Locking the Vault with IAM Visibility


Imagine a large bank. Security cameras continuously and meticulously record every movement in the bank lobby, employees’ offices, entrances and exits, and even in the custodial supplies storage area. Access to these areas is carefully monitored and controlled via restricted badges and other means.

But there’s not a single camera in the vault where the safe deposit boxes and cash reserves are housed, and access to the vault is not monitored or restricted in any meaningful way.

This scenario is, of course, absurd.

Or is it?

Today, most enterprises methodically secure and control access to their applications and application data, often deploying IAM solutions to do so. But what about the 80% of their data that resides on file shares – the unstructured data comprising Word documents, Excel spreadsheets, PowerPoint presentations, videos, and pictures?

There’s a reason we left the bank vault unsecured in our analogy: that’s likely where the most valuable items reside. Similarly, the most valuable – or at least the most sensitive – enterprise information often lives in unstructured form on file shares, and even in organizations with robust IAM deployments, visibility into that unstructured data is very limited.

The reason? It’s complicated. Not the reason itself, but the challenge of incorporating unstructured data coverage into an IAM solution. For an IAM solution to work, it has to know who has access to what, and who should and shouldn’t have access to what. Perhaps more importantly, it has to know who should decide who has access to what. For a CRM application, that’s likely far more straightforward than it is for the “Smith Foods Account Proposal” file share. Who’s responsible for that file share? The account manager? Who’s the Smith Foods account manager? Or perhaps it’s the sales support person who manages proposal development? Or maybe the VP of sales who has final pricing authority? Or, if this was a smaller account, maybe a Director-level sales manager controlled pricing? If so, which regional sales Director? Where is Smith Foods headquartered?

You get the idea.

The problem is that when it comes to unstructured data across thousands of company file shares, or even SharePoint servers, the IAM connectors have nothing (or very little) to connect to. To complicate matters, the file share environment is anything but static: files are created, moved, and deleted thousands of times a day. Creating a stable hook for the IAM connectors to attach to is therefore a daunting challenge.

Now, this wouldn’t be an especially useful post if we spent the last 400 words discussing a problem and then ended without describing a solution. STEALTHbits’ product collects data from every device housing unstructured data, builds the entitlement catalog, correlates group membership and permissions to build a complete picture of effective access, and finally determines file share ownership. This data is then fed to the IAM solution, giving IAM visibility into the enterprise’s unstructured data.
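To make the steps in that paragraph concrete, here is an added example (written for this post, not STEALTHbits’ code) that walks through them on constructed data: a toy directory with nested groups, the ACLs of two hypothetical shares, and a short access log. It expands nested groups into users, collapses allow and deny entries into effective access per user (the simplification that any deny beats any allow is an assumption of the example, as is treating “full” as read plus write), builds the entitlement catalog, and applies a labelled ownership heuristic – most active writer who also holds write access – returning None rather than guessing when no candidate qualifies. All share paths, group and user names are constructed.

```python
"""Effective access and ownership for file shares, on constructed toy data."""
from collections import Counter, defaultdict

# Constructed directory: group -> direct members (users or nested groups).
GROUPS = {
    "Sales-All":   {"Sales-East", "Sales-West"},
    "Sales-East":  {"alice", "bob"},
    "Sales-West":  {"carol"},
    "Contractors": {"dave"},
    "Everyone":    {"Sales-All", "Contractors", "erin"},
}

# Constructed ACLs: share -> list of (principal, "allow"|"deny", rights).
ACLS = {
    r"\\fs01\proposals\smith-foods": [
        ("Everyone",    "allow", {"read"}),
        ("Sales-All",   "allow", {"read", "write"}),
        ("Contractors", "deny",  {"read", "write"}),
        ("bob",         "allow", {"full"}),
    ],
    r"\\fs01\finance\pricing": [
        ("Sales-West", "allow", {"read", "write"}),
        ("carol",      "deny",  {"write"}),
    ],
}

# Constructed access log: (share, user, action).
ACCESS_LOG = [
    (r"\\fs01\proposals\smith-foods", "alice", "write"),
    (r"\\fs01\proposals\smith-foods", "alice", "write"),
    (r"\\fs01\proposals\smith-foods", "bob",   "read"),
    (r"\\fs01\proposals\smith-foods", "erin",  "read"),
    (r"\\fs01\finance\pricing",       "carol", "read"),
]


def expand_group(group, groups=GROUPS, seen=None):
    """Users reachable from a group through any depth of nesting.

    `seen` guards against circular membership, which real directories do have.
    """
    seen = set() if seen is None else seen
    users = set()
    for member in groups.get(group, set()):
        if member in groups:              # nested group
            if member not in seen:
                seen.add(member)
                users |= expand_group(member, groups, seen)
        else:                             # leaf user
            users.add(member)
    return users


def principal_users(principal):
    """Resolve an ACE principal (group or user) to the users it covers."""
    return expand_group(principal) if principal in GROUPS else {principal}


def normalize(rights):
    """Assumption of this example: 'full' implies read and write."""
    return {"read", "write", "full"} if "full" in rights else set(rights)


def effective_access(acl):
    """Collapse an ACL into user -> effective rights (deny always wins here)."""
    allowed, denied = defaultdict(set), defaultdict(set)
    for principal, kind, rights in acl:
        target = allowed if kind == "allow" else denied
        for user in principal_users(principal):
            target[user] |= normalize(rights)
    return {user: rights - denied[user]
            for user, rights in allowed.items() if rights - denied[user]}


def build_catalog(acls=ACLS):
    """Entitlement catalog: share -> user -> effective rights."""
    return {share: effective_access(acl) for share, acl in acls.items()}


def likely_owner(share, catalog, log=ACCESS_LOG):
    """Ownership heuristic (an assumption of this example): the most frequent
    writer on the share who also holds effective write access.  Returns None
    when nobody qualifies so the share can be routed for manual assignment.
    """
    writers = Counter(u for s, u, a in log if s == share and a == "write")
    entitled = catalog.get(share, {})
    for user, _ in writers.most_common():
        if "write" in entitled.get(user, set()):
            return user
    return None


def iam_records(catalog=None):
    """Flatten catalog plus owner into the records an IAM system would ingest."""
    catalog = build_catalog() if catalog is None else catalog
    return [{"share": share, "user": user, "rights": sorted(rights),
             "owner": likely_owner(share, catalog)}
            for share, users in catalog.items()
            for user, rights in sorted(users.items())]


if __name__ == "__main__":
    for record in iam_records():
        print(record)
```

The empty-owner case matters in practice: a share with no qualifying owner is exactly the “Smith Foods Account Proposal” problem from above, and the safer outcome is to surface it for a human decision rather than to pick a name by default.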

Think of it as installing a camera in the bank vault, and a lock on the door.
