Product showcase: DCAP solution FileAuditor for data classification and access rights audit

The concept of DCAP solutions was introduced by Gartner experts, as it was clear, that without such solutions information security (IS) specialists would not be able to cope with the protection of data in various silos due to the increase in the overall amount of kept and created, as well as amount of operations of operations on data, such as copying, editing, transmitting etc. These factors will inevitably stipulate the increasing need to monitor and audit access rights and to protect data across silos.

In real life, critical data is scattered within the corporate infrastructure and kept in various folders, duplicated, is saved on personal devices, in cloud services and in publicly available folders. At some point, it’s impossible to track where the data is stored and who has access to it.

Requirement to protect some sensitive data, such as personal details is enshrined in law: for instance, these are demands of GDPR, KVKK, SAMA, PDPA, BDSG, PDPL etc.

Traditional tools are incapable of ensuring appropriate level of protection. That’s why according to experts there was the necessity to introduce the DCAP class solutions to the market. SearchInform has also developed its own DCAP solution – FileAuditor.

To understand, why DCAP functionality is crucial, let’s first of all examine the case.

Case study

The retail company purchased a few expensive market researches (the price of each research was more than $100,000). Just a week after the file, containing results of research was received by the retail company, the document was leaked to the darknet, and one more week later it was exposed on the Internet. The company’s IS officers deployed SearchInform FileAuditor and performed the audit of access rights to find out, who had access to the confidential document.

According to the security policies, established in the organization, only 100 users had legitimate access rights to the file. However, it turned out, that in fact more than 300 users had access to the confidential data. That happened because one of the employees, who had legal access rights moved documents to a shared folder. Only a specialized advanced DCAP system is capable of revealing that a document with confidential content is kept in publicly available storage and that users inside corporate perimeter, who don’t have legitimate access rights to the file, access or process it.

FileAuditor (DCAP solution by SearchInform) work process

Let’s learn how FileAuditor works.

The work principle of FileAuditor

Obtaining and classifying all the data

FileAuditor scans all file storages and checks them for compliance with security policies. It examines files’ names, directory they are kept in, reveals, which users have access to the files, and what’s the most important, it analyzes each files’ content.

If the file falls under any of the search rule, FileAuditor adds confidentiality label to the file: for instance, personal data or source code.

The preset includes 424 out-of-the-box security rules (including those, which are crucial for compliance with GDPR, PCI DCC etc.), so a customer can run the system immediately after installation.

Templates for sensitive data classification in FileAuditor

The sensitive data classification rules can be configured according to clients’ own requirements, complemented with customers’ own samples, or they may be simply activated – the system will immediately start to work automatically. The solution is capable of checking textual information and images as well (scans and photos of documents).

The example of rules creation in FileAuditor

Manual labeling

In order to attract users’ attention and make employees used to secure document flow, it’s possible to set the requirement for employees to add labels manually. The labels may be also made visible for users, what also contributes to ensuring of secure document flow. However, the system will automatically check the label anyway to make sure that the user didn’t make a mistake.

Adding of a confidentiality label in the manual mode

Confidentiality labels, added to files are based primarily on the file content. That’s why the system cannot be deceived – the results of analysis doesn’t depend on change of attributes.

For instance, it doesn’t matter, if the file is moved to another directory, its name and extension are changed – FileAuditor makes decision basing on the file content – if the file still contains something confidential after editing, the appropriate label is added to the file and it remains protected.

Thus, the content-based confidentiality labels enable to configure access rights appropriately. IS officer detects violations in files and folder access rights distribution.

Access rights audit and distribution

FileAuditor enables to easily manage users’ access rights to confidential documents.

FileAuditor shows user access rights to each document and folder using information from file system resources. Thanks to this, an IS specialist does not need to use additional tools, he/she can immediately see: which groups and employees have access to a document and who are not allowed to access it; view the list of operations available to each user / each group of users with a particular file / a particular directory.

It’s crucial that the system allows to manage access rights, taking into account not only file attributes (format, date of creation, etc.), but also the file’s content.

It’s possible set or change permissions on interaction with documents immediately in the FileAuditor console. The process is fast and easy, all changes for the entire network can be made from a single point.

This is how change of access rights to file is performed in FileAuditor

Monitoring user actions

After data classification and access rights distribution/redistribution is performed, FileAuditor starts the process of continuous monitoring. From now on every operation with a document, such as file opening or changing access to it; making changes to file content; file transmissions etc. will be recorded.

Monitoring of operations is implemented at the driver level, which is technologically very different from analysis of EventLogs, which can be deleted and which do not record all the operations. For each document in the controlled storages you can view the history of operations with files: who and when opened or edited the file you are looking for. You can also use search filters to specify, which critical operation should be monitored. This will help to reduce the number of documents analyzed. For example, you can select files, which during the time period of interest were changed; renamed, transmitted or deleted; which access rights were redistributed; fell under a rule or vice versa, which control was stopped.

FileAuditor in the illustrative manner visualizes operations with files.

Operations on a critical file

Blocking user actions

The blockings by FileAuditor make sure that no illicit operation will take place. According to the rules, configured beforehand, solution prevents unwanted operations, e.g. attaching file to email, opening email via any application etc.

Blockings are configured according to the automatic classification (content-context analysis) and manual classification labels, mentioned above. For example, you can prohibit everyone except selected users and groups to read files labeled For Internal Use.

It is also possible to limit the range of users who are able to read (as in the described example) or any other function. Thus, it is possible to block not only operations of confidential files transmition, but also prohibit working with them in any application, ranging from email (including web mail and drafts) to a graphic editor or a tailor-made corporate messenger. If an employee doesn’t have legitimate access rights to work with the file, but intends to forward or open it, he/she receives a notification on the restriction of the operation.

This means, that, in case the FileAuditor was implemented in advance in the company, mentioned in the case study in the beginning of the article, even if the confidential file was transmitted to a shared folder, unauthorized users wouldn’t even be able to open it.

Security policy (blocking) activation when a user doesn’t have legitimate access rights to work with a file

If the confidential and valuable data is deleted from the file, the confidentiality label is also changed and the file control is stopped. This helps to offload the infrastructure and save the organization’s resources.

File control is stopped because it no more corresponds to the rules

All in all, FileAuditor is the reliable assistant in achieving the data-centric security model goals.

First of all, it enables to discover what data is kept in the organization (including confidential data). It helps to manage the data (configure access policies) and protect data against loss, unauthorized use or encryption by ransomware viruses. Finally, it enables to perform the permanent monitoring of data usage.

The solution makes backups of required types of files just in case they are lost or stolen. Thus, it prevents loss of the most valuable information. The solution monitors all operations with files, reveals, who and when worked with file and what operations exactly were made, for instance, if a file was renamed or transmitted anywhere. So, IS officer has the full picture of the file lifecycle and has all the functionality for performing investigations close at hand.

Without knowing precisely where exactly data is kept and who has access to it, it’s unclear, what should be protected. So, the file system audit is the first and necessary step. Creation of a comprehensive protection system implies protection of data transmission channels and monitoring all users’ activity as well. SearchInform’s line of solutions includes the comprehensive Risk Monitor solution for data leak prevention and risk management. SearchInform systems seamlessly integrate with each other, work within a single platform, and only 1 single agent is required for deployment.

To learn more and try the solution for free you may visit the solution’s page on SearchInform website.