Archive for: July, 2011

Token Bloat. It’s Preventable. by David Gibson

I mentioned last week that organizations are moving toward using single-purpose security groups, where each shared folder has a read group and a write group on its ACL, and these groups are not used to permission other folders or resources. DataPrivilege® automatically creates and helps data owners maintain these single-purpose security groups, so the additional groups don’t have to introduce administrative overhead.

However, new groups do add new relationships to Active Directory, and this ties into the topic I mentioned last week, “token bloat,” which refers to access tokens growing too large. In a nutshell, when a user’s access token gets too big, sometimes they can’t log in to their workstations. This is a high-priority help desk call when it happens to any user—when it happens to your CEO it is definitely sub-optimal.

Why does it happen? Access tokens are created when users authenticate with Active Directory, and they store a lot of SIDs, or Security Identifiers. Each group you’re in adds a SID to your token. Each group those groups are in adds a SID to your token, and so on. SID history also adds SIDs to your token. By default, the number of SIDs your Active Directory access token can contain is 1,024—if your token contains more than 1,024 SIDs, you may not be able to log in.

In addition to the obvious security benefits, this token limitation is another good reason to remove users from unneeded groups, identify and remediate deeply nested/looped nested groups, eliminate security groups that aren’t used to access any resources, and to clean up SID history. Automated recommendations and reports about these and other issues are included in Varonis DatAdvantage.
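To make the SID arithmetic above concrete, here is an added example (not code from the post or from Varonis) that walks nested group membership the way a token is built: one SID for the user, one per group reached transitively, plus every SID-history entry on the user and on each group. The directory below is constructed; group names, the `SID_HISTORY` counts and the `USERS` list are assumptions for the illustration. The walk keeps a visited set, so a looped nesting such as the one built into the sample terminates and is reported rather than spinning.

```python
"""Estimate Active Directory access-token SID counts from nested group
membership.  Added example, not part of the original post; all directory
data here is constructed for illustration."""
from collections import deque

# Constructed directory: each group lists its direct members, which may be
# users or other groups.  G-Finance-All and G-Finance-Mgmt contain each other,
# which is the "looped nested group" case the post warns about.
GROUP_MEMBERS = {
    "G-Finance-R":     {"alice", "G-Finance-All"},
    "G-Finance-All":   {"G-Finance-Staff", "G-Finance-Mgmt"},
    "G-Finance-Staff": {"alice", "bob"},
    "G-Finance-Mgmt":  {"carol", "G-Finance-All"},
    "G-Legacy-01":     {"bob"},
}
USERS = {"alice", "bob", "carol"}

# Constructed sIDHistory counts: SIDs carried over from a migrated domain.
SID_HISTORY = {"bob": 2, "G-Legacy-01": 1}

DEFAULT_MAX_SIDS = 1024   # the default limit quoted in the post


def direct_groups_of(principal):
    """Groups that list this user or group as a direct member."""
    return {g for g, members in GROUP_MEMBERS.items() if principal in members}


def token_groups(principal):
    """All groups whose SIDs land in the principal's token, found by walking
    membership upward.  The visited set makes loops terminate."""
    seen, queue = set(), deque(direct_groups_of(principal))
    while queue:
        g = queue.popleft()
        if g in seen:
            continue
        seen.add(g)
        queue.extend(direct_groups_of(g))
    return seen


def token_sid_count(user):
    """1 for the user's own SID, 1 per group, plus sIDHistory entries on the
    user and on every group.  A real token also carries well-known SIDs
    (Everyone, Authenticated Users, ...), which this estimate leaves out."""
    groups = token_groups(user)
    history = SID_HISTORY.get(user, 0) + sum(SID_HISTORY.get(g, 0) for g in groups)
    return 1 + len(groups) + history


def find_membership_loops():
    """Groups that are, transitively, members of themselves."""
    return sorted(g for g in GROUP_MEMBERS if g in token_groups(g))


def users_over_limit(limit=DEFAULT_MAX_SIDS):
    """Users whose estimated token exceeds the SID limit."""
    return sorted(u for u in USERS if token_sid_count(u) > limit)


if __name__ == "__main__":
    for u in sorted(USERS):
        print(f"{u}: {token_sid_count(u)} SIDs from {sorted(token_groups(u))}")
    print("looped groups:", find_membership_loops())
    print("over limit:", users_over_limit())
```

Run against a real directory, the membership map would come from group member attributes and the history counts from each object's sIDHistory; the traversal and the loop report stay the same, and lowering the limit argument is a quick way to list the users closest to the ceiling.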

Another piece of news is that there is a registry setting that increases the size of the token, described here. We have tested this successfully and we’re curious to see how it’s working for other folks. Please email me at if you have feedback.

Thanks to Sundar Ramakrishnan, who wrote a very helpful write-up, here.

Aligning Security Groups and Automating Entitlement Reviews by David Gibson

More and more of the companies I’ve been meeting with recently are discussing the need to align groups with data, and then to perform entitlement reviews (aka permissions audits/attestations) on the re-aligned groups or the data itself. One administrator took the words out of my mouth: “If you’re not sure that the groups are correctly aligned with the data, then reviewing group members is just an empty exercise.” Whether you review access from a group membership or data perspective, the goal is really the same—to make sure only the right people have access to the right data.

In order to rein in “group sprawl,” one practice that is becoming more popular is using single-purpose groups. A shared folder will have two groups: a read group and a write group, and those groups aren’t to be used anywhere else. The actual implementation varies a bit depending on whether you use the AGLP/UGLY model, but the end result is that groups are aligned to a single data resource. With this approach it makes little difference whether you review access from the group or the data perspective.
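The single-purpose pattern is easy to state and easy to drift away from, so here is an added example (not the post's or Varonis's tooling) of the checks a reviewer would run over an ACL inventory: every folder should carry exactly one read group and one write group, no group should appear on more than one folder, and, picking up the point from the token-bloat post, any security group that sits on no ACL at all is a candidate for removal. The inventory and group list below are constructed; the folder paths and group names are assumptions.

```python
"""Audit share ACLs against the single-purpose group pattern.  Added example,
not from the original post; the inventory below is constructed."""

# Constructed inventory: folder -> {group name: right granted}
ACL_INVENTORY = {
    r"\\fs01\Finance": {"G-Finance-R": "read", "G-Finance-RW": "write"},
    r"\\fs01\Legal":   {"G-Legal-R": "read", "G-Legal-RW": "write"},
    r"\\fs01\HR":      {"G-HR-R": "read", "Domain Users": "write"},  # broad group reused
    r"\\fs01\Scratch": {"Domain Users": "write"},                   # no read group at all
}

# Constructed list of security groups that exist in the directory.
ALL_GROUPS = {"G-Finance-R", "G-Finance-RW", "G-Legal-R", "G-Legal-RW",
              "G-HR-R", "G-Old-Project", "Domain Users"}


def groups_reused_across_folders():
    """Groups that appear on more than one folder's ACL, violating the
    'not used anywhere else' rule.  Returns group -> sorted folder list."""
    usage = {}
    for folder, entries in ACL_INVENTORY.items():
        for group in entries:
            usage.setdefault(group, set()).add(folder)
    return {g: sorted(f) for g, f in usage.items() if len(f) > 1}


def folders_missing_pair():
    """Folders that do not have exactly one read group and one write group."""
    bad = {}
    for folder, entries in ACL_INVENTORY.items():
        reads = sorted(g for g, r in entries.items() if r == "read")
        writes = sorted(g for g, r in entries.items() if r == "write")
        if len(reads) != 1 or len(writes) != 1:
            bad[folder] = {"read": reads, "write": writes}
    return bad


def groups_on_no_acl():
    """Security groups that grant access to no folder in the inventory."""
    used = {g for entries in ACL_INVENTORY.values() for g in entries}
    return sorted(ALL_GROUPS - used)


if __name__ == "__main__":
    print("reused groups:", groups_reused_across_folders())
    print("folders without a read/write pair:", folders_missing_pair())
    print("groups on no ACL:", groups_on_no_acl())
```

Whichever side of AGLP you build from, the invariant being tested is the same: a one-to-one mapping between a data resource and the pair of groups that grant access to it, which is what lets a review of group members and a review of folder access answer the same question.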

One question that naturally follows is, “Aren’t we going to end up with a ton of groups?” We’ll address that in my next post about “token bloat.”

In the meantime, we’ve created a new movie about automating Entitlement Reviews.


Enterprise Governance with RSA and Varonis by Brian Vecci

One of the things our customers ask us from time to time is how RSA DLP, RSA Archer and Varonis can work together. RSA Archer is an eGRC or enterprise governance, compliance and risk product. It’s designed to help organizations organize and maintain a wide variety of governance and risk policies, and it does a great job of absorbing information from and integrating with systems like Varonis.

Let’s take a look at how EMC leveraged all three products. EMC has over two petabytes of unstructured data on file shares and Celerra NAS devices. To get a handle on some of the risk associated with that data, EMC scanned the content of those shares with RSA DLP, uncovering more than 30,000 files containing sensitive information. The challenge was to remediate those files by moving them to secure locations, deleting them, or locking down access to appropriate users. EMC set an aggressive goal: all remediation should be completed in less than two months.

The key for EMC was to identify and involve the business owners of the assets so that the remediation didn’t affect the business. EMC needed to know who had the proper context to make these decisions, so they leveraged Varonis. By looking at actual file access, EMC was quickly able to determine likely data owners for all 30,000 files—around 1,200 users.

The next step for EMC’s risk organization was to involve those 1,200 business users and find out what needed to be done about all of that sensitive content. EMC leveraged Archer’s assessment functionality to reach out to the owners and query them on each file. Data owners received custom questionnaires about each sensitive file they owned. Out of 1,200 users who owned sensitive data, only 150 responded saying they needed to retain the data. Archer was then used to track the remediation and encryption of each of the 30,000 incidents. Archer can prove the process was completed, and Varonis and RSA DLP are used to ensure that any new data is protected accordingly.

PCI DSS Compliance: It’s Not Just About Structured Data

Many times in organizations there is such a focus on databases in regards to PCI compliance that other critical data repositories are neglected, to the detriment of an organization’s compliance efforts. E-Commerce Times just published an article by David Gibson, Director of Strategic Accounts and Technical Marketing for Varonis, which outlines why it is important to protect file shares and SharePoint sites that house spreadsheets and documents when implementing and managing a PCI strategy. The article goes into detail about how organizations can implement a comprehensive approach, not only to finding PCI information that resides outside of databases, but also to managing authorization, access control and auditing of all unstructured and semi-structured data stores. Read the full article.