June 2, 2014 By Jonathan Sander 7 min read

If you are like me, there are many little things you check off your to-do list every day. However, if you are really like me, then there are some things that seem to lurk on the outside of your productive daily routines. These items are not always little matters, either; some are big things like data access governance (DAG). Sometimes they get forced out of view specifically because they are enormous, time-consuming tasks that are much less satisfying to work on than knocking over whole armies of short-term goals. The way to tackle these daunting tasks is to break them down into more manageable pieces.

DAG is security’s big unaddressed to-do item. There are huge piles of data on file systems, file shares and collaboration systems like SharePoint that are all but unknown to the security world. Every time I ask about DAG, however, every single security professional — and everyone else in IT for that matter — will freely admit that they knew there was a problem there. DAG has been a to-do item for IT security for years, but it has been repeatedly pushed aside in favor of other goals. Today, there are strategies that can make DAG more approachable. We are going to break DAG down into three steps that you can use to finally check this big to-do item off your list.

How Big Is Your DAG Challenge?

Some questions in IT will get predictable responses. When the manager asks, “How fast will it go?” you can be sure someone will at least think, “How long is a piece of string?” Understanding how much unstructured data exists on your network is something that can only be ascertained by measuring. However, there are ways to understand the scale of the problem and communicate it with executives.

First, let’s define unstructured data. We are talking about human-generated files: all the spreadsheets, presentations and other files people create in the course of day-to-day work. How much data is that? Gartner asserts that 80 percent of all data is unstructured, a statistic that opens eyes. To translate: If 80 percent of your data is unstructured, then only 20 percent is structured, so take the size of your application databases and multiply it by four; that gives you a rough idea of how much unstructured data you have. Another statistic you should know is Computer Sciences Corporation’s (CSC) 2012 prediction that unstructured data would grow by 650 percent by 2017. A 650 percent increase means roughly seven and a half times the starting amount, so take your estimate of unstructured data and multiply it by about 7.5 to get a growth curve. Both figures are industry averages, not measurements of your network; they are good enough to size the problem for an executive, but the only way to know your real number is to scan for it.

The quantity of data is only one dimension of the data access governance challenge; the other major factor is how spread out this data is. Unstructured data can hide in all sorts of dark corners. Businesspeople routinely set up rogue file shares and SharePoint sites and even put their data out on the cloud via services like Dropbox. Therefore, this data is:

  • On your network where your security model may affect it (e.g., controlled by your AD authorizations on a file share you may or may not know about);
  • On your network where it may be isolated from your security model (e.g., using internal SharePoint security on a SharePoint site that no one told IT about); or
  • Off your network altogether.

So even when you decide to tackle this beast, you have to chase it down through mazes just to figure out how big it really is.

Three Things You Can Do to Tackle DAG

If the description of how big this problem can be didn’t send you off screaming, congratulations on having the fortitude to make it this far. We will now attempt to get a real understanding of how the DAG problem can in part be solved — I say “in part” because we are going to discuss part of the DAG healthy breakfast. These are technology approaches that can help you get the problem under control. However, like every real security issue, a whole healthy meal would include process reform, new controls and other business-side reforms to ensure that the problem does not get out of hand again.

You can consider this a great starting point that will help you clean and organize the current environment. It is also worthwhile to note that I cannot claim this advice as my own: We at STEALTHbits have learned this from our clients. While we have been providing the technology to make things work, they have been the ones who taught us how they realistically approached these problems and achieved measurable success. The three steps that they have shown us are:

  1. Get open shares under control.
  2. Figure out where your sensitive data is and who owns it.
  3. Run an access certification program to align access to business needs.

1. Get Open Shares Under Control

Open shares are like kryptonite for security models. Even the best security is powerless in the face of a file share that anyone can write to. The worst part is that an open share sometimes does make sense: There are some files that everyone needs access to — materials distributed by HR about benefits, for example. Does everyone really need write access to that sort of share? Maybe you have people taking interactive PDF files, filling them out and then saving them back to the share; so your answer would be, “Yes, they do need write access.” (This goes back to that “business process” part of the healthy breakfast.)

If your network is like so many others we have seen, then there are likely numerous shares with access granted to high-risk trustees like AD’s “Authenticated Users.” Keep in mind that Authenticated Users is not a synonym for “our employees”: It includes every account that can authenticate to the domain, including service accounts, computer accounts and accounts from trusted domains, so granting it write access is only a hair short of granting it to Everyone. How did the shares get that way? At some point in time, someone with enough clout asked someone in IT with just enough privilege to do it, and they did; that is the most common scenario. The net effect is a conduit for data of all kinds that needs to be either shut down or at least locked down more effectively. Luckily, this is an easy problem to address once you have the will: Shares can be scanned, the people who have access analyzed, ownership determined through heuristics and then the access reduced to a scope that makes sense.
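The scan described above, as an added example that is not code from the original article or from STEALTHbits: a PowerShell function that lists SMB shares whose share-level permissions grant write access (“Change” or “Full”) to broad trustees such as Everyone or Authenticated Users. Live mode assumes the SmbShare module (Windows 8 / Server 2012 and later) and PowerShell remoting to the file servers; the -Sample switch feeds constructed records in the shape Get-SmbShareAccess returns, so the filtering logic can be exercised offline. The server, share and group names in the sample are hypothetical.

```powershell
# Added example (not from the original article): report SMB shares that give
# write access to high-risk trustees. Live mode needs the SmbShare module and
# PowerShell remoting; -Sample uses constructed records for an offline run.

$HighRiskTrustees = @(
    'Everyone',
    'NT AUTHORITY\Authenticated Users',
    'BUILTIN\Users',
    'Domain Users',        # also matched with a domain prefix, e.g. CONTOSO\Domain Users
    'Domain Computers'
)

function Test-HighRiskTrustee {
    param([string]$AccountName)
    foreach ($t in $HighRiskTrustees) {
        if ($AccountName -eq $t -or $AccountName -like "*\$t") { return $true }
    }
    return $false
}

function Get-OpenShareReport {
    param(
        [string[]]$ComputerName = @($env:COMPUTERNAME),
        [switch]$Sample
    )

    if ($Sample) {
        # Constructed sample records (hypothetical servers, shares and groups).
        $access = @(
            [pscustomobject]@{ PSComputerName='FS01'; Name='HR';       AccountName='NT AUTHORITY\Authenticated Users'; AccessControlType='Allow'; AccessRight='Change' }
            [pscustomobject]@{ PSComputerName='FS01'; Name='HR';       AccountName='CONTOSO\HR-Admins';                 AccessControlType='Allow'; AccessRight='Full' }
            [pscustomobject]@{ PSComputerName='FS01'; Name='Benefits'; AccountName='Everyone';                          AccessControlType='Allow'; AccessRight='Read' }
            [pscustomobject]@{ PSComputerName='FS02'; Name='Scratch';  AccountName='CONTOSO\Domain Users';              AccessControlType='Allow'; AccessRight='Full' }
            [pscustomobject]@{ PSComputerName='FS02'; Name='Scratch';  AccountName='CONTOSO\Contractors';               AccessControlType='Deny';  AccessRight='Full' }
        )
    }
    else {
        # Live enumeration. Administrative shares (C$, ADMIN$, IPC$) are flagged
        # Special and skipped; Invoke-Command stamps each result with PSComputerName.
        $access = Invoke-Command -ComputerName $ComputerName -ScriptBlock {
            Get-SmbShare | Where-Object { -not $_.Special } | Get-SmbShareAccess
        }
    }

    # Only Allow entries count as a grant; a Deny entry for a broad group is not a finding.
    $access |
        Where-Object {
            $_.AccessControlType -eq 'Allow' -and
            $_.AccessRight -in @('Change', 'Full') -and
            (Test-HighRiskTrustee -AccountName $_.AccountName)
        } |
        Select-Object @{ n = 'Server'; e = { $_.PSComputerName } },
                      @{ n = 'Share';  e = { $_.Name } },
                      AccountName, AccessRight
}

# Offline demonstration against the constructed records.
Get-OpenShareReport -Sample | Format-Table -AutoSize
```

In the sample data the filter reports the HR share (Change for Authenticated Users) and the Scratch share (Full for Domain Users); the read-only Everyone grant on Benefits and the Deny entry on Scratch are not grants of write access and are left out. Share permissions are only one layer: Effective access is the more restrictive of the share permission and the NTFS ACL on the share’s folder, so follow up on each finding with Get-Acl on the path that Get-SmbShare reports before deciding it is truly open. Once an owner confirms the share should be locked down, the share-level fix is Revoke-SmbShareAccess for the broad trustee followed by Grant-SmbShareAccess for the owning group with the narrowest right that still supports the business process.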

2. Figure Out Where Your Sensitive Data Is and Who Owns It

The open shares are a burning fire, which is why you go after them first. When the smoke clears, there will still be a lot of data that needs your attention. The key question is where to start, which is why the next step is figuring out where your sensitive data lives. But what data is sensitive? The answer to this question will vary for everyone reading this.

  • Is your organization regulated?
  • Do you handle credit card data and need to worry about PCI?
  • Are you publicly traded and under SOX controls?
  • Do you need to worry about ITAR because you are in the military supply chain?
  • All of the above?

It may seem impossible to answer “yes” to all of the above, but we’ve seen it. The definition of sensitive data will vary according to your answers to these questions. However, that list is just the tip of the iceberg. Maybe your organization has intellectual property in forms that can live in unstructured data (e.g., chemical formulas or complex processes) that you wish to protect from the eyes of your competition; that’s sensitive data. Returning to the question of where to start, the answer is clear: Start where your sensitive data lives.

The first part of getting sensitive data under control is knowing what the sensitive data looks like. Sometimes that’s easy: If you are worried about HIPAA or PCI compliance, the rules are clear. You are looking for things like credit card numbers, social security numbers and personal details. These pieces of data are well understood, and there are many proven ways to go out and find them in data. Things get a bit more complex with something like ITAR, which controls defense articles and the technical data that describes them. How do you identify files like that? Most organizations go after part numbers, drawing numbers and other program-specific identifiers. That means understanding those identifiers, building reliable ways to find them and knowing which ones you actually need to look for.

The most complex step is finding data that is sensitive from a pure business standpoint — your “secret formulas.” Those are usually difficult to pin down to a stable pattern to look for and are more likely to be in many places you would not expect. Luckily, the easy part these days — once you know what you need to look for — is the scanning. Solutions come ready right out of the box to handle the major regulatory conditions and give you flexible ways to create your own search criteria. When you have things to look for, set the technology loose on your network and let it find the places where you need to address security concerns the most. As you find the places where your sensitive data is hiding, you should also have these scans sort out who owns the data. You’ll need to have those folks answer some questions for you to ensure that access to this data is best aligned with the business needs — the next step.
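The scanning step described above, as an added example that is not code from the original article or from STEALTHbits: a PowerShell script that walks a directory tree, flags files whose content matches a Luhn-validated payment-card pattern or a US Social Security number pattern, and records each file’s NTFS owner as a first candidate for the data owner. The two patterns are illustrative starting points rather than a complete discovery rule set, and the part-number case shows why a checksum matters: a 14-digit SKU looks like a card number until the Luhn check rejects it. It assumes Windows PowerShell 3.0 or later; the files it writes to the temp directory are constructed test data.

```powershell
# Added example (not from the original article): find card numbers and SSNs in
# files and report the NTFS owner of each hit. Assumes Windows PowerShell 3.0+.

function Test-Luhn {
    # Standard Luhn checksum: double every second digit from the right, sum, mod 10.
    param([string]$Digits)
    $sum = 0
    $double = $false
    for ($i = $Digits.Length - 1; $i -ge 0; $i--) {
        $d = [int][string]$Digits[$i]
        if ($double) { $d *= 2; if ($d -gt 9) { $d -= 9 } }
        $sum += $d
        $double = -not $double
    }
    return ($sum % 10) -eq 0
}

$Patterns = [ordered]@{
    # 13-16 digits with optional single spaces or hyphens between them.
    CreditCard = '\b\d(?:[ -]?\d){12,15}\b'
    # AAA-GG-SSSS; rejects area 000/666/9xx, group 00 and serial 0000.
    SSN        = '\b(?!000|666|9\d{2})\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b'
}

function Find-SensitiveData {
    param(
        [Parameter(Mandatory)][string]$Path,
        [string[]]$Include = @('*.txt', '*.csv', '*.log', '*.xml')
    )
    Get-ChildItem -Path $Path -Recurse -File -Include $Include -ErrorAction SilentlyContinue |
    ForEach-Object {
        $file = $_
        $text = Get-Content -LiteralPath $file.FullName -Raw -ErrorAction SilentlyContinue
        if (-not $text) { return }
        foreach ($kind in $Patterns.Keys) {
            $hits = @([regex]::Matches($text, $Patterns[$kind]) | ForEach-Object { $_.Value })
            if ($kind -eq 'CreditCard') {
                # The Luhn check discards most random digit runs (SKUs, invoice and part numbers).
                $hits = @($hits | Where-Object { Test-Luhn -Digits ($_ -replace '[ -]', '') })
            }
            if ($hits.Count -gt 0) {
                [pscustomobject]@{
                    File  = $file.FullName
                    Kind  = $kind
                    Hits  = $hits.Count
                    Owner = (Get-Acl -LiteralPath $file.FullName).Owner   # candidate data owner
                }
            }
        }
    }
}

# Constructed sample data: the well-known test number 4111 1111 1111 1111 passes
# Luhn, the number ending in 2 does not, and the 14-digit part number does not.
$sample = Join-Path ([IO.Path]::GetTempPath()) 'dag-sample'
New-Item -ItemType Directory -Path $sample -Force | Out-Null
Set-Content -Path (Join-Path $sample 'orders.csv') -Value @(
    'order,card,amount'
    '1001,4111 1111 1111 1111,19.99'
    '1002,4111 1111 1111 1112,42.00'
)
Set-Content -Path (Join-Path $sample 'employees.txt') -Value 'Jane Doe, SSN 123-45-6789, badge 9001'
Set-Content -Path (Join-Path $sample 'readme.txt') -Value 'Nothing sensitive here; 55512345678901 is a part number.'

Find-SensitiveData -Path $sample | Format-Table -AutoSize
```

Run against the constructed files, the scanner reports one card hit in orders.csv and one SSN hit in employees.txt and nothing for readme.txt, because the part number fails the Luhn check. For a real run, point -Path at a share and widen -Include to the document formats you care about; Office formats and PDFs need a text extractor in front of the regex, which is the part a commercial discovery product provides out of the box. Treat the NTFS owner as a hint rather than an answer: on many shares it is simply the administrator who created the folder, which is exactly why the next step asks the business to confirm ownership.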

3. Run an Access Certification Program to Align Access with Business Needs

The sensitive data tells you where to start; but what are you starting? What ought to happen is a meeting at which you gather only the people who actually understand all this data to find out who should be able to access it. Who understands who should have access? Is it the person at the help desk who has usually been asked to make these choices? No; the only people who understand who should have access to the data are the people who created it in the first place: the business users. What you need to do now is get them into the game. They created all this data, and now it is time for them to sort it out. Before this becomes too much of an IT vs. the end user session, though, it is worthwhile to note that it was not all the end user’s fault. For a long time, there was no good way to get them into the game; we certainly didn’t want to give them administrative rights to go and change the security on files and file shares, did we?

Certification, also called attestation, has emerged as the security governance standard to draw the end user into the game. We are going to take everything we have learned through our analysis of all the unstructured data — which we did to find the open shares — and the analysis of the data content and ownership — which we did to find where the sensitive data lives — and use it to ask the organization who ought to have access to what. We will start the process with the sensitive data so that we know it is properly locked down. However, we will eventually run through the majority of our data. Maybe we will skip things like those open-share HR uses because we already know the answer. With this process running, we are ensuring that the rules of the game are being minded by the people really playing that game. Security and IT can just be the referees — as they should be.

What to Do After Data Access Governance Fixes Everything

Of course, data access governance will not fix everything; it will always be just one part of that healthy security breakfast. However, there are certainly organizations using it to keep things well under control: Without controls to prevent more open shares from popping up, they simply keep scans running on a regular basis and play the classic security game of whack-a-mole. As new open shares pop up, they are discovered and handled. You can do similar things for sensitive data propagating on the network and also keep running certifications to guarantee that the access stays in line with business expectations. If the worst thing that happens is that you supply a secure environment through reactive, risk-adjusted controls like these, I’m betting you’ll still sleep pretty well at night.
