Tuesday, April 17, 2018

Keeping the Wolves at Bay

The old biblical adage to “beware of the wolf in sheep’s clothing” in many cases applies to system administrators. Unfortunately, their mission sometimes conflicts with the security department. They must provide computing resources to users and they want to do it as quickly as possible. Business matters! So, when a user wants access to data (all legitimate) they do their best to help. Unfortunately, that sometimes means putting user permissions directly on folders, adding the Everyone group because they can’t figure out the correct permissions, or putting a folder containing sensitive data in a place that is open to many people. 

Now that you have remediated a whole slew of folders with Varonis DatAdvantage, how do you protect your glorious handiwork? There are a number of things that we can do. Here are some of the steps that we would take.
  1. Document your new standards and train the system administrators. Working with standard Windows tools is like exploring a cave with a flashlight. Possible but difficult. Teach them how to view permissions in DatAdvantage.
  2. Put in place detective controls (reports) to identify when changes are made that violate the new standards.
  3. Utilize an automated provisioning solution for the security groups that you have applied to the folders. Varonis has DataPrivilege, and there are other Identity and Access management solutions such as SailPoint and RSA Identity and Access Management.
 Here are some of the reports that we use to maintain the new permissions structure:
  • Monitored Share – Global groups in Use (4b): This lists all the folders where global groups are applied. It should be blank.
  • Monitored Share – Individual Permissions (12d): This lists all the folders where Individual Users are applied directly to a folder. It should be blank.
  • Monitored Share – Folder Changes (1a): This lists any permission changes or new folders created at the top-level of the monitored Share folder.
I know that you can run some of these reports across the entire environment, such as monitoring for global groups, but we set them up as separate subscriptions for the most important shares and don’t deliver them if they are empty. That way you can send them to the system administrators as well as the security team. If they see violations of policy, we want to encourage them to repair them without anyone having to ask. After all, these wolves are on your side.
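The same kind of detective control can be sketched outside the tool. This is an added example, not Varonis report logic and not from the original post: it assumes the folder ACLs have been exported to a CSV whose column names and `principal_type` values are hypothetical, flags Everyone, individual-user and global-group entries set directly on a folder, and returns only the reports that have findings, so an empty report is never delivered.

```python
import csv
import io
from collections import defaultdict

# Constructed sample: one row per access control entry (ACE) on a share folder.
# Column names and principal_type values are assumptions made for this example.
SAMPLE_EXPORT = r"""folder,principal,principal_type,rights,inherited
\\fs01\Finance\Payroll,CORP\DL_Payroll_RW,domain_local_group,Modify,false
\\fs01\Finance\Payroll,CORP\jsmith,user,FullControl,false
\\fs01\Finance\Budgets,Everyone,well_known,Read,false
\\fs01\Finance\Budgets,CORP\GG_Finance,global_group,Modify,false
\\fs01\Finance\Budgets\2018,CORP\GG_Finance,global_group,Modify,true
\\fs01\HR\Reviews,CORP\DL_HR_RO,domain_local_group,Read,false
"""


def classify(row):
    """Return the name of the standard an ACE violates, or None if it complies."""
    if row["principal"].strip().lower() == "everyone":
        return "everyone_group"
    if row["principal_type"] == "user":
        return "individual_permission"
    if row["principal_type"] == "global_group":
        return "global_group_in_use"
    return None


def find_violations(export_text):
    """Group violating ACEs by rule; rules with no findings are left out."""
    reports = defaultdict(list)
    for row in csv.DictReader(io.StringIO(export_text)):
        # Skip inherited ACEs so each finding points at the folder where the
        # permission was actually set, not at every subfolder below it.
        if row["inherited"].strip().lower() == "true":
            continue
        rule = classify(row)
        if rule:
            reports[rule].append((row["folder"], row["principal"]))
    return dict(reports)


if __name__ == "__main__":
    for rule, findings in find_violations(SAMPLE_EXPORT).items():
        print(rule)
        for folder, principal in findings:
            print(f"  {folder}: {principal}")
```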

Good luck keeping the wolves at bay!

Monday, April 2, 2018

Tracking High Value Targets

High value targets are resources that would be of great interest to people who should not have access to them.

These might be folders containing compensation information, the email mailbox of the CEO, or the database containing the credit card numbers of your customers. Knowing where that data is stored, used, and transmitted is a critical first step in making sure that you are doing your job as a security professional. Then align your security investments with protecting those high value targets. 

Before you go off and undertake a high-priced data classification and discovery project, please speak with your business leaders and get them to tell you what is important and where it is located. Then utilize your existing security tools to track activity to those assets.

Track high value targets with a SIEM. In an ArcSight implementation this can be done with asset categories and active lists. In the unstructured data world, the Varonis DatAdvantage suite gives you the ability to flag and tag these resources so that they can be easily identified, and special reports created to protect them.

Make sure that you have access provisioning and entitlement review processes in place to ensure that you are following a least privilege model. If you have 20 system administrators who have access to the compensation folder, that is a PROBLEM.

Only when you have the basic blocking and tackling in place should you move up to the advanced class and start talking about data discovery, data classification, and data loss prevention solutions. Focus on what matters to the business! Protect the high value targets.