Archive for: August, 2011

What About Individual Users on ACL’s?

One question I received in response to our recent post about aligning windows security groups and automating entitlement reviews was, “If you’re using single-purpose security groups and managing them automatically with an automated solution like DataPrivilege®, why use groups at all? Why not just assign users directly to the ACL?” That’s a great question (even though the idea may seem like heresy in the windows world).

There’s also a great answer: Applying NTFS permissions takes a very long time when you have to write the ACL’s (access control lists) on a large number of subfolders and files—sometimes it can take hours or even days with a large directory structure. Therefore, for now at least, we seem to be better off using groups and relatively static ACL’s to minimize the number of times permissions have to be applied to individual files and folders. In contrast, moving users into and out of groups is relatively quick, though replication can take a while, and users often have to log out and log back into AD for changes to take effect.

Some organizations have opted for a different approach that goes against what has become accepted as best practice—using Windows share permissions instead of NTFS permissions. I’ll discuss the pros and cons of this technique next time.

Video How To: Transforming Chaotic Collaboration to Secure Collaboration

  • Use metadata to answer questions about data
  • Remediate exposures (like the everyone group)
  • Align data with data owners
  • Involve data owners in data governance and perform entitlement reviews
  • Monitor data use and alert on abuse

Version 5.6 of the Varonis Data Governance Suite® has been released

Version 5.6 of the Varonis® Data Governance Suite® has been officially released. Version 5.6 includes enhancements to DatAdvantage for Windows®, DataPrivilege®, and the IDU Classification Framework®, including:

  • Share permissions visibility in DA/Windows
  • Bulk upload of Data Owners
  • Complete new look and feel for the DP user interface
  • IDU Classification Framework® file results analysis from the DatAdvantage interface

Take a look at some of the new features, here:

Customers may contact for assistance with upgrading.

Permissions out of Control? Step One…Automation

Nowadays, IT administrators identify and repair access control issues in a fraction of the time that it takes to do manually with software automation (Varonis DatAdvantage). However, sometimes access control cleanup projects can be delayed by organizational politics or entrenched bureaucratic processes, sometimes permissions are so out of control that it can take a significant amount of time to determine proper demarcation points, align groups with data, and confirm ownership. In the meantime, what can we do to reduce risk without changing permissions?

In situations like this, one of our systems engineers recommends starting with providing data owners simple to review reports about who is accessing their data on a weekly basis. These reports can be scheduled for automatic delivery with software such as Varonis DatAdvantage.

Every week, the owners of critical folders receive a report with the list of users who have actually accessed data in their folder, and how many access events (opens, creates, deletes, etc.) they’ve generated over the previous week:

Report on access activity for data owners

Simple DatAdvantage Statistics Report

If a data owner sees someone accessing their data that shouldn’t be, they can tell the administrators to remove access, remove it themselves via Varonis DataPrivilege, and/or reach out to that user directly. If desired, they can get a more detailed report of exactly what each user did in their folder.

In many cases administrators require access but they should not be examining or modifying business content. These reports are also helpful to keep an eye on administrative activity.

Eventually, global access groups will be removed and data owners will begin performing regular entitlement reviews to ensure that access control lists are maintained and as lean as possible. Organizations in-the-know have already begun the process of auditing actual access, removing global access groups (everyone, authenticated users, domain users, etc.) aligning data owners and groups with data, and performing entitlement reviews. In the meantime, access can be monitored and reviewed—a good start to improve data security.

For more information, read the white paper, Revolutionize Your Permissions Management.