With businesses running out of skilled IT personnel to deal with the oncoming tsunami of data, it is time to take stock and examine how the average organisation can prevent a data catastrophe, says David Gibson.
The more technology makes our working lives easier, the more it seems technology complicates our lives by making it easier for insiders with malicious intent and outsiders bent on stealing our secrets to steal our data. Whether you have done it recently or sometime in the past you will have locked down and secured your corporate data and make sure that your organisation cannot be breached.
However, it seems that the inevitable consequence of our technological advances is a well-trained, determined phalanx of hackers who are an increasing threat to all organisations. If you add to this the bring your own device problem, where consumer devices are entering the enterprise by the back door and causing havoc, then you will have to be vigilant 24 hours a day seven days a week. Here I provide some guidance on how to do that without turning your office into your bedroom. Here are my top 10 tips to prevent a data catastrophe.
Firstly, let's just look at how much data you have to store and how fast it's growing. The 2011 IDC Digital Universe study estimated that in 2011 alone 1.8 zettabytes (or 1.8 trillion gigabytes) of data would be created. This is the equivalent of every US citizen writing 3 tweets per minute for 26,976 years. The report states that over the next decade, the number of servers managing the world's data centers will grow tenfold and the world's data will grow by a factor of 50.
The study goes on to say that “While 75% of the information in the digital universe is generated by individuals, enterprises have some liability for 80% of information in the digital universe at some point in its digital life,” and, “Less than a third of the information in the digital universe can be said to have at least minimal security or protection; only about half the information that should be protected is protected.
In order to assess your data protection capabilities, you first need to determine if you can answer basic questions about data. You may assume you can answer these questions, but as I mentioned before, an assumption can be your first mistake. Can you answer for any data set, “who has access to it, who is accessing it, who should have access to it, who owns it, when was the last time access was reviewed, which data is critical, and where is critical data overexposed?” For any individual, you need to be able to answer similar questions, like, “what data do they have access to and what data have they accessed over the last 30 days?” Each question you can’t answer represents an opportunity to improve your security.
The uncomfortable fact is that the complexity of managing the data is growing faster than the resources available within the vast majority of organisations. With another uncomfortable problem coming down the road towards us — the fact that we are also running out of skilled IT personnel to deal with this tsunami of data — it is time to take stock and examine how the average organisation can prevent a data catastrophe.
With over 23 million records containing personally identifiable information (PII) leaked in 2011 alone (source: privacyrights.org), it is more important than ever for organisations to ensure sensitive data is secure. In many organizations, keeping up with data growth and preventing a data catastrophe seems insurmountable with existing IT resources - imagine how it is going to be in a few years without additional skilled staff to help you.
With recent advancements in data governance software automation, IT can now easily implement 10 simple steps to prevent data from being misused or stolen:
1. Audit data access
The first step towards getting your data under control and averting disaster is to properly audit all data access activity. Once your data touches are being audited, you can easily determine who is doing what with your data. This opens the door to answering questions IT is often stumped by, like “who deleted my files”, “what data is someone using”, or “which data is stale”. Auditing also provides the necessary data to allow IT to start to determine who owns a data set so they can be involved in deciding out who should have access to their data. More on that later…
2. Inventory permissions and group memberships
Once you are tracking what people are doing with your data, you need to look at who has access to what data. All too often people gain access to more and more data over time, but that access is rarely, if ever, revoked – even as changing roles obviate the need for that access. A full inventory of permissions for all of your data stores and the folders within them can take time, especially if you’re creating it manually. Thankfully you can now automate all of this. By combining the permissions data with group memberships, you can start to see who has permission to access each file or folder. With this data IT can quickly answer fundamental data protection questions like “Who has access to a data set” and “Which data sets does a user or group have access to”. This forms the foundation for cleaning up permissions.
3. Prioritise at-risk data
While all data needs to be protected, not all data is created equal. Some files contain confidential corporate information; other files contain customer or partner data; maybe you keep credit cards on file; perhaps you’re storing social security numbers. Regardless of what it is, some data is sensitive and needs extra protection. By using tools that analyze your data to identify sensitive content and combining that data with other relevant metadata you will be able to locate files and folders where such data is overexposed. A good tool will enable you to prioritize data that is most at risk, so you can remediate that first.
