All posts by Ken Spinner

Another Look at Folder Permissions: Beyond AGLP

AGLP is Microsoft’s four-letter abbreviation for guiding admins in setting permissions in an Active Directory environment. Account, Global, Local, Permission just means the following: you put user accounts (A) into global groups (G), put the global groups into domain local groups (L), and then grant permissions (P) to the domain local group. Makes sense, right?

It’s a convenient way to permission users based on their roles.

All your sales people are added into the Sales group, the marketing folks into the Marketing group, etc. The domain local groups are then associated with a resource—say a file share or a printer.

You place Sales and Marketing into a domain local group called, say, Presentations, which controls access to a file share. Finally you apply appropriate permissions — read access, or read-write access — to the domain local group.

The fancy name for what I just described is another four-letter abbreviation, RBAC, or role-based access control.
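The Sales/Marketing/Presentations chain described above, written out as an added PowerShell example (this is not code from the original post or from Varonis). It assumes the ActiveDirectory module, an OU named `OU=Groups,DC=example,DC=com`, a NetBIOS domain `EXAMPLE`, sample users `jdoe` and `asmith`, and a local share folder `D:\Shares\Presentations`; all of these are placeholders to adjust.

```powershell
# Added example (not from the original post): the A -> G -> L -> P chain.
# OU, domain, user names and share path below are assumptions.
Import-Module ActiveDirectory

$ou        = 'OU=Groups,DC=example,DC=com'   # assumed OU for all groups
$domain    = 'EXAMPLE'                        # assumed NetBIOS domain name
$sharePath = 'D:\Shares\Presentations'        # assumed folder behind the share

# A -> G: role (global) groups hold the user accounts.
foreach ($role in 'Sales', 'Marketing') {
    if (-not (Get-ADGroup -Filter "Name -eq '$role'")) {
        New-ADGroup -Name $role -GroupScope Global -GroupCategory Security -Path $ou
    }
}
Add-ADGroupMember -Identity 'Sales'     -Members 'jdoe'     # assumed sAMAccountName
Add-ADGroupMember -Identity 'Marketing' -Members 'asmith'   # assumed sAMAccountName

# G -> L: one domain-local group per resource and permission level. Putting the
# level in the name (RW) makes the later audit of the ACL self-explanatory.
$dl = 'ACL_Presentations_RW'
if (-not (Get-ADGroup -Filter "Name -eq '$dl'")) {
    New-ADGroup -Name $dl -GroupScope DomainLocal -GroupCategory Security -Path $ou
}
Add-ADGroupMember -Identity $dl -Members 'Sales', 'Marketing'

# L -> P: only the domain-local group goes on the ACL, and with Modify rather
# than Full Control so members cannot rewrite the DACL or take ownership.
$acl  = Get-Acl -Path $sharePath
$rule = [System.Security.AccessControl.FileSystemAccessRule]::new(
    "$domain\$dl",
    [System.Security.AccessControl.FileSystemRights]::Modify,
    [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit',
    [System.Security.AccessControl.PropagationFlags]::None,
    [System.Security.AccessControl.AccessControlType]::Allow)
$acl.AddAccessRule($rule)
Set-Acl -Path $sharePath -AclObject $acl
```

Because every user reaches the folder only through `ACL_Presentations_RW`, a recertification review reads one ACE on the folder and one group's membership tree, which is the auditing benefit the next section describes.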

Problems

AGLP has a nice side benefit. It’s far easier to audit access controls: you just focus on the domain local groups. But this comes at a price.

AGLP can’t be easily applied to selected users across multiple business roles. Several approaches have been tried to resolve this problem, known of course as SUAMBR, but with little success. In most cases, the attempts to work around AGLP’s lack of permission granularity leave the file system’s permission in a state of over-permissive access.

It’s a major problem when recertifying file permissions for certain data security regulations and compliance standards—for example, HIPAA or SOX.

What are some of the things that can go wrong with AGLP? We have a list:

  1. Over-Permissive Access to Sensitive Data Caused by Using Functional Groups

A common practice is to grant an entire functional group, business role or global access group permissions to a data share. Because Microsoft requires that permissions be granted through Active Directory groups, this method is widely used to provide access. Although this approach ensures that users who require access have sufficient rights, it also poses a security risk: many unauthorized users are granted permission to sensitive data simply because they are members of a given role.

  2. User and Non-Group Permissions are Directly Assigned on an ACL

Another way to manage permissions on sensitive data is to grant permissions directly to the user account on the folder instead of to a security group. This ensures that only authorized users have access; however, it also makes permission recertification a very complicated process. It then becomes difficult to manage access across the file system effectively: you are now faced with tracking individual files and folders and updating the ACL whenever a user no longer requires access because of a role change.

  3. Ordinary Users are Intentionally Assigned Full Control Permissions

In many cases, administrators intentionally grant Full Control permissions to ordinary users. This approach brings a security risk: in the event of malware or a cyber-attack, Full Control permissions could be leveraged by hackers. For example, the hacker (or an employee who becomes an insider threat) removes all permissions from other groups, or deletes all data within the folder. Even regular users with Full Control permissions can accidentally change folder permission settings, resulting in loss of access or deletion of data.

  4. Ordinary Users are Unintentionally Assigned Full Control Permissions

IT administrators may unintentionally grant Full Control permissions to ordinary users by failing to limit default Owner rights. This approach also poses a security risk for the same reasons mentioned above.

It is important to note that Owner rights should be explicitly defined on the ACL with Modify permissions, not Full Control. Additionally, simply removing the Owner rights entry does not remove the right: it only removes the entry from view, and the owner reverts to the implicit Full Control.

  5. IT Administrators are Unnecessarily Granted Full Control Permissions

IT administrators are usually granted Full Control permissions to all data, including sensitive data. This practice may be acceptable in tightly controlled organizations, but it is now not unusual for administration to be outsourced to providers, where there is greater opportunity for error, negligence and malicious behavior.

  6. Failure to Audit and Recertify Access

In most environments there is no clear definition of what data is considered sensitive. Even where sensitive data is identified, having both multiple functional security groups and direct permissions makes auditing access and recertifying permissions a time-consuming and error-prone task. Data owners who fail to audit and recertify access to sensitive data risk that data being exposed by hackers.
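Problems 2 through 5 in the list above can be surfaced mechanically from a folder's DACL; problem 1 (a functional group that is simply too broad) and problem 6 need a data owner's judgement. The following audit script is an added example, not code from the original post or from Varonis. It assumes the root share path `D:\Shares`, an allow-list of principals for whom Full Control is expected, and that the WinNT ADSI provider can be used to tell user accounts from groups (classification is best-effort and falls back to Unknown).

```powershell
# Added example (not from the original post): report AGLP problems 2-5 for one
# folder. Share path and the Full Control allow-list are assumptions.
function Get-NtfsAglpFindings {
    param(
        [Parameter(Mandatory)] [string] $Path,
        # Principals that are expected to hold Full Control (assumed list; adjust).
        [string[]] $FullControlAllowList = @('NT AUTHORITY\SYSTEM', 'BUILTIN\Administrators')
    )

    $fullControl     = [System.Security.AccessControl.FileSystemRights]::FullControl
    $acl             = Get-Acl -Path $Path
    $ownerRightsSeen = $false

    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        $who = $ace.IdentityReference.Value
        $hasFullControl = (($ace.FileSystemRights -band $fullControl) -eq $fullControl)

        # Problem 4: OWNER RIGHTS should be explicit and limited to Modify.
        if ($who -eq 'OWNER RIGHTS') {
            $ownerRightsSeen = $true
            if ($hasFullControl) {
                [pscustomobject]@{ Path = $Path; Principal = $who; Finding = 'OWNER RIGHTS grants Full Control; expected Modify' }
            }
            continue
        }

        # Problem 2: ACE granted to a user account rather than a group.
        # Best-effort classification through the WinNT provider (User / Group).
        $kind = 'Unknown'
        try {
            $domain, $name = $who -split '\\', 2
            if ($name) { $kind = ([ADSI]"WinNT://$domain/$name").SchemaClassName }
        } catch { $kind = 'Unknown' }
        if ($kind -eq 'User') {
            [pscustomobject]@{ Path = $Path; Principal = $who; Finding = 'Direct user ACE instead of a group' }
        }

        # Problems 3 and 5: Full Control held by anyone outside the allow-list.
        if ($hasFullControl -and ($FullControlAllowList -notcontains $who)) {
            [pscustomobject]@{ Path = $Path; Principal = $who; Finding = 'Full Control outside the allow-list' }
        }
    }

    # Problem 4 again: no explicit OWNER RIGHTS entry means the owner keeps
    # implicit Full Control, which is what the post warns about.
    if (-not $ownerRightsSeen) {
        [pscustomobject]@{ Path = $Path; Principal = 'OWNER RIGHTS'; Finding = 'OWNER RIGHTS not explicitly defined (implicit Full Control for owner)' }
    }
}

# Usage: walk the share tree and collect findings into a CSV for recertification.
Get-ChildItem -Path 'D:\Shares' -Directory -Recurse |
    ForEach-Object { Get-NtfsAglpFindings -Path $_.FullName } |
    Export-Csv -Path '.\aglp-findings.csv' -NoTypeInformation
```

Run it with an account that can read the DACLs of the tree; it changes nothing, it only reports. Inherited ACEs are included deliberately, since an inherited direct-user entry is just as much a recertification burden as an explicit one.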

Solutions

We have ‘em too! Check out the full list in our awesome Best Practices For Planning and Implementing NTFS Permissions For Recertification!


Another Great Trade Robbery

“The Great Trade Robbery” – currently used in the context of questionable international trading policies and lopsided sports team player trades – now has yet another meaning. Two recent articles about digital espionage and IP theft by the Chinese government and Chinese businesses describe a new trade robbery that has apparently been going on for some time, and the extreme measures some organizations are taking to protect themselves.

A recent New York Times article discussed how employees now must travel “electronically naked,” meaning leave all electronic devices at home, as just about everything you carry with you digitally – your personal information, your contacts, your login credentials, your company’s intellectual property – will get stolen. The article quotes a former F.B.I. agent: “The Chinese are very good at covering their tracks. In most cases, companies don’t realize they’ve been burned until years later when a foreign competitor puts out their very same product — only they’re making it 30 percent cheaper.”

It makes sense that we become a little more circumspect with the information we carry around. Most of us wouldn’t tote our life savings in cash around the block (much less to China) without a very good reason to do so. A single smartphone can now be a gateway into our digital realm (as well as our life savings, because there’s an app for that). An installed Trojan or outright theft of the device can conceivably lead to the theft of your entire digital life savings and your organization’s valuable data.

A Business Week article, “Hey China, Stop Stealing our Stuff,” provided additional detail about China’s questionable “trading” practices, including sanctioned hacking of foreign entities by the Chinese government. The article included a few examples of the impact on the victims – millions of dollars lost, a significant drop in stock price, and a loss of customer confidence.

So we can’t just keep our data at home, apparently. We have to continue to be vigilant even on our “trusted networks.”

China represents a huge market, but these articles illustrate that companies doing business in China or with Chinese interests must begin to think about mitigating new levels of risk, and in some cases take drastic actions like traveling “electronically naked” to minimize potential exposure.

Putting China and extreme security aside for a second, how is your organization doing at some of the more basic data protection tasks? For example:

  • Do you know for certain where all the intellectual property in your organization resides?
  • Do you know who can and does access it?
  • How often is access reviewed?
  • Does the organization allow intellectual property to be accessed or stored on laptops?
  • Does the organization allow intellectual property to be accessed or stored on remote devices, such as smartphones or tablets?

If the answer is “no” to the first two questions, for example, forget about keeping your data secret from China—you may not be able to keep it secret from your kids.

What are you most concerned about when considering your organization’s intellectual property? Please take our informal poll.

Authorized Access – Understanding how US laws affect your authorization p...

In 1986, the United States Congress passed the Computer Fraud and Abuse Act (CFAA). While the intent of the law was originally to protect government computers and information from hackers, it has been applied to commercial interests as well. Specifically, the Computer Fraud and Abuse Act subjects to punishment anyone who “knowingly and with intent to defraud, accesses a protected computer without authorization, or exceeds authorized access, and by means of such conduct furthers the intended fraud and obtains anything of value.” While it is not our position to advise clients on this topic, it is important to understand how the US courts interpret the phrases “authorized access” and “exceeds authorized access.”

Through litigation, the US legal system has attempted to interpret the CFAA and determine the legal definition of “authorized access” and “exceeds authorized access.” Before getting into the value of Varonis features, it is essential to review the prevailing case law and judicial opinions on this topic. While there have been a number of cases addressing this issue, two cases and one opinion by a US court stand out, each of which provides a basis for current legal decisions that address authorization issues. Not surprisingly, most available case law involves data “theft” by individuals who, at some level, had permission to access the information they accessed. For example:

  • USA v. Nosal – In this case Nosal (a former employee of Korn/Ferry) obtained proprietary information from his former co-workers, which he used to start a competing business. The former co-workers had authorization to access the information via the access permissions provided to them by Korn/Ferry, but the courts considered whether they had “exceeded authorized access” because they had signed a Non-Disclosure Agreement as well as an Acceptable Use Policy.
  • LVRC Holdings LLC v. Brekka – Brekka (an employee of LVRC) emailed business documents to his and his wife’s personal email accounts. Brekka had permission to access the business documents and LVRC did not have an acceptable use policy, so Brekka did not violate any access restrictions and ultimately maintained “authorized access.”
  • The United States Seventh Circuit District Court has stated that “an employee accesses a computer without authorization the moment the employee uses a computer or information on a computer in a manner adverse to the employer’s interest.” This opinion held that access permissions are only one factor in determining authorized access. In this case, the access permissions available to the employee were considered, as well as whether the employee used those permissions and data in a manner detrimental to his employer’s interests. In other words, regardless of the permissions available to an employee, a “disloyal” employee may be guilty simply by accessing information available to them with ill intent. Other courts have offered differing opinions on this specific issue, creating additional confusion.

As you can see, what constitutes authorized access is still subject to interpretation in the courts. Acceptable Use Policies and Non-Disclosure Agreements are important, but they are only useful after an incident has taken place. Written policies and expectations of loyalty don’t safeguard important data and they don’t prevent disloyal employees from using data to their advantage. Ultimately, IT administrators must enforce rightful access via best practices: data owner involvement in authorization processes, in conjunction with an audit trail to validate acceptable use. In other words, access should be granted purposefully and periodically reviewed.

Varonis products provide the following features which will help to address the legal issues identified above:

  • Complete visibility into the permissions that each individual has across Windows, Unix, Linux, SharePoint and Exchange environments
  • A full audit trail which demonstrates whether an employee has accessed data that an employer would consider important or inappropriate
  • The ability to ensure rightful access, involving data owners in the decision making process
  • The ability to determine the sensitivity of data, as defined by data owners
  • A provisioning system complete with an audit trail which can report on why a person was granted access to a resource, when, and by whom
  • Automated entitlement reviews to ensure that permissions are always appropriate

Moral of the story: Make every effort to ensure and validate rightful access so that you can peacefully co-exist with the vagaries of the law. Varonis products can ensure ongoing authorized access and provide information to support a claim that a person exceeded their authorized access.

Data Authorization Processes – A need to relive the past

In 1941, the accounting governance body, the American Institute of Certified Public Accountants (AICPA), overhauled its Rules of Professional Conduct. Rule 16 stated “A member or an associate shall not violate the confidential relationship between himself and his client.” This provision was developed to guide accountants (data stewards) and to reassure their customers (data owners) of the confidentiality of business and personal information. Ironically enough, prior to this time the AICPA, which has been in existence since the 1800s, considered such a provision unnecessary, holding that “The man with a loose tongue, the man who cannot keep a secret, should never attempt to practice public accounting.”* Before this change, the AICPA believed that an accountant would never risk their professional career by revealing confidential information to a third party.

From the late 1800s through the mid-1980s, the manner in which accountants stored financial information and the processes they used to manage it supported information confidentiality: usually a simple wood filing cabinet and keys. Authentication and authorization protections were simple. If you didn’t have the key to the office, you couldn’t get to the filing cabinet. If you didn’t have the key to the filing cabinet, you couldn’t open it or access the information within. The key to the office was only given to select employees and associates authorized by the accountant (once again, the data steward) to have access to the information. If client information was revealed to a competitor, it was fairly easy to determine who leaked it. In this regard, as early as the 1900s the premise of least privilege existed, and both the data owner and the data steward had control over and visibility into the data authorization process.

Unfortunately, the paradigm of data protection has changed, and not in a positive way. Financial information is no longer controlled by a process with a clearly identified data owner and data steward. Most companies have not identified data owners, most companies don’t have appropriate controls over their data, and most companies cannot exercise the same level of data owner involvement in access control decisions that existed in early and mid-20th century accounting. And if a data owner has not been identified, risk is extremely difficult to quantify, appropriate controls are difficult to implement and enforce, and customers will eventually lose faith in the ability of a supplier to protect personal and business data.

Electronic record keeping in conjunction with digital collaboration has overloaded manual authentication and authorization processes, even for those data sets that do have owners. Automation is now necessary to achieve the level of data protection that accountants had in the 1900s, where users are authenticated, owners are identified, and owners participate in the authorization process armed with the intelligence to make good decisions. No one can dispute the many benefits of electronic recordkeeping. However, as we approach the end of the fiscal year, while many companies are doing tax planning and budgeting for 2011 and 2012, we should all be conscious of the steps our IT suppliers are taking to protect our business and personal data. Hopefully they’re using more than a bigger file cabinet.

*Carey, John L. “Professional Ethics of Public Accounting” New York: American Institute of Accountants, 1946.

Steve Jobs – the Ultimate Data Owner

Those of us who have admired Steve Jobs throughout his career have spent the last week reading countless articles about his personal and professional life. Through Steve, Apple has rewarded both consumers and shareholders with incredible products and consistent profitability. So, what is the relationship between Steve Jobs and Varonis? Apple’s maniacal control of its intellectual property is widely known, and Apple goes to excruciating lengths to protect its information. The following are perfect examples of least privilege, need-to-know and authorization controls in use within Apple, all of which can be traced to the culture Steve created:

  • According to [an article in the NYTimes in 2009], “Employees working on top-secret projects must pass through a maze of security doors, swiping their badges again and again and finally entering a numeric code to reach their offices.”
  • There were only about a dozen people who had actually seen an iPhone before [it was shown at Macworld 2007]1
  • An iPad developer reported on some of the [steps necessary to get one] prior to the release date.2 These included:
    • Working in a room with no windows
    • Only four people were allowed to go in the room, and Apple recorded the names and social security numbers of each
    • Devices were chained to a hole in individual desks using bicycle cables
    • Each iPad was encased in custom frames to hide their external appearance
    • Apple took pictures of the wood grain of the desks so that if any pictures leaked out, they could trace it back to the specific desk each iPad came from

These are but a few examples of a defined and tightly controlled authorization process based on data owner involvement, with Mr. Jobs being the consummate data owner at Apple. Consider the number of people, internal teams and departments, vendors and suppliers involved in the development of a product as popular as the iPhone or iPad. Apple maintained a security culture that kept control of all access to what is undeniably one of the most popular products ever. Intellectual property data protection is critical for most companies, not just Apple, and those who don’t have defined authorization processes involving data owners will certainly pay the price. Apple rarely paid such a price, a testament to the fact that Steve Jobs was the ultimate data owner.

1 http://allaboutstevejobs.com/being/3-work/3-work.html

2 http://www.businessinsider.com/heres-a-great-story-about-the-astonishing-lengths-apple-went-through-to-keep-the-ipad-secret-2011-9