BeyondTrust

Security in Context: The BeyondTrust Blog

Welcome to Security in Context

Bringing you news and commentary on solutions and strategies for protecting critical IT infrastructure in the context of your business.

Data Governance – Why and How?

Posted July 30, 2011    Morgan Holm

In my first blog post I talked about proving and maintaining compliance for data governance rules defined for file system resources in the enterprise. This post will continue the discussion of data governance, reviewing some of the reasons organizations are implementing these policies and processes as well as the main challenges associated defining the rules for file system resources.

Data Governnance – Why and How?

Organizations are being driven to undertake data governance initiatives for compliance to internal policies and guidelines, contractual obligations, SLAs and regulatory compliance for FISMA, GLB, HIPAA, PCI, SOX among others. There also have been a number of high profile security breaches resulting in data theft that have substantial costs to both the organization’s reputation and bottom line. A significant portion of the data held by many organizations is in the form of unstructured data in the file system. How can they find out what permissions are currently set to create and align the data governance rules?

The first challenge for the creation of data governance rules for file system data is to define the locations of the meaningful data that is to be governed. Sometimes there is an immediate knee jerk reaction where the reply is “We need to know everything about all of the file system resources in the whole environment.” While this would be a panacea, it would also create unnecessary complexity and management costs. The result would be an overload of information making difficult to locate what is important in all the noise. For example, if I take a look at a simple member server in my test lab there are around 85,000 files in 19 GB of disk space in the c:\windows directory alone. For most organizations, understanding the permissions set on each individual file on every member server in their environment would not be considered valuable to a data governance initiative. Working with the data owners (stakeholders) and the data managers (stewards) the meaningful data in the file system can be defined.

Now that the files, folders and shares have been identified the creation of the data governance rules is easy, well no. Part of the process is to ensure that the appropriate control mechanisms are in place for the people responsible for managing data and for those who use it. In Windows environments this would be the permissions set on the files, folders and shares. Unfortunately there is no central repository for the permission information in Windows and with permission inheritance; permissions may be set on parent folders throughout the hierarchy. Even with targeted file system resources the effort required to analyze and report on these permissions would be daunting and not achievable for most organizations. Even if it could be accomplished once, it would be impossible to keep a regular historical record for these access rights for auditors or if a forensic investigation needs to be done.

BeyondTrust PowerBroker Privilege Explorer provides organizations with the ability to target the meaningful files, folders and shares in the environment to both analyze and set permissions on these file system resources. This enables the viewing and reporting on who has access to these resources, where a user or group has rights in the environment and what these permission were in the past. These are key elements to creating and aligning data governance rules and the ongoing resolutions to non-conformance.

Tags:
, , , , , , ,

Leave a Reply

Additional articles

Are Your Data Security Efforts Focused in the Right Area?

Posted January 28, 2015    Scott Lang

Vormetric Data Security recently released an insider threat report, with research conducted by HarrisPoll and analyzed by Ovum. Based on the survey responses, it is apparent that there is still a great deal of insecurity over data. However, the results also show that there may be misplaced investments to address those insecurities. I will explain…

Tags:
ghost

GHOST Vulnerability…Scary Indeed

Posted January 28, 2015    BeyondTrust Research Team

A vulnerability discovered by Qualys security researchers has surfaced within the GNU C Library that affects virtually all Linux operating systems. The vulnerability lies within the various gethostbyname*() functions and, as such, has been dubbed “GHOST.” GHOST is particularly nasty considering remote, arbitrary code execution can be achieved. In an effort to avoid taxing DNS lookups, glibc developers introduced…

Tags:
,
dave-shackleford-headshot

Your New Years Resolution: Controlling Privileged Users

Posted January 27, 2015    Dave Shackleford

Is 2015 the year you get a better handle on security? The news last year was grim – so much so, in fact, that many in the information security community despaired a bit. Really, the end-of-the-year infosec cocktail parties were a bit glum. OK, let’s be honest, infosec cocktail parties are usually not that wild…

Tags:
, , ,