4. Remove global access groups and revoke broad access rights
In many organizations today, access controls have been in place for years and often much of the data is open to global access groups like the “Everyone” group. Even if this exposed data isn’t sensitive or confidential in nature, excessively broad access controls like this invite trouble. Removing global access groups is a good step towards ensuring that only the right people can get to your data. Once these permissions have been revoked, aligning data to the right users becomes much easier. However, it may be unwise to remove these groups without first having a plan for restoring access to those who may require it for their jobs. The right technologies will allow you to ‘sandbox’ your changes to see what the impact will be on business processes before committing the changes to your production environment.
5. Identify data owners
Once you’ve done these general ‘housekeeping’ tasks it is time to look at individual datasets to figure out who is qualified to make access decisions, and designate a data owner. The appropriate owner (or custodian) will often be one of the active users of that data, or their immediate supervisor. Automation can significantly reduce the time it takes to identify data owners, by analysing access activity over time and indicate who the likely owners are. Ideally only the data owner should decide who should be allowed to access their data, and IT should only act as a facilitator. As an added bonus, the data owners are often well qualified to review stale data that can be archived to free up storage space (and by auditing access activity stale data is much easier to identify).
6. Perform entitlement reviews
Regular entitlement reviews, or attestations, provide an effective way to make sure that data access permissions are always buttoned up. As the organization changes and new data sets are created, it is imperative to review who has access to ensure that permissions are always aligned to business needs. Data owners should be a part of this process as they are the best qualified to determine which users no longer need (or should) have access to their data. Again, with the right technologies, time-consuming manual parts of the entitlement review process can be automated and data owners can be automatically prompted to conduct reviews at pre-defined intervals, and provided with recommendations about which users look like they no longer require access to their data.
7. Align security groups with data
In organisations where access to data is controlled by security groups, it’s critical that the groups themselves are properly aligned with the data sets they’re meant to protect. Often this is easier said than done – roles change, groups are created for special circumstances but not reviewed, and pretty soon the whole system is a mess. Cleaning this up requires complete visibility into which data sets can be accessed by which groups. Automation is best suited to provide this visibility, and to programmatically create new groups and re-permission the data sets if necessary.
8. Audit permissions and group membership changes
Cleaning up permissions and group memberships is critical, but keeping everything in order is impossible without an audit trail of changes over time. Only by tracking all permissions and group membership changes can you be sure that only the right people continue to have access to your data sets. Enforcing access controls is simply impossible without a record of all the daily changes. If inappropriate access or group membership is granted, an audit trail of who made the change and when can help ensure that it doesn’t happen again.
9. Lock down, delete or archive stale data
In many organizations stale data is clogging up vast amounts of storage space and making it harder to manage. In addition to the cost of storing all of this stale data, keeping it on your active servers also increases the risk of it being misused. Automation can analyse access activity and identify any data that is not being used. Once the data owner confirms that he data is indeed stale and no longer needed, data may be archived or deleted.
10. Clean up stale groups and access control lists
Unneeded complexity slows performance and makes mistakes more likely. Organisations often have as many groups as they do users – many are empty, unused or redundant. Some groups contain other groups, which contain other groups, and so on. In some cases, these nested groups end up creating a circular reference where group ultimately contains itself. Also, access control lists often contain references to previously deleted users and groups (also known as “Orphaned SIDS”). These legacy groups and misconfigured access control objects should be identified and remediated to improve both performance and security.
Constant vigilance and automation are going to have to be your watchwords given the myriad number of threats which are now part of the IT security landscape. Automation will also have to be part of your armoury and, of course, you will have to keep up-to-date with all the new relevant threats. However, if you keep these top 10 tips that the head of your agenda you will be making your organisation a safer place to do business and are less obvious targets for hackers or insiders bent on stealing your secrets.
David Gibson is VP of strategy at Varonis.