BeyondTrust

Security in Context: The BeyondTrust Blog

Welcome to Security in Context

Bringing you news and commentary on solutions and strategies for protecting critical IT infrastructure in the context of your business.

Data Governance – Why and How?

Posted July 30, 2011    Morgan Holm

In my first blog post I talked about proving and maintaining compliance for data governance rules defined for file system resources in the enterprise. This post will continue the discussion of data governance, reviewing some of the reasons organizations are implementing these policies and processes as well as the main challenges associated defining the rules for file system resources.

Data Governnance – Why and How?

Organizations are being driven to undertake data governance initiatives for compliance to internal policies and guidelines, contractual obligations, SLAs and regulatory compliance for FISMA, GLB, HIPAA, PCI, SOX among others. There also have been a number of high profile security breaches resulting in data theft that have substantial costs to both the organization’s reputation and bottom line. A significant portion of the data held by many organizations is in the form of unstructured data in the file system. How can they find out what permissions are currently set to create and align the data governance rules?

The first challenge for the creation of data governance rules for file system data is to define the locations of the meaningful data that is to be governed. Sometimes there is an immediate knee jerk reaction where the reply is “We need to know everything about all of the file system resources in the whole environment.” While this would be a panacea, it would also create unnecessary complexity and management costs. The result would be an overload of information making difficult to locate what is important in all the noise. For example, if I take a look at a simple member server in my test lab there are around 85,000 files in 19 GB of disk space in the c:\windows directory alone. For most organizations, understanding the permissions set on each individual file on every member server in their environment would not be considered valuable to a data governance initiative. Working with the data owners (stakeholders) and the data managers (stewards) the meaningful data in the file system can be defined.

Now that the files, folders and shares have been identified the creation of the data governance rules is easy, well no. Part of the process is to ensure that the appropriate control mechanisms are in place for the people responsible for managing data and for those who use it. In Windows environments this would be the permissions set on the files, folders and shares. Unfortunately there is no central repository for the permission information in Windows and with permission inheritance; permissions may be set on parent folders throughout the hierarchy. Even with targeted file system resources the effort required to analyze and report on these permissions would be daunting and not achievable for most organizations. Even if it could be accomplished once, it would be impossible to keep a regular historical record for these access rights for auditors or if a forensic investigation needs to be done.

BeyondTrust PowerBroker Privilege Explorer provides organizations with the ability to target the meaningful files, folders and shares in the environment to both analyze and set permissions on these file system resources. This enables the viewing and reporting on who has access to these resources, where a user or group has rights in the environment and what these permission were in the past. These are key elements to creating and aligning data governance rules and the ongoing resolutions to non-conformance.

Tags:
, , , , , , ,

Leave a Reply

Additional articles

dave-shackleford-headshot

Tales from the Datacenter: Vulnerability Management Nightmares

Posted May 27, 2015    Dave Shackleford

Vulnerability scanning, threat management, risk analysis, patching, and configuration management are some of the major activities usually associated with vulnerability management, and none of these are new…so why are we failing so badly at many of them?

Tags:
, ,
Sudo_logo

Don’t Create a Different sudoers File for Each System

Posted May 20, 2015    Randy Franklin Smith

What if you have multiple Linux and/or Unix systems? Sudo management can become onerous and unwieldy if you try to manage a different sudoers file on each system. The good news is that sudo supports multiple systems.

password-safety

What Does Microsoft Local Administrator Password Solution Really Do?

Posted May 19, 2015    Morey Haber

LAPS is a feature that allows the randomization of local administrator accounts across the domain. Although it would seem that this capability overlaps with features in BeyondTrust’s PowerBroker Password Safe (PBPS), the reality is it is more suited for simple use cases such as changing the local Windows admin account and not much more.

Tags:
, ,