File auditing on NetApp Filer


Published on

NetApp Filer auditing is indispensable to data protection, enforcement of internal controls and adherence to external regulations, for those organizations that use NetApp Filer appliances. NetApp monitoring and auditing changes in files, folders, and permissions help tighten security and ensure compliance. Learn how to best go about NetApp Filer auditing, what features are required and how the whole process can be approached.

Published in: Technology
  • Be the first to comment

  • Be the first to like this

No Downloads
Total views
On SlideShare
From Embeds
Number of Embeds
Embeds 0
No embeds

No notes for slide

File auditing on NetApp Filer

  1. 1. File Auditing with NetApp Filer Chris Rich NetWrix Corporation Corporate Headquarters: 12 N State Rt 17, Suite 104, Paramus, NJ Office: (201) 490-8840, Toll-Free: (888) 638-9749, E-mail:
  2. 2. White Paper: File Auditing with NetApp Filer Table of Contents3 Why is File Auditing on NetApp Filer Important?3 ....... File Auditing to Reduce Risk3 ....... File Auditing to Improve Security4 ....... File Auditing to Sustain Compliance4 Required NetApp Filer Auditing Features4 ....... Automatic Data Collection5 ....... Efficient and Centralized Data Storage5 ....... Scalability5 ....... Advanced Reporting Capabilities6 ....... File Integrity Monitoring6 ....... Additional Considerations7 NetWrix approach to File Auditing on NetApp Filer8 About NetWrix8 About the Author8 Additional Resources
  3. 3. White Paper: 3 File Auditing with NetApp Filer Why is File Auditing Important?The importance of comprehensive file auditing is best illustrated by a real-world example. Datahoused in an organization’s servers and storage devices contain massive amounts ofsensitive information. It is absolutely critical that at any point in time, you can show an audittrail of who has accessed files and folders or modified permissions of files and folders includingthe date and time when the attempt or change was made and where the change occurred.For organizations bound by regulations such as SOX, HIPAA, and PCI, detailed file auditingshowing who changed what, when, and where is a necessity. Without it, the organization risksnon-compliance which may result in fines and sanctions. Consider all the information in anyorganization stored in various files: employee data, financial information, proprietary and tradeinformation not meant for public or even selective internal access.File access violations have great potential of becoming much worse if information in sensitivefiles has been modified or removed or if the file were deleted altogether. Without effective fileauditing in place, you have no way of providing an audit trail of who accessed what, when, andwhere this activity took place. With file access auditing, this information could have been quicklyand easily discovered. File Auditing to Reduce RiskDetailed file access auditing delivers accountability and proof of regulatory compliance.Automatic collection and reporting of file change and file access information providesorganizations with a steady stream of feedback regarding file activity in the enterprise. Using thisinformation can greatly reduce risks. A file permission change may allow a user or group to seeor modify sensitive information. A user repeatedly reviewing information they would notnormally read may reveal an employee who is providing a competitor with upcoming productdetails. Important files deleted from a network share may explain why important reports werenot submitted on time. File auditing is the vehicle by which access attempts and changes madeto files, folders and permissions can be monitored to uncover security risks so they can beaddressed. On NetApp Filer, auditing permissions helps to ensure rights to sensitive data aremaintained properly. Effectively managing every aspect of user and administrator interactionwith the multitude of files within the environment reduces risk while granting the appropriateaccess users need to perform their duties. File Auditing to Improve SecurityEmployees are given a level of trust and when that trust is abused, organizations quickly becomevictims. File auditing provides organizations with the ability to establish an audit trail for all filesystem activity thus greatly improving security. Security flaws and holes are often discoveredafter the fact and the reason for this is automatic file auditing and file audit reporting is notpresent. Monitoring file activity frequently to improve security in the enterprise for both internaland external threats. To improve file security, extract change information automatically andreview changes and access attempts on a regular basis.
  4. 4. White Paper: 4 File Auditing with NetApp Filer File Auditing to Sustain ComplianceRegulations such as SOX, PCI, FISMA, and HIPAA each have their own security standard practicesincluding what exactly needs to be tracked and recorded in file systems. These regulations existto establish (IT) change auditing standards to protect both businesses and consumers. At theend of the day, these regulations and their enforcement strive to confirm the organization issecuring, recording and monitoring change events that permit access to sensitive informationsuch as banking information, social security numbers, and health records. File and folderpermissions are essential to segregating information so that only select groups and individualscan access it. Mostly, demonstrating compliance is an exercise in presenting this information toauditors upon request and to the level of detail