Preventing Data Leaks with Automated Data Governance
Assess Your Current Risk Profile and Effectively Reduce Risk with Metadata Framework Technology
Issue 1
• Research from Gartner: Security and Risk Management Lessons, Courtesy of WikiLeaks
• Is Your Data At Risk?
• Security and Risk Management with Unstructured Data
• The Metadata Imperative for Security and Risk Management
• Evaluate the Metadata Approach
• About Varonis
Introduction:
As WikiLeaks and other recent newsworthy breaches remind us, organizations now house sensitive information belonging not only to the organization itself, but to its partners, clients, and employees. Governing access and monitoring use of so much data is mandatory to optimize productivity and security, and to remain a viable business partner. A critical part of the solution to preventing unauthorized or inappropriate access to sensitive data is the ability to leverage metadata – data about data (or information about information). In this newsletter, we’ll explore how an automated data governance system like the Varonis® Metadata Framework™ technology enhances protection and management of sensitive file share data.
Featuring research from
Research from Gartner
Security and Risk Management Lessons, Courtesy of WikiLeaks
The wholesale release of sensitive diplomatic cables by WikiLeaks serves as a reminder to organizations of the need to evaluate the benefits and risks of broader data access; the need for data access governance, controls and monitoring; and the need for data and infrastructure protection.
ANALYSIS
While your organization is probably not going to become the next featured subject on WikiLeaks’ home page, it provides important data control (data governance) lessons for all organizations. In the aftermath of the Sept. 11 attacks, the U.S. Department of Defense determined that intelligence efforts would be aided by access policies that enabled wider access to data. There were undoubtedly many benefits to opening up the data that are not visible here. No one should conclude that, because of WikiLeaks, everyone would have been better off with the pre-9/11 information control policies. The Gartner advice encapsulated in the referenced research is intended to help our clients optimize their decisions, making productive use of large amounts of data, while reducing the potential for leakage. Organizations need to:
• Evaluate the benefits and risks of data sharing.
• Establish data access governance processes.
• Develop security capabilities that include:
  • Role and entitlement management
  • Data encryption
  • Data loss prevention technology
  • User activity monitoring and fraud detection
  • Denial of service protection
Data Access Governance
The WikiLeaks incident highlights the risks associated with broader and poorly managed access to data. Commercial organizations face the same set of tradeoffs, as exemplified by the all too common loss (and subsequent discovery by the wrong people) of large amounts of customer data by knowledge workers. Data access decisions should be based on an assessment of the risks and benefits of a given level of data sharing as well as an assessment of the process, people and technology that can securely enable that sharing. Data access decisions do not need to be “share all” or “share nothing.” Organizations can apply data access governance processes and technologies to implement policies for fine-grained entitlements that enable broader data sharing with limited risk.
Insider Threats
The WikiLeaks release of diplomatic cables began with the large-scale removal of sensitive data by an insider. The security threat from insiders (the malicious and the negligent) isn’t new, but it is evolving. Enterprises need to expand security attention to include the risks presented by insiders’ inappropriate behaviors, whether malicious or simply negligent. Security organizations should consider a blend of process changes and technology-based solutions to address the insider threat.
Data Protection
The risks of data sharing can be limited by effective data protection controls in the areas of data loss prevention and data encryption. Security organizations should work to align the data security program with the overall enterprise IT governance, evaluating policies and data classification before selecting controls. Organizations also need to focus on endpoint and mobile data protection. The effort should begin with the creation of data encryption policies that are developed with reference to real-world data breach scenarios that are relevant to the organization and the tasks performed by its users. Data encryption technology selection and deployment should be driven by these policies.
User Activity Monitoring
A common comment on the wholesale copying of the diplomatic cables was “Why didn’t alarms go off?” When organizations make the decision to allow broader access to data, it becomes essential to monitor employee use of their access privileges. The discovery of internal or external targeted attacks requires broad-scope user activity monitoring and the ability to discern data access and transaction activity patterns that signal exceptions to normal resource access and user behavior.
Distributed Denial-of-Service Protection
One of the outcomes of the diplomatic cables release was a series of distributed denial-of-service (DDoS) attacks against the WikiLeaks site and against websites associated with various parties that were perceived to be enemies of WikiLeaks. DDoS attacks are not new phenomena, but this round of attacks serves as a reminder for organizations to plan for the possibility. DDoS mitigation services should be a standard part of all Internet service procurements when the business depends on the availability of Internet connectivity. Only very large enterprises with complex Internet connectivity should consider buying DDoS equipment for self-protection. Most enterprises should look at detection and filtering services that are available from Internet service providers or DDoS security-as-a-service specialists. Where content delivery networks (CDNs) are used for corporate Web content, DDoS services from the CDN provider should also be evaluated.
Source: Gartner RAS Core Research Note, G00210101, Mark Nicolett, 23 May 2011
Is Your Data At Risk?
How to Assess Your Current Data Governance Capabilities
Pick two file shares at random and choose a folder within each of them. Pose the following questions:
• Who has access to them?
• Who is now responsible for making access control decisions for that data (who owns it)?
• When did that person or persons last review current access to those folders?
• What decisions did they make?
• Who granted all those people access, and why?
• Who has been actively accessing the data?
If you can answer all of these questions easily, then you’re in great shape (at least for the folders you chose). If you can’t, then you have a clear opportunity to enhance your data governance capabilities.
One answer you may hear goes something like, “We have owners for groups, not data. We review group membership regularly.” If that is the response, then pick a group or two, and pose the following questions:
• What are all the folders that members of this group have access to, and how do we know?
• If that group is added to another folder’s access control list, how do we know?
Again, if you can answer those questions easily you’re in good shape. If you can’t, then you may be managing groups effectively, but you’re still not managing access to the file share data.
Source: Varonis
Security and Risk Management with Unstructured Data
“Organizations are becoming significantly more collaborative,” said Yaki Faitelson, Chief Executive Officer, President and Co-founder of Varonis. “As a result, data is more widespread and vulnerable than ever before. For organizations to prevent loss of sensitive data while still enabling the collaboration needed to conduct business, they need to ensure that they have processes and automation in place for authorization and review of access to data, monitoring who is using data, and identifying sensitive data that is at risk.”
Each file and folder, and user or group, has many metadata elements associated with it at any given point in time – permissions, timestamps, location in the file system, etc. – and the constantly changing files and folders generate streams of metadata, especially when combined with access activity. These combined metadata streams become a torrent of critical metadata. To capture, analyze, store and understand so much metadata requires metadata framework technology specifically designed for this purpose.
Unstructured and semi-structured data such as spreadsheets, presentations, documents, multimedia files, etc., stored in repositories such as file systems, NAS devices, SharePoint sites, Exchange mailboxes and public folders, are a challenge to manage for any organization. All of these documents account for roughly 80% of business data. This shared data is highly dynamic and growing by about 50% each year. The relevance of this data is constantly in flux, changing far faster than each user’s access rights. As a result, users are often able to download or edit data they no longer need access to long after a project finishes or their role has changed.
“As the WikiLeaks fiasco has shown, it only takes one rogue member of staff – or a malignant individual – to access and copy a set of critical data files for the entire security system and the integrity of the organization to be severely compromised. Staff collaboration is why the data is open to begin with. But using manual methods to secure data in this era of digital collaboration is asking for trouble. It is astonishing that every file share, NAS device, SharePoint site and Exchange mailbox doesn’t have automated protection that prevents unwarranted access since this type of solution is readily available and the benefits are immediate,” Faitelson said.
A key part of managing risk associated with unstructured and semi-structured data is the use of metadata – data about data (or information about information) – and the technology needed to leverage it. When it comes to identifying sensitive data and protecting access to it, a number of types of metadata are relevant: user and group information, permissions information, access activity, and sensitive content indicators. A key benefit to leveraging metadata for preventing data loss is that it can be used to focus and accelerate the data classification process. In many instances, the ability to leverage metadata can speed up the process by up to 90%, providing a short list of where an organization’s most sensitive data is, where it is most at risk, who has access to it and who shouldn’t.
“Organizations have to be aware they no longer have to manually manage permissions to ensure that only the correct users have access to the right data and that their permissions can be revoked when they no longer need them. The previously impossible is now possible through the intelligent use of metadata and data governance automation. The instinctive reaction of many to these WikiLeaks is to try and lock down all data – that is not only impossible, it is unnecessary if you use the right technology,” said Faitelson.
Source: Varonis
The Metadata Imperative for Security and Risk Management
Four types of metadata are critical for data governance:
• Access Activity – knowing which users do access what data, when and what they’ve done
• User and Group Information – from Active Directory, LDAP, NIS, SharePoint, etc.
• Sensitive Content Indicators – knowing which files contain items of sensitivity and importance, and where they reside
• Permissions and other File System Information – knowing which users and groups are listed on ACLs, access time stamps, file counts and sizes
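The following added example (not Varonis or Gartner code) joins three of the four metadata types above, namely user and group information, permissions, and access activity, to answer the assessment questions "Who has access?" and "Who has been actively accessing the data?" for one folder. All names, paths, dates and the 90-day window are constructed assumptions.

```python
from datetime import date, timedelta

# Constructed sample metadata (illustrative only, not from a real environment).
PAYROLL, SPECS = r"\\fs01\finance\payroll", r"\\fs01\eng\specs"
GROUPS = {  # group -> direct members (users or nested groups)
    "Finance": {"alice", "bob", "FinanceContractors"},
    "FinanceContractors": {"carol"},
    "Everyone-HQ": {"alice", "bob", "carol", "dave", "erin"},
}
ACLS = {  # folder -> {principal on the ACL: rights}
    PAYROLL: {"Finance": "modify", "Everyone-HQ": "read", "frank": "read"},
    SPECS: {"Everyone-HQ": "read"},
}
EVENTS = [  # access activity: (user, folder, day of access)
    ("alice", PAYROLL, date(2011, 5, 20)),
    ("bob", PAYROLL, date(2011, 1, 3)),
    ("dave", SPECS, date(2011, 5, 18)),
]

def expand(principal, groups, seen=None):
    """Resolve a user or (possibly nested) group to the set of users."""
    seen = set() if seen is None else seen
    if principal not in groups:
        return {principal}          # a plain user account
    if principal in seen:
        return set()                # already visited: breaks membership cycles
    seen.add(principal)
    users = set()
    for member in groups[principal]:
        users |= expand(member, groups, seen)
    return users

def who_has_access(folder, acls, groups):
    """Map each user to the sorted ACL entries that grant them access."""
    grants = {}
    for principal in acls[folder]:
        for user in expand(principal, groups):
            grants.setdefault(user, []).append(principal)
    return {user: sorted(via) for user, via in grants.items()}

def unused_access(folder, acls, groups, events, as_of, days=90):
    """Users permitted on the folder with no recorded access in the window."""
    cutoff = as_of - timedelta(days=days)
    active = {u for u, f, d in events if f == folder and d >= cutoff}
    return sorted(set(who_has_access(folder, acls, groups)) - active)

def folders_for_group(group, acls):
    """Every folder whose ACL lists the group directly."""
    return sorted(f for f, acl in acls.items() if group in acl)
```

The output of `unused_access` is a review list for the data owner, not an automatic revocation list: absence of logged activity depends on how complete the access log is.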
FIGURE 1: VARONIS® METADATA FRAMEWORK™ (Source: Varonis)
The Varonis® Metadata Framework™ non-intrusively collects this critical metadata, generates metadata where existing metadata is lacking (e.g. through its file system filters and content inspection technologies), pre-processes it, normalizes it, analyzes it, stores it, and presents it to IT administrators in an interactive, dynamic interface. Once data owners are identified, they are empowered to make informed authorization and permissions maintenance decisions through a web-based interface; those decisions are then executed with no IT overhead or manual backend processes.
The Varonis® Data Governance Software Suite will scale to present and future requirements using standard computing infrastructure, even as the number of functional relationships between metadata entities grows exponentially. As new platforms and metadata streams emerge, they will be seamlessly assimilated into the Varonis framework, and the productive methodologies it enables for data management and protection.
Source: Varonis
Evaluate the Metadata Approach
Experience the Varonis® Metadata Framework™ with our 30-Day Free Trial:
Within Hours of Installation
Instantly conduct a permissions audit: You’ll have a full view into file and folder access permissions and how those map to specific users and groups. You can even generate reports.
Within a Day of Installation
You’ll be able to instantly see which users are accessing the data and what they are doing with their access.
Within 3 Weeks of Installation
Varonis DatAdvantage will actually make highly reliable recommendations about how to limit access to files and folders to just those users who need it for their jobs.
FIGURE 2: VARONIS® DATADVANTAGE® – ACCESS AUDITING (Source: Varonis)
FIGURE 3: VARONIS® DATADVANTAGE® – ACCESS AUDITING (Source: Varonis)
FIGURE 4: VARONIS® DATADVANTAGE® – PERMISSIONS VISUALIZATION (Source: Varonis)
Source: Varonis
About Varonis
Varonis is the leader in unstructured and semi-structured data governance for file systems, SharePoint and NAS devices, and Exchange servers. Voted one of the “Fast 50 Reader Favorites” on FastCompany.com, Varonis has more than 4500 installations worldwide. Based on patented technology and a highly accurate analytics engine, Varonis’ solutions give organizations total visibility and control over their data, ensuring that only the right users have access to the right data at all times. Varonis is headquartered in New York, N.Y. with regional offices in Europe, Asia and Latin America.
Varonis Systems, Inc. – Worldwide Headquarters 1250 Broadway, 31st Floor New York, NY 10001 Phone: 877-292-8767 www.varonis.com
Preventing Data Leaks with Automated Data Governance is published by “Client Name”. Editorial supplied by “Client Name” is independent of Gartner analysis. All Gartner research is © 2011 by Gartner, Inc. All rights reserved. All Gartner materials are used with Gartner’s permission. The use or publication of Gartner research does not indicate Gartner’s endorsement of Client Name’s products and/or strategies. Reproduction or distribution of this publication in any form without prior written permission is forbidden. The information contained herein has been obtained from sources believed to be reliable. Gartner disclaims all warranties as to the accuracy, completeness or adequacy of such information. Gartner shall have no liability for errors, omissions or inadequacies in the information contained herein or for interpretations thereof. The opinions expressed herein are subject to change without notice. Although Gartner research may include a discussion of related legal issues, Gartner does not provide legal advice or services and its research should not be construed or used as such. Gartner is a public company, and its shareholders may include firms and funds that have financial interests in entities covered in Gartner research. Gartner’s Board of Directors may include senior managers of these firms or funds. Gartner research is produced independently by its research organization without input or influence from these firms, funds or their managers. For further information on the independence and integrity of Gartner research, see “Guiding Principles on Independence and Objectivity” on its website, http://www.gartner.com/technology/about/ombudsman/omb_guide2.jsp.