Ricketts C24

12 Tips to Prevent your Sensitive Data Becoming a WikiLeaks Headline

By David Ricketts, Head of Marketing, C24

Recent worldwide controversies surrounding confidential material being supplied by anonymous whistle-blowers to unauthorised people and to sites such as WikiLeaks should act as a catalyst for organisations across the globe to take control of data governance and to guarantee that employees have access only to the information they need.

In our experience, the people responsible for the IT function are finding it increasingly difficult, and in some cases impossible, to manage many elements of data governance within their organisation. The tips below set out the steps that the teams in charge of managing employees' permissions to data need to take to safeguard it. By taking these steps, the IT function will be able to establish who can access data, who is accessing it, who should not have access, and who owns it, and to remediate risk faster than with traditional data governance and classification methods.

At present it is IT professionals, rather than the people who create the data (be it a spreadsheet, PowerPoint presentation or company report), who make many of the decisions about permissions, acceptable use and access review. However, because IT personnel lack the business context around the growing volumes of data, they can only make a best-effort guess at how to manage and protect each data set.

Until organisations shift decision-making responsibility to the business data owners, it is IT that has to enforce rules for who can access what on shared file systems, and keep those structures current through data growth and user role changes. IT needs to determine who can access data, who is accessing it, who should have access, and what is likely to be sensitive.

Here are the top must-do actions for the IT team's to-do list, to be carried out as part of a daily data management routine on behalf of senior executives and to create a benchmark for data governance:

1 Identify Data Owners

The IT department should keep a current list of business data owners (e.g. those who created the original data) and the folders and sites under their responsibility. Having this list at the ready expedites a number of data governance tasks, including access authorisation, revocation and review, and identifying data for archival. The net effect of this simple process is a marked increase in the accuracy of data access entitlements and, therefore, in data protection.

2 Remove global groups and perform data entitlement reviews

It is not uncommon for folders on file shares to have access control permissions allowing "Everyone", "Authenticated Users" or all "Domain Users" (nearly everyone) to access the data they contain. This creates a significant security risk: any data placed in such a folder inherits those exposed permissions, and those who place data there may not be aware of the lax access settings. Global access to folders should be removed and replaced with rules that grant access to the explicit groups that need it.

3 Audit Permissions Changes

Access Control Lists are the fundamental preventive control protecting data from loss, tampering and exposure. IT needs the ability to capture and report on access control changes to data, especially for highly sensitive folders. If access is incorrectly assigned, or changed to a more permissive state without good business reason, IT and the business data owner must be alerted quickly and be able to remediate the situation.

Page 3: C24 Top 12 tips

12 Tips David Ricketts C24

3

4 Audit Group Membership Changes

Directory groups (Active Directory, LDAP, NIS, etc.) are the primary entities on Access Control Lists; membership grants access to unstructured data, as well as to many applications, network gateways and so on. Users are added to existing and newly created groups on a daily basis, so every membership change needs to be recorded and reviewed against the data that the group unlocks.
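As an added example for tips 3 and 4 (this is not code from the original report or from C24), the script below reviews an exported Windows Security log for the two changes those tips call out: permission changes on folders (event 4670, which carries the old and new security descriptors in SDDL form, so the added ACEs can be diffed rather than re-reading the whole ACL) and members added to security groups (events 4728, 4732 and 4756 for global, local and universal groups). The event records are constructed; their field names follow the EventData names of those events, and the sensitive-folder and sensitive-group lists are assumptions standing in for a real inventory.

```python
import re

# SDDL abbreviations for principals that amount to "everyone".
GLOBAL_PRINCIPALS = {"WD": "Everyone", "AU": "Authenticated Users", "DU": "Domain Users"}
# Principals allowed full control without raising an alert (assumption for this example).
TRUSTED_FULL_CONTROL = {"BA", "SY"}            # BUILTIN\Administrators, SYSTEM
FULL_CONTROL_RIGHTS = {"FA", "GA"}             # file all access, generic all
MEMBER_ADDED_EVENTS = {4728: "global", 4732: "local", 4756: "universal"}

# Assumed inventory: sensitive folder roots (lower case, paths compare case-insensitively) and groups.
SENSITIVE_ROOTS = (r"f:\shares\finance", r"f:\shares\hr")
SENSITIVE_GROUPS = {"Finance-Payroll-RW", "HR-Confidential", "Domain Admins", "Administrators"}

# Constructed events: EventID plus the EventData fields the checks need.
EVENTS = [
    {"EventID": 4670, "SubjectUserName": "jsmith", "ObjectName": r"F:\Shares\Finance\Payroll",
     "OldSd": "D:PAI(A;OICI;FA;;;BA)(A;OICI;0x1200a9;;;S-1-5-21-11-22-33-1107)",
     "NewSd": "D:PAI(A;OICI;FA;;;BA)(A;OICI;0x1200a9;;;S-1-5-21-11-22-33-1107)(A;OICI;FA;;;WD)"},
    {"EventID": 4670, "SubjectUserName": "mkhan", "ObjectName": r"F:\Shares\Public\Templates",
     "OldSd": "D:(A;OICI;FA;;;BA)", "NewSd": "D:(A;OICI;FA;;;BA)(A;OICI;FR;;;AU)"},
    {"EventID": 4670, "SubjectUserName": "jsmith", "ObjectName": r"F:\Shares\Finance\Budget",
     "OldSd": "D:(A;OICI;FA;;;BA)", "NewSd": "D:(A;OICI;FA;;;BA)(A;OICI;FR;;;S-1-5-21-11-22-33-2201)"},
    {"EventID": 4728, "SubjectUserName": "helpdesk1", "TargetUserName": "Finance-Payroll-RW",
     "MemberName": "CN=Tom Lee,OU=Staff,DC=corp,DC=example"},
    {"EventID": 4728, "SubjectUserName": "helpdesk1", "TargetUserName": "Sales-Newsletter",
     "MemberName": "CN=Tom Lee,OU=Staff,DC=corp,DC=example"},
    {"EventID": 4732, "SubjectUserName": "helpdesk1", "TargetUserName": "Administrators",
     "MemberName": "CN=Tom Lee,OU=Staff,DC=corp,DC=example"},
]


def dacl_aces(sddl):
    """DACL ACEs of an SDDL string as (type, flags, rights, sid) tuples.
    Only the D: section is read; the S: section holds audit ACEs, not grants."""
    m = re.search(r"D:[A-Z]*((?:\([^)]*\))*)", sddl)
    if not m:
        return []
    aces = []
    for body in re.findall(r"\(([^)]*)\)", m.group(1)):
        parts = body.split(";")
        if len(parts) < 6:          # an SDDL ACE has six ';'-separated fields
            continue
        ace_type, flags, rights, _obj, _inherit, sid = parts[:6]
        aces.append((ace_type, flags, rights, sid))
    return aces


def widening_aces(aces):
    """Allow-ACEs that widen access: any grant to a global principal, or
    full control to a principal outside the trusted set. Deny ACEs never widen."""
    return [a for a in aces
            if a[0] == "A" and (a[3] in GLOBAL_PRINCIPALS
                                or (a[2] in FULL_CONTROL_RIGHTS and a[3] not in TRUSTED_FULL_CONTROL))]


def under(path, roots):
    """True if path is one of the roots or lies beneath one (prefix match on a path separator)."""
    p = path.lower()
    return any(p == r or p.startswith(r + "\\") for r in roots)


def review_events(events):
    """One alert per risky change, in log order."""
    alerts = []
    for ev in events:
        eid = ev["EventID"]
        if eid == 4670:
            path = ev["ObjectName"]
            old = dacl_aces(ev["OldSd"])
            added = [a for a in dacl_aces(ev["NewSd"]) if a not in old]   # diff, not the whole ACL
            for _t, _f, rights, sid in widening_aces(added):
                alerts.append({"kind": "acl_widened", "by": ev["SubjectUserName"], "object": path,
                               "principal": GLOBAL_PRINCIPALS.get(sid, sid), "rights": rights,
                               "sensitive": under(path, SENSITIVE_ROOTS)})
        elif eid in MEMBER_ADDED_EVENTS and ev["TargetUserName"] in SENSITIVE_GROUPS:
            alerts.append({"kind": "sensitive_group_add", "by": ev["SubjectUserName"],
                           "group": ev["TargetUserName"], "member": ev["MemberName"],
                           "scope": MEMBER_ADDED_EVENTS[eid]})
    return alerts


if __name__ == "__main__":
    for alert in review_events(EVENTS):
        print(alert)
```

Both event families only appear if the corresponding audit policy is on (object access auditing plus a SACL on the folders for 4670; account management auditing for the group events), so the first check to run is whether the log contains them at all. The ACL alert carries a "sensitive" flag rather than suppressing non-sensitive folders, because an "Everyone" grant on a public folder is still worth a look under tip 2.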

5 Audit Data Access

Effective management of any data set is impossible without a record of access. Unless you can reliably observe data use you cannot observe its misuse, abuse, or non-use. Even if an IT department could ask its organisation's users whether they used each data set, the end users would be unlikely to be able to answer accurately: the scope of a typical user's access activity is far beyond what humans can recall.

6 Prioritise Data

While all data should be protected, some data needs to be protected much more

urgently than others. Using data owners, data access patterns, and data classification

technology, data that is considered sensitive, confidential, or internal should be tagged

accordingly, protected and reviewed frequently.

7 Align Security Groups to Data

Whenever someone is placed in a group, they get file system access to every folder that lists the group on its ACL. Unfortunately, many organisations have lost track of which folders list which Active Directory, SharePoint or NIS groups. It is impossible to align a role with the right data if the organisation cannot verify what data a group provides access to.

8 Lock Down, Delete, or Archive Stale, Unused Data

Not all of the data held on shared file servers and network attached storage devices is in active use. By archiving stale or unused data to offline storage, or deleting it, IT makes managing the remainder simpler and easier while freeing up expensive resources. At the very least, access to inactive data should be tightly restricted to reduce the risk of loss, tampering or theft.

By automating these management tasks and carrying them out frequently, organisations will gain the visibility and auditing needed to determine who can access the data, who is accessing it and who should have access.

9 Review data entitlement (ACL)

Every file and folder in a file system has access controls assigned to it which determine which users can access the data and how (i.e. read, write, execute, list). These controls need to be reviewed regularly and the settings documented, so that business data owners and security policy auditors can verify them as accurate.

10 Revoke unused and unwarranted permissions

Users with access to data that is not material to their jobs constitute a security risk. Most users only need access to a small fraction of the data on file servers, so it is important to review permissions and revoke those that are unused. As in tip 3, IT should be able to capture and report on access control changes to data, especially for highly sensitive folders; if access is incorrectly assigned or made more permissive without good business reason, the business data owner can then identify the inconsistency quickly and report it to IT for remediation.
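As an added example covering tips 2, 9 and 10 together (not code from the original report or from C24), the script below runs an entitlement review over three inputs: an ACL export, a flattened group-membership map, and the access log that tip 5 asks for. It flags wide-open ACEs, documents which accounts each folder's ACL actually resolves to, and lists entitlements nobody used inside the review window. All three inputs are constructed for this example, and the simple CSV layout of the ACL export is an assumption; a real icacls or Get-Acl export needs its own parser in front of these checks.

```python
import csv
import io
from datetime import datetime, timedelta

GLOBAL_PRINCIPALS = {"Everyone", "Authenticated Users", "CORP\\Domain Users"}

# Constructed ACL export (assumed layout: one row per ACE).
ACL_EXPORT = """\
path,principal,rights
F:\\Shares\\Finance,CORP\\Finance-RW,Modify
F:\\Shares\\Finance,CORP\\Finance-Archive-RO,Read
F:\\Shares\\Finance\\Payroll,CORP\\Finance-RW,Modify
F:\\Shares\\Finance\\Payroll,CORP\\Domain Users,Read
F:\\Shares\\Finance\\Payroll,CORP\\Audit-RO,Read
F:\\Shares\\Marketing,Everyone,Modify
F:\\Shares\\Marketing,CORP\\Marketing-RW,Modify
"""

# Constructed group membership, already flattened (nested groups expanded).
GROUPS = {
    "CORP\\Finance-RW": {"alice", "bob"},
    "CORP\\Finance-Archive-RO": {"frank"},
    "CORP\\Audit-RO": {"carol"},
    "CORP\\Marketing-RW": {"dave", "erin"},
}

# Constructed access log, the kind of record tip 5 says you need before any of this works.
ACCESS_LOG = """\
timestamp,user,path,op
2015-05-01T09:12:00,alice,F:\\Shares\\Finance\\Payroll\\april.xlsx,read
2015-05-03T10:01:00,bob,F:\\Shares\\Finance\\budget.xlsx,write
2015-05-10T14:20:00,dave,F:\\Shares\\Marketing\\plan.pptx,write
2015-02-11T08:00:00,carol,F:\\Shares\\Finance\\Payroll\\jan.xlsx,read
"""


def parse_acl(text):
    return list(csv.DictReader(io.StringIO(text)))


def parse_log(text):
    rows = list(csv.DictReader(io.StringIO(text)))
    for r in rows:
        r["timestamp"] = datetime.fromisoformat(r["timestamp"])
    return rows


def under(path, folder):
    """True if path is the folder or lies beneath it; Windows paths compare case-insensitively."""
    p, f = path.lower(), folder.lower().rstrip("\\")
    return p == f or p.startswith(f + "\\")


def members(principal):
    """Accounts a principal resolves to: a group's members, or the bare account name itself."""
    return GROUPS.get(principal, {principal.split("\\")[-1]})


def exposed_entitlements(aces):
    """Tip 2: ACEs granted to near-global principals; anything dropped into these folders inherits them."""
    return [a for a in aces if a["principal"] in GLOBAL_PRINCIPALS]


def folder_report(aces):
    """Tip 9: per folder, each principal on the ACL with its rights and the accounts it resolves to."""
    report = {}
    for a in aces:
        report.setdefault(a["path"], {})[a["principal"]] = (a["rights"], sorted(members(a["principal"])))
    return report


def unused_entitlements(aces, log, as_of, window_days=90):
    """Tip 10: ACEs whose members touched nothing under the folder during the window.
    Global principals are skipped here because tip 2 removes them regardless of usage."""
    since = as_of - timedelta(days=window_days)
    recent = [e for e in log if e["timestamp"] >= since]
    unused = []
    for a in aces:
        if a["principal"] in GLOBAL_PRINCIPALS:
            continue
        who = members(a["principal"])
        if not any(e["user"] in who and under(e["path"], a["path"]) for e in recent):
            unused.append(a)
    return unused


def run_review(as_of_iso, window_days=90):
    """Run all three checks; exposed/unused are (path, principal) pairs, report is the tip 9 document."""
    aces, log = parse_acl(ACL_EXPORT), parse_log(ACCESS_LOG)
    as_of = datetime.fromisoformat(as_of_iso)
    key = lambda a: (a["path"], a["principal"])
    return {
        "exposed": [key(a) for a in exposed_entitlements(aces)],
        "unused": [key(a) for a in unused_entitlements(aces, log, as_of, window_days)],
        "report": folder_report(aces),
    }


if __name__ == "__main__":
    result = run_review("2015-05-20")
    for label in ("exposed", "unused"):
        print(label, result[label])
```

The window length decides what "unused" means: with 90 days, carol's February read of the payroll folder falls outside it and the Audit-RO grant is reported for revocation, while a 120-day window keeps it. An entitlement that a backup or service account holds but never exercises through the file API will also show up as unused, so the output is a list for the data owner to confirm, not a list to revoke automatically.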

11 Delete unused user accounts

Directories may contain user accounts for individuals who are no longer with the company or group. These accounts constitute a security hole: anyone with working knowledge of, and access to, the user directory may retrieve information under someone else's name. Organisations should routinely identify inactive users and verify that the need for each account still exists.
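As an added example for tip 11 (not code from the original report or from C24), the script below classifies accounts from a directory export into active, inactive and stale-disabled. It works from lastLogonTimestamp, the Active Directory attribute that is replicated between domain controllers (per-DC lastLogon is not), and allows for the fact that lastLogonTimestamp is only rewritten when the stored value is already 9 to 14 days old, so an account can look idle for up to two weeks longer than it really has been. Accounts that never logged on are measured from their creation date instead. The export rows are constructed, with dates as ISO strings for readability; a real export carries FILETIME integers, which filetime_to_datetime converts.

```python
from datetime import datetime, timedelta

EPOCH_1601 = datetime(1601, 1, 1)
REPLICATION_SLACK_DAYS = 14   # lastLogonTimestamp can lag real activity by this much


def filetime_to_datetime(ft):
    """Windows FILETIME (100 ns ticks since 1601-01-01 UTC) to a naive UTC datetime; 0 means never set."""
    return EPOCH_1601 + timedelta(microseconds=ft // 10) if ft else None


# Constructed directory export; None means the attribute was never set (the account never logged on).
ACCOUNTS = [
    {"sAMAccountName": "alice", "enabled": True, "whenCreated": "2012-03-01T00:00:00",
     "lastLogonTimestamp": "2015-05-18T00:00:00"},
    {"sAMAccountName": "bob", "enabled": True, "whenCreated": "2013-09-15T00:00:00",
     "lastLogonTimestamp": "2015-01-05T00:00:00"},
    {"sAMAccountName": "carol", "enabled": True, "whenCreated": "2015-05-10T00:00:00",
     "lastLogonTimestamp": None},
    {"sAMAccountName": "dave", "enabled": True, "whenCreated": "2014-11-01T00:00:00",
     "lastLogonTimestamp": None},
    {"sAMAccountName": "erin", "enabled": False, "whenCreated": "2011-01-20T00:00:00",
     "lastLogonTimestamp": "2014-06-01T00:00:00"},
    {"sAMAccountName": "svc-backup", "enabled": True, "whenCreated": "2010-07-07T00:00:00",
     "lastLogonTimestamp": "2015-04-01T00:00:00"},
]


def last_activity(acct):
    """Best available activity date: the replicated last logon, else creation for never-used accounts."""
    stamp = acct["lastLogonTimestamp"] or acct["whenCreated"]
    return datetime.fromisoformat(stamp)


def classify_accounts(accounts, as_of_iso, inactive_days=90, disabled_retention_days=180):
    """active: seen inside the window. inactive: enabled but idle past the window plus
    replication slack (disable, then confirm with the owner). stale_disabled: disabled and
    idle past the retention period (delete). Recently disabled accounts are left alone."""
    as_of = datetime.fromisoformat(as_of_iso)
    inactive_cutoff = as_of - timedelta(days=inactive_days + REPLICATION_SLACK_DAYS)
    retention_cutoff = as_of - timedelta(days=disabled_retention_days)
    out = {"active": [], "inactive": [], "stale_disabled": []}
    for a in accounts:
        name, last = a["sAMAccountName"], last_activity(a)
        if not a["enabled"]:
            if last < retention_cutoff:
                out["stale_disabled"].append(name)
            continue
        if last < inactive_cutoff:
            out["inactive"].append({"account": name, "idle_days": (as_of - last).days,
                                    "never_logged_on": a["lastLogonTimestamp"] is None})
        else:
            out["active"].append(name)
    return out


if __name__ == "__main__":
    for bucket, names in classify_accounts(ACCOUNTS, "2015-05-20").items():
        print(bucket, names)
```

Two caveats a reviewer will hit immediately: service accounts that authenticate without an interactive logon (svc-backup here) still update lastLogonTimestamp on most logon types, but an account used only for a scheduled task on one machine may not, so "inactive" is a prompt to ask the owner, not proof of disuse; and the disable-then-delete split matters because a disabled account keeps its SID, group memberships and mailbox until deletion, which is what makes it safe to wait out the retention period before deleting.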

12 Preserve all user access events in a searchable archive

Even in environments where user-to-data permissions are current and accurate, it is important to maintain a searchable archive of all user access events. This helps organisations with triage and forensic analysis should data misuse or loss occur. IT should be able to search on a username, a filename and a date of interest, in any combination, to ascertain who accessed what and how. This information can also help expedite helpdesk call resolution.
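As an added example for tip 12 (not code from the original report or from C24), the script below keeps access events in a SQLite archive and answers the username / filename / date questions in any combination. Timestamps are stored as ISO 8601 strings so that plain string comparison is chronological and indexable, every search value is bound as a query parameter rather than pasted into SQL, and the path search escapes the LIKE wildcards so a filename containing "%" or "_" cannot widen a query. The event lines and column layout are constructed for this example.

```python
import csv
import io
import sqlite3

SCHEMA = """
CREATE TABLE IF NOT EXISTS access_events (
    ts      TEXT NOT NULL,   -- ISO 8601 UTC: string order is chronological order
    account TEXT NOT NULL,
    path    TEXT NOT NULL,
    op      TEXT NOT NULL,
    host    TEXT
);
CREATE INDEX IF NOT EXISTS ix_events_account ON access_events (account, ts);
CREATE INDEX IF NOT EXISTS ix_events_path    ON access_events (path, ts);
CREATE INDEX IF NOT EXISTS ix_events_ts      ON access_events (ts);
"""

# Constructed access events, one per line, as a collector might hand them over.
SAMPLE_EVENTS = """\
ts,account,path,op,host
2015-05-01T09:12:00Z,alice,F:\\Shares\\Finance\\Payroll\\april.xlsx,read,FS01
2015-05-01T09:15:00Z,alice,F:\\Shares\\Finance\\Payroll\\april.xlsx,write,FS01
2015-05-03T10:01:00Z,bob,F:\\Shares\\Finance\\budget.xlsx,write,FS01
2015-05-10T14:20:00Z,dave,F:\\Shares\\Marketing\\plan_v2.pptx,write,FS02
2015-05-12T16:45:00Z,carol,F:\\Shares\\Finance\\Payroll\\jan.xlsx,read,FS01
2015-05-12T16:46:00Z,carol,F:\\Shares\\Finance\\Payroll\\feb.xlsx,delete,FS01
"""


def open_archive(db_path=":memory:"):
    """Open (or create) the archive; pass a file path for a persistent archive."""
    conn = sqlite3.connect(db_path)
    conn.executescript(SCHEMA)
    return conn


def ingest(conn, csv_text):
    """Load events in one transaction; returns the number of rows stored."""
    rows = [(r["ts"], r["account"], r["path"], r["op"], r["host"])
            for r in csv.DictReader(io.StringIO(csv_text))]
    with conn:
        conn.executemany("INSERT INTO access_events VALUES (?, ?, ?, ?, ?)", rows)
    return len(rows)


def like_prefix(prefix):
    """Turn a literal path prefix into a LIKE pattern, escaping its metacharacters with '!'."""
    return prefix.replace("!", "!!").replace("%", "!%").replace("_", "!_") + "%"


def search(conn, account=None, path_prefix=None, since=None, until=None):
    """Any combination of filters; every value is bound as a parameter, never interpolated.
    since is inclusive, until is exclusive, both as ISO 8601 strings."""
    where, params = [], []
    if account:
        where.append("account = ?")
        params.append(account)
    if path_prefix:
        where.append("path LIKE ? ESCAPE '!'")
        params.append(like_prefix(path_prefix))
    if since:
        where.append("ts >= ?")
        params.append(since)
    if until:
        where.append("ts < ?")
        params.append(until)
    sql = "SELECT ts, account, path, op, host FROM access_events"
    if where:
        sql += " WHERE " + " AND ".join(where)
    return conn.execute(sql + " ORDER BY ts", params).fetchall()


if __name__ == "__main__":
    archive = open_archive()
    ingest(archive, SAMPLE_EVENTS)
    for row in search(archive, path_prefix="F:\\Shares\\Finance\\Payroll", since="2015-05-12T00:00:00Z"):
        print(row)
```

SQLite's LIKE is case-insensitive for ASCII, which suits Windows share paths. For forensic use the archive itself needs protecting: write it from a collector account that is the only one with INSERT rights, keep it on a host the file-server administrators do not control, and treat a gap in the ts sequence as a finding in its own right.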

What Are You Waiting For?

The biggest hurdle to overcome with this to-do list is the amount of time that conducting these checks on a daily basis requires, if it is even possible. It is imperative that businesses support their internal IT function by allowing them to use tools such as Varonis, so that they can adopt best-practice techniques and manage the business-critical areas highlighted in this report.

If you would like further information about any of the areas highlighted in this report

please do not hesitate to call C24 or visit www.c24.co.uk