required. Auditing files, folders and permissionaccess attempts and changes provides the Who, What, When, and Where information mostfrequently requested by auditors and almost equally important is the need to store thisinformation for sometimes up to 7 years or more to be considered compliant. For NetApp Filer,this is extremely difficult and an entirely manual process with native functionality and thereforewill require specialized tools. Required NetApp Filer Auditing FeaturesCentralized storage and reporting tools are unavailable for audit data on NetApp Filer nativelymaking the collection and reporting steps of change auditing for file, folder and permissionaccess attempts and changes difficult and time consuming without additional tools. There is alsoa risk of losing audit data if event log settings are not set properly or the volume of informationlogged and exceeding log limitations if too much information is being captured or purged priorto review. Once native information is analyzed by an administrator experienced with the NetAppFiler events and messages, the interpretation then would need to result in a decision to act.Combine these factors and the result is native file auditing is not feasible except for smallerenvironments that are adequately staffed to handle this workload. Automatic Data CollectionIn order to efficiently audit NetApp Filer, the process must be automated. Without automation,collecting the information in a timely manner is not feasible. This is especially true as the size ofthe organization will have a great impact on the raw volume of information collected making iteven more challenging to track and report NetApp Filer changes. Additional scripting and/or a3rd-party file server monitoring tool are frequently employed to collect event data. Furthermore,if audit data is not collected regularly, there is a risk of losing this information due to logoverwrites or retention settings unsuitable to the overall requirements. This is an importantrequired feature to change auditing because without it, timely auditing is nearly impossible.
  5. 5. White Paper: 5 File Auditing with NetApp Filer Efficient and Centralized Data StorageAutomation of any kind typically requires additional resources and may negatively impactsystem performance. For this reason, it’s important that the impact of the method employed toautomatically collect data is minimal. Furthermore, storage of data must also be a considerationduring implementation. While it is possible to store audit data exclusively on the NetApp Filerwhere the events are taking place, the preferred method will be to centralize this information ina data store that is both secure and readily available. This greatly facilitates analysis andreporting making it easier to integrate NetApp Filer auditing into your daily routine.Collection of information must also be reliable. Occasionally, each piece of the file auditingsystem should have a periodic check to ensure information is consistent when collected. Themost advanced methods of reliably collecting this information will also have the ability topre-screen data and filter for only essential information. During collection, preference should begiven to methods that leverage the native audit information that will eliminate common noiseand log excess that is not of value. To completely understand an event, information from allsources involved must be aggregated and analyzed as a whole. Securing this information forshort and long-term storage is also an important consideration and thus best-practices forsecuring audit data should be included pre-deployment such that no single power-user hasaccess to or the ability to delete or tamper with the audit trail. Access to this information shouldbe heavily restricted and monitored as well. ScalabilityTo audit file changes, access attempts and permission adjustments in the enterprise, thesolution must be readily scalable to adjust to a constantly changing environment without theneed for dramatic steps. Implementation and ongoing NetApp Filer auditing will be simplifiedwhen no additional software or extensive reconfigurations are required when adjusting tochanges within the organization. Auditing needs to keep pace with all granular changes as theoverall topology of the network changes. Advanced Reporting CapabilitiesOnce data has been stored securely, file auditing can assume a proactive role in sustainingcompliance, securing information and improving overall stability. Moving forward automaticreporting provides customizable summarized report output on every change and accessattempt for any time period. Reporting needs to present report data in a clearly understandableformat that is easy to understand including all the important details such as Who made Whatchange, When and Where as well as Before and After Values. Without the ability to produce clearinformation on change history for day-to-day modifications to files and folders, such as, whochanged shared folder permissions or who deleted an important accounting spreadsheet,sustaining compliance, stability and security will be difficult if not impossible and manyopportunities to implement NetApp Filer auditing will be surrendered.
