Governance on unstructured data

Businesses face challenges when implementing sound policies for dealing with their unstructured data, an ever-present thorn in the side of most enterprises today. It is estimated that more than 80 percent of enterprise data is in unstructured form, meaning it lives in files that are scattered around the file system.

Whether the files are spreadsheets, text documents, or XML or CSV data files, file system permissions remain a critical part of controlling access to organizational data, and they pose a significant liability when no process has been firmly established for locating the information and identifying who has access to it.

Compounding the problem is the dynamic nature of today’s enterprises and the technical systems they employ. Changes to company data, personnel and technology are constant and unavoidable. Those who take a “fix it and forget it” approach, treating unstructured data as a discrete project, may be able to get the answers they need for that moment in time, but will often find the information is outdated before they’ve even left the room, making it nearly impossible to keep up in the long term.

The key to making any lasting change is to have a solid plan of attack. The following tips can help your organization implement a system that makes governance on unstructured data a lifestyle change that any business can implement and stick to.

Discovery
There are a few key elements to getting a handle on unstructured data across your file system. The first step involves discovery. In order to take steps toward a lasting change, you must first take the time to understand your current situation and where you are most vulnerable. A good place to start this exercise is in Active Directory. Since access to files is often determined by group memberships, you can easily discover your current vulnerabilities by assessing groups that are obsolete or whose memberships may need to be updated. Couple this effort with a scan for accounts that are themselves obsolete. Perhaps the simplest way to do this is to identify accounts which have not been used to log on in more than 90 days or some other interval.

To gain a comprehensive view on the state of your user accounts and security groups, perform baseline checks to discover whether you have any of the following:

  • Unused user accounts
  • Unused groups
  • Over-empowered users/groups
  • Under-utilized groups
  • High-risk accounts/groups.

Once you understand the low-hanging fruit – empty or obsolete groups and dormant accounts – it is important to discover who then actually has access to what. This will give you an idea of where actual or effective permissions at the file system level may be inappropriate. Understanding permissions can be complex, to say the least.

Permissions across Microsoft Windows networks are granted based on the user accounts and security groups that exist in Active Directory, as noted above. However, permissions are applied to the files and folders themselves and may be granted to groups or directly to users. These permissions sometimes grant rights and other times revoke them. To complicate matters, conflicting group memberships make it unclear what set of permissions will actually apply to a given user.

What you need to do at the file system level is to take individual folders and files and then resolve all the group memberships and explicit permissions on each folder or file. Once you have done this, you will have a picture of the state of your permissions that may help you determine how permission assignments need to be changed. If you’re able to obtain a snapshot of what rights exist at a folder, file, group, and user level, you’ll significantly improve your organization’s security and reduce the workload of searching for answers, thereby reducing your audit costs and increasing your chances of success in the event of an audit.
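The resolution step described above, as an added example that is not part of the original article: a simplified Python model that expands nested group memberships and combines allow and deny entries for one folder. All users, groups, the share path and the ACEs are constructed sample data, and the model assumes every entry is set directly on the folder, so a deny always overrides an allow.

```python
# Added example: simplified model of effective-permission resolution.
# Every name, group, path and ACE below is constructed sample data.
PAYROLL = r"\\fs01\finance\payroll"  # hypothetical share path

# group -> direct members (users or other groups)
GROUP_MEMBERS = {
    "Finance": {"alice", "Finance-Contractors"},
    "Finance-Contractors": {"bob"},
    "All-Staff": {"Finance", "carol"},
    "Loop-A": {"Loop-B"},            # circular nesting must not hang the walk
    "Loop-B": {"Loop-A", "dave"},
}

# folder -> list of (trustee, "allow" | "deny", rights)
FOLDER_ACES = {
    PAYROLL: [
        ("Finance", "allow", {"read", "write"}),
        ("Finance-Contractors", "deny", {"write"}),
        ("carol", "allow", {"read"}),
    ],
}

def principals_for(user):
    """Return the user plus every group containing them, directly or nested."""
    found = {user}
    changed = True
    while changed:                   # repeat until no new group is discovered
        changed = False
        for group, members in GROUP_MEMBERS.items():
            if group not in found and members & found:
                found.add(group)
                changed = True
    return found

def effective_rights(user, folder):
    """Union of allowed rights minus denied rights (assumption: deny wins)."""
    who = principals_for(user)
    allowed, denied = set(), set()
    for trustee, kind, rights in FOLDER_ACES[folder]:
        if trustee in who:
            (allowed if kind == "allow" else denied).update(rights)
    return allowed - denied

def access_report(folder):
    """Map every known user to their sorted effective rights on the folder."""
    groups = set(GROUP_MEMBERS)
    users = {m for ms in GROUP_MEMBERS.values() for m in ms} - groups
    users |= {t for t, _, _ in FOLDER_ACES[folder]} - groups
    return {u: sorted(effective_rights(u, folder)) for u in sorted(users)}
```

In the sample data, bob inherits read and write through Finance but loses write through the deny on Finance-Contractors, which is the kind of conflict a folder-by-folder snapshot surfaces.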

Attestation
After you’ve taken the time to understand the state of your files and folders and the access rights associated with them, the next step is to develop a routine process that enables business owners to easily review and approve user permissions and activity on critical files and folders, as well as to subsequently clean up users and groups with unwarranted access rights. Starting off with the smaller, simpler tasks is the key to making this process more manageable and sticking with it long term.

Use the following checklist as your guide:

  • Clean up dormant accounts
  • Clean up obsolete groups
  • Remove inappropriate group memberships
  • Confirm users have appropriate password policies
  • Delete redundant or unused files.

It’s important to have a process in place that makes it easy to keep up with these changes as they’re happening, so that users are added as needed but dormant users aren’t forgotten about. If you can implement this process as part of a routine, you’ll be ready to move on to some of the more challenging areas, like identifying data with an unusually high number of permissions, identifying files that haven’t been accessed over a long period of time (i.e., more than a year), and finally identifying which users appear to have too much access.

Monitoring
Next you’ll want to monitor access to files/folders (who is opening or changing files), changes to permissions on those resources, as well as any user account or security group changes. By monitoring activity over time, you can quickly report on all activity related to sensitive files, identify data owners, and get alerts on inappropriate behavior.

Key areas to track on a routine basis (daily where possible/weekly at minimum) include:

  • What files are being accessed and by whom, to know when policies are being breached or when sensitive files are being accessed
  • Changes to access rights, to keep track of permission and ownership changes over time
  • Group membership/user changes that enable/deny access rights.

Where possible, use tools that help automate the analysis of these changes in real time so that you’re able to respond to any events that require further action as opposed to just logging them.
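One way to automate the analysis of the three tracked areas, as an added example that is not part of the original article: a Python triage pass over simplified event records. The event IDs are the standard Windows Security log IDs for object access (4663), permission change (4670) and member added to a global security group (4728); the record layout, paths, users and watch lists are constructed assumptions.

```python
# Added example: triage of constructed, simplified Security-log records.
# Field names, paths, users and watch lists are assumptions for illustration.
SENSITIVE_ROOT = r"D:\Shares\Payroll"   # hypothetical sensitive folder
APPROVED_USERS = {"alice", "bob"}        # hypothetical approved readers
WATCHED_GROUPS = {"Finance"}             # groups that grant access to it

EVENTS = [
    {"id": 4663, "user": "alice", "object": r"D:\Shares\Payroll\2024.xlsx"},
    {"id": 4663, "user": "mallory", "object": r"D:\Shares\Payroll\2024.xlsx"},
    {"id": 4670, "user": "bob", "object": r"D:\Shares\Payroll"},
    {"id": 4728, "user": "bob", "object": "Finance", "member": "mallory"},
    {"id": 4663, "user": "carol", "object": r"D:\Shares\Public\menu.txt"},
    {"id": 4663, "user": "carol", "object": r"D:\Shares\PayrollOld\a.txt"},
]

def is_sensitive(path):
    """True for the sensitive folder itself or anything beneath it."""
    p, root = path.lower(), SENSITIVE_ROOT.lower()
    return p == root or p.startswith(root + "\\")

def classify(event):
    """Return an alert string for events needing follow-up, else None."""
    eid, obj, user = event["id"], event["object"], event["user"]
    if eid == 4663 and is_sensitive(obj) and user not in APPROVED_USERS:
        return f"unapproved access: {user} -> {obj}"
    if eid == 4670 and is_sensitive(obj):
        return f"permission change: {user} on {obj}"
    if eid == 4728 and obj in WATCHED_GROUPS:
        return f"group change: {user} added {event['member']} to {obj}"
    return None

def triage(events):
    """Keep only the events that require a response, in log order."""
    return [alert for alert in map(classify, events) if alert]
```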

Assessment
You’ve taken the time to understand which files are most critical. You understand who has access to those files/folders. You’ve put a process in place to keep track of permission and ownership changes over time and resolve issues more easily. However, you’re not done yet. Completing these tasks should never be viewed as a one-time occurrence. It’s time to make sure you have a plan in place that will make it easier to incorporate these practices as part of a lifestyle.

The final step to bringing structure to your unstructured data is to perform a vigilant assessment of any problem areas on a regular basis. These include items such as dormant user accounts, orphaned SIDs, circular groups, and groups with no members. By scheduling assessments into your daily/weekly/monthly routine, you can dramatically reduce the potential for security threats that come from unstructured data and keep your file systems in tip-top shape, making it less of a chore next time.
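The recurring checks listed above, together with the 90-day dormant-account scan from the Discovery section, as an added example that is not part of the original article: a Python sketch run over constructed directory data. The account names, groups, SIDs, share path and reference date are all made up for illustration.

```python
from datetime import date

# Added example: every value below is constructed sample data.
TODAY = date(2024, 6, 1)
LAST_LOGON = {"alice": date(2024, 5, 28), "bob": date(2023, 11, 2), "svc-old": None}
GROUPS = {
    "Finance": ["alice", "Finance-Contractors"],
    "Finance-Contractors": ["bob"],
    "Project-X": [],
    "Loop-A": ["Loop-B"],
    "Loop-B": ["Loop-A"],
}
KNOWN_SIDS = {"S-1-5-21-1-1-1-1101": "alice", "S-1-5-21-1-1-1-1102": "bob"}
ACL_SIDS = {r"\\fs01\finance": ["S-1-5-21-1-1-1-1101", "S-1-5-21-1-1-1-1199"]}

def dormant_accounts(max_idle_days=90):
    """Accounts with no logon inside the window, including never-used ones."""
    return sorted(u for u, seen in LAST_LOGON.items()
                  if seen is None or (TODAY - seen).days > max_idle_days)

def empty_groups():
    """Groups with no members at all."""
    return sorted(g for g, members in GROUPS.items() if not members)

def circular_groups():
    """Groups that can reach themselves by following nested memberships."""
    def reaches_self(start):
        stack, seen = list(GROUPS[start]), set()
        while stack:
            node = stack.pop()
            if node == start:
                return True
            if node in GROUPS and node not in seen:
                seen.add(node)
                stack.extend(GROUPS[node])
        return False
    return sorted(g for g in GROUPS if reaches_self(g))

def orphaned_sids():
    """ACL entries whose SID no longer resolves to any account or group."""
    report = {}
    for path, sids in ACL_SIDS.items():
        missing = [s for s in sids if s not in KNOWN_SIDS]
        if missing:
            report[path] = missing
    return report

def assessment():
    """Collect all four findings into one report for the scheduled review."""
    return {"dormant": dormant_accounts(), "empty": empty_groups(),
            "circular": circular_groups(), "orphaned": orphaned_sids()}
```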

Conclusion
Getting control of file system permissions can seem complicated and overwhelming, but it doesn’t need to be difficult. Bringing more structure to your unstructured data starts with a sound plan of attack and includes taking time to understand where your vulnerabilities lie so that you can put a process in place to resolve, actively monitor and vigilantly assess any problem areas. With the right approach and tools in place, you will feel empowered to embrace a lasting lifestyle change that creates real governance over what may often have seemed ungovernable.