All posts by Brian Vecci

Getting the Most Out of Data Transport Engine

If you don’t need it, get rid of it. If it’s sensitive, make sure it’s in the right place and only accessible to those who need it. Old files are expensive and risky, which is why we have retention and disposition policies for what should happen to data that we don’t need anymore.

The Data Transport Engine (DTE) is a component of the Varonis Data Security Platform that lets you automate these kinds of policies at the file or folder level, so you can automatically move data to where it’s supposed to be.

How does it work?

DatAdvantage collects directory information (users and security groups from Active Directory and local accounts), file system permissions (access control lists, or ACLs), classification information on which files contain PII or other sensitive data, and a record of access activity by all users and service accounts. With all of this information, Varonis knows where your data is, who has access to it, which files might be sensitive, and exactly what is being used (or not), and by whom.

With DTE, you can create file and folder transportation rules based on this metadata, and DTE will move the files that match a rule from one location to another. For example, you can automatically move files that haven’t been accessed (by a human being!) in more than seven years to meet your retention policy. You can also create rules based on content, so if someone puts something sensitive where it’s not supposed to be, like an open SharePoint site, a DTE rule can automatically move it somewhere safe.

What are some popular use cases?

Stale Data Cleanup

Setting up DTE to clean up old data is straightforward, and leaving stub files behind means that users can still reach archived data if they need it.

One customer had an interesting variation on this use case. They needed to archive a lot of data, but with one important exception: any financial records that met certain criteria couldn’t be moved or modified in any way because of a compliance issue. They used DTE to identify and move the special financial records to separate folders with a unique naming scheme. Then they created their automated retention policy with a clause to exclude those folders from the retention rule’s scope.

You can run stale data cleanup jobs manually with DTE or configure automated retention rules that constantly scan for data that is old enough to archive.
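A simplified stand-in for the retention rule and the compliance-hold exception described above, added here as an example (it is not Varonis DTE code): it takes a constructed audit trail and file list, ignores reads by service accounts so that only human access counts, leaves folders that use the hold naming scheme (a hypothetical FINHOLD- prefix) untouched, and produces a dry-run move plan. Share names, accounts, file names and dates are all constructed.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from pathlib import PureWindowsPath

RETENTION = timedelta(days=7 * 365)          # "not accessed in more than seven years"
HOLD_PREFIX = "FINHOLD-"                     # constructed naming scheme for the excluded folders
SERVICE_ACCOUNTS = {"svc_backup", "svc_av"}  # automated accounts whose reads do not count

SOURCE_ROOT = r"\\nas01\Finance"             # constructed share names
ARCHIVE_ROOT = r"\\archive01\Finance"
NOW = datetime(2017, 1, 1)                   # fixed "today" so the plan is reproducible


@dataclass
class AccessEvent:
    user: str
    path: str
    when: datetime


# Files in scope with their creation dates (fallback when no human access is on record).
FILES = {
    r"\\nas01\Finance\Q1-2008\budget.xlsx": datetime(2008, 1, 15),
    r"\\nas01\Finance\FINHOLD-2009\ledger.xlsx": datetime(2009, 3, 1),
    r"\\nas01\Finance\Q1-2008\notes.docx": datetime(2008, 2, 1),
    r"\\nas01\Finance\2016\plan.xlsx": datetime(2016, 5, 1),
}

# Constructed audit trail. The backup account touched budget.xlsx yesterday, which must
# not keep the file out of the archive; the last human read was in 2009.
EVENTS = [
    AccessEvent("svc_backup", r"\\nas01\Finance\Q1-2008\budget.xlsx", datetime(2016, 12, 31)),
    AccessEvent("alice", r"\\nas01\Finance\Q1-2008\budget.xlsx", datetime(2009, 6, 1)),
    AccessEvent("bob", r"\\nas01\Finance\Q1-2008\notes.docx", datetime(2015, 3, 1)),
    AccessEvent("carol", r"\\nas01\Finance\FINHOLD-2009\ledger.xlsx", datetime(2009, 4, 2)),
]


def last_human_access(events, service_accounts=SERVICE_ACCOUNTS):
    """Most recent access per file, ignoring service accounts (the 'by a human being' rule)."""
    latest = {}
    for ev in events:
        if ev.user in service_accounts:
            continue
        if ev.path not in latest or ev.when > latest[ev.path]:
            latest[ev.path] = ev.when
    return latest


def on_compliance_hold(path, prefix=HOLD_PREFIX):
    """True if any folder on the path uses the hold naming scheme; such files are never moved."""
    return any(part.startswith(prefix) for part in PureWindowsPath(path).parts)


def archive_destination(path, source_root=SOURCE_ROOT, archive_root=ARCHIVE_ROOT):
    """Mirror the source tree under the archive root so a stub can point back at it."""
    relative = PureWindowsPath(path).relative_to(source_root)
    return str(PureWindowsPath(archive_root) / relative)


def plan_moves(events=EVENTS, files=FILES, now=NOW, retention=RETENTION):
    """Dry run of the rule: returns (moves, skipped) without touching any file."""
    latest = last_human_access(events)
    cutoff = now - retention
    moves, skipped = [], []
    for path, created in files.items():
        if on_compliance_hold(path):
            skipped.append((path, "compliance hold"))
            continue
        # A file nobody has read since creation is judged by its creation date instead.
        reference = latest.get(path, created)
        if reference > cutoff:
            skipped.append((path, "within retention window"))
            continue
        moves.append((path, archive_destination(path)))
    return moves, skipped


if __name__ == "__main__":
    moves, skipped = plan_moves()
    for src, dst in moves:
        print(f"MOVE {src} -> {dst}")
    for path, reason in skipped:
        print(f"SKIP {path} ({reason})")
```

Only budget.xlsx ends up in the move list: the backup read is ignored, the ledger is protected by its hold folder, and the other two files are inside the window.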

Data Classification Rules

Sensitive Data Migration

Your security policy might dictate where sensitive or regulated data should live (or where it shouldn’t) and who should have access to it (or who shouldn’t). Customer data with PII can’t live in folders open to everyone in the company, for example, or in personal drives. Since DTE rules can use the sensitive data scans from our Data Classification Framework (DCF), you can move sensitive files where they’re supposed to be.

One customer took this a step further and enhanced the DTE rule to modify the permissions of the files in transit. DTE rules can be set to modify permissions so the destination data is more secure than the source. In this case, the DTE rule was set so that once files reached the destination folder, their file system permissions were overridden to inherit from the parent folder. This simplifies their security and helps make sure the right people have access once the data is moved.

What if someone drops a sensitive file somewhere by accident? Just as with stale data, you can set DTE rules that automatically quarantine sensitive data somewhere safe.

Classification Rules

Migrating Everything, Even Between Domains

Migrations and consolidations can be massive projects, as in the case of one large telecom customer that went from hundreds of individually managed, remote Windows file servers down to just a few very large NAS devices. Instead of having to manually migrate each server to a NAS and then re-create all of the file system permissions in the destination domain, DTE managed the whole process automatically.

In this case, the movement rules were set up to re-permission the data at the destination NAS devices, too. This is important if your migration is between Active Directory domains, since if you don’t re-permission the data, no one will be able to access anything if the old domain goes away. DTE will re-create the groups in the new domain so you can automate that part of the process as well.

Want to set DTE rules up for yourself? Check out this how-to guide or video. If you’re not running DTE, contact us about lighting up a trial license so you can see how it works.

The Differences Between DLP, IAM, SIEM, and Varonis Solutions

You can’t always do it all alone and sometimes you need help from your friends. It’s good life advice, and as it turns out, good advice for a security solution. A multi-pronged security program that uses a mix of technologies and approaches is the best way to reduce risk and to protect your organization’s most important data resources.

For example, Data Loss Prevention (DLP) solutions are often used to help protect sensitive data as it moves around the network and makes its way to endpoint devices. Identity and Access Management (IAM) solutions complement DLP by connecting disparate authentication services together, so that when users need to access systems or applications, they make a request through a single service. And Security Information and Event Management (SIEM) tools aggregate, correlate, and help analyze the logs from a variety of different sources in a single repository.

Yes, organizations often employ some or all of DLP, IAM, and SIEM in a best-of-the-best approach. But what are the differences between these technologies, and how do they relate to Varonis, which is neither DLP, IAM, nor SIEM?

Let’s go through the distinctions.

Data Loss Prevention

To prevent a user’s sensitive data from making its way outside the corporate network, DLP solutions execute responses based on pre-defined policies and rules, ranging from simple notification to active blocking.

DLP typically covers three high-level use cases: endpoint protection, network monitoring of data in motion, and classification of data at rest.

Endpoint protection use cases include hard drive encryption, optical drive and USB port locking to prevent exfiltration, and malware protection.

Data in motion technologies inspect email and web traffic to attempt to identify sensitive data potentially being exfiltrated so that data remains in the organization, and may also help ensure that content is only accessed over encrypted channels.

Data at rest classification inspects the content of files to identify where sensitive data may exist on server and cloud platforms, so that additional action can be taken to ensure proper access controls.

IAM

While DLP is great for protecting sensitive data, it generally has no information about how data is being used or how access controls are granted.  To obtain this access information, many organizations turn to Identity and Access Management.

Identity Management serves as a gatekeeper for user access rights. When a user starts a new role, they are authorized and granted access rights to systems and applications; when they leave the organization, those rights are terminated.

What makes Access Management so critical is that access rights, especially for unstructured data, typically accumulate over time. The longer a user stays with a company, the more access the user usually has. Users with privileges beyond what is required to perform their current role can put the company at risk. Moreover, if a hacker gains access to the account of a user with excessive access, that further increases the company’s risk. Both scenarios can result in a data breach.

Together, Identity and Access Management ties disparate applications together into a single repository for management of access and entitlements. IAM solutions will often provide access management workflows, user entitlement reporting, application owner entitlement reviews, and even single-sign-on (SSO) functionality between applications with the goal of providing a single entitlement store and workflow solution for managing access.

SIEM

SIEM systems store, analyze, and correlate a multitude of security information: authentication events, anti-virus events, intrusion events, and so on. When a rule matches an anomalous event, it alerts a security officer or analyst to take swift action.

SIEM systems aggregate logs, most commonly by reading event viewer data, receiving standard feeds from SNMP traps or Syslog, or sometimes collecting log data with the help of agents. These feeds come from user devices, network switches and other devices, servers, firewalls, anti-virus software, intrusion detection/prevention systems, and many more. Once all of the data is centralized, the SIEM runs reports, “listens” for anomalous events, and sends alerts.

For the SIEM tool to identify anomalous events and send alerts, it’s important that an administrator create a profile of the system under normal event conditions. SIEM alerts can be pre-configured with canned rules, or you can create custom rules that reflect your security policies.

After events are sent to the system, they pass through a series of rules, which generate alerts if certain conditions are met. Keep in mind that with potentially thousands of devices and different sources to monitor, each generating potentially thousands of records or more a day, there will be plenty of data to sift through. The goal is to use SIEM rules to reduce that flood of events to a small number of actionable alerts that signal real-world vulnerabilities, threats, or risk.

Varonis

Varonis does not provide DLP, IAM, or SIEM functionality, and is not designed to replace any of those solutions. In fact, Varonis tends to enhance each one by providing visibility into and context around the unstructured data – which can prevent insider and outsider threats, malware activity, lateral movement, data exfiltration, and potential data breaches.

What sets Varonis solutions apart from traditional file-level DLP solutions?

Identifying sensitive data on your servers and/or blocking it is DLP’s strong suit. Yes, it knows where all your sensitive files reside, but it has a weak point: if a hacker or insider compromises an account that is authorized to access sensitive documents, DLP can’t stop it.

To really protect your organization’s sensitive data, you should also know:

  • who is accessing it
  • who has access to it
  • who likely no longer needs access
  • who outside of IT the data belongs to, and
  • when a user or users start accessing that data in strange ways.

Varonis makes DLP better by providing all of that additional context. After absorbing the classification scans from DLP, Varonis provides activity monitoring, alerting, and behavior analysis along with intelligent permissions management. DLP tells you where your sensitive data is, and Varonis helps make sure that only the right people have access to it and that you know when access is abused.

What sets Varonis solutions apart from IAM solutions?

Even though IAM connects various applications and systems into a single solution for entitlements, that functionality tends to stop when it comes to unstructured data. Because access to unstructured data is controlled both by directory users and groups and file system ACLs together, there’s no single “application” for IAM to connect to. This means that IAM has a blind side when managing access to unstructured data.

Moreover, because access to unstructured data tends to be chaotic and unmanaged (permissions are complex and non-standard, multiple groups often have access to the same data, folders and SharePoint sites are open globally, and so on), managing unstructured data entitlements through IAM is often impossible.

This is where Varonis can help.

DatAdvantage allows IAM to extend to unstructured data through many use cases:

  • Map out the functional relationships between the users/groups and the data necessary for a role.
  • Restructure permissions so that they can be efficiently managed through single-purpose groups.
  • Analyze user behavior over time and provide recommendations to owners on who likely no longer needs access.
  • Leverage data classification to help ensure sensitive data is owned and managed appropriately.

DataPrivilege can complement IAM by empowering data owners, and users by:

  • Enabling ad-hoc requests so users can get access to data, only for as long as necessary, without having to redefine a role
  • Giving data owners insight into activity on their data sets
  • Allowing for regular reviews of access to ensure only the right people have access to the right data

What sets Varonis solutions apart from SIEM?

SIEM will read event viewer logs from network devices, systems, and AD, but has no view into actual data activity since those logs often don’t exist natively and can be difficult to parse.

With our file activity monitoring system, Varonis closes this gap by collecting and analyzing all access activity on platforms SIEM can’t usually see.

We can tell your SIEM when someone is accessing the CEO’s mailbox, changing critical GPOs, encrypting large numbers of files in a short period of time, or otherwise misbehaving with your data and directory services.

Moreover, Varonis baselines user activity and provides alerts that can be passed directly to SIEM for further correlation, analysis or action. Varonis alerts can be sent via Syslog to any SIEM, and there are pre-built templates for connection with some specific platforms.

Summing Up

DLP, IAM, and SIEM are all useful, important technologies for enterprise security. No single product or category is all an organization needs to protect its data and systems, and defense in depth is becoming increasingly important. When it comes to unstructured data, all of these technologies have significant gaps in the kinds of detective and preventive controls they can provide, and all of them are made more useful by integrating with the Varonis Metadata Framework.

Using Varonis: Involving Data Owners (Part I)

(This is one entry in a series of posts about the Varonis Operational Plan – a clear path to data governance. You can find the whole series here.)

Almost every organization is now data driven. With all the talk about data growth and big data analytics over the past couple of years, people have started to ask: “How do we maximize the value of our data? How can we make sure we’re deriving real business benefit?”

The keys to maximizing the value of your data are to gather the right intelligence about it, and then give the right people the ability to take action using the intelligence you’ve gathered.

Now that we know who our Data Owners are, it’s time to start getting them involved. Remember that it’s the owners—not IT—that have adequate context to make decisions about who should and shouldn’t have access to their assets.

The next step in operationalizing Varonis is to provide owners with intelligence about their data assets. DatAdvantage can deliver data-driven reports that shed light on what is happening with their data: who can access it, what they’re doing with it, which data is stale, etc. These reports greatly simplify reporting by delivering to every owner a report that contains information about only the data they own.

An Example

Say you’ve spent a few weeks identifying and confirming business owners for all of the top-level folders on a large NAS (or two, or three…). Depending on the size of the company, this might be a few dozen or a few thousand people. One of the most common next steps is to provide permissions reports on all of these data sets to the relevant owners. So the HR owner gets a report on all of the users who have access to the HR folder, for instance. It’s the same with Finance, Marketing, R&D, etc. In the past, you would have to create and deliver a separate report for each owner, which depending on the complexity of your reporting process might be an onerous undertaking all by itself. DatAdvantage gives you a far better alternative.

In DatAdvantage, to accomplish the same thing, you’d only need to create a single report, and all owners would get permissions reports once a quarter (or however often you like). Create the report, include the proper filters and formatting, and then set up a data-driven subscription to be delivered on the first day of the first month of the quarter. That’s it; you’re done.

Every quarter, every data owner is going to get that report in their inbox, and the report will contain information about only the data that they own—they won’t see anything that doesn’t belong to them. As you add and change owners over time, the subscription will continue to work without intervention. If my job role changes and suddenly I’m the owner of additional folders, my permissions report will show those as well. If I’m no longer an owner, my report won’t contain information about what I no longer own.

Permissions reporting is a great use case for data-driven reports, and it’s not the only one. Reports that show actual access can be useful, too. What if every data owner could see exactly who on their team was accessing data most? What about those people who weren’t accessing any? Or people from outside their team bumbling around? Who creates content? Showing owners which data is stale or which folders are growing the fastest helps them understand how they’re using resources. Providing owners intelligence about where their sensitive data is, where it’s exposed, and who has been accessing it leads to informed decisions about how they can reduce risk.

Once you’ve started putting intelligence into the hands of your owners, the next step is to give them the power to take action without bugging IT. We’ll cover that next.

Using Varonis: Who Owns What?

(This is one entry in a series of posts about the Varonis Operational Plan – a clear path to data governance. You can find the whole series here.)

All organizational data needs an owner. It’s that simple, right? I think most of us would be hard pressed to argue against that as a principle—the data itself is an organizational asset, so of course it’s not the Help Desk or AD Admin folks who own it, it’s the users or business units that should own it. Of course, that’s great in theory, but with 1, 5, 10, or even 20 years’ worth of shared, unstructured data, figuring out who owns data is far from simple, let alone involving those owners in any meaningful way.

Before we get into using Varonis to locate owners, I want to talk about why finding a single data owner can be such a problem. IT probably knows who owns the Finance folder.  It’s the CFO or a delegated steward. Same with HR, Marketing or Legal—these tend to be clearly-delineated departmental shares and it’s not hard to figure out whom to go to if we need an informed decision. (Regularly involving those owners in data governance is a different problem, and one I will cover in future posts.)  The identification for these folders is relatively straightforward.

But what happens if you need to find the owner of a folder that has a less obvious name? What if the folder’s name is a project ID, or an acronym of some kind? In my experience, a majority of unstructured data resides in folders that aren’t obviously owned by anyone.

What IT tends to do then is a few different things:

  • Check the ACL and see which groups have access. If it’s a single group with an obvious owner, that’s a likely candidate. If the ACL contains many different groups or a global access group like Domain Users, though, this tactic tends to fail.
  • Check the Windows owner under Special Permissions. This metadata can be helpful, but can also be a red herring since it’s often just set to the local Administrator of the server. Even if there’s actually a human user there (who likely created the folder), that value may be outdated or inaccurate.
    (Figure: Special Permissions dialog)
  • Check the owner of files within the folder. Same problems as above.
    (Figure: File Properties dialog)
  • Enable operating system auditing to identify the most active user. Anyone out there excited about turning on file level auditing in Windows? I have yet to talk to anyone who answers yes to this question because of the performance hit on the server as well as the storage required and expertise to parse the logs effectively.
  • Turn off access and see who complains. Not an optimal strategy when it comes to critical data.
  • Email the world and hope for a response. In general, people don’t want to take ownership of something without good reason, since it may mean more work. How confident are you that the proper owners (who may be at a management or director level) are going to know exactly which data sets their teams are using regularly? If they’re not sure, are they going to jump to take responsibility?

So finding owners is hard, let alone finding owners at scale. If you’ve got thousands of unique ACLs and you want owners for all of them (or at least the ones that make sense) you’re going to have to go through some version of this process for each one. It’s no wonder we haven’t done a good job of this over time. Thankfully, there’s a better way.

Step 4: Identify Data Owners

The key difference between attempting to solve this problem manually and attacking it intelligently with Varonis is the DatAdvantage audit trail. A normalized, continuous, non-intrusive audit record of all data access is a key piece of DatAdvantage, and it allows us to actually identify data owners at scale without having to hunt and peck. Once you start gathering usage data and rolling it up into high level stats you can start to see the likely owners of any data set, not just the obvious ones.

DatAdvantage gives you two straightforward ways to get this information: First, we can quickly take a look at a high-level view of a single folder within the Statistics pane of the DatAdvantage GUI. This will show us the most active users of a particular folder. We like to say that at most, you’re one phone call away, since if the most active user isn’t the data owner, they almost certainly know who is.

You can operationalize this process even further by creating a statistics report, which can be run on an entire tree or even a server. A single report can show the top users of every unique ACL, and it’s possible to set up advanced filters to make this even more useful—showing only users outside of IT or in a specific OU, for example. You can even add additional properties from AD to the report, showing each user’s department or line manager, if available. None of this is possible without constantly gathering access activity and providing an interface to combine it with other available metadata.

Identifying owners is useful, but actually involving them is where IT can really start to make headway when it comes to ongoing governance. We’ll tackle that next.

Using Varonis: Fixing the Biggest Problems

(This is one entry in a series of posts about the Varonis Operational Plan – a clear path to data governance. You can find the whole series here.)

Now that we have a pretty good idea where the highest-risk data is, the question naturally turns to reducing that risk. Fixing permissions problems on Windows, SharePoint or Exchange has always been a significant operational challenge. I’ve been in plenty of situations as an admin where I know something is broken—a SharePoint site open to Authenticated Users for instance—but I’ve felt powerless to actually address the problem since any permissions change carries the risk of denying access to a user (or process) who needs it. Mistakes can have significant business impact depending on whose access you broke and on what data. Since we’re defining “at-risk” as being valuable data that’s over-exposed, that means that any accessibility problems we create will impact valuable data, and that can create more problems than we started with.

Step 3: Remediate High-Risk Data

The goal is to reduce risk by reducing permissions for those users or processes that don’t require access to the data in question.

The next step in the Varonis Operational Plan is fixing those high-risk access control issues that we’ve identified: data open to global access groups as well as concentrations of sensitive information open to either global groups or groups with many users. Since simply reducing access without any context can cause problems, we need to leverage metadata and automation through DatAdvantage.

Let’s tackle global access first. When everyone can access data, it’s very difficult to know who among the large set of potential users actually needs that access. If we know exactly who’s touching the data, we can be surgical about reducing access without causing any headaches.

DatAdvantage analyzes the data’s audit record over time in conjunction with access controls, showing folders, SharePoint sites, and other repositories that are accessible by global access groups, and those users who have been accessing that data who wouldn’t have had access without a global access group. In effect, it’s doing an environment-wide simulation to answer the question, “What if I removed every global access group from every ACL tomorrow? Who would be affected?” This report gives you some key information:

  • Which data is open to global access groups
  • Which part of that data is being accessed by users who wouldn’t otherwise be able to access it

And it’s not just global groups that DatAdvantage lets you do this with. Because every data touch by every user on every monitored server is logged, Varonis lets you do this kind of analysis for any user, in any group, on any file or folder. That means you can safely remediate access to all of the high-risk data without risking productivity. You can actually fix the problem without getting in anyone’s way.
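The simulation described here, together with the “most active user outside of IT” owner heuristic from the Who Owns What post above, modelled as an added example (not Varonis code) over a constructed directory, set of unique ACLs and audit trail. Users, groups, share paths and event counts are all constructed; only the three folders’ ACLs matter to the result.

```python
from collections import Counter, defaultdict

# Constructed sample environment; none of these names refer to a real directory or share.
GLOBAL_GROUPS = {"Everyone", "Authenticated Users", "Domain Users"}

# Directory membership: group -> users. Global groups implicitly contain every account,
# so their membership is deliberately not enumerated here.
GROUP_MEMBERS = {
    "Finance": {"alice", "bob"},
    "HR": {"carol"},
    "IT-Admins": {"dave"},
}

# Organizational unit per user, used to keep IT staff out of the owner candidates.
USER_OU = {"alice": "Finance", "bob": "Finance", "carol": "HR",
           "dave": "IT", "erin": "Sales", "frank": "Legal"}

# One entry per unique ACL: folder -> groups granted access.
ACLS = {
    r"\\nas01\Finance": {"Finance", "IT-Admins"},
    r"\\nas01\Projects\PRJ-4471": {"Finance", "Domain Users"},
    r"\\nas01\HR\Payroll": {"HR", "Everyone"},
}

# Audit trail: one (user, folder) tuple per access, already rolled up to the folder
# that carries the ACL. Constructed.
ACCESS_EVENTS = [
    ("alice", r"\\nas01\Finance"), ("alice", r"\\nas01\Finance"), ("alice", r"\\nas01\Finance"),
    ("dave", r"\\nas01\Finance"), ("dave", r"\\nas01\Finance"), ("dave", r"\\nas01\Finance"),
    ("dave", r"\\nas01\Finance"), ("dave", r"\\nas01\Finance"),
    ("bob", r"\\nas01\Projects\PRJ-4471"), ("bob", r"\\nas01\Projects\PRJ-4471"),
    ("erin", r"\\nas01\Projects\PRJ-4471"),
    ("carol", r"\\nas01\HR\Payroll"), ("carol", r"\\nas01\HR\Payroll"),
    ("carol", r"\\nas01\HR\Payroll"), ("carol", r"\\nas01\HR\Payroll"),
    ("frank", r"\\nas01\HR\Payroll"), ("frank", r"\\nas01\HR\Payroll"),
    ("dave", r"\\nas01\HR\Payroll"),
]


def explicit_users(folder, acls=ACLS, members=GROUP_MEMBERS, global_groups=GLOBAL_GROUPS):
    """Users who keep access to `folder` after every global group is removed from its ACL."""
    users = set()
    for group in acls[folder] - global_groups:
        users |= members.get(group, set())
    return users


def open_folders(acls=ACLS, global_groups=GLOBAL_GROUPS):
    """Folders whose ACL contains at least one global access group."""
    return sorted(folder for folder, groups in acls.items() if groups & global_groups)


def simulate_removal(events=ACCESS_EVENTS, acls=ACLS, members=GROUP_MEMBERS,
                     global_groups=GLOBAL_GROUPS):
    """Answer 'if every global group came off every ACL tomorrow, who would be affected?'

    Returns {folder: {user: access_count}} for users whose recorded access to an
    open folder was possible only through a global group.
    """
    affected = defaultdict(Counter)
    for user, folder in events:
        groups = acls.get(folder)
        if not groups or not (groups & global_groups):
            continue  # folder unknown, or not globally open: nothing changes for it
        if user in explicit_users(folder, acls, members, global_groups):
            continue  # still reachable through a named group; removal does not affect them
        affected[folder][user] += 1
    return {folder: dict(counts) for folder, counts in affected.items()}


def likely_owner(folder, events=ACCESS_EVENTS, user_ou=USER_OU, exclude_ou="IT"):
    """Most active user of `folder` outside the excluded OU: the 'one phone call away' heuristic."""
    counts = Counter(user for user, f in events
                     if f == folder and user_ou.get(user) != exclude_ou)
    return counts.most_common(1)[0][0] if counts else None


def remediation_report():
    """Per open folder: who would lose access, and whom to ask before changing the ACL."""
    affected = simulate_removal()
    return [{"folder": folder,
             "would_lose_access": affected.get(folder, {}),
             "ask_first": likely_owner(folder)}
            for folder in open_folders()]


if __name__ == "__main__":
    for row in remediation_report():
        print(row)
```

In the sample, bob is unaffected on the project folder because his Finance membership survives, while erin, frank and dave only ever reached their folders through a global group; dave’s heavy use of the Finance share does not make him its owner candidate because he sits in the IT OU.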

The next step is to start shifting decision making from your IT staff to the people who actually should be making choices about who gets access to data: data owners.

Image credit: harwichs

SharePoint Permissions Cheat Sheet

Complexity is dangerous in the security world. The harder something is to understand, the harder it is to protect. SharePoint falls squarely into this category. Configuring permissions in SharePoint can be daunting, especially if you don’t understand the core concepts and terminology. Unfortunately, managing access controls in SharePoint is often left to end users, not IT administrators, and that can spell disaster.

Learn more about permissions management with our free guide. 

This mini cheat sheet is designed to point out the various gotchas with SharePoint permissions so you don’t make the typical mistakes (now you’ll only make atypical mistakes).

  • SharePoint has “local” groups that can contain Active Directory Groups
    • For example, you can have a SharePoint permissions group called “Sales” which can contain Active Directory groups “Sales” and “Sales Engineering” and “Chess Team”
    • Unlike file shares, where local groups are generally avoided, SharePoint-specific groups are very common – this makes it much harder to answer the question “Which human beings can access my data?”
  • There are more default permissions types than you can keep in your head at one time (33 in all):
    • 12 permissions types for Lists
    • 3 permissions types for Personal actions (e.g., views)
    • 18 permissions types for Sites
    • Each permissions type can be grouped into Permissions Levels.
      • For example, the default “Contribute” site permission level contains 8 of the 12 site permission types.
  • In addition to the built-in permissions types, admins can create custom levels
    • For a given site or list, a custom level might be applied, making it really hard to determine who can do what
    • A malicious admin could create a custom level called “Extremely Limited” (sounds innocent, no?) but grant that level permission to do everything
  • If you’re running a version of SharePoint prior to 2010, watch out for the “Authenticated Users” button
    • Before 2010, there was a button that let admins grant access to everyone who authenticated to the domain
    • The button was a common cure-all for frustrated admins trying to grant access to frustrated users

OK, now that I’ve primed you for the worst, I’m going to give you a link that should be your best friend.  Bookmark it, study it, and hope for the best:

http://technet.microsoft.com/en-us/library/cc721640.aspx

Did you really think I’d leave you hanging here?

Varonis DatAdvantage for SharePoint abstracts away the complexity of SharePoint permissions.  You’re only ever a double click away from figuring out who has access to SharePoint document libraries, lists, sites, sub-sites, etc.

Don’t just take my word for it – try DatAdvantage free for 30 days. At the very least, you can point Varonis at your existing sites and immediately lock down data that is wide open.

Image credit: keenanpepper

Improve Data Protection, Win $500 Gift Card

Regulation in IT is nothing new, especially for those of us who’ve ever worked in the financial, government or health care sectors. What’s changing is the breadth of regulations–how much we actually need to do–and the types of information and systems these regulations apply to. No longer is it just the mainframes and other transactional systems, for instance. People now have to ask themselves “How safe is our unstructured data?” and  “Are we in compliance with new regulations?” One comment I heard recently was along the lines of, “The terrifying thing is that we have no idea whether anything on the NAS is subject to regulation because we’ve never done anything to audit it.” Of course, data security has always been a concern but with the growing threat from internal and external breaches, and a new major Wikileaks story in the news seemingly every month, companies are up against a wall and need some help to analyze the scope of the problem and figure out solutions. I think many of us would just like some help knowing where to begin.

At Varonis we have a lot of experience helping our customers with these problems, and we want to help you see where you stack up compared to other organizations. Take our free 2-minute assessment of your data protection preparedness and we’ll enter you to win a $500 gift card! Click here to access the assessment or copy the following link into your browser:

http://www.surveymonkey.com/s/DataProtectionAssessment

Everyone who fills out the survey will get our comprehensive report on the state of data protection preparedness once the results have been analyzed.

Big Data Management On Your NAS Made Easy

Got data? Got a lot of it? Most companies with NAS devices are struggling with how to manage permissions and understand usage patterns, find data owners, and identify and lock down sensitive information. If any of that sounds familiar, we’ve got the webinar for you. As part of our new partnership with HP, Varonis is co-presenting a webinar on how we can help you master big data.

We enable customers to get control of the information stored within HP IBRIX X9000 storage systems and file shares to help you realize:

  • Visibility into your permissions (set in Active Directory, LDAP, SharePoint, and Exchange)
  • A detailed audit trail of every file and e-mail touch on your servers
  • Recommendations into where access can be reduced without affecting user activity
  • Identification of data owners so they can be directly involved in the management and protection of their data
  • Sensitive content analysis so you can assess risk to your most critical data, allowing you to focus on high-priority areas for remediation

Read the press release announcing our partnership here.

Sign up to attend the webinar here.

Data Connectors Chicago

I just got back from a fantastic Data Connectors event in Chicago where I had the opportunity to speak to a group of IT security professionals about how we think about unstructured data governance. The theme of the presentation was on Authentication, Authorization and Accountability, and how we need the right metadata and automation to ensure secure collaboration and protect unstructured data.

The feedback after the presentation was (and usually is) really the best part—it’s clear that so many of us in IT are starting to really think hard about how to correctly manage access to data. In the past, we haven’t had the information we need or the automation in place to manage access in any meaningful way, which is why we’re suddenly scrambling to protect against insider threats. A number of the folks I was fortunate enough to meet told me that five years ago unstructured data was pretty much “out of sight, out of mind” from a security standpoint. Things are changing, though, and quickly. Every time there’s another public data breach due to an insider, more CIOs and CISOs start mandating governance of all organizational data, including unstructured and semi-structured stores. IT professionals are searching for the right solution, and at Varonis we feel very fortunate to be in a position to help.

You can find similar upcoming events on the Varonis events page.

Why Do SharePoint Permissions Cause So Much Trouble?

SharePoint permissions can be the stuff of nightmares. At Varonis, we get a chance to meet with a lot of SharePoint administrators and it’s rare that they’re not exhausted trying to manage user permissions. SharePoint’s a useful collaboration platform—and Microsoft’s fastest-selling product ever—but helping to ensure proper permissions and access control is probably not its strongest suit.

The first challenge with SharePoint permissions is that, like file servers, SharePoint has “local” or SharePoint-specific groups that can contain AD groups and users. Unlike file shares, however, where server local groups are rarely used on the shared folders, SharePoint local groups are much more common. This adds a layer of complexity, especially in large organizations where the SharePoint administrative team may be completely separate from the group managing Active Directory.

Next, the actual permissions themselves are more complicated. NTFS permissions are usually limited to Full, Modify, Read & Execute, List, Read and Write. With SharePoint, you get 12 permission types for lists, 3 for “personal” actions like views and 18 different types for sites themselves. These permission types can be grouped into “permission levels.” For example, the default “Contributor” site permission level contains 8 of the 12 permission types. In addition to the handful of built-in permission levels, administrators can create custom permission levels. To top it off, a given user, AD group, or SharePoint group can be granted multiple permission levels on a given list or site, so it can quickly become very difficult to understand what a given user or group can actually do with the data they’ve been granted access to.

Even though SharePoint permissions can be confusing even for technology teams, SharePoint is designed to allow non-technical folks to manage permissions directly. Prior to SharePoint 2010, there was even a built-in button to easily grant access to all Authenticated Users, meaning everyone in the organization who is logged into the domain. What ended up happening is that business users would use this as a shortcut to get people access when needed, rather than managing permissions in a more secure way. With more and more sensitive data being shared on SharePoint servers, this represents a significant area of risk.
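To make the “what can this user actually do?” problem concrete, here is a small resolver written for this post (it is an added example, not Varonis product code or anything from Microsoft). It models the three layers described above: AD groups that nest other AD groups, SharePoint groups that contain AD groups, and role assignments that grant one or more permission levels to a principal. The groups, the “Project Lead” custom level and the membership data are constructed sample data; the permission type names follow SharePoint’s base permission naming, but the level definitions are simplified and are not a copy of any real tenant.

```python
"""Resolve effective SharePoint list permissions through nested groups.

Added example for this post, not Varonis or Microsoft code. All groups,
levels and assignments below are constructed sample data.
"""
from __future__ import annotations

# Constructed permission levels: each bundles individual permission types.
_READ = frozenset({"ViewListItems", "OpenItems", "ViewVersions", "ViewPages", "Open"})
_CONTRIBUTE = _READ | {"AddListItems", "EditListItems", "DeleteListItems", "DeleteVersions"}
PERMISSION_LEVELS: dict[str, frozenset[str]] = {
    "Read": _READ,
    "Contribute": _CONTRIBUTE,
    "Full Control": _CONTRIBUTE | {"ManageLists", "ManagePermissions", "ManageWeb",
                                   "EnumeratePermissions"},
    # A custom level an admin created. It looks modest but carries ManagePermissions.
    "Project Lead": frozenset({"ViewListItems", "EditListItems", "ManagePermissions"}),
}

# Constructed AD groups: name -> direct members (users or nested AD groups).
AD_GROUPS: dict[str, set[str]] = {
    "Finance-All": {"alice", "bob", "Finance-Managers"},
    "Finance-Managers": {"carol"},
    "Domain Users": {"alice", "bob", "carol", "dave"},
}

# Constructed SharePoint (site-local) groups: name -> members (users or AD groups).
SP_GROUPS: dict[str, set[str]] = {
    "Budget Site Members": {"Finance-All"},
    "Budget Site Visitors": {"Domain Users"},
}

# Constructed role assignments on one list: principal -> permission levels held.
# A principal can hold several levels; the user ends up with their union.
LIST_ASSIGNMENTS: dict[str, set[str]] = {
    "Budget Site Members": {"Contribute"},
    "Budget Site Visitors": {"Read"},
    "Finance-Managers": {"Read", "Project Lead"},
}


def members_of(principal: str, seen: set[str] | None = None) -> set[str]:
    """Flatten a principal to the user accounts it ultimately contains.

    A plain user expands to itself. An AD group or SharePoint group is expanded
    recursively; `seen` stops circular nesting from recursing forever.
    """
    seen = seen if seen is not None else set()
    if principal in seen:
        return set()
    seen.add(principal)
    direct = AD_GROUPS.get(principal)
    if direct is None:
        direct = SP_GROUPS.get(principal)
    if direct is None:
        return {principal}  # not a known group, so it is a user account
    users: set[str] = set()
    for member in direct:
        users |= members_of(member, seen)
    return users


def effective_permissions(user: str, assignments: dict[str, set[str]]) -> dict[str, set[str]]:
    """Map each permission type the user holds to the grants that confer it.

    Every assignment whose principal contains the user contributes every
    permission type of every level it holds. The value explains *why* a user
    has a permission, which is what an auditor needs when cleaning up.
    """
    granted: dict[str, set[str]] = {}
    for principal, levels in assignments.items():
        if user not in members_of(principal):
            continue
        for level in levels:
            for perm in PERMISSION_LEVELS[level]:
                granted.setdefault(perm, set()).add(f"{principal} via {level}")
    return granted


def can(user: str, perm: str, assignments: dict[str, set[str]]) -> bool:
    """True if the user effectively holds the permission type on the list."""
    return perm in effective_permissions(user, assignments)


def who_can(perm: str, assignments: dict[str, set[str]]) -> set[str]:
    """All users holding a permission type, found by flattening each grant."""
    users: set[str] = set()
    for principal, levels in assignments.items():
        if any(perm in PERMISSION_LEVELS[level] for level in levels):
            users |= members_of(principal)
    return users


if __name__ == "__main__":
    for user in ("alice", "carol", "dave"):
        print(user, sorted(effective_permissions(user, LIST_ASSIGNMENTS)))
    print("ManagePermissions:", sorted(who_can("ManagePermissions", LIST_ASSIGNMENTS)))
```

Running it shows the point of the post: nothing in the list’s assignments mentions “carol” by name, yet she can manage permissions on the list because an AD group she belongs to was nested into another AD group and was also handed a custom level. Reading the role assignments page alone does not reveal that; the audit question has to be answered from the flattened view, and `who_can("ManagePermissions", ...)` is the query an administrator should run before trusting a site.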

The good news is that Varonis DatAdvantage for SharePoint helps organizations make sense of SharePoint permissions by providing intelligence and unobtrusive metadata collection for SharePoint, as it has for years for file systems and (more recently) for Exchange. The SharePoint permissions nightmare ends as critical data governance questions can finally be answered: Who has access to a SharePoint site and what level of access do they have? What have they been accessing? Which SharePoint sites are exposed and contain sensitive data? Most importantly, how do we fix them without disrupting business? SharePoint can be a powerful collaboration tool, but it’s important to understand the data that’s there, who’s using it and what permissions are in place and how those controls are changing.

All I Want for the Fiscal Year End Holiday is an Optimized Security Group

In one of our recent posts, Rob Sobers talked a bit about the Varonis recommendations engine and how it compares with hunch.com’s similar technology. I’m currently in the throes of last-minute holiday shopping, and one of the things I find myself grateful for is Amazon’s recommendations engine. By analyzing the behavior of its busy shoppers, Amazon can point me towards items that might be of interest based on what I’ve been looking at. If I’m checking out some kitchen gadgets, Amazon will start to populate its pages with other things I might be interested in, like relevant cookbooks. The site is analyzing the activity of millions of users and then making actionable recommendations for me based on all of that behavior. It’s not just browsing behavior, either. Amazon is able to use information from purchases over time, user wishlists and other relevant metadata to come up with these recommendations.

In an age of virtually unlimited choice, we can easily find ourselves trying to weigh the pros and cons from long lists of items that begin to blur together, making what would normally be a pleasant experience seem overwhelming.  Amazon makes my shopping easier, helping narrow down the choices I have and helping me figure out where I should best spend my energy.

Whether the behavioral analysis is being done on shopping sites, search engines or within your data center, leveraging metadata through automation is a crucial technique for getting better, more actionable information. Varonis helps IT administrators and data owners by providing recommendations on where users have access they likely no longer need. Varonis looks at permissions, user and group relations and access activity on multiple platforms over time in order to produce this analysis.

Big data analytics like this is changing how we make these kinds of decisions by giving us information that was impossible to get before automation. If you’re considering trying to clean up Active Directory membership next year, think how easy it would be if you had an accurate recommendations engine to get you started.
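The idea in the previous two paragraphs, correlating who holds access through which group with who actually uses the data, is simple enough to sketch. The script below is an added example for this post, not the Varonis recommendations engine, and the folder ACLs, group memberships and access events are constructed sample data. It applies one rule: a user who reaches a folder through a group but has shown no human activity within the lookback window is a candidate for removal from that group, and a group none of whose members used a folder is a candidate for removal from that folder’s ACL. It also handles the caveat a practitioner would raise first: a group often sits on several ACLs, so a user is only flagged for removal from the group when idle on every folder the group unlocks.

```python
"""Recommend access that can be removed: group grants nobody has used.

Added example for this post, not Varonis code. ACLs, groups, service
accounts and access events below are constructed sample data.
"""
from __future__ import annotations

from collections import defaultdict
from datetime import date, timedelta

BUDGETS = r"\\fs01\Finance\Budgets"
FORECASTS = r"\\fs01\Finance\Forecasts"

# Constructed folder ACLs: path -> groups granted access.
ACL: dict[str, set[str]] = {
    BUDGETS: {"Finance-All", "Marketing-All"},
    FORECASTS: {"Finance-All"},
}

# Constructed group memberships (flat for this example).
GROUPS: dict[str, set[str]] = {
    "Finance-All": {"alice", "bob", "carol", "frank"},
    "Marketing-All": {"dave", "erin"},
}

# Constructed: accounts whose activity must not count as human use.
SERVICE_ACCOUNTS = {"svc-backup"}

# Constructed access events: (user, path, day of last observed access).
EVENTS: list[tuple[str, str, date]] = [
    ("alice", BUDGETS, date(2011, 12, 1)),
    ("bob", BUDGETS, date(2011, 11, 20)),
    ("carol", FORECASTS, date(2011, 12, 10)),  # carol uses Forecasts, not Budgets
    ("erin", BUDGETS, date(2011, 6, 2)),       # far outside the lookback window
    ("svc-backup", BUDGETS, date(2011, 12, 15)),  # nightly backup job, ignored
]


def active_users(events: list[tuple[str, str, date]], path: str, window_start: date,
                 service_accounts: set[str] = SERVICE_ACCOUNTS) -> set[str]:
    """Human accounts that touched `path` on or after `window_start`."""
    return {user for user, p, day in events
            if p == path and day >= window_start and user not in service_accounts}


def recommend(acl: dict[str, set[str]], groups: dict[str, set[str]],
              events: list[tuple[str, str, date]], as_of: date,
              lookback_days: int = 90) -> dict[str, list]:
    """Produce removal candidates from permissions plus observed activity.

    remove_group_from_acl: (group, path) pairs where no member used the folder.
    remove_user_from_group: (user, group) pairs where the user was idle on
    every folder that group grants, so dropping them loses nothing in use.
    """
    window_start = as_of - timedelta(days=lookback_days)
    active_by_path = {path: active_users(events, path, window_start) for path in acl}

    # Invert the ACL so each group is reviewed across all folders it unlocks.
    paths_by_group: dict[str, set[str]] = defaultdict(set)
    for path, acl_groups in acl.items():
        for group in acl_groups:
            paths_by_group[group].add(path)

    rec: dict[str, list] = {"remove_group_from_acl": [], "remove_user_from_group": []}
    for group, paths in sorted(paths_by_group.items()):
        members = groups.get(group, set())
        idle_paths = [p for p in sorted(paths) if not members & active_by_path[p]]
        rec["remove_group_from_acl"] += [(group, p) for p in idle_paths]
        if len(idle_paths) == len(paths):
            continue  # the whole grant is unused; no need to prune its members too
        for user in sorted(members):
            if all(user not in active_by_path[p] for p in paths):
                rec["remove_user_from_group"].append((user, group))
    return rec


if __name__ == "__main__":
    for kind, items in recommend(ACL, GROUPS, EVENTS, as_of=date(2011, 12, 20)).items():
        print(kind)
        for item in items:
            print("   ", item)
```

With the sample data and a 90-day window ending 2011-12-20, Marketing-All comes off the Budgets ACL (erin’s one access is months old and the backup account does not count), and frank is flagged for removal from Finance-All, while carol keeps her membership because she is active on Forecasts even though she never opened Budgets. A real engine would of course weigh far more signals, but the core move is exactly this join between permissions, group relations and activity over time.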