From Zero to Data Governance Hero

The Varonis Data Governance suite helps organizations manage and protect their unstructured and semi structured data—the documents, spreadsheets, presentations, media files and other business data in file servers, NAS devices, SharePoint and Exchange.

Speaker notes
  • How many times have you felt like this? Sustainable data governance is about embracing a methodology and a culture that treats data as a business asset rather than a technology asset. What I'd like to do today is lay out the basics of our approach and talk about how we've seen it work with some recent customers. This methodology works for all business data, but PCI can be the driver that gets your organization to adopt a platform and process that lets you do the right thing and the expedient thing at the same time.
  • We need to be able to answer these questions quickly and completely.
  • Why is this important? You can't manage what you can't measure. If you don't know who has access to data and who is accessing it, you can't possibly improve. Many businesses are completely in the dark: they have no idea where their PCI data is, who can access it, or whether it's being used or abused.
  • Inventory permissions. We do this by crawling all of your file servers, NAS devices, SharePoint sites, Exchange servers, etc. each night and analyzing the contents of every ACL. There are utilities you can use to inventory file server permissions yourself. For Windows servers, for instance, you could write a PowerShell script that enumerates all of your file servers and NAS devices and uses the Get-Acl cmdlet to query for permissions. Things to be aware of:
    • In most cases you'll have groups on an ACL and will have to cross-reference Active Directory to figure out which users are in those groups.
    • Cross-platform can be very tricky. SharePoint groups can contain Active Directory groups, and there are also custom permission levels. Boiling down effective permissions becomes complex.
    • Many companies say: we do RBAC and we have IAM. That's not enough. Just because you have neatly organized security groups based on roles doesn't mean you can answer, at any given time, which data those groups can access.
    Once you have a complete permissions inventory, you can find where global access groups are located and begin answering questions about who has access to what.
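An added example of the inventory script the note describes, not Varonis code or part of the deck: it walks a set of shares with Get-Acl, records only folders whose ACLs differ from their parents', expands Active Directory groups to users through a cache, and flags global access groups. The share names, the group names and the sample user are assumptions, and it needs the RSAT ActiveDirectory module and read access to every ACL.

```powershell
# Added example, not Varonis code. Inventory NTFS permissions across file servers,
# expand AD groups to their user members, and flag global access groups.
# Assumptions: the RSAT ActiveDirectory module is installed, the account running this
# can read every ACL, and the share list, group names and user name below are hypothetical.
Import-Module ActiveDirectory

$Shares = @('\\fs01\Finance', '\\fs02\HR', '\\nas01\Projects')

# Principals that effectively mean "everybody". Domain Users is on the list because
# every enabled account is a member of it by default.
$GlobalGroups = @('Everyone', 'Authenticated Users', 'Users', 'Domain Users')

$GroupCache = @{}
function Get-GroupUsers {
    param([string]$GroupName)
    # Resolve a group to its recursive user membership once and cache it, so a group
    # that appears on thousands of ACLs is queried only once.
    if ($GroupCache.ContainsKey($GroupName)) { return $GroupCache[$GroupName] }
    try {
        $users = @(Get-ADGroupMember -Identity $GroupName -Recursive -ErrorAction Stop |
                   Where-Object { $_.objectClass -eq 'user' } |
                   Select-Object -ExpandProperty SamAccountName)
    } catch {
        $users = @($GroupName)   # not an AD group: a user, a local account or an unresolved SID
    }
    $GroupCache[$GroupName] = $users
    return $users
}

$Inventory = foreach ($share in $Shares) {
    $folders = @(Get-Item -Path $share) +
               @(Get-ChildItem -Path $share -Directory -Recurse -ErrorAction SilentlyContinue)
    foreach ($folder in $folders) {
        $acl = Get-Acl -Path $folder.FullName
        foreach ($ace in $acl.Access) {
            # Only explicit ACEs change who can get in; inherited ones repeat the parent.
            if ($ace.IsInherited) { continue }
            $identity = $ace.IdentityReference.Value        # e.g. CORP\Finance-RW
            $name     = ($identity -split '\\')[-1]
            $isGlobal = $GlobalGroups -contains $name
            $users    = if ($isGlobal) { @() } else { Get-GroupUsers -GroupName $name }
            [pscustomobject]@{
                Path         = $folder.FullName
                Identity     = $identity
                Rights       = $ace.FileSystemRights
                Type         = $ace.AccessControlType
                GlobalAccess = $isGlobal
                UserCount    = if ($isGlobal) { 'ALL' } else { $users.Count }
                Users        = ($users -join ';')
            }
        }
    }
}

# Global access groups with Allow rights are the first remediation targets.
$Inventory | Where-Object { $_.GlobalAccess -and $_.Type -eq 'Allow' } |
    Sort-Object Path | Format-Table Path, Identity, Rights -AutoSize

# "Which data can this user reach?" becomes a filter over the inventory.
$Inventory | Where-Object { ($_.Users -split ';') -contains 'jsmith' } |
    Select-Object Path, Identity, Rights

$Inventory | Export-Csv -Path .\permissions-inventory.csv -NoTypeInformation
```

Two things to check before trusting the output: Get-ADGroupMember stops at the ADWS default of 5000 members per query, so very large groups need a different enumeration path, and this lists NTFS ACEs only. Effective access also depends on share-level permissions and on Deny ACEs, which the script records but does not subtract, so treat the result as the permissions inventory the note describes rather than an effective-access calculation.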
  • It's usually not enough to know who has access. You also want to know who is accessing data, especially if you're going to start revoking access. For this, we need to implement some sort of access auditing. Things to look for in an auditing solution:
    • Speed: if you have a busy server, you don't want your auditing mechanism adding a lot of overhead.
    • Completeness: some auditing systems, like Exchange journaling, won't capture many event types. You want to cover as much ground as possible.
    • Scalability: after the data is collected, where does it go? Is it written to the same server the event occurred on? Is it normalized? How much can you keep before you run into capacity issues?
    • Usability: if you have to grep through log files to answer simple questions, chances are you'll never actually do it. The easier it is to sort, search and alert, the more useful the audit trail will be.
  • Most operating systems have some auditing capabilities built in, but:
    • they can be resource intensive;
    • it takes subject matter expertise to configure them;
    • it takes a lot of work to combine them from multiple servers and platforms.
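As an added example of what the native Windows route involves (not Varonis code or part of the deck), the three pieces you have to put together yourself: the audit policy subcategory, a SACL on the folder tree, and a collector that flattens the resulting 4663 events into something you can sort and group. Run it elevated on the file server; the folder path and the account naming convention are hypothetical.

```powershell
# Added example, not Varonis code. Native Windows file-access auditing end to end:
# audit policy, SACL, and reading the resulting Security log events.
# Run elevated on the file server. The folder path and account names are hypothetical.
$Path = 'D:\Shares\Finance'

# 1. Policy: without the Object Access > File System subcategory enabled,
#    SACLs are evaluated but produce no events.
auditpol /set /subcategory:"File System" /success:enable /failure:enable | Out-Null

# 2. SACL: audit the operations that say who uses the data and who changes it.
#    ListDirectory and ReadAttributes are left out on purpose: they fire on every
#    Explorer browse and are the main source of the overhead the slide warns about.
$auditedRights = 'ReadData, WriteData, AppendData, Delete, DeleteSubdirectoriesAndFiles, ChangePermissions, TakeOwnership'
$ruleArgs = 'Everyone', $auditedRights, 'ContainerInherit, ObjectInherit', 'None', 'Success'
$rule = New-Object -TypeName System.Security.AccessControl.FileSystemAuditRule -ArgumentList $ruleArgs
$acl = Get-Acl -Path $Path -Audit
$acl.AddAuditRule($rule)
Set-Acl -Path $Path -AclObject $acl        # needs SeSecurityPrivilege, hence elevation

# 3. Collection: 4663 = "an attempt was made to access an object". Flatten the XML
#    so the trail can be sorted, searched and grouped instead of grepped.
function Get-FileAccessEvents {
    param([string]$PathPrefix, [datetime]$Since = (Get-Date).AddHours(-24))
    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4663; StartTime = $Since } -ErrorAction SilentlyContinue |
        ForEach-Object {
            $xml  = [xml]$_.ToXml()
            $data = @{}
            foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
            if ($data.ObjectName -like "$PathPrefix*") {
                [pscustomobject]@{
                    Time       = $_.TimeCreated
                    User       = '{0}\{1}' -f $data.SubjectDomainName, $data.SubjectUserName
                    Object     = $data.ObjectName
                    AccessMask = $data.AccessMask   # hex: 0x1 ReadData, 0x2 WriteData, 0x4 AppendData, 0x10000 DELETE
                    Process    = $data.ProcessName
                }
            }
        }
}

$events = Get-FileAccessEvents -PathPrefix $Path

# Who actually uses this data set? This is the raw input for picking owners later.
$events | Group-Object User | Sort-Object Count -Descending |
    Select-Object -First 10 Name, Count

# Writes and deletes by anyone outside the team that is supposed to own the data
# (hypothetical naming convention: finance accounts are CORP\fin-*).
$events | Where-Object { ([int]$_.AccessMask -band 0x10006) -ne 0 -and $_.User -notlike 'CORP\fin-*' } |
    Select-Object Time, User, Object, Process
```

Even this deliberately narrow SACL produces one 4663 per handle per audited right, so on a busy share the Security log wraps within hours unless its size is raised and events are forwarded off the box, and the parsing above has to be repeated per server and per platform (the NetApp, EMC and SharePoint rows on slide 11 each have their own format). That is the resource cost, expertise and consolidation effort the slide is describing.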
  • Now that we can see who has access to data and who is accessing it, it's important to start folding in content information so we can prioritize our remediation efforts. Here's the process we go through with customers:
    • Interview stakeholders to figure out which patterns are sensitive (e.g., PCI, HIPAA, patient IDs, keywords).
    • Build a library of regular expressions and key terms to search for, and rank them.
    • Load them into a scanning engine.
  • Data classification only finds important data – it doesn't give you context, like who is responsible for that data, who has and should have access to it, and what folks are doing with it. This is the problem many DLP vendors run into. We were working with an educational institution of about 15,000 users this year, and they had just implemented data classification through a DLP tool. The scan took a fair amount of time, and at the end they'd identified 193,000-some-odd violations, or instances of a file containing possibly sensitive information. What the CISO told me was, “Yesterday I had one problem: where's the sensitive data. Today I have 193,000 problems.” Which should be higher on your triage list for access control cleanup: a folder that contains 40 credit card numbers, open to 20 people, that nobody ever touches, or a folder open to the Everyone group with 300 credit card numbers that's being constantly accessed?
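An added example, not Varonis code or part of the deck, that does what the two notes above describe and then answers the triage question: a small pattern library (a Luhn-validated card-number pattern, an SSN pattern and a keyword), a recursive scan, and a score that multiplies sensitivity by exposure and by activity. The sample files are generated in a temp folder, the exposure and activity figures are constructed stand-ins for what a permissions inventory and an audit trail would supply, and the pattern weights are arbitrary.

```powershell
# Added example, not Varonis code. Pattern library with validation, a folder scan,
# and a triage score that combines hits with exposure and activity.
# The sample files, the exposure facts and the weights are constructed for the demo.

function Test-Luhn {
    param([string]$Digits)
    # Mod-10 check that separates real card numbers from random 16-digit strings.
    $sum = 0; $double = $false
    for ($i = $Digits.Length - 1; $i -ge 0; $i--) {
        $d = [int]::Parse($Digits.Substring($i, 1))
        if ($double) { $d *= 2; if ($d -gt 9) { $d -= 9 } }
        $sum += $d
        $double = -not $double
    }
    return ($sum % 10) -eq 0
}

# Pattern library from the stakeholder interviews: regex, optional validator, rank.
$Patterns = @(
    @{ Name = 'PCI card number'; Weight = 10; Regex = '\b(?:\d[ -]?){12,18}\d\b'
       Validate = { param($m) Test-Luhn ($m -replace '[ -]', '') } }
    @{ Name = 'US SSN';          Weight = 8;  Regex = '\b\d{3}-\d{2}-\d{4}\b'; Validate = $null }
    @{ Name = 'Keyword';         Weight = 1;  Regex = '(?i)\b(confidential|cardholder)\b'; Validate = $null }
)

function Get-ClassificationHits {
    param([string]$Root)
    foreach ($file in Get-ChildItem -Path $Root -File -Recurse) {
        $text = Get-Content -Path $file.FullName -Raw -ErrorAction SilentlyContinue
        if (-not $text) { continue }
        foreach ($p in $Patterns) {
            # Regex matches, then the validator drops look-alikes (e.g. numbers that fail Luhn).
            $hits = @([regex]::Matches($text, $p.Regex) | Where-Object {
                (-not $p.Validate) -or (& $p.Validate $_.Value) })
            if ($hits.Count -gt 0) {
                [pscustomobject]@{ Folder = $file.DirectoryName; File = $file.Name
                                   Pattern = $p.Name; Hits = $hits.Count; Weight = $p.Weight }
            }
        }
    }
}

function Get-TriageRanking {
    param($Hits, [hashtable]$Exposure)
    # Sensitivity alone is the "193,000 problems" list. Exposure (how many people can
    # get in) and activity (is anyone actually in there) turn it into an ordered queue.
    $Hits | Group-Object Folder | ForEach-Object {
        $sensitivity = ($_.Group | ForEach-Object { $_.Hits * $_.Weight } | Measure-Object -Sum).Sum
        $x = $Exposure[$_.Name]
        [pscustomobject]@{
            Folder       = $_.Name
            Sensitivity  = $sensitivity
            GlobalAccess = $x.GlobalAccess
            Users        = $x.UserCount
            Events30d    = $x.Events30d
            Score        = $sensitivity * $x.UserCount * (1 + $x.Events30d)
        }
    } | Sort-Object Score -Descending
}

# --- constructed demo data: two folders, mirroring the slide's triage question --------
$Root = Join-Path $env:TEMP 'dg-demo'
New-Item -ItemType Directory -Path (Join-Path $Root 'Finance'), (Join-Path $Root 'Archive') -Force | Out-Null
$valid   = '4111 1111 1111 1111'   # well-known Luhn-valid test number
$invalid = '4111 1111 1111 1112'   # same digits, broken check digit
Set-Content -Path (Join-Path $Root 'Finance\cards.csv') -Value (@($valid) * 300)
Set-Content -Path (Join-Path $Root 'Archive\old.txt')   -Value ((@($valid) * 40) + (@($invalid) * 5))

# Constructed exposure and activity facts; in practice these come from the permissions
# inventory (who can get in) and the audit trail (who actually does).
$Exposure = @{
    (Join-Path $Root 'Finance') = @{ GlobalAccess = $true;  UserCount = 2500; Events30d = 900 }  # open to Everyone, busy
    (Join-Path $Root 'Archive') = @{ GlobalAccess = $false; UserCount = 20;   Events30d = 0 }    # 20 people, untouched
}

$hits = Get-ClassificationHits -Root $Root
$hits | Format-Table Folder, File, Pattern, Hits -AutoSize
Get-TriageRanking -Hits $hits -Exposure $Exposure | Format-Table -AutoSize
Remove-Item -Path $Root -Recurse -Force
```

The Luhn validator is what keeps the Archive file from being over-counted: the five numbers with a bad check digit match the regex but are dropped before scoring. The ranking then puts the busy, globally accessible folder ahead of the larger-but-untouched one, which is the point of combining the three metadata streams rather than stopping at classification.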
  • After we’ve taken care of our sensitive content—the stuff that can really get us into a bunch of trouble—we begin to target other areas where there is excessive access.
  • How many of you are familiar with the term “permissions creep”? Even if you're not familiar with the term, you probably know the concept: people who have been at an organization for some time accumulate more and more access to data. They change roles, they get promoted, maybe they move to a different department entirely. When you change job roles, I'm sure the first thing you do is call the help desk and say, “Hey, guys, I'm changing roles, so you can revoke my access to this data set and that data set…” It never happens. If you're extremely lucky, IT has a master list or database of revocations to make for people like consultants who you know only need access for a certain period, and there's some sort of workflow in place to know when full-time employees should have access revoked. It's hard and time-consuming.
  • So what would you need in order to systematically determine desired access? If you knew someone hadn't used a set of permissions for a certain period of time, you might reasonably assume that it's safe to revoke the access. But in practice, we've found that's not good enough. If you're a member of the finance group, for instance, and you have
    Cyber-Ark's 2012 global Trust, Security and Passwords Survey: 45% of users said they have access to information that is not relevant to their role.* How do we know who should have access? Periodic data owner entitlement reviews; automated recommendations. How do we safely eliminate excess permissions without interrupting business?
  • Explain our methodology: bi-directional cluster analysis, and how modeling can prevent mistakes. (Should this slide have numbers next to the text: 1 in front of “recommendations”, 2 in front of “Click”, 3 in front of “Everything”?)
  • Why data owners? First ask yourself, honestly:
    1. Does the help desk, or IT in general, have enough business knowledge to make access control decisions about, say, finance data?
    2. Who does the help desk go to for approval when making access control changes? In most organizations the answer is the requestor's boss. This is usually NOT the right person.
    Leveraging data owners is the key to sustainable data governance. Why?
    1. They're the best informed to make decisions about access.
    2. There are more of them! IT departments can't scale, but the humans who generate business data do.
  • Challenges:
    • People changed roles frequently and there was no way to clean up excess access safely.
    • Nobody knew when sensitive data was being moved out of controlled directories.
    • IT staff were overburdened trying to figure out who should be accessing customer data.
    Policies put in place:
    • All folders containing PCI are assigned data owners.
    • Authorization requests go to owners, not IT or the help desk.
    • Authorization requests must contain a reason and an automatic revocation date.
  • We use a data-driven approach to locating owners. We look at our audit trail and determine the most active users on a given data set. The appropriate owner is almost always that person or their manager. We don't assign ownership to files; that's too intensive, even with automation. In fact, not every folder needs an owner either. We've got a methodology for demarcating the points in your file system hierarchies where owners are needed. It's quite simple:
    • Identify the topmost unique ACL in a tree where business users have access.
    • If that ACL's permissions allow write access to users outside of IT, it's considered a “demarcation point.”
    • For what's left, identify the highest-level demarcation points where non-IT users can only read data.
    • For each demarcation point, identify the most active users.
    • Correlate active users with other metadata, such as department name, payroll code, managed-by, etc.
    • This way, every folder where the business can read or write data has an owner.
    We can then designate them as the owner and send them entitlement reviews (with recommendations) on a regular basis, which they can review and digitally sign. This gets us closer to a truly mature data governance model.
  • DataPrivilege makes it easy to follow the policies you put in place for entitlement reviews, access authorization and revocation, and ethical walls. Unless the policies are made easy to follow by technology, people will make mistakes or get lazy. What's more, with a system like DataPrivilege, all actions are recorded, so you can prove to auditors that your policies are actually being followed. Some example best practices that can be automatically implemented:
    • All folders containing PCI or PII are assigned data owners.
    • Authorization requests go to owners, not IT or the help desk.
    • Authorization requests must contain a reason and an automatic revocation date.
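The demarcation-point walk and the owner-candidate step above, as an added PowerShell example that is not Varonis code: it runs Get-Acl over a tree parents-first, keeps only folders with a unique ACL, applies the write and read-only rules, then ranks users by their activity under each point. The root path and the list of IT principals are hypothetical, and the access events are constructed; in practice they would come from the access audit trail described earlier.

```powershell
# Added example, not Varonis code. Demarcation points from the slide's rules, then
# owner candidates from an access trail.
# Assumptions: $Root and the IT principal names are hypothetical; $Events is constructed
# here and would normally come from the access audit trail.

$Root         = 'D:\Shares'
$ITPrincipals = @('BUILTIN\Administrators', 'NT AUTHORITY\SYSTEM', 'CREATOR OWNER',
                  'CORP\Domain Admins', 'CORP\FileServer-Admins')

function Find-DemarcationPoints {
    param([string]$Root, [string[]]$ITPrincipals)
    # Rights that let a user change data; any other Allow right counts as "read".
    $writeRights = [System.Security.AccessControl.FileSystemRights]'WriteData, AppendData, Delete, DeleteSubdirectoriesAndFiles, ChangePermissions, TakeOwnership'
    $points  = New-Object System.Collections.Generic.List[object]
    $folders = @(Get-Item -Path $Root) +
               @(Get-ChildItem -Path $Root -Directory -Recurse -ErrorAction SilentlyContinue)
    # Parents before children, so "is an ancestor already a demarcation point?" is answerable.
    foreach ($f in ($folders | Sort-Object { $_.FullName.Length })) {
        $acl      = Get-Acl -Path $f.FullName
        $explicit = @($acl.Access | Where-Object { -not $_.IsInherited })
        # A folder that only inherits has no ACL of its own; it belongs to its parent's owner.
        if ($explicit.Count -eq 0 -and -not $acl.AreAccessRulesProtected) { continue }
        $business = @($explicit | Where-Object {
            $_.AccessControlType -eq 'Allow' -and $ITPrincipals -notcontains $_.IdentityReference.Value })
        if ($business.Count -eq 0) { continue }
        $canWrite = [bool]($business | Where-Object { ($_.FileSystemRights -band $writeRights) -ne 0 })
        $underExisting = [bool]($points | Where-Object { $f.FullName.StartsWith($_.Path + '\', 'OrdinalIgnoreCase') })
        # Rule 1: a unique ACL that lets non-IT users write is always a demarcation point.
        # Rule 2: a read-only one counts only when no ancestor is already a demarcation point.
        if ($canWrite -or -not $underExisting) {
            $points.Add([pscustomobject]@{
                Path       = $f.FullName
                Access     = if ($canWrite) { 'read/write' } else { 'read-only' }
                Principals = (($business.IdentityReference.Value | Sort-Object -Unique) -join ';')
            })
        }
    }
    return $points
}

function Get-OwnerCandidates {
    param($Points, $Events, [int]$Top = 3)
    # For each demarcation point, rank users by how much they actually touch it.
    # The top user, or that person's manager, is the first owner candidate.
    foreach ($p in $Points) {
        $scoped = $Events | Where-Object { $_.Object.StartsWith($p.Path + '\', 'OrdinalIgnoreCase') }
        $ranked = $scoped | Group-Object User | Sort-Object Count -Descending | Select-Object -First $Top
        [pscustomobject]@{
            Path       = $p.Path
            Access     = $p.Access
            Candidates = (($ranked | ForEach-Object { '{0} ({1})' -f $_.Name, $_.Count }) -join ', ')
        }
    }
}

# Constructed access trail (in practice: audit events for the last 30-90 days).
$Events = @(
    [pscustomobject]@{ User = 'CORP\jsmith';     Object = 'D:\Shares\Finance\Budgets\fy13.xlsx' }
    [pscustomobject]@{ User = 'CORP\jsmith';     Object = 'D:\Shares\Finance\Budgets\fy12.xlsx' }
    [pscustomobject]@{ User = 'CORP\alee';       Object = 'D:\Shares\Finance\Budgets\fy13.xlsx' }
    [pscustomobject]@{ User = 'CORP\tbrown';     Object = 'D:\Shares\Marketing\Campaigns\q4.pptx' }
    [pscustomobject]@{ User = 'CORP\svc-backup'; Object = 'D:\Shares\Finance\Budgets\fy13.xlsx' }
)
# Service accounts touch everything; strip them before ranking or they become "owners".
$Events = $Events | Where-Object { $_.User -notlike 'CORP\svc-*' }

$points = Find-DemarcationPoints -Root $Root -ITPrincipals $ITPrincipals
Get-OwnerCandidates -Points $points -Events $Events | Format-Table -AutoSize
# Next step per candidate: Get-ADUser -Identity jsmith -Properties Department, Manager
# to confirm department and manager, then send that owner the entitlement review.
```

The IT-principal list is the one judgement call in this walk: any group left off it is treated as a business user, so a folder writable only by a forgotten admin group would be handed an owner it does not need. Review that list against the permissions inventory before running the walk across a whole share.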
  • I urge you to see a demo of DatAdvantage and DataPrivilege to see how data governance becomes so much more a reality once you have automation in place.
  • Transcript

    • 1. FROM ZERO TO DATA GOVERNANCE HERO A PLAYBOOK FOR SUSTAINABLE DATA PROTECTION Varonis Systems. Proprietary and confidential. Sign up for a free evaluation
    • 2. AGENDA: What is sustainable data governance? Overview of the Varonis Operational Playbook. A deeper look at the 5 steps: how can we take action today? Takeaways. Questions.
    • 3. Here's some software… good luck!
    • 4. QUESTIONS WE AIM TO ANSWER: WHO has access to a data set? WHO should have access to a data set? WHO has been accessing it? WHICH data is sensitive? WHO is the data owner? WHERE is my sensitive data overexposed, and how do I fix it? …so how do we do it?
    • 5. GOVERNANCE OPERATIONAL OVERVIEW [diagram; axis label: Risk]
      • Profile Data Use & Authorization Structure: Enable Audit Trail; Inventory Permissions
      • Identify Critical Data: Classify and Tag Sensitive, High Profile Data
      • Reduce Excess Access: Global Access Groups; Excessive Group Membership
      • Identify Key Users & Owners: Perform Entitlement Reviews; Formalize and Enforce Existing Processes
      • Define & Implement DG Policies: Authorization; Recertification; Handling Policies for Sensitive Data
    • 6. Profile data use & authorization structure
    • 7. Remove the blinders
    • 8. WHO CAN ACCESS DATA? Users/Groups | ACLs | Access Activity | Content
    • 9. WHO DOES ACCESS DATA? Users/Groups | ACLs | Access Activity | Content
    • 10. WHAT TO LOOK FOR IN AN AUDITING SOLUTION: Speed, Completeness, Scalability, Usability
    • 11. NATIVE AUDITING SYSTEMS
      System      Method
      Windows     Event auditing
      Solaris     BSM
      AIX         Audit
      Linux       Auditd
      NetApp      fpolicy
      EMC VNX     CEPA
      Exchange    Journaling & Diagnostics
      SharePoint  Event auditing
    • 12. Identify critical data
    • 13. Classification
    • 14. WHERE IS MY SENSITIVE DATA? Users/Groups | ACLs | Access Activity | Content
    • 15. QUOTE FROM A CIO ON DLP: “Yesterday I had one problem: where's my sensitive data? Today I have 193,000 problems.”
    • 16. WHERE IS SENSITIVE DATA OVEREXPOSED? Users/Groups | ACLs | Access Activity | Content
    • 17. NOW YOU HAVE A STARTING POINT
    • 18. Reduce excess access
    • 19. Permissions Creep
    • 20. WHO SHOULD HAVE ACCESS TO DATA? Users/Groups | ACLs | Access Activity | Content | Magic
    • 21. RECOMMENDATIONS AND MODELING
    • 22. Identify owners
    • 23. WHY DATA OWNERS?
    • 24. HBR ON DATA OWNERS: “You don't manage people assets the same way you manage capital assets. Nor should you manage data assets in the same way you manage technology assets. This may be the most fundamental reason for moving responsibility for data out of IT.” http://blogs.hbr.org/cs/2012/10/get_responsiblity_for_data_out.html
    • 25. WHO USES DATA THE MOST? Users/Groups | ACLs | Access Activity | Content
    • 26. WHICH FOLDERS NEED OWNERS?
      • Identify the topmost unique ACL in a tree where business users have access.
      • If that ACL's permissions allow write access to users outside of IT, it's considered a “demarcation point.”
      • For what's left, identify highest-level demarcation points where non-IT users can only read data.
      • For each demarcation point, identify the most active users.
      • Correlate active users with other metadata, such as department name, payroll code, managed by, etc.
      • This way, every folder where the business can read or write data has an owner.
    • 27. Define & implement policies
    • 28. THE MENTOR NETWORK: “Following the introduction of DataPrivilege [in Minnesota], the workload for our team managing the shares for that state has decreased by 50%.”
    • 29. Takeaways
    • 30. ZERO (before you start): Access is a mystery, lots of excess. Activity is a mystery, who knows? Owners are unknown and not involved. Preventive controls are in rough shape and there are no detective controls: a recipe for disaster. Processes are likely manual.
    • 31. HERO (after you finish): Access is known. Use is audited. Owners review access, with intelligence. Abuse is flagged. Preventive controls are optimized and detective controls are in place. Processes are automated.