Remediate the gaps in your data access governance system with efficient identity and access management.
Data access governance demystified.
Data access governance (DAG) primarily deals with identifying and controlling access to sensitive data.
The greater the size of an organization, the more employees it will have and, consequently, the more data it will process. With bring your own device (BYOD) policies in place, an organization's data is no longer limited to secure file servers. Sensitive data could trickle down to personal devices, cloud storage solutions, collaboration platforms, and more. Additionally, due to the lack of stringent data access policies in most organizations, employees are usually unaware of who has access to their files and how many open shares they have, among other variables. These circumstances pose a major challenge for IT administrators; how do you make DAG foolproof.
Gaps in your DAG process.
IT admins often fail to realize that DAG solutions don't address some major gaps and that these can bring down the entire organization. Insecure DAG is a ticking time bomb. Imagine what would happen if a disgruntled insider uncovered the personal data of your organization’s top brass. With the stakes so high, it's crucial for IT administrators to identify the loopholes in their DAG system and rectify them.
Enter your details to unlock the full article.
- 1Tangled web of permissions
- 2No automated privilege approval process
- 3Lack of awareness of system-level entitlements
- 4Reduced visibility into file and folder level permissions
- 5No file integrity monitoring
- 6No scope for automated detection of anomalous behavior
- 7No alerting mechanism
Most DAG solutions focus on data classification and are ineffective when it comes to analyzing the permissions of critical resources. While differentiating data based on sensitivity is crucial, defining clear-cut permissions for data across the organization is also equally important. Let’s look at an example:
The Administrators group is provided access to a business-critical resource.
However, a technician, when temporarily added to a group named "Floor admins" who are responsible for administration of resources on a specific floor, automatically gets the access rights of the parent group, which is the Administrators group. Due to this inheritance, the technician now has access to all of the business’ secrets!
As you can see, a DAG system is useless if permissions are mishandled. To effectively manage the permissions of sensitive data:
- Identify the architecture of permissions and group memberships in your organization.
- Agree on a specific permissions model for the entire organization.
- Assess the existing permissions situation of your file servers and determine if it adheres to the permissions model.
- Analyze if open shares are necessary. Educate data owners not to grant access to the "Everyone" group.
- Assign time-bound permissions that expire once the objective is achieved.
- Clean up unnecessary permissions.
In order to assign access to sensitive data, it’s imperative to first understand the type of data and what it’s used for. For this, it's essential to involve the data owner and other stakeholders. For instance, it would be better if a finance manager's approval is obtained before elevating an end user’s Read permissions on financial records to Write. Most popular DAG solutions do not have any approval mechanism in place to validate an access request before assigning the required access to the appropriate user.
While most commercial DAG solutions focus on who has what level of access to shared data, they often forget to identify who has access to the device that stores the critical data. Administrators with access to a critical file server might have full control over all the files on that system, regardless of their shared permissions. For instance, Raymond, a software developer who has access to production servers, can see all the files located on them without actually needing this access. A major share of data breaches are attributed to infiltrators having direct access to the devices that store critical data. It's important to take system-level entitlements into consideration to make your DAG process successful.
It's crucial to assess the existing permissions of important folders and files as well as ascertain if any folder has an open share. However, in the web of tangled permissions, using native tools to manually try to gauge which user has what level of access to which folder can be a cumbersome, error-prone process. What you actually need is a reporting system that periodically scans all your essential folders and displays each privileged user's permissions.
While securing sensitive data is essential, so is continuously monitoring to identify and control security mishaps. Imagine if you had a system in place that could easily record who made changes to your employee database. Proactively identifying if the integrity of a file or folder has been compromised helps prevent a data breach.
Identifying the unusual behavior of users and generating immediate alerts can help you identify a potential or ongoing security breach. Let’s say Susan, an end user, has been spending substantially more time than her typical half an hour viewing files that contain customer details. This is a deviation from her normal behavior and could indicate that she might be copying confidential information. If your organization has a behavior analytics system in place, you can easily identify such anomalies and take the required course of action. Most DAG solutions do not provide behavior analytics and cannot help you with automated detection of bizarre user behavior.
While having proactive measures like file integrity monitoring and user behavior detection mechanisms is useful, these measures are ineffective if an alerting mechanism is not in place. This is because you, as an administrator, cannot sit in front of your monitor all day waiting for an abnormal or unauthorized file access takes place. Obtaining real-time notifications about unusual activities, access permissions, and file changes is vital when overwhelmed with many responsibilities.
For instance, Alex, a new employee who works the night shift, tried multiple times to access a file containing the secret recipe of your famous buffalo sauce! If you have an alerting mechanism set for that file, you will receive notifications on your phone or desktop system about the numerous failed access attempts.
How efficient identity and access management
can help you bridge the gap.
An effective identity and access management solution like ManageEngine AD360 compliments your DAG process by enabling you to proactively stay on top of your storage security management.
Simplified permissions management
AD360 enables you to access permission-specific reports that give you insights on which user has what permission on which folder. Once you've clearly understood the permissions ecosystem, you can also use AD360 to easily assign, elevate, or remove the relevant NTFS and Share permissions of multiple folders at once.
File integrity monitoring
AD360 enables you to track any change made to your files and folders, whether authorized or unauthorized. For instance, you can easily identify the list of files that were created, deleted, moved, renamed, copied and pasted, and more.
Cloud-based file access monitoring
Using AD360, you can easily identify changes made to the public folders of on-premises Exchange and Exchange Online. AD360 also enables you to identify the list of OneDrive for Business files that were uploaded, accessed, modified, renamed, downloaded, and more.
AD360 empowers you to configure real-time alerts for when the permission of a critical file is escalated or unauthorized access takes place. You can also configure the alerts to be sent via email.
Multi-tier approval-based workflow
A general rule of thumb for enhanced security is to submit requests for the elevation ofaccess rights through a streamlined workflow to obtain the necessary approvals before granting access rights. AD360 empowers you to employ a powerful workflow that can be customized to gain multiple approvals and automatically fulfill the request at the end of the workflow. This way, you can easily obtain the data owner's approval before elevating the permissions of any user.
Permissions change monitoring
Using AD360, you can easily track all file or folder permissions and access changes. Furthermore, you can identify all the file server operations performed by a specific user. You can also choose a server and discover all the operations performed on it.
User behavior analytics
Using AD360, you can track the behavior of users and configure alerts to be raised when users exhibit anomalous behavior.
Prepackaged reports for compliance
AD360 offers prepackaged reports that help you prove your compliance with HIPAA, SOX, PCI DSS, FISMA, the GDPR, and other data protection regulations.