Top Ten Tips for Preventing Data Loss
By David Gibson

With the rapid advancement of hacking techniques and the increasing threat to all organizations presented by the “Bring Your Own Device” (BYOD) challenge, it is almost certain that any data loss protection you once put in place could now be out of date. With over 23 million records containing personally identifiable information (PII) leaked in 2011 alone (source: privacyrights.org), it is more important than ever for organizations to ensure sensitive data is secure.

In many organizations, keeping up with data growth and preventing a data catastrophe seems insurmountable with existing IT resources. Automation is the only way forward given the vast number of processes which the average IT security manager has to manage, and the almost infinite number of threats which the hacking community has forced us to defend ourselves against.

These ten steps will help to keep your organization secure:

1. Audit data access
The first step towards getting your data under control and averting disaster is to properly audit all data access activity. Once your data touches are being audited, you can easily determine who is doing what with your data.

2. Inventory permissions and group memberships
A full inventory of permissions for all of your data stores and the folders within them can take time, especially if you’re creating it manually. Thankfully you can now automate all of this. By combining the permissions data with group memberships, you can start to see who has permission to access each file or folder. With this data, IT can quickly answer fundamental data protection questions like “Who has access to a data set?” and “Which data sets does a user or group have access to?”

3. Prioritize at-risk data
While all data needs to be protected, not all data is created equal. Some files contain confidential corporate information; other files contain customer or partner data; maybe you keep credit cards on file; perhaps you’re storing social security numbers. By using tools that analyze your data to identify sensitive content and combining that data with other relevant metadata, you will be able to locate files and folders where such data is overexposed.

4. Remove global access groups and revoke broad access rights
Removing global access groups is a good step towards ensuring that only the right people can get to your data. Once these permissions have been revoked, aligning data to the right users becomes much easier. The right technologies will allow you to ‘sandbox’ your changes to see what the impact will be on business processes before committing the changes to your production environment.

5. Identify data owners
Once you’ve done these general ‘housekeeping’ tasks, it is time to look at individual datasets to figure out who is qualified to make access decisions, and designate a data owner. The appropriate owner (or custodian) will often be one of the active users of that data, or their immediate supervisor. Automation can significantly reduce the time it takes to identify data owners by analyzing access activity over time and indicating who the likely owners are.

6. Perform entitlement reviews
As the organization changes and new data sets are created, it is imperative to review who has access to ensure that permissions are always aligned to business needs. Data owners should be a part of this process as they are the best qualified to determine which users no longer need (or should) have access to their data. Again, with the right technologies, time-consuming manual parts of the entitlement review process can be automated and data owners can be automatically prompted to conduct reviews at pre-defined intervals, and provided with recommendations about which users appear to no longer require access to their data.

7. Align security groups with data
In organizations where access to data is controlled by security groups, it’s critical that the groups themselves are properly aligned with the data sets they’re meant to protect. Often this is easier said than done—roles change, groups are created for special circumstances but not reviewed, and pretty soon the whole system is a mess. Cleaning this up requires complete visibility into which data sets can be accessed by which groups. Automation is best suited to provide this visibility, and to programmatically create new groups and re-permission the data sets if necessary.

8. Audit permissions and group membership changes
Cleaning up permissions and group memberships is critical, but keeping everything in order is impossible without an audit trail of changes over time. Only by tracking all permissions and group membership changes can you be sure that only the right people continue to have access to your data sets. Enforcing access controls is simply impossible without a record of all the daily changes. If inappropriate access or group membership is granted, an audit trail of who made the change and when can help ensure that it doesn’t happen again.

9. Lock down, delete or archive stale data
In many organizations stale data is clogging up vast amounts of storage space and making it harder to manage. In addition to the cost of storing all of this stale data, keeping it on your active servers also increases the risk of it being misused. Automation can analyze access activity and identify any data that is not being used. Once the data owner confirms that the data is indeed stale and no longer needed, it may be archived or deleted.
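Steps 5, 6 and 9 all rest on the same raw material: the access audit trail from step 1. The Python below is an added illustration, not code from this article or from Varonis. It turns a small constructed audit log into owner candidates (most active user per data set, writes weighted above reads), entitlement-review prompts (entitled users with no recent activity) and a stale-data list (no access within a threshold). The log format, paths, user names, the fixed “today” and the 90- and 180-day thresholds are all assumptions made for the example.

```python
"""Mine a data-access audit trail for likely data owners (step 5), entitlement
review recommendations (step 6) and stale data sets (step 9). Added example,
not the author's or Varonis's code; the log format, paths, user names,
'now' and the day thresholds are constructed assumptions."""
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed audit records: "<UTC timestamp> <user> <READ|WRITE> <data set>".
AUDIT_LOG = r"""
2012-01-10T09:12:00Z alice READ \\fs01\Finance\Payroll
2012-02-14T10:30:00Z alice WRITE \\fs01\Finance\Payroll
2012-03-02T11:00:00Z bob READ \\fs01\Finance\Payroll
2012-03-20T08:45:00Z alice WRITE \\fs01\Finance\Payroll
2011-06-01T14:00:00Z dave READ \\fs01\Projects\Archive2010
2011-07-15T16:20:00Z dave READ \\fs01\Projects\Archive2010
2012-03-25T13:05:00Z dave WRITE \\fs01\HR\Records
2012-03-26T09:00:00Z dave READ \\fs01\HR\Records
"""
# Constructed entitlements: who currently holds access to each data set.
ENTITLED = {
    r"\\fs01\Finance\Payroll": {"alice", "bob", "carol"},
    r"\\fs01\Projects\Archive2010": {"dave", "erin"},
    r"\\fs01\HR\Records": {"dave", "alice"},
}
NOW = datetime(2012, 4, 1)   # fixed "today" so the example is reproducible


def parse_log(text=AUDIT_LOG):
    """Return (timestamp, user, operation, path) tuples, oldest first."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, op, path = line.split(" ", 3)
        events.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), user, op, path))
    return sorted(events)


def last_access(events):
    """Most recent touch per data set (step 1's audit trail, summarised)."""
    last = {}
    for ts, _, _, path in events:
        last[path] = max(ts, last.get(path, ts))
    return last


def stale_data_sets(events, now=NOW, max_idle_days=180):
    """Step 9: data sets nobody has touched within max_idle_days."""
    cutoff = now - timedelta(days=max_idle_days)
    return sorted(p for p, ts in last_access(events).items() if ts < cutoff)


def likely_owners(events, now=NOW, window_days=90):
    """Step 5: most active user per data set in the window; a write counts
    double because owners tend to change data, not just read it."""
    since = now - timedelta(days=window_days)
    score = defaultdict(Counter)
    for ts, user, op, path in events:
        if ts >= since:
            score[path][user] += 2 if op == "WRITE" else 1
    return {path: c.most_common(1)[0][0] for path, c in score.items()}


def review_recommendations(events, entitled=ENTITLED, now=NOW, window_days=90):
    """Step 6: entitled users with no activity in the window, i.e. the
    accounts a data owner should be asked about first."""
    since = now - timedelta(days=window_days)
    active = defaultdict(set)
    for ts, user, _, path in events:
        if ts >= since:
            active[path].add(user)
    return {path: sorted(users - active[path]) for path, users in entitled.items()}


if __name__ == "__main__":
    events = parse_log()
    print("stale:", stale_data_sets(events))
    print("owners:", likely_owners(events))
    print("review:", review_recommendations(events))
```

Note that a data set with no activity at all inside the owner window (the 2010 archive here) yields no owner candidate; in practice that case is exactly the one the stale-data check catches, so the two findings are best reviewed together before anything is archived or removed.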

10. Clean up stale groups and access control lists
Unneeded complexity slows performance and makes mistakes more likely. Organizations often have as many groups as they do users—many are empty, unused or redundant. Some groups contain other groups, which contain other groups, and so on. In some cases, these nested groups end up creating a circular reference where a group ultimately contains itself. Also, access control lists often contain references to previously deleted users and groups (also known as “orphaned SIDs”). These legacy groups and misconfigured access control objects should be identified and remediated to improve both performance and security.
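Steps 2, 4 and 10 all work from the same data: the permissions inventory joined with group memberships. The Python below is an added example, not the author's or Varonis's code. Over a constructed inventory of three folders, four users and a few groups (names, SIDs and paths are invented for illustration), it flattens nested groups to answer the two questions posed in step 2, lists access granted to global groups such as Everyone (step 4), and reports the circular nesting and orphaned SIDs described in step 10.

```python
"""Join a permissions inventory with group memberships to answer step 2's two
questions, then flag step 4's global access and step 10's clean-up findings.
Added example, not the author's or Varonis's code; every group, user, SID
and path is constructed for illustration."""
from collections import defaultdict

GLOBAL_GROUPS = {"Everyone", "Authenticated Users", "Domain Users"}  # "anyone"
ALL_USERS = ["alice", "bob", "carol", "dave"]   # constructed user population

# Constructed directory snapshot: group -> direct members (users or groups).
GROUP_MEMBERS = {
    "Finance": ["alice", "bob", "Finance-Leads"],
    "Finance-Leads": ["carol", "Finance"],   # nests Finance, which nests us: a cycle
    "HR": ["dave"],
    "Legacy-Project": [],                    # empty group from a finished project
}
# Constructed SID table: what the directory can still resolve to a name.
SID_TO_NAME = {
    "S-1-1-0": "Everyone",
    "S-1-5-21-1000-1000-1000-1105": "Finance",
    "S-1-5-21-1000-1000-1000-1106": "HR",
    "S-1-5-21-1000-1000-1000-1201": "alice",
}
# Constructed permissions inventory: folder -> list of (trustee SID, right).
ACLS = {
    r"\\fs01\Finance\Payroll": [("S-1-5-21-1000-1000-1000-1105", "Modify"),
                                ("S-1-5-21-1000-1000-1000-9999", "Full")],  # orphaned
    r"\\fs01\Public\Share": [("S-1-1-0", "Read")],
    r"\\fs01\HR\Records": [("S-1-5-21-1000-1000-1000-1106", "Modify"),
                           ("S-1-5-21-1000-1000-1000-1201", "Read")],
}


def expand_members(group, members=GROUP_MEMBERS, seen=None):
    """Users reachable through nested membership; 'seen' keeps the walk finite
    even when groups nest each other in a circle."""
    if group in GLOBAL_GROUPS:
        return set(ALL_USERS)
    seen = set() if seen is None else seen
    if group in seen:
        return set()
    seen.add(group)
    users = set()
    for m in members.get(group, []):
        users |= expand_members(m, members, seen) if m in members else {m}
    return users


def effective_access(acls=ACLS, members=GROUP_MEMBERS):
    """folder -> {user: set(rights)} after resolving SIDs and flattening groups."""
    result = defaultdict(lambda: defaultdict(set))
    for folder, aces in acls.items():
        for sid, right in aces:
            name = SID_TO_NAME.get(sid)
            if name is None:
                continue    # orphaned SID grants nothing; see find_orphaned_sids()
            is_group = name in members or name in GLOBAL_GROUPS
            for user in (expand_members(name, members) if is_group else {name}):
                result[folder][user].add(right)
    return result


def who_has_access(folder):
    """Step 2: which users can reach this data set?"""
    return set(effective_access().get(folder, {}))


def data_sets_for(user):
    """Step 2: which data sets can this user reach?"""
    return {f for f, users in effective_access().items() if user in users}


def find_global_access(acls=ACLS):
    """Step 4: ACEs granted to a global access group."""
    return [(f, SID_TO_NAME[sid], right) for f, aces in acls.items()
            for sid, right in aces if SID_TO_NAME.get(sid) in GLOBAL_GROUPS]


def find_orphaned_sids(acls=ACLS):
    """Step 10: ACEs whose SID no longer resolves to any user or group."""
    return [(f, sid) for f, aces in acls.items() for sid, _ in aces
            if sid not in SID_TO_NAME]


def find_group_cycles(members=GROUP_MEMBERS):
    """Step 10: nesting chains in which a group ultimately contains itself."""
    cycles, state = [], {}    # state[g] is "open" while g is on the DFS path

    def visit(group, path):
        state[group] = "open"
        for m in members.get(group, []):
            if m in members and state.get(m) == "open":
                cycles.append(path[path.index(m):] + [m])
            elif m in members and m not in state:
                visit(m, path + [m])
        state[group] = "done"

    for g in members:
        if g not in state:
            visit(g, [g])
    return cycles
```

Two design points matter when this is run against a real directory. Group expansion must be cycle-safe before it is correct, because a circular nesting like Finance and Finance-Leads above would otherwise never terminate; the `seen` set is what makes the “who has access” answer finite. And an orphaned SID is excluded from the effective-access view rather than silently treated as a user, so it shows up only in the clean-up report where someone can decide to remove it.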


David Gibson has been in the IT industry for over fifteen years, with a breadth of experience in data governance, network management, network security, system administration, and network design. He is currently Vice President of Strategy at Varonis Systems, the leading provider of comprehensive data governance software. David holds many certifications, including CISSP. As a former technical consultant, he has helped many companies design and implement enterprise network architectures, VPN solutions, enterprise security solutions, and enterprise management systems.