Monitoring Sensitive Data Activity and Identifying Data Owners

If you’ve been following along in this 5-part Checkbox Compliance to True Data Security series, you should have a better understanding of how to locate your data, pinpoint which data is considered sensitive or risky to your organization, and compile a priority list of the sensitive data you’ll want to govern first. You may be thinking that once you’re done with the above it’s time to start making changes to security and locking down the risky data you found, however, we’re not quite there yet.  In part 3 of this 5-part of the series, we’re going to explain why it’s important to begin monitoring the activity surrounding that data. As an Administrator, you cannot possibly know offhand exactly which people within your organization need access to all your data or what they’re actually doing with the data they have access to.  An audit trail of file activity is the treasure trove of information you need to figure that out.

In this series, we’ve established that data is the target in most data breaches, so the risk of having too many people with excessive access rights is far too high. We’ve also talked about how unstructured data makes up 90% of an organization’s data, and it’s also what end-users create and interact with the most. When it comes to unstructured data, we’ve found that users have access and permission levels that are much too high. As a result, attackers (whether internal or external) can get immediate access to far more data than the accounts they’ve compromised need, making attacks much easier to perpetrate.

If users only had access to the data they needed to do their job, and at the lowest permission levels possible (least privilege access), then the risk posed by any standard user’s account being compromised would be relatively low in comparison to what it would be otherwise. This would force attackers to compromise larger numbers of accounts to find the data they’re looking for, thus increasing their likelihood of detection.

Role-Based Groups are Not Working

Most commonly, administrators grant access to unstructured data using Role-based Groups organized along business and geographical lines or other company dimensions. There oftentimes is little consideration for whether or not each individual user within the group actually needs access to the data or the level of access they should have to that data. So now 90% of an organization’s data access has been granted in a haphazard way, which opens that data up to common threats like ransomware.  Ransomware relies on the privileges of the accounts they compromise, so fewer privileges will lead to less risk.   

Consider, for example, if the group that grants a user access to a resource you want to remove them from also grants them permissions to other resources the user regularly accesses to do their job. In that situation you cannot remove them from the group, because they will not only lose access to the resource you intended, they’ll also lose access to the additional resources needed to do their job. We haven’t even touched on the additional complications that arise when organizations go through M&A, internal reorganizations, technology migrations, and other business-driven initiatives which directly impact the makeup of these groups.

Why We Need to Monitor File Activity Before Taking Action

One common complexity that stands in the way of creating your ideal access model, and the reason we monitor first, is the lack of insight in determining who needs access to your file shares in the first place, and how much access they need. We suggest administrators start by trying to determine the most probable owners for a file share (data custodians), so they can help determine access. That process can be time-consuming and inefficient if you don’t prioritize analyzing basic information about the share such as:

• Who is accessing the files and how often they do so
• Who is creating or contributing the most amount of content
• Who manages the users accessing the files

Armed with the results of that analysis you’ll be ready to approach a targeted list of people and survey them to find out who is actually responsible. With all the data an organization manages, administrators need data custodians who understand the data in the file shares to tell you who should actually be able to access it. This person will likely be the person who created the data in the first place. This data custodian will help you make sure the access to the data is best aligned with the business needs.

Deciding who needs access and the level of permission that user needs will become obvious during this monitoring phase. In order to properly secure your file share, you will need to observe not only how users are interacting with the data, but also the specific operations they’re performing. You will notice that while many users may have access to data, they don’t always leverage the access or permissions they have. By observing file activity over time and comparing that activity to the list of users with access, you will quickly be able to determine who needs access and at what permission level.

In the next blog post of the series, we’ll tell you how to approach your possible data custodians to get them on board to help manage the file shares and the best way to maintain fine-grained control over your resources.

See upcoming blog posts in the series below:

• POST #1: Moving From Checkbox Compliance to True Data Security
• POST #2: Prioritizing Data Governance Initiatives Through Discovery
• POST #3: Collect and Analyze Relevant Data Points to Assess Risk
• POST #4: Monitoring Sensitive Data Activity and Identifying Data Owners
• POST #5: Restructuring Permissions to Achieve a Least Privilege Access Model

Don’t want to miss any blog posts in this series? Subscribe to be notified as new posts are added to this series, here.

Join Adam Laub, our Senior VP of Product Marketing, on September 5, 2018 for the 2^nd webinar in this series, ” Data Footprint: Understanding Data Sensitivity and Prioritizing Risk.” He’ll walk you through the best methods to locate all your data, how to best classify it, and show you why you should monitor data activity before taking action. At the end of this webinar, you’ll be able to compile a priority list of the active files and shares that put your company at most risk. You will receive a CPE credit upon completion of this series.

Don’t miss a post! Subscribe to The Insider Threat Security Blog here:

Name

Email*