The recent worldwide controversy surrounding confidential material being supplied to Wiki Leaks by anonymous whistle-blowers – leading to the publishing of tens of thousands of secret US military documents in the likes of The New York Times and The Guardian – should act as a catalyst for IT departments across the globe to take control of company data governance and offer a guarantee that employees have access to only the information they need.
At present, IT professionals – rather than the people that create the data (be it a spreadsheet, PowerPoint presentation or company report) – are the ones making many of the decisions about permissions, acceptable use, and acceptable access review. However, as IT personnel aren’t equipped with adequate business context around the growing volumes of data, they’re only able to make a best effort guess as to how to manage and protect each data set.
Until organisations start to shift the decision making responsibility to business data owners, it is IT that has to enforce rules for who can access what on shared file systems, and keep those structures current through data growth and user role changes. IT needs to determine who can access data, who is accessing it, who should have access, and what is likely to be sensitive.
Here are some must-do actions for the IT team’s ‘to do’ list, to carry out as part of a daily data management routine, to create a bench mark for data governance:
Identify Data Owners
The IT department should keep a current list of data business owners (e.g. those who have created original data) and the folders and SharePoint sites under their responsibility. By having this list “at the ready,” IT can expedite a number of the data governance tasks, including access authorisation, revocation and review, and identifying data for archival. The net effect of this simple process is a marked increase in the accuracy of data access entitlement and, therefore, data protection.
Remove global groups from ACLs and perform data entitlement reviews
It is not uncommon for folders on file shares to have access control permissions allowing “everyone,” or all “domain users” (nearly everyone) to access the data contained. This creates a significant security risk, for any data placed in that folder will inherit those “exposed” permissions, and those who place data in these wide-open folders may not be aware of the lax access settings. Global access to folders should be removed and replaced with rules that give access to the explicit groups that need it.
Also every file and folder on a Windows or Unix file system has access controls assigned to it which determine which users can access the data and how (i.e. read, write, execute, list). These controls need to be reviewed on a regular basis and the settings documented so that they can be verified as accurate by data business owners and security policy auditors.
Audit Permissions Changes
Access Control Lists are the fundamental preventive control mechanism in place to protect data from loss, tampering, and exposure. IT requires the ability to capture and report on access control changes to data – especially for highly sensitive folders. If access is incorrectly assigned or changed to a more permissive state without good business reason, IT and the data business owner must be quickly alerted, and able to remediate the situation.
Audit Group Membership Changes
Directory Groups are the primary entities on Access Control Lists (Active Directory, LDAP, NIS, etc.); membership grants access to unstructured data (as well as many applications, VPN gateways, etc.). Users are added to existing and newly created groups on a daily basis. Without an audit trail of who is being added and removed from these groups, enforcing access control processes is impossible. Ideally group membership should be authorised and reviewed by the owner of the data or resource to which the group provides access.
Audit Data Access
Effective management of any data set is impossible without a record of access. Unless you can reliably observe data use you cannot observe its misuse, abuse, or non-use. Even if an IT department could ask its organisation’s users if they used each data set, the end users would unlikely be able to answer accurately—the scope of a typical user’s access activity is far beyond what humans can recall. Without a record of data usage, you cannot determine the proper organisational owner for a data set, and neither the unfound owner nor IT can make informed decisions about protecting it, archiving it, or deleting it.
While all data should be protected, some data needs to be protected much more urgently than others. Using data owners, data access patterns, and data classification technology, data that is considered sensitive, confidential, or internal should be tagged accordingly, protected and reviewed frequently.
Align Security Groups to Data
Whenever someone is placed in a group, they get file system access to all folders that list the group on its ACL. Unfortunately, organisations have completely lost track of what data folders contain which Active Directory, LDAP, SharePoint or NIS groups. This uncertainty undermines any access control review project and any Role Based Access Control (RBAC) initiative. In Role Based Access Control methodology, each role has a list of associated groups, into which the user is placed when they are assigned that role. It is impossible to align the role with the right data if the organisation cannot verify what data a group provides access to.
Lock Down, Delete, or Archive Stale, Unused Data
Not all of the data contained on shared file servers, and network attached storage devices are in active use. By archiving stale or unused data to offline storage or deleting it, IT makes the job of managing the remainder simpler and easier, while freeing up expensive resources. At the very least, access to inactive data should be tightly restricted to reduce the risk of loss, tampering, or theft.
The principal of least privilege is a well-accepted guideline for managing access controls—only those that have an organisational need to access information should be able to do so. However, for most organisations, achieving a least-privilege model is almost impossible because data is being generated far too quickly and personnel changes are numerous. Even in small organisations the growing data set and pace of organisational changes exceed the IT department’s ability to keep up with access control lists and group memberships.
By automating and conducting the ten management tasks outlined above frequently, organisations will gain the visibility and auditing required that determines who can access the data, who is accessing it and who should have access. This detailed data access behaviour will benefit organisations in a plethora of different ways, most significantly securing their data, ensuring compliance demands are met and freeing up expensive storage resources.