1. 12 Tips to Prevent your Sensitive Data Becoming a Wikileaks Headline
By David Ricketts Head of Marketing C24
Recent worldwide controversies surrounding confidential material being supplied to
unauthorized people and sites such as Wiki Leaks by anonymous whistle-blowers
should act as a catalyst for organisations across the globe to take control of data
governance and offer a guarantee that employees have access to only the information
they need.
In our experience we have found that employees responsible for the IT function are
finding it increasingly difficult, and in some cases impossible, to manage many elements
of data governance within their organisation. Below are some tips that explain the steps
that organisations in charge of permission management of employee data access need
to take to safeguard their data. By taking these steps, the IT function will be able to
understand who can access, who is accessing, who shouldn't have access, and who
owns the data, and remediate risk faster than traditional data governance and
classification methods.
At present, IT professionals – rather than the people that create the data (be it a
spreadsheet, PowerPoint presentation or company report) – are the ones making many
of the decisions about permissions, acceptable use, and acceptable access review.
However, as IT personnel aren‘t equipped with adequate business context around the
growing volumes of data, they‘re only able to make a best effort guess as to how to
manage and protect each data set.
Until organisations start to shift the decision making responsibility to business data
owners, it is IT that has to enforce rules for who can access what on shared file
systems, and keep those structures current through data growth and user role changes.
IT needs to determine who can access data, who is accessing it, who should have
1
12 Tips David Ricketts C24

2. access, and what is likely to be sensitive.
Here are the top must-do actions for the IT team‘s ‗to do‘ list, to carry out as part of a
daily data management routine for senior executives, to create a bench mark for data
governance:
1 Identify Data Owners
The IT department should keep a current list of data business owners (e.g. those who
have created original data) and the folders and sites under their responsibility. By
having this list ―at the ready,‖ they can expedite a number of the data governance tasks,
including access authorisation, revocation and review, and identifying data for archival.
The net effect of this simple process is a marked increase in the accuracy of data
access entitlement and, therefore, data protection.
2 Remove global groups and perform data entitlement reviews
It is not uncommon for folders on file shares to have access control permissions
allowing ―everyone,‖ or all ―domain users‖ (nearly everyone) to access the data
contained. This creates a significant security risk, for any data placed in that folder will
inherit those ―exposed‖ permissions, and those who place data in these wide-open
folders may not be aware of the lax access settings. Global access to folders should be
removed and replaced with rules that give access to the explicit groups that need it.
3 Audit Permissions Changes
Access Control Lists are the fundamental preventive control mechanism in place to
protect data from loss, tampering, and exposure. IT requires the ability to capture and
report on access control changes to data – especially for highly sensitive folders. If
access is incorrectly assigned or changed to a more permissive state without good
business reason, IT and the data business owner must be quickly alerted, and able to
remediate the situation.
2
12 Tips David Ricketts C24

3. 4 Audit Group Membership Changes
Directory Groups are the primary entities on Access Control Lists (Active Directory,
LDAP, NIS, etc.); membership grants access to unstructured data (as well as many
applications, network gateways, etc.). Users are added to existing and newly created
groups on a daily basis.
5 Audit Data Access
Effective management of any data set is impossible without a record of access. Unless
you can reliably observe data use you cannot observe its misuse, abuse, or non-use.
Even if an IT department could ask its organisation‘s users if they used each data set,
the end users would be unlikely to be able to answer accurately—the scope of a typical
user‘s access activity is far beyond what humans can recall.
6 Prioritise Data
While all data should be protected, some data needs to be protected much more
urgently than others. Using data owners, data access patterns, and data classification
technology, data that is considered sensitive, confidential, or internal should be tagged
accordingly, protected and reviewed frequently.
7 Align Security Groups to Data
Whenever someone is placed in a group, they get file system access to all folders that
list the group on its ACL. Unfortunately, organisations have completely lost track of what
data folders contain which Active Directory, SharePoint or NIS groups. It is impossible
to align the role with the right data if the organisation cannot verify what data a group
provides access to.
8 Lock Down, Delete, or Archive Stale, Unused Data
Not all of the data contained on shared file servers, and network attached storage
3
12 Tips David Ricketts C24

4. devices are in active use. By archiving stale or unused data to offline storage or deleting
it, IT makes the job of managing the remainder simpler and easier, while freeing up
expensive resources. At the very least, access to inactive data should be tightly
restricted to reduce the risk of loss, tampering, or theft.
By automating and conducting the ten management tasks outlined above frequently,
organisations will gain the visibility and auditing required that determines who can
access the data, who is accessing it and who should have access.
9 Review data entitlement (ACL)
Every file and folder in a file system system has access controls assigned to it which
determine which users can access the data and how (i.e. read, write, execute, list).
These controls need to be reviewed on a regular basis and the settings documented so
that they can be verified as accurate by data business owners and security policy
auditors.
10 Revoke unused and unwarranted permissions
Users with access to data that is not material to their jobs constitutes a security risk for
organisations. Most users only need access to a small fraction of the data that resides
on file servers. It is important to review and then remove or revoke permissions that are
unused. IT should have the ability to capture and report on access control changes to
data - especially for highly sensitive folders. If access is incorrectly assigned or changed
to a more permissive state without good business reason, the data business owner will
be able to quickly identify and mitigate the situation by reporting the inconsistency to IT.
11 Delete unused user accounts
Directories may at times contain user accounts for individuals that are no longer with the
company or group. These accounts constitute a security hole. Those with a working
4
12 Tips David Ricketts C24

5. knowledge and access to user directories may retrieve information under someone
else‘s name. Organisations should routinely identify inactive users and verify that the
need for the account is still there.
12 Preserve all user access events in a searchable archive
Even for environments where the user-to-data permissions are current and accurate, it
is important to maintain a searchable archive of all user access events. This will help
organisations with triage and forensic analysis should data misuse or loss occur. IT
should be able to search on a username, filename as well as date of interest and any
combination thereof to ascertain who accessed what and how. This information can also
help expedite helpdesk call resolution.
What Are You Waiting For?
The biggest hurdle to overcome with this ‗to do‘ list is the amount of time conducting
these checks on a daily basis requires, if it is even possible! It is imperative that
businesses support their internal IT function by allowing them to utilise tools such as
Varonis so as to enable them to adopt best practice techniques so that they can
manage the business critical areas highlighted in this report.
If you would like further information about any of the areas highlighted in this report
please do not hesitate to call C24 or visit www.c24.co.uk
5
12 Tips David Ricketts C24