In part 1 of this series, we explained that there are 5 key capabilities needed for a successful file cleanup project, and discussed Capability 1 – File Discovery and Capability 2 – Sensitive Data Discovery. In this second blog, we pick up the discussion with Capability 3 – Activity and File Usage.
Capability 3 – Activity and File Usage
Understanding who is actively using files on file servers can offer tremendous insight into how to approach a cleanup effort. By monitoring activity, it is possible to know what files are heavily used and what files are not used at all. Moreover, the activity also identifies who is using a file server, which can be valuable when determining ownership and getting involvement from the business during the cleanup process.
Understanding activity and file usage can be done in several ways:
- File Attributes – By evaluating the Created, Modified, and Accessed timestamps, it is possible to get useful information on the activity of a file. This can help answer where new files are being created or updated, and quickly identify areas of the file server that have gone dormant. While this can be done quickly without collecting any activity event data, it should only be used for scoping further efforts since it does not provide definitive information on what files are used or being accessed regularly.
- File Handles – Enumerating the open file handles on a server can quickly identify which files are in use at a particular time and by whom. This is something that is easy to do and provides some initial insight into who is interacting with the data on file servers, without performing heavy collections or leveraging activity events.
- Activity Events – Monitoring all activity events is the most informative and useful approach to understanding file activity. This, however, requires ongoing monitoring and analysis of the activity data. If possible, avoid using native event logs as they can be limited in the value they provide and costly to gather.
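The File Attributes approach can be sketched as a scoping script. This is an added example, not code from the original post or from any STEALTHbits product; the function names, the one-year threshold and the grouping by top-level folder are assumptions made for illustration.

```python
import os
import time
from collections import defaultdict

DAY = 86400  # seconds


def folder_activity(root, depth=1):
    """Newest modified/accessed time, file count and size per folder `depth` levels below root."""
    root = os.path.abspath(root)
    stats = defaultdict(lambda: {"files": 0, "bytes": 0, "last_mod": 0.0, "last_acc": 0.0})
    for dirpath, _dirs, files in os.walk(root):  # does not follow symlinked directories
        rel = os.path.relpath(dirpath, root)
        parts = [] if rel == "." else rel.split(os.sep)
        key = os.sep.join(parts[:depth]) or "."
        for name in files:
            try:
                st = os.stat(os.path.join(dirpath, name), follow_symlinks=False)
            except OSError:
                continue  # file vanished or is unreadable; skip rather than abort the scan
            s = stats[key]
            s["files"] += 1
            s["bytes"] += st.st_size
            s["last_mod"] = max(s["last_mod"], st.st_mtime)
            s["last_acc"] = max(s["last_acc"], st.st_atime)
    return dict(stats)


def dormant_folders(root, days=365, depth=1, now=None):
    """Return (folder, files, bytes, days_since_last_modification), oldest first."""
    now = time.time() if now is None else now
    cutoff = now - days * DAY
    rows = []
    for folder, s in folder_activity(root, depth).items():
        # Modified time is the primary signal. Accessed time is collected but not
        # trusted: NTFS last-access updates can be disabled, and Linux volumes are
        # often mounted noatime/relatime, so a stale atime does not prove disuse.
        if s["last_mod"] < cutoff:
            rows.append((folder, s["files"], s["bytes"], round((now - s["last_mod"]) / DAY)))
    return sorted(rows, key=lambda r: r[3], reverse=True)
```

The output is a candidate list for further review with handle or event data, in line with the caveat above that timestamps alone are not definitive.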
If done appropriately, activity monitoring data can provide incredible insight into usage patterns and help scope a highly targeted cleanup effort. Knowing what files are used and what files aren’t provides a clear path to remove only what is no longer needed, and to communicate with the users who actively utilize the data so they are informed each step of the way.
Capability 4 – Owner Engagement
No cleanup can be efficient without involving the business and the people who depend on the data to do their jobs. However, this is typically one of the most challenging aspects of any cleanup campaign. It is difficult to find people who can be accountable for the data that needs to be managed, not to mention finding an automated way to gather their feedback and communicate with them.
Some very effective communication mechanisms that can ensure a seamless cleanup campaign are:
- Email Notifications – Before starting to clean up files, it is best to inform the employees who are actively using these files. However, these notifications should be sent only to the necessary people at the right time to avoid causing too much confusion.
- File Certifications – In most cases, the IT personnel tasked with doing the file cleanup do not understand the importance of the files in scope. To make good decisions, it is necessary to engage the business users who have this understanding. Providing a simple process so that owners can review files prior to archiving them is a very effective way to automate the feedback loop and make sure no important files are removed. In many cases, determining ownership can be complicated when employees change roles, transfer to other departments, or leave the company. Here, activity monitoring can indicate who is still actively using the files, even when the original file creator and owner is no longer available.
Capability 5 – Cleanup Actions
Eventually, in any cleanup campaign, it is necessary to move or delete the files that are no longer needed. There are some additional measures that should be taken when moving files to make this as seamless as possible for end users. The actions needing to be performed include:
- File Moves – The first step is to move the file to an archive location on a separate server or to a secured folder on the existing server. It’s important to be able to move the files while maintaining the folder path so the file can easily be restored to its original folder if needed.
- File Stubs – With the right level of planning, only files that are not being used will be moved. However, if an employee does come looking for one of the recently archived files, it is good to have a way for them to find it. Leaving stub files behind that redirect the user to the file in the new location can accomplish this task. It can be extremely effective in avoiding any confusion from end users during the cleanup effort.
- Secure – By locking down a file, it is possible to simulate a delete of a file without actually deleting it. When users do attempt to open the file, they will get access denied messages, which can trigger an alert through activity monitoring so the file can be unlocked if needed. This would typically be done on sensitive files without activity as part of a more secure, staged archival workflow.
- Deletion – Eventually files will need to be deleted from the archival location. When files can be safely deleted depends on the retention policy of the department, organization, or relevant compliance regulations.
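The File Moves and File Stubs steps can be illustrated with a short script. This is an added example, not code from the original post or from any STEALTHbits product; the function names and the `.archived.txt` stub suffix are hypothetical, and it assumes the archive root already carries its own restrictive permissions.

```python
import os
import shutil

STUB_SUFFIX = ".archived.txt"  # hypothetical stub naming convention


def _inside(root, path):
    """True if the resolved path lies strictly below the resolved root."""
    return path != root and os.path.commonpath([root, path]) == root


def archive_file(path, share_root, archive_root):
    """Move one file to the same relative path under archive_root and leave a stub."""
    share_root = os.path.realpath(share_root)
    archive_root = os.path.realpath(archive_root)
    src = os.path.realpath(path)
    # Refuse symlinks and anything that resolves outside the share being cleaned.
    if os.path.islink(path) or not os.path.isfile(src) or not _inside(share_root, src):
        raise ValueError(f"refusing to archive {path!r}")
    dest = os.path.join(archive_root, os.path.relpath(src, share_root))
    if os.path.exists(dest):
        raise FileExistsError(dest)  # never overwrite an earlier archive copy
    os.makedirs(os.path.dirname(dest), exist_ok=True)
    shutil.move(src, dest)
    stub = src + STUB_SUFFIX
    with open(stub, "w", encoding="utf-8") as fh:
        fh.write(f"This file was archived.\nOriginal: {src}\nArchive: {dest}\n")
    return dest, stub


def restore_file(stub, share_root, archive_root):
    """Put an archived file back in its original folder and remove the stub."""
    share_root = os.path.realpath(share_root)
    stub = os.path.realpath(stub)
    if not stub.endswith(STUB_SUFFIX) or not _inside(share_root, stub):
        raise ValueError(f"not a stub inside the share: {stub!r}")
    original = stub[: -len(STUB_SUFFIX)]
    archived = os.path.join(os.path.realpath(archive_root),
                            os.path.relpath(original, share_root))
    if os.path.exists(original):
        raise FileExistsError(original)  # someone recreated the file; do not clobber it
    shutil.move(archived, original)
    os.remove(stub)
    return original
```

When the archive sits on a different volume, `shutil.move` falls back to copy and delete, which keeps timestamps but does not carry over file owners or ACLs, so access to the archive location has to be set on the archive itself.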
Using this graduated approach to file cleanup will result in fewer business disruptions and better results. Next time: Putting It All Together.
As the VP of Product Marketing, Darin is responsible for product messaging and positioning as well as generating industry and market awareness for STEALTHbits products. He is an experienced leader who has worked in software for over 21 years.
Prior to joining STEALTHbits, he was VP of Marketing for Quorum and SecureAuth, and has held positions in product management & product marketing at Oracle, and Quest Software.