
File data accounts for approximately 80% of business data, according to market analyst firm IDC, and is growing at 60% per year. For example, if you have a single terabyte of file data today, you’ll have over 10 terabytes of file data five years from now. That staggering pace explains why most organizations are challenged to protect their sensitive file data.
Insider threats are the most significant factor driving the need to protect this data. The prospect of personal, financial and professional gain can drive insiders to abuse their access rights, as demonstrated by numerous media reports. Consider the following examples from the recent past:
There are five critical areas to consider when looking at improving file security in your organization:
1) Define data owners
Data owners are critical to accurately protecting files because they best understand the data and its relevance to your business. If you don't know who your data owners are, it's hard to properly secure your file data and to make well informed data management decisions. For example, on the security front, you won't be able to establish business need-to-know access without owner input. You can only guess who should and shouldn't have access to the files. It will also leave you at a loss operationally when it comes to data migrations, establishing archiving policies and knowing when file data is no longer relevant and can be purged.
In most organizations, data owners are known for only a small fraction of file data. This is because as job roles and data change, it becomes difficult to tell who owns the data at any given instant. Ultimately, the most efficient and accurate way to identify ownership is to determine who is actually using the files the most. The top data users are either going to be the data owners or, as the primary business users of the data, are going to be able to identify an owner almost instantly.
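The usage-based ownership approach above can be sketched as follows. This is an added example, not part of the original article; the audit record layout, the folder depth and the service-account list are assumptions, and the sample events are constructed.

```python
from collections import Counter, defaultdict
from pathlib import PurePosixPath

# Constructed audit records (user, operation, path); not real log data.
AUDIT_EVENTS = [
    ("alice", "write", "/shares/finance/q3/forecast.xlsx"),
    ("alice", "read", "/shares/finance/q3/forecast.xlsx"),
    ("alice", "write", "/shares/finance/budget.xlsx"),
    ("alice", "read", "/shares/finance/q2/actuals.xlsx"),
    ("bob", "read", "/shares/finance/budget.xlsx"),
    ("svc_backup", "read", "/shares/finance/budget.xlsx"),
    ("svc_backup", "read", "/shares/finance/q3/forecast.xlsx"),
    ("svc_backup", "read", "/shares/hr/reviews/2023.docx"),
    ("carol", "write", "/shares/hr/reviews/2023.docx"),
    ("carol", "read", "/shares/hr/policies/leave.docx"),
    ("dave", "read", "/shares/hr/policies/leave.docx"),
]

# Assumption: non-human accounts that touch everything and would skew the ranking.
SERVICE_ACCOUNTS = {"svc_backup"}


def folder_of(path, depth=2):
    """Collapse a file path to its top `depth` directories, e.g. /shares/finance."""
    parts = PurePosixPath(path).parts  # ('/', 'shares', 'finance', ..., 'file')
    return "/" + "/".join(parts[1:-1][:depth])  # [1:-1] drops root and file name


def owner_candidates(events, top_n=2):
    """Rank the heaviest human users of each folder with their share of activity."""
    per_folder = defaultdict(Counter)
    for user, _operation, path in events:
        if user not in SERVICE_ACCOUNTS:
            per_folder[folder_of(path)][user] += 1
    ranking = {}
    for folder, counts in per_folder.items():
        total = sum(counts.values())
        ranking[folder] = [(user, round(n / total, 2))
                           for user, n in counts.most_common(top_n)]
    return ranking


if __name__ == "__main__":
    for folder, users in sorted(owner_candidates(AUDIT_EVENTS).items()):
        print(folder, users)
```

The top-ranked user is a candidate to ask about ownership, not a confirmed owner.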
2) Understand and identify who is actually using your files.
Establishing an audit log of who is accessing file data is vital for security, compliance and IT operations. Security teams need an audit trail for forensic investigations into data breaches and other security incidents, and to spot activity that violates business policy. Compliance teams need file activity auditing to validate and document that access activity complies with regulations. And, IT operations staff use audit details to track down problems such as files that have been modified, deleted or gone missing. Auditing also forms the basis of owner identification, as discussed above.
However, continuous activity auditing for files is difficult because native operating system auditing imposes a tremendous performance impact on file servers and generates a huge volume of difficult-to-interpret audit records. As a result, organizations typically turn auditing on only after an incident has already occurred in the hope of catching a repeat offense. This results in an incomplete audit trail and won't help with events that occur only once.
The only viable solution is to deploy an auditing system that can capture all access activity without impacting server performance, and which can distil mountains of audit detail into actionable information.
3) Know who has the potential to access your files.
File access rights visibility is required by numerous regulations that address data security and is, in general, a data security best practice. By understanding the file access rights as set today on the file systems in your organization, you can see what your de facto access policy is. The rights may not reflect the desired state of security, but they will tell you what users actually have access to right now. That visibility is necessary to begin the process of remediating excessive access and for demonstrating compliance with data security regulations.
Rights visibility, analysis and problem remediation require a system that can automatically gather file rights across an entire enterprise - on each file server and NAS device. These rights have to be collected on an ongoing basis, consolidated and stored for analysis and reporting.
4) Know whose access rights should be revoked.
In most organizations, user access rights to file data are far in excess of what is required for the business. This is because user rights are frequently granted, but seldom revoked. For example, access rights are granted to users when they join the company, start a new project, change job roles, etc. But, IT staff doesn't know when users are done with their file access needs, and users themselves don't call up the help desk and ask for their access to be revoked once their needs change. As a consequence, access rights become excessive and, over time, no longer based on a business need-to-know.
Establishing rights review cycles helps maintain a business need-to-know level of access for file data.
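One way to drive such a review cycle is to compare the rights that are granted with the access that is actually used. The following is an added example, not from the original article; the group, ACL and last-access structures are constructed, the 90-day window is an assumed review period, and groups are assumed to be flat.

```python
from datetime import date, timedelta

# Constructed inputs; all names are hypothetical.
GROUPS = {"finance-team": {"alice", "bob"}, "project-x": {"bob", "carol", "dave"}}
# Folder -> principals on its ACL (group names or individual users).
ACL = {
    "/shares/finance": {"finance-team", "erin"},
    "/shares/project-x": {"project-x"},
}
# (folder, user) -> date of the most recent access seen in the audit trail.
LAST_ACCESS = {
    ("/shares/finance", "alice"): date(2024, 5, 28),
    ("/shares/finance", "bob"): date(2023, 11, 2),
    ("/shares/project-x", "carol"): date(2024, 6, 1),
    ("/shares/project-x", "bob"): date(2024, 4, 15),
}
REVIEW_DATE = date(2024, 6, 10)  # constructed "today" for the review


def effective_users(principals, groups):
    """Expand ACL principals to users (assumption: groups are flat, not nested)."""
    users = set()
    for principal in principals:
        users |= groups.get(principal, {principal})
    return users


def revocation_candidates(acl, groups, last_access, today, window_days=90):
    """List users who hold access to a folder but did not use it within the window."""
    cutoff = today - timedelta(days=window_days)
    report = {}
    for folder, principals in acl.items():
        stale = []
        for user in sorted(effective_users(principals, groups)):
            seen = last_access.get((folder, user))  # None: access never used
            if seen is None or seen < cutoff:
                stale.append((user, seen.isoformat() if seen else "never"))
        report[folder] = stale
    return report


if __name__ == "__main__":
    for folder, stale in revocation_candidates(ACL, GROUPS, LAST_ACCESS, REVIEW_DATE).items():
        print(folder, stale)
```

The output is a list for the data owner to confirm, since unused access is a signal that rights are excessive rather than proof of it.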
5) Know when access rights or activity violate corporate policy.
Rights review cycles are important, but most organizations don't conduct reviews more than quarterly. If rights are granted to the wrong people, sensitive data is left exposed to unauthorized access until the next review cycle. And, organizations that do not perform regular rights reviews may go even longer with sensitive data exposed.
The best way to detect policy violations is to thoroughly analyze file access rights and file access activity, and apply a set of checks to determine if a violation has occurred. If this can be done in an automated way and in real-time, actionable alerts can be generated so that administrators can take action as soon as problems are detected.
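A set of checks of this kind, applied to both rights changes and access activity as events arrive, might look like the following. This is an added example, not from the original article; the event tuples, the per-folder approved-user policy and the three checks are assumptions chosen for illustration, and the sample events are constructed.

```python
# Constructed policy and events; all names are hypothetical.
BROAD_PRINCIPALS = {"Everyone", "Authenticated Users", "Domain Users"}
# Sensitive folder -> users its data owner has approved.
POLICY = {"/shares/finance": {"alice", "bob"}, "/shares/hr": {"carol"}}
EVENTS = [  # (kind, principal, path)
    ("access", "alice", "/shares/finance/budget.xlsx"),
    ("grant", "Everyone", "/shares/hr"),
    ("grant", "dave", "/shares/finance/q3"),
    ("access", "dave", "/shares/finance/q3/forecast.xlsx"),
    ("access", "dave", "/shares/public/menu.pdf"),
]


def governing_folder(path, policy):
    """Return the longest policy folder that contains `path`, or None."""
    matches = [f for f in policy if path == f or path.startswith(f + "/")]
    return max(matches, key=len) if matches else None


def broad_grant(kind, who, approved):
    if kind == "grant" and who in BROAD_PRINCIPALS:
        return "rights granted to a broad group"


def unapproved_grant(kind, who, approved):
    if kind == "grant" and who not in BROAD_PRINCIPALS and who not in approved:
        return "rights granted outside the approved list"


def unapproved_access(kind, who, approved):
    if kind == "access" and who not in approved:
        return "access by a user not approved for this data"


CHECKS = [broad_grant, unapproved_grant, unapproved_access]


def evaluate(events, policy=POLICY):
    """Run every check on each event that touches a policy-governed folder."""
    alerts = []
    for kind, who, path in events:
        folder = governing_folder(path, policy)
        if folder is None:
            continue  # no policy covers this path
        for check in CHECKS:
            reason = check(kind, who, policy[folder])
            if reason:
                alerts.append((folder, who, reason))
    return alerts
```

Calling `evaluate(EVENTS)` returns one alert per violated check, so the misplaced grant to `dave` is flagged when it is made instead of at the next review cycle.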
To learn more about improving file security at your company, the 10 Building Blocks for Securing File Data describes ten phases for securing file data, including how and when to use these basic capabilities, as well as when to deploy other complementary technologies.