The SysAdmin Network

No more hiding in the server room

Tsahy Shapsa

Are you SICK of trying to figure out “Whose Data Is It Anyway?”

The other day I met with Anthony Nogueira, President & CEO of SafeSideCompliance. I was introduced to Anthony via one of our customers, and in our meeting we discussed what he does to help his customers protect the business-sensitive data stored on their file servers.

Anthony has many years of experience with technology solutions and is now working with large customers around securing their environments. Since launching SafeSideCompliance, Anthony has been focused on helping companies deal with different compliance regulations.

He shared with me that when it comes to data governance, he's all about helping his customers move from being sick to SICK: going from "sick" (trying to figure out "Whose Data Is It Anyway?": who has access to what data, what data is accessible to whom, and how data is being used) to SICK: Surround, Identify, Contain and Keep.

  • Surround the shares and folders on your file servers containing PII (Personally Identifiable Information) with the appropriate access controls, implementing a 'least privilege' methodology
  • Identify which folders are exposed to EVERYONE in your domain, and which areas on your file servers are overly permissive, by seeing beyond the groups shown in file system ACLs (Access Control Lists) and going as granular as the user level
  • Contain access rights policies by revoking unnecessary access to folders containing sensitive information
  • Keep repeating the above process in an automated manner

If your job relies on making sure your organization's data is protected and you worry about preventing data breaches, it's good to know what needs to be done in order not to feel sick!


Comment by Wesley "Nonapeptide" on April 16, 2010 at 1:58am
Super. But what tools are available that can BARF?
Be aware of who has access to each resource?
Alert me when changes to ACLs are made?
Report when those objects are being accessed?
Fire off notifications when people try to access things they shouldn't?

Seriously though, tools are needed that can keep track of who has access to each resource, when resources are being accessed and send notifications for a variety of alert conditions. Do you know of any tools like that?
Comment by Jason Short on April 16, 2010 at 4:58am
Assuming you're on Windows, AR and F sounds like a job for auditing object access, along with something like GFI Events Manager to notify you when something interesting happens. (I'm not associated with GFI, other than using their software at work and having relatively few complaints)

I have yet to find a good tool for "B" - the problem for me isn't discovery, it's putting all the information in a meaningful and easy to digest form.
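Jason's suggestion of Windows object-access auditing for the "A", "R" and "F" parts, as an added PowerShell example that is not part of this thread or of any product mentioned in it: it enables the relevant audit subcategories, puts a SACL on a share root so reads, writes, deletes and permission changes are recorded, and then pulls the resulting Security-log events into a report that puts denied attempts first. The share path `D:\Shares\Finance`, the 24-hour window and the set of audited rights are assumptions; the script must run elevated on the file server itself.

```powershell
# Added example (not from the thread): turn on file-system auditing for one
# share root and summarise who touched what. Run elevated on the file server.
# D:\Shares\Finance is an assumed path; change it to the share you care about.
$AuditRoot = 'D:\Shares\Finance'

# 1. Enable the audit subcategories that produce 4663 (object accessed) and
#    4670 (permissions on an object changed). Success and failure are both
#    wanted: failures are the "tried to access things they shouldn't" signal.
auditpol.exe /set /subcategory:"File System" /success:enable /failure:enable | Out-Null
auditpol.exe /set /subcategory:"Authorization Policy Change" /success:enable /failure:enable | Out-Null

# 2. Put a SACL on the share root so the subcategory has something to report.
#    Auditing Everyone covers every principal; the rights list is kept narrow
#    on purpose so the event volume stays manageable.
$auditRule = New-Object System.Security.AccessControl.FileSystemAuditRule(
    'Everyone',
    'ReadData, WriteData, AppendData, Delete, ChangePermissions',
    'ContainerInherit, ObjectInherit',
    'None',
    'Success, Failure')
$acl = Get-Acl -Path $AuditRoot -Audit
$acl.AddAuditRule($auditRule)
Set-Acl -Path $AuditRoot -AclObject $acl

# 3. Read the events back. Pulling named fields out of the EventData XML is
#    more reliable than parsing the rendered Message text.
function Get-EventDataValue {
    param([System.Diagnostics.Eventing.Reader.EventRecord]$Event, [string]$Name)
    $xml = [xml]$Event.ToXml()
    ($xml.Event.EventData.Data | Where-Object { $_.Name -eq $Name }).'#text'
}

function Get-FileAccessReport {
    param([string]$PathPrefix, [datetime]$Since = (Get-Date).AddHours(-24))
    $filter = @{ LogName = 'Security'; Id = 4663, 4670; StartTime = $Since }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
        ForEach-Object {
            $object = Get-EventDataValue $_ 'ObjectName'
            if ($object -notlike "$PathPrefix*") { return }   # only this share
            [pscustomobject]@{
                Time    = $_.TimeCreated
                EventId = $_.Id
                Outcome = if ($_.KeywordsDisplayNames -contains 'Audit Failure') { 'Failure' } else { 'Success' }
                User    = (Get-EventDataValue $_ 'SubjectDomainName') + '\' + (Get-EventDataValue $_ 'SubjectUserName')
                Object  = $object
                Detail  = if ($_.Id -eq 4670) { 'DACL changed' } else { 'Access mask ' + (Get-EventDataValue $_ 'AccessMask') }
            }
        }
}

# What happened under the share in the last day; sorting on Outcome puts
# 'Failure' rows ahead of 'Success' rows so denied attempts are at the top.
Get-FileAccessReport -PathPrefix $AuditRoot |
    Sort-Object Outcome, Time |
    Format-Table -AutoSize
```

Scheduling `Get-FileAccessReport` as a task and mailing its output (for example with `Send-MailMessage`) is the cheapest way to get Wesley's "alert me" behaviour without a third-party event manager; the 4670 rows are the ACL-change alerts, and the 'Failure' rows are the access attempts that were refused.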
Comment by Wesley "Nonapeptide" on April 16, 2010 at 5:12am
I didn't think Windows could do the "A" (I'm thinking sending me emails when things change). The R is paltry, IMO. I don't like sifting through event logs. I didn't think Windows natively did the "F" either.

I know there are products out there that do this sort of thing, I've just never had to get one of them and didn't pay enough attention when I heard people talking about them.

I can see the product's marketing line now: "If you're SICK you need to BARF!"
Comment by Rodd Young on April 20, 2010 at 11:15pm
Hi All,

We went through some major changes to our data structure fairly recently and decided on the following:

Corp Level
+ Department Level
+ Group
+ Management
+ Public

This was set as the base level structure for all Corp Data. AD Groups were created based off the Org Chart and users assigned to those groups. No one else from the organisation can access the Data unless a request comes from the Manager of the department responsible for the data.

The idea behind it was to place the responsibility back on the Managers of the Department to be responsible for their Data and who has access to it. Under the Group area only people within that group have access; this is like a group workspace. Under the Management Area only the Managers have access to the data; they create and store confidential reports, personnel reports etc. The public was created to be able to share data between departments/sections within the Organisation.

There was a bit of time involved in setting up AD groups and assigning permissions, however the benefits outweigh any time in setting up as Managers and users are confident that their data is secure and only those with permissions to access the data can access it.

Cheers
Comment by Tsahy Shapsa on April 20, 2010 at 11:53pm
Putting the house in order is a great start. However, when dealing with unstructured data, every end-user is a 'cook in the kitchen'. As you point out, in your case the managers of the departments (non IT I take it) are responsible for their data access controls. Over time, it's likely that data vulnerabilities will 'introduce themselves' to the environment. The question then, how can you validate that there are no policy violations?
1. How easy is it for you to make sure no folders are exposed to the 'Everyone' / 'domain users' group?
2. Can you tell where explicit permissions have been set on folders? That would totally break your system, which relies on AD group membership.
These examples can be caused, if nothing else, by mistake, multiplied by inheritance and the sheer amount of data in the environment.
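The Identify and Contain steps of the post's SICK list, and the two checks Tsahy asks about in the comment above (folders exposed to 'Everyone' / 'Domain Users', and explicit permissions that break the AD-group model), as one added PowerShell example that is not part of the thread and not SafeSideCompliance's or any vendor's tooling. It walks a share tree, flags Allow ACEs granted to broad principals and non-inherited ACEs below the root, expands each group ACE to individual users with the ActiveDirectory module so the report goes "beyond groups", and writes the result to CSV. The path `D:\Shares`, the list of principals treated as "broad" and the CSV name are assumptions; it is read-only unless `-Remediate` is given, and `-Remediate -WhatIf` previews the revocations first.

```powershell
# Added example (not from the thread): review a share tree for folders exposed
# to broad groups and for explicit ACEs that bypass the AD-group model, and
# expand group ACEs to user level. Needs the ActiveDirectory module (RSAT).
# Read-only unless -Remediate is given. D:\Shares is an assumed path.
Import-Module ActiveDirectory -ErrorAction Stop

# Principals that mean "effectively everyone" on a typical domain file server
# (assumed list; extend it with any catch-all groups your domain uses).
$BroadPrincipals = @('Everyone', 'NT AUTHORITY\Authenticated Users',
                     'BUILTIN\Users', 'Domain Users')

function Test-BroadPrincipal {
    param([string]$Identity)
    foreach ($p in $BroadPrincipals) {
        # Match with or without a domain prefix (CONTOSO\Domain Users, Domain Users).
        if ($Identity -eq $p -or $Identity -like "*\$p") { return $true }
    }
    return $false
}

# Recursively expand a domain group to its user members. Identities that are
# not AD groups (local groups, well-known SIDs, single users) come back as-is.
$script:MemberCache = @{}
function Expand-Identity {
    param([string]$Identity)
    if ($script:MemberCache.ContainsKey($Identity)) { return $script:MemberCache[$Identity] }
    $name = ($Identity -split '\\')[-1]
    try {
        $group   = Get-ADGroup -Identity $name -ErrorAction Stop
        $members = Get-ADGroupMember -Identity $group -Recursive |
            Where-Object objectClass -eq 'user' |
            ForEach-Object { $_.SamAccountName }
    } catch {
        $members = @($Identity)
    }
    $script:MemberCache[$Identity] = $members
    return $members
}

function Find-AclIssues {
    [CmdletBinding(SupportsShouldProcess)]
    param([string]$Root, [switch]$Remediate)
    $rootItem = Get-Item -Path $Root
    $folders  = @($rootItem) + @(Get-ChildItem -Path $Root -Directory -Recurse -ErrorAction SilentlyContinue)
    foreach ($folder in $folders) {
        $acl = Get-Acl -Path $folder.FullName
        foreach ($ace in $acl.Access) {
            if ($ace.AccessControlType -ne 'Allow') { continue }
            $id       = $ace.IdentityReference.Value
            $broad    = Test-BroadPrincipal $id
            # An ACE set directly on a subfolder is what breaks "permissions via
            # AD groups on the top level"; the root's own ACEs are expected.
            $explicit = (-not $ace.IsInherited) -and ($folder.FullName -ne $rootItem.FullName)
            if (-not ($broad -or $explicit)) { continue }
            [pscustomobject]@{
                Folder   = $folder.FullName
                Identity = $id
                Rights   = $ace.FileSystemRights
                Issue    = if ($broad) { 'Exposed to broad group' } else { 'Explicit ACE breaks inheritance' }
                Users    = (Expand-Identity $id) -join ';'
            }
            # Contain: revoke a broad-group ACE only on request, and only where it
            # is set directly here (an inherited one has to be fixed at its source).
            if ($Remediate -and $broad -and -not $ace.IsInherited -and
                $PSCmdlet.ShouldProcess($folder.FullName, "Remove '$id' access")) {
                [void]$acl.RemoveAccessRule($ace)
                Set-Acl -Path $folder.FullName -AclObject $acl
            }
        }
    }
}

# Report only. Add -Remediate -WhatIf to preview revocations, then -Remediate.
Find-AclIssues -Root 'D:\Shares' | Export-Csv -Path '.\acl-review.csv' -NoTypeInformation
```

The "Keep" step is just this script on a schedule with the CSV diffed against the previous run: a new row means a permission drifted since the last review, which is exactly the "vulnerabilities introducing themselves" case. Expanding `Domain Users` produces a very long user list, so the cache matters; and `Get-ADGroupMember -Recursive` is capped by the domain controller's result-size limit on very large groups, so treat an empty expansion of a known group as a lookup failure rather than as "nobody".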
Comment by Elizabeth Ayer on April 21, 2010 at 5:33pm
Has anyone tried any of Stealthbits' stuff for this?

© 2012 Created by Elizabeth Ayer and Michael Francis.