In my first blog post I talked about proving and maintaining compliance for data governance rules defined for file system resources in the enterprise. This post will continue the discussion of data governance, reviewing some of the reasons organizations are implementing these policies and processes as well as the main challenges associated defining the rules for file system resources.
Data Governnance – Why and How?
Organizations are being driven to undertake data governance initiatives for compliance to internal policies and guidelines, contractual obligations, SLAs and regulatory compliance for FISMA, GLB, HIPAA, PCI, SOX among others. There also have been a number of high profile security breaches resulting in data theft that have substantial costs to both the organization’s reputation and bottom line. A significant portion of the data held by many organizations is in the form of unstructured data in the file system. How can they find out what permissions are currently set to create and align the data governance rules?
The first challenge for the creation of data governance rules for file system data is to define the locations of the meaningful data that is to be governed. Sometimes there is an immediate knee jerk reaction where the reply is “We need to know everything about all of the file system resources in the whole environment.” While this would be a panacea, it would also create unnecessary complexity and management costs. The result would be an overload of information making difficult to locate what is important in all the noise. For example, if I take a look at a simple member server in my test lab there are around 85,000 files in 19 GB of disk space in the c:\windows directory alone. For most organizations, understanding the permissions set on each individual file on every member server in their environment would not be considered valuable to a data governance initiative. Working with the data owners (stakeholders) and the data managers (stewards) the meaningful data in the file system can be defined.
Now that the files, folders and shares have been identified the creation of the data governance rules is easy, well no. Part of the process is to ensure that the appropriate control mechanisms are in place for the people responsible for managing data and for those who use it. In Windows environments this would be the permissions set on the files, folders and shares. Unfortunately there is no central repository for the permission information in Windows and with permission inheritance; permissions may be set on parent folders throughout the hierarchy. Even with targeted file system resources the effort required to analyze and report on these permissions would be daunting and not achievable for most organizations. Even if it could be accomplished once, it would be impossible to keep a regular historical record for these access rights for auditors or if a forensic investigation needs to be done.
BeyondTrust PowerBroker Privilege Explorer provides organizations with the ability to target the meaningful files, folders and shares in the environment to both analyze and set permissions on these file system resources. This enables the viewing and reporting on who has access to these resources, where a user or group has rights in the environment and what these permission were in the past. These are key elements to creating and aligning data governance rules and the ongoing resolutions to non-conformance.