BeyondTrust

Security in Context: The BeyondTrust Blog


Data Governance – Why and How?

Posted July 30, 2011    Morgan Holm

In my first blog post I talked about proving and maintaining compliance with data governance rules defined for file system resources in the enterprise. This post continues the discussion of data governance, reviewing some of the reasons organizations are implementing these policies and processes, as well as the main challenges associated with defining the rules for file system resources.

Data Governance – Why and How?

Organizations are being driven to undertake data governance initiatives for compliance with internal policies and guidelines, contractual obligations, SLAs and regulatory requirements such as FISMA, GLB, HIPAA, PCI and SOX, among others. There have also been a number of high profile security breaches resulting in data theft that have imposed substantial costs on both the organization’s reputation and its bottom line. A significant portion of the data held by many organizations is unstructured data in the file system. How can they find out what permissions are currently set in order to create and align the data governance rules?

The first challenge in creating data governance rules for file system data is to define the locations of the meaningful data that is to be governed. Sometimes there is an immediate knee-jerk reaction along the lines of “We need to know everything about all of the file system resources in the whole environment.” While this would be a panacea, it would also create unnecessary complexity and management costs. The result would be an overload of information, making it difficult to locate what is important among all the noise. For example, a simple member server in my test lab has around 85,000 files occupying 19 GB of disk space in the c:\windows directory alone. For most organizations, understanding the permissions set on each individual file on every member server in their environment would not be considered valuable to a data governance initiative. Working with the data owners (stakeholders) and the data managers (stewards), the meaningful data in the file system can be defined.

Now that the files, folders and shares have been identified, creating the data governance rules is easy, right? Well, no. Part of the process is to ensure that the appropriate control mechanisms are in place both for the people responsible for managing data and for those who use it. In Windows environments this means the permissions set on the files, folders and shares. Unfortunately there is no central repository for permission information in Windows, and because of permission inheritance, the effective permissions on a resource may be set on parent folders anywhere up the hierarchy. Even with targeted file system resources, the effort required to analyze and report on these permissions would be daunting and not achievable for most organizations. Even if it could be accomplished once, it would be impossible to keep a regular historical record of these access rights for auditors or for a forensic investigation, should one be needed.
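One way to make this inventory tractable with built-in tooling, as an added example that is not part of the original post or of PowerBroker: snapshot only the explicit, non-inherited ACEs on the scoped folders, since those are the points in the hierarchy where effective access actually changes. The scoped paths and report directory below are constructed assumptions.

```powershell
# Added example (not BeyondTrust or PowerBroker code): snapshot the explicit,
# non-inherited ACEs on a scoped set of folders so that the places where
# permissions actually change in the hierarchy stand out from the noise.
# Assumptions: $ScopedPaths is a constructed list of the folders the data
# owners and stewards identified; $ReportDir is a location for dated snapshots.
param(
    [string[]]$ScopedPaths = @('D:\Shares\Finance', 'D:\Shares\HR'),
    [string]$ReportDir = 'C:\AclSnapshots'
)

$stamp = Get-Date -Format 'yyyyMMdd-HHmmss'
New-Item -ItemType Directory -Path $ReportDir -Force | Out-Null
$rows = foreach ($root in $ScopedPaths) {
    if (-not (Test-Path -LiteralPath $root)) {
        Write-Warning "Scoped path not found: $root"
        continue
    }
    # Report the root itself plus every subfolder; files inherit from folders,
    # so folder-level ACLs are where the governance rules are actually expressed.
    $folders = @(Get-Item -LiteralPath $root) +
               @(Get-ChildItem -LiteralPath $root -Recurse -Directory -ErrorAction SilentlyContinue)
    foreach ($folder in $folders) {
        try {
            $acl = Get-Acl -LiteralPath $folder.FullName
        } catch {
            Write-Warning "Cannot read ACL on $($folder.FullName): $_"
            continue
        }
        # Explicit ACEs and broken inheritance are the only things that change
        # effective access below this point; everything else is inherited noise.
        foreach ($ace in $acl.Access | Where-Object { -not $_.IsInherited }) {
            [pscustomobject]@{
                Snapshot            = $stamp
                Path                = $folder.FullName
                InheritanceDisabled = $acl.AreAccessRulesProtected
                Identity            = $ace.IdentityReference.Value
                Rights              = $ace.FileSystemRights.ToString()
                Type                = $ace.AccessControlType.ToString()
                Owner               = $acl.Owner
            }
        }
    }
}

$report = Join-Path $ReportDir "explicit-acls-$stamp.csv"
$rows | Export-Csv -Path $report -NoTypeInformation -Encoding UTF8
Write-Host "Wrote $(@($rows).Count) explicit ACEs to $report"
# Ad hoc query: where does a given group hold rights in the scoped tree?
# Import-Csv $report | Where-Object Identity -like 'CORP\Finance*' | Format-Table Path, Rights
```

Keeping one dated CSV per run gives the historical record the paragraph above describes; diffing two snapshots shows which explicit grants appeared or disappeared between audits.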

BeyondTrust PowerBroker Privilege Explorer provides organizations with the ability to target the meaningful files, folders and shares in the environment and to both analyze and set permissions on these file system resources. This enables viewing and reporting on who has access to these resources, where a user or group has rights in the environment, and what these permissions were in the past. These are key elements in creating and aligning data governance rules and in the ongoing resolution of non-conformance.
