Technology is getting more complex, data volumes are rising and users want more access. So how do you cope? David Gibson, VP of strategy at Varonis, offers his top ten tips to prevent data loss, protect your career and keep data breaches at bay.
To assess your data protection capabilities, you first need to answer some basic questions about data without making any assumptions. For any data set, do you know who has access to it, who is accessing it, who should have access to it, who owns it, when was the last time access was reviewed, which data is critical and where is critical data overexposed?
For any individual in the organisation, you need to be able to answer questions like, what data do they have access to and what data have they accessed over the last 30 days? Each question you can’t answer represents an opportunity to improve your security.
The uncomfortable fact is that the complexity of managing data is growing faster than the resources available within the vast majority of organisations. Combined with the fact that we are running out of skilled IT personnel to deal with this tsunami of data, it is time to take stock and examine how the average organisation can prevent a data catastrophe.
With over 23 million records containing personally identifiable information (PII) leaked in 2011 alone (source: privacyrights.org), it is more important than ever for organisations to ensure sensitive data is secure. If keeping up seems insurmountable with existing IT resources, imagine how it is going to be in a few years without additional skilled staff to help you.
With recent advancements in data governance software automation, IT can now easily implement ten simple steps to prevent data from being misused or stolen:
1. Audit data access
The first step towards getting your data under control and averting disaster is to properly audit all data access activity. Once your data touches are being audited, you can easily determine who is doing what with your data. This opens the door to answering questions IT is often stumped by, like, “who deleted my files?”, “what data is someone using?”, or “which data is stale?”. Auditing also provides the necessary information to allow IT to determine who owns a data set so they can be involved in deciding who should have access to it.
2. Inventory permissions and group memberships
All too often people gain access to more data over time which is rarely, if ever, revoked, even as changing roles obviate the need for that access. A full inventory of permissions for data stores and folders can take time, especially if you’re creating it manually. Thankfully, you can now automate all of this. By combining the permissions data with group memberships, you can start to see who has permission to access each file or folder.
3. Prioritise at-risk data
Not all data is created equal. Some files contain confidential corporate information, others customer or partner data. Maybe you keep credit cards on file, perhaps you’re storing social security numbers. Regardless of what it is, some data is sensitive and needs extra protection. By using tools that analyse your data to identify sensitive content and combining that data with other relevant metadata, you will be able to locate files and folders where such data is overexposed. A good tool will enable you to prioritise data that is most at-risk, so you can remediate that first.
4. Remove global access groups and broad access rights
In many organisations, access controls have been in place for years and much of the data is open to global access groups. Even if this exposed data isn’t sensitive or confidential, excessively broad access controls like this invite trouble. Removing global access groups is a good step towards ensuring that only the right people can get to your data. However, it may be unwise to remove these groups without first having a plan for restoring access to those who may require it for their jobs. The right technologies will allow you to “sandbox” your changes to see what the impact will be on business processes before effecting them in your production environment.
5. Identify data owners
The appropriate owner (or custodian) of a data set will often be one of the active users of that data or their immediate supervisor. Automation can significantly reduce the time it takes to identify owners by analysing access activity over time and indicating who the likely owners are. Ideally, only the data owner should decide who is allowed access to the data, with IT acting only as a facilitator. As an added bonus, data owners are often well qualified to review stale data that can be archived to free up storage space.
6. Perform entitlement reviews
As the organisation changes and new data sets are created, it is imperative to review access to ensure that permissions are aligned to business needs. Data owners are best qualified to determine which users no longer need (or should no longer have) access to their data. Time-consuming manual parts of the entitlement review process can be automated and data owners can be automatically prompted to conduct reviews at pre-defined intervals, with recommendations about which users look like they no longer require access to their data.
7. Align security groups with data
Where access to data is controlled by security groups, it’s critical that the groups themselves are properly aligned with the data sets they’re meant to protect. Often this is easier said than done - roles change, groups are created for special circumstances but not reviewed, and pretty soon the whole system is a mess. Cleaning this up requires complete visibility into which data sets can be accessed by which groups.
8. Audit permissions and group membership changes
Cleaning up permissions and group memberships is critical, but keeping everything in order is impossible without an audit trail of changes over time. Only through tracking can you be sure that the right people continue to have access to your data sets. Enforcing access controls is simply impossible without a record of all the daily changes. If inappropriate access or group membership is granted, an audit trail of who made the change and when can help ensure that it doesn’t happen again.
9. Lock down, delete or archive stale data
Stale data clogs up storage space and makes it harder to manage. In addition to the cost of storing it, keeping it on your active servers also increases the risk of it being misused. Automation can analyse access activity and identify any data that is not being used. Once the data owner confirms that the data is indeed stale and no longer needed, it may be archived or deleted.
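How the access-activity analysis in steps 1, 5 and 9 can work, as an added example that is not taken from the article or from any vendor product. The audit events, folder names, reference date and the 365-day and 180-day thresholds are all constructed assumptions.

```python
from collections import Counter
from datetime import date, timedelta

# Constructed audit events: (day, user, action, folder). Illustrative values only.
EVENTS = [
    (date(2012, 1, 10), "alice", "modify", "/shares/finance"),
    (date(2012, 5, 2), "alice", "modify", "/shares/finance"),
    (date(2012, 5, 20), "alice", "open", "/shares/finance"),
    (date(2012, 5, 21), "bob", "open", "/shares/finance"),
    (date(2011, 3, 4), "carol", "open", "/shares/projects-2009"),
    (date(2011, 3, 9), "carol", "delete", "/shares/projects-2009"),
]
TODAY = date(2012, 6, 1)  # assumed reference date for the sample


def last_access(events):
    """Most recent audited touch per folder."""
    latest = {}
    for day, _user, _action, folder in events:
        if folder not in latest or day > latest[folder]:
            latest[folder] = day
    return latest


def stale_folders(events, today, max_idle_days=365):
    """Folders untouched for max_idle_days: candidates for the owner to confirm."""
    cutoff = today - timedelta(days=max_idle_days)
    return sorted(f for f, day in last_access(events).items() if day < cutoff)


def likely_owner(events, folder, today, window_days=180):
    """Most active recent user of a folder; a suggestion to verify, not a decision."""
    since = today - timedelta(days=window_days)
    counts = Counter(u for d, u, _a, f in events if f == folder and d >= since)
    return counts.most_common(1)[0][0] if counts else None


def who_did(events, action, folder):
    """Answer questions such as "who deleted my files?" from the audit trail."""
    return [(d, u) for d, u, a, f in events if a == action and f == folder]


if __name__ == "__main__":
    print(stale_folders(EVENTS, TODAY), likely_owner(EVENTS, "/shares/finance", TODAY))
```

A folder with no recent activity yields no owner suggestion, which is why the stale-data decision still goes back to a person.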
10. Clean up stale groups and access control lists
Unnecessary complexity slows performance and makes mistakes more likely. Organisations often have as many groups as they do users - many are empty, unused or redundant. Some groups contain other groups, which contain other groups, and so on. In some cases, these nested groups end up creating a circular reference where the group ultimately contains itself. Also, access control lists often contain references to previously deleted users and groups (also known as “orphaned SIDs”). These legacy groups and misconfigured access control objects should be identified and remediated to improve both performance and security.
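The permissions inventory of step 2 and the clean-up checks of steps 4 and 10, as an added example that is not taken from the article or from any vendor product. It combines ACLs with nested group memberships and flags circular groups, empty groups, global access groups and orphaned ACL entries. All users, groups, paths and the SID are constructed sample values.

```python
# Constructed sample data: every name, SID and path here is illustrative.
USERS = {"alice", "bob", "carol", "dave"}
GROUPS = {
    "Everyone": {"alice", "bob", "carol", "dave"},  # global access group
    "Finance": {"alice", "FinanceManagers"},
    "FinanceManagers": {"bob", "Finance"},           # nests back into Finance
    "Projects-2009": set(),                          # empty group
}
GLOBAL_GROUPS = {"Everyone"}
ACLS = {
    "/shares/finance/payroll": ["Finance", "S-1-5-21-1111-2222-3333-1105"],
    "/shares/hr": ["carol", "Everyone"],
}

def expand(group, path=()):
    """Resolve a group to users; also return groups that sit on a circular reference."""
    path = path + (group,)
    users, cyclic = set(), set()
    for member in GROUPS[group]:
        if member in path:                 # the group ultimately contains itself
            cyclic.update(path[path.index(member):])
        elif member in GROUPS:             # nested group: recurse
            sub_users, sub_cyclic = expand(member, path)
            users |= sub_users
            cyclic |= sub_cyclic
        else:                              # anything else is treated as a user
            users.add(member)
    return users, cyclic

def inventory():
    """Combine each ACL with group membership into a per-folder report."""
    report = {}
    for folder, entries in ACLS.items():
        users, cyclic, orphaned = set(), set(), []
        for entry in entries:
            if entry in GROUPS:
                found, loops = expand(entry)
                users |= found
                cyclic |= loops
            elif entry in USERS:
                users.add(entry)
            else:                          # ACL entry for a deleted user or group
                orphaned.append(entry)
        report[folder] = {"users": sorted(users), "cyclic": sorted(cyclic),
                          "orphaned": orphaned, "global": sorted(GLOBAL_GROUPS & set(entries))}
    return report

def empty_groups():
    return sorted(name for name, members in GROUPS.items() if not members)
```

Calling `inventory()` returns one record per folder; `empty_groups()` lists groups that can be reviewed for removal.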