Part 5: Restructuring Permissions to Achieve a Least Privilege Access Model
In part 4 of this 5-part blog series, ‘Moving from Checkbox Compliance to True Data Security,’ we discussed why it’s important to monitor file share activity before you begin to take any action so you can get a full understanding of:
- Who is leveraging their access privileges
- What types of operations each user performs
- Who is creating or contributing the most content
If you’ve completed that step and those in the Discover and Collect & Analyze phases, then you should now be able to determine the most probable owners of your data, which files are active (or inactive), and which resources need to be secured first. With this information available, it is now time to begin the Restructure phase of Data Access Governance (DAG).
The ultimate goal of the Restructure phase of DAG is to adjust user permissions to achieve Least Privilege Access. In essence, this means setting permissions to the exact levels a user needs to do their job. Historically, securing file systems has been the responsibility of IT professionals. Unfortunately, there are usually far too many file shares for the IT team to control properly, and in many cases they have little to no understanding of who should have or really needs access to the data. An ideal access model enables employees outside of IT, like the data custodians you’ve identified, to control access to the shares that store the data they’re responsible for.
WHERE TO START THE RESTRUCTURING PROCESS
A good place to start your Restructure process is to remove open access. In our research, we’ve found open access to unstructured data is consistently identified by IT professionals as a critical challenge for their organizations that is often considered too overwhelming and complex to tackle head-on. The good thing is, once you complete the first 3 phases of DAG (Discovery, Collect and Analyze, and Monitor) you’ll be in a position to remove open access – safely – and establish a baseline of user entitlements to support ongoing audit and review requirements.
With your data custodians identified and assigned to each resource, they will be well positioned to perform the key tasks associated with any proper Data Access Governance program, including:
- Self-Service Access Requests – This process allows end-user access requests to data resources to be routed directly to data custodians for approval, rather than to IT resources – saving lots of time and bolstering proper decision-making with regards to data access.
- Entitlement Reviews – This process allows for periodic review and adjustment of access rights by data custodians to ensure access privileges and permissions remain at proper levels.
While it is extremely beneficial to have data custodians, the challenge has always been how to enable them to wield that power without needing a degree in Information Technology and an understanding of Active Directory groups and resource Access Control Lists (ACLs). Solving that problem requires proper standards be implemented when securing file shares and other similar resources.
IMPLEMENTING THE IDEAL MODEL
Implementing a security model that puts the control of access into the hands of data custodians can be done in a repeatable, systematic way. The driving force behind this approach is to make sure the data custodian can control access to their file share without impacting access anywhere else within the organization. The approach is also designed to be achievable with zero impact to end user access. There are 8 steps to securing your file shares, but at this point you have all the information you need to determine who needs access and the level of permissions they need, as well as who can or should be responsible for keeping access clean moving forward.
Restructuring permissions will help organizations achieve a Least Privilege Access model and will enable them to effectively govern their most valuable assets like intellectual property, financial information and customer data.
THE CURRENT STATE OF DATA ACCESS PRIVILEGES
In many organizations, user privileges are often structured based on their role, such as the business unit they’re in (e.g. Finance, Human Resources, or IT) or a variety of other parameters (e.g. project groups, physical location, executives and decision makers, etc.). One of the unintended byproducts of this methodology is an over-provisioning of access rights. Just because two or more people serve similar roles does not necessarily mean they need access to the same exact things.
THERE’S A BETTER WAY TO RESTRUCTURE PERMISSIONS
Based on the activity observed during the Monitor phase, the data custodians can restructure permissions to the exact level each user needs to perform their job duties. This task isn’t meant to be a guessing game as the level of access is based on existing behavior. The approach to achieving and maintaining fine-grained control over your share is through the use of Resource-Based Groups. We recommend organizations create at least three (3) Resource-Based Groups per share, using a consistent and understandable naming convention like:
- [Server Name]_[Resource Name]_Full Control – Only Administrators ever go in this group
- [Server Name]_[Resource Name]_ReadWrite – Only Users that have demonstrated a need for access beyond Read
- [Server Name]_[Resource Name]_Read-Only – Users that have demonstrated a need for Read access
Once the groups are defined, administrators can populate them with the appropriate users. For example, a user who accesses a file but never makes any edits to it has no need for ReadWrite access and can safely be reduced to Read-Only access without interrupting their day-to-day job responsibilities. Once the groups are populated, they can then be permissioned on the file share’s Access Control List (ACL).
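An added example, not part of the original post or any product: it turns constructed Monitor-phase activity records into proposed membership for the three Resource-Based Groups described above. The event vocabulary, the account names, `FS01`/`Finance`, and the separate "unused" list for users who hold access but showed no activity are all assumptions.

```python
from collections import defaultdict

# Assumed event vocabulary; map your monitoring tool's operation names onto it.
WRITE_OPS = {"write", "create", "delete", "rename"}
KNOWN_OPS = WRITE_OPS | {"read"}
LEVELS = ("Full Control", "ReadWrite", "Read-Only")

def group_name(server, resource, level):
    """Name a group as [Server Name]_[Resource Name]_<level>."""
    return f"{server}_{resource}_{level}"

def plan_groups(server, resource, events, current_access, admins):
    """Propose group membership for one share from observed activity.

    events: (user, operation) pairs recorded during monitoring.
    current_access: users who can reach the share today.
    admins: the only accounts permitted in the Full Control group.
    Returns (plan, unused); unused = access held but never exercised.
    """
    observed = defaultdict(set)
    for user, op in events:
        if op.lower() in KNOWN_OPS:
            observed[user.lower()].add(op.lower())

    admins = {a.lower() for a in admins}
    plan = {group_name(server, resource, lvl): set() for lvl in LEVELS}
    unused = set()
    for user in {u.lower() for u in current_access}:
        ops = observed.get(user, set())
        if user in admins:
            level = "Full Control"
        elif ops & WRITE_OPS:
            level = "ReadWrite"      # demonstrated a need beyond Read
        elif ops:
            level = "Read-Only"      # only ever read
        else:
            unused.add(user)         # assumption: hold for custodian review
            continue
        plan[group_name(server, resource, level)].add(user)
    return plan, unused

# Constructed sample data (not from the original post).
SAMPLE_EVENTS = [("alice", "Read"), ("alice", "Write"), ("bob", "read"),
                 ("carol", "read"), ("carol", "Rename"), ("bob", "list")]
PLAN, UNUSED = plan_groups("FS01", "Finance", SAMPLE_EVENTS,
                           {"alice", "bob", "carol", "dave", "fs-admin"},
                           {"fs-admin"})
```
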
The result is a clean, instantly understandable, maintainable access model for your file shares that provides the right users with the right level of permission to your data. As new users want or need access to the data, they can be safely placed inside the appropriate group for the exact share they intend to use. In the next blog post of the series, we’ll show you how to keep your new access model clean, and how to establish ongoing entitlement reviews.
See upcoming blog posts in the series below:
- POST #1: Moving From Checkbox Compliance to True Data Security
- POST #2: Prioritizing Data Governance Initiatives Through Discovery
- POST #3: Collect and Analyze Relevant Data Points to Access Risk
- POST #4: Monitoring Sensitive Data Activity and Identifying Data Owners
- POST #5: Restructuring Permissions to Achieve a Least Privilege Access Model
Latesha Lynch began her career working on VoIP technology, distributed antenna systems (DAS), and voice biometrics before delving into application and data security. Latesha can be found on Twitter @lateshalynch.