  6. 6. White Paper: 6 File Auditing with NetApp FilerUsing SQL to store data and leverage SQL Reporting Services are obvious choices for storing andreporting on data in most environments. SQL Server Express Edition with SQL Reporting Servicescan be downloaded for free from Microsoft and expertise with SQL is common and frequentlyavailable. Having the ability to customize ad-hoc and predefined 3rd-party reports will acceleratefile auditing efforts by saving time and providing configuration options to suit the majority ofneeds. Using reports on a daily basis ensures complete visibility over the entire NetApp Filerinfrastructure providing opportunities to improve security and sustain compliance. Additionalreporting services such as e-mail alerts and subscription capabilities and will also add to theimpact advanced reporting will have on overall file systems management effectiveness. Onceestablished, reporting will be the main driver behind successful sustained NetApp Filer auditingday-to-day. File Integrity MonitoringFile Integrity Monitoring, or FIM, ensures the integrity of files by monitoring a hashrepresentation of a file instead of the entire file itself. This approach allows for fast detection offile changes facilitating timely alerting when a change occurs on a file. FIM is also required for PCIcompliance. Using file integrity monitoring in your NetApp Filer auditing is necessary to providethe highest level of security and meet PCI compliance. Additional ConsiderationsPreferred solutions (and providers) should offer additional capabilities to form a comprehensivemanagement suite to maximize the potential benefits of change auditing throughout theenvironment. This includes auditing of file and other changes in Windows servers and otherappliances such as EMC Celerra. Additional auditing capabilities may include network devicessuch as firewalls and Microsoft technologies such as Active Directory, Group Policy, Exchange,SQL and SharePoint. Real-time alerting and object restore features will also add value to anyenterprise-wide change auditing solution.
  7. 7. White Paper: 7 File Auditing with NetApp Filer NetWrix Approach to NetApp Filer AuditingNetWrix NetApp Filer Change Reporter is a specialized NetApp Filer auditing solution thatmonitors changes made to files, folders, permissions and successful access events across theentire enterprise using AuditAssurance™ technology. This technology ensures accurate detailsof audit events by pulling from multiple resources and compiling into single human-readablerecords for each change. This product is part of NetWrix File Server Change Reporter whichaudits these same events on Windows file servers and DFS shares as well as other appliancessuch as EMC Celerra. It generates NetApp audit reports that include the four W’s: Who, What,When, and Where for every audited file change, permission change, or successful accessattempt, including before and after information.Using the AuditIntelligence™ technology, NetWrix is able to present complex native loggingconventions and formats into simple and easy to understand reports. NetWrix also provides upto three custom-built reports at no additional cost. The automatic collection and reporting onNetApp audits not only surpasses any native capabilities in NetApp, Windows and EMC Celerrabut expands upon them eliminating the time and effort spent collecting change auditinformation manually or through any other means making this information highly reliable, easilyunderstandable and actionable. It has the ability to sustain compliance through historicalreporting for up to 7 years and more. File integrity monitoring further extends the oversight onfiles through advanced change detection methods.In addition to file auditing for Windows, NetApp and EMC, NetWrix offers additional integratedmodules for Active Directory, Group Policy and more helping protect existing investments incurrent NetWrix product installations by offering current license credit applicable to additionallicenses of other NetWrix software solutions.See how the NetWrix NetApp Filer Change Reporter included in the NetWrix File Server ChangeReporter can help with your auditing and compliance needs.Download link:
  8. 8. White Paper: 8 File Auditing with NetApp Filer About NetWrixNetWrix Corporation is a highly specialized provider of solutions for IT infrastructure changeauditing. Change auditing is the core competency of NetWrix and no other vendor focuses onthis more extensively. With the broadest platform coverage available in the industry, innovativetechnology and strategic roadmap aiming to support different types of IT systems, devices andapplications, NetWrix offers award-winning change auditing solutions at very competitive prices,matched with great customer service. Founded in 2006, NetWrix has evolved as #1 for ChangeAuditing and Compliance as evidenced by thousands of satisfied customers worldwide. Thecompany is headquartered in Paramus, NJ, and has regional offices in Los Angeles, BostonTampa, Miami, UK and Japan. About the AuthorChris Rich has been involved in numerous aspects of IT for over 16 years including help desk,systems administration, network management, network architecture, telecom and softwaresales and sales engineering, and product management. He is also a certified technical trainer,MCSA, avid runner, musician and happily married father of two. Additional ResourcesInformation security professionals and trends - www.infosecisland.com10 Immutable Laws of Security - Corporate Blog - http://blog.netwrix.comNetApp Support Forum - Corporate Headquarters: 12 N State Rt 17, Suite 104, Paramus, NJ 07652 Office: (201) 490-8840, Toll-Free: (888) 638-9749, E-mail:©2012 All rights reserved. NetWrix is trademark of NetWrix Corporation and/or one or more of its subsidiaries and may beregistered in the U.S. Patent and Trademark Office and in other countries.All other trademarks and registered trademarks are the property of their respective owners.