
Varonis Usage Example: Reducing Risk

The Business Case for Data Governance
Varonis Systems, Inc.

CONTENTS

Overview ..... 1
Traditional/Manual Approaches ..... 1
    How do I find and remediate global access through the Everyone group, Authenticated Users, etc.? ..... 1
    Where do my users have excessive permissions? ..... 2
    How do I revoke permissions without disrupting my users, or test changes before I make them? ..... 2
    How can I make permissions and group changes more easily? ..... 2
    How can I identify which data is the most sensitive? ..... 2
Varonis Approaches ..... 3
    DatAdvantage Quickly Shows Where Data is Most at Risk ..... 3
    Varonis DatAdvantage Shows How to Fix Those Folders Most at Risk ..... 5
    DatAdvantage Can Simulate Changes ..... 6
    DatAdvantage Shows Excessive Group Memberships ..... 8
    Easily Commit Changes with DatAdvantage ..... 10
About The Varonis Metadata Framework ..... 11
Varonis Data Governance Suite ..... 12
    Varonis DatAdvantage for Windows, UNIX/Linux and SharePoint ..... 12
    Varonis DataPrivilege ..... 13
    Varonis Data Classification Framework ..... 14
Learn More ..... 14

Reducing Risk

OVERVIEW

When reducing risk, the most important question is, "Where to begin?" Varonis is the only solution that identifies the highest concentrations of sensitive data that are most at risk and provides a clear methodology to remediate that risk and maintain an optimal security posture.

Varonis DatAdvantage gives organizations the tools and intelligence to quickly and effectively reduce risk, providing actionable intelligence to answer pressing data governance questions, like:

• How do I find and remediate global access through the Everyone group, Authenticated Users, world-writable files in UNIX/Linux, etc.?
• Where do my users have excessive permissions?
• How do I revoke permissions without disrupting my users, or test changes before I make them?
• How can I make permissions and group changes more easily?
• How can I identify which data is the most sensitive?

Traditionally, these questions have been difficult to answer.

TRADITIONAL/MANUAL APPROACHES

How do I find and remediate global access through the Everyone group, Authenticated Users, etc.?

Microsoft Windows directories contain global groups like Everyone, Authenticated Users, and Domain Users. These groups are often added to the access control lists of folders and SharePoint sites, granting access to everyone in the directory and exposing data far beyond the number of required users.

Simply finding these open access points can be problematic, and without automation there is no way to accomplish this without checking the ACL of every folder manually. Once file systems get large enough, this becomes an intractable problem. As data grows, so do the number of data containers and the number of containers open to global access groups—the problem gets worse.


WORLDWIDE HEADQUARTERS: 499 7th Ave., 23rd Floor, South Tower, New York, NY 10018. Phone: 877-292-8767. [email protected]
EUROPE, MIDDLE EAST AND AFRICA: 1 Northumberland Ave., Trafalgar Square, London, United Kingdom WC2N 5BW. Phone: +44-0-800-756-9784. [email protected]

Even if IT is able to find folders open to global access, the problem of remediating that access remains. Traditionally, IT will attempt to divine the users that require access to the folder and grant them access as the global group is removed. In almost all cases, however, IT receives support requests from users whose business has been disrupted by the removal of their access.

Where do my users have excessive permissions?

As users move through an organization, with changing roles and responsibilities, file and folder permissions tend to be granted—but rarely taken away. IT is able to grant access when required but is rarely notified when access is no longer needed (before an employee leaves the organization). This means that many users and groups have far more access than is required for their current role. Even worse, the common practice of “cloning” user access for new team members means that excessive access can propagate unchecked across an organization.

Discovering and removing excessive access is difficult or impossible for many organizations. While companies may perform regular entitlement reviews which examine current access levels, without good intelligence surrounding what access a given user or group actually has, it’s virtually impossible to reduce access levels without adversely affecting the business. IT rarely tries to remove access because such actions might have unintended consequences that impact business process.

How do I revoke permissions without disrupting my users, or test changes before I make them?

When IT discovers excessive permissions on a folder or within a directory group, it’s often unclear what effects the removal of that access might have on the organization. Even with a QA environment designed to mirror production, the actual effects of a change will not likely be apparent, since there is usually little to no actual business activity within the QA environment. Without a way to test permissions changes, IT is reluctant to revoke permissions on production systems.

How can I make permissions and group changes more easily?

Since there is no unified interface within Windows, SharePoint, or Unix/Linux for looking at file and folder access control lists and directory group membership, it can be difficult to make sure that planned changes are synchronized across the infrastructure. Changes to file and folder ACLs must be done on the file server, while group membership changes are made through the directory service (Active Directory, LDAP, etc.). To complicate matters, these functions are often separated into different IT groups, so planned changes can be difficult to synchronize, increasing their complexity.

How can I identify which data is the most sensitive?

Understanding which data is the most business-critical is difficult even when the content and data owner of a folder are well-defined. While some data is obviously sensitive—financial records and personal information, for example—other sensitive data can be much harder to identify. IT departments can enlist the help of data owners or manually scan files individually, but without intelligence and automation there is simply no way to know which user-generated content could potentially contain sensitive data. At best, IT will only be able to identify a subset of critical data and, without intelligence about access and user activity, will have only a partial understanding of how best to protect it.


VARONIS APPROACHES

DatAdvantage Quickly Shows Where Data is Most at Risk

The Varonis Data Classification Framework provides visibility into the content of data across file systems and SharePoint sites and integrates that information into the Varonis Metadata Framework. Classification information based on pattern matching and dictionary search technology is integrated into the DatAdvantage user interface to provide actionable intelligence to IT on where sensitive content resides, who has access to it, who is accessing, and where excess access can be reduced.

With DCF, IT administrators can quickly see which folders contain sensitive data, which ones are over-exposed, which are being accessed, and by whom. Here is a screenshot of folders that are open to the Everyone group (green folders) AND contain sensitive data (those with a Violation Count):


With automated, data-driven reports, IT administrators and data owners can get regular intelligence about which critical folders are most exposed. The “Classification and Priorities” and “Over Permissive Critical Folders” reports are useful tools for administrators to identify where risk can quickly and effectively be reduced.

Prioritized List of at Risk Folders 

High Profile at Risk Folders 


Varonis DatAdvantage Shows How to Fix Those Folders Most at Risk

Varonis DatAdvantage provides the ability for IT administrators to quickly see everywhere across the file system infrastructure that a global group has access. Because user and group information is combined in the metadata framework with file and folder permissions data from the file server, Varonis is able to quickly display every folder accessible to any user or group (green folders indicate access):


One way to reduce risk quickly is to generate a report on which folders containing sensitive data are open to global access groups like Everyone, Domain Users, or Authenticated Users, and which users are accessing those folders via the global access groups:

DatAdvantage Can Simulate Changes

Once excess access to a resource has been uncovered, it can be difficult to remove without impacting normal business process. Because Varonis collects a full audit trail of file system events, DatAdvantage can provide the ability to simulate permissions changes within the Varonis sandbox. Administrators can test the removal of access in DatAdvantage to see which users have been actively using the permissions that they would like to revoke—these are displayed in the DatAdvantage Errors pane:


This list can then be reviewed, and/or simulation can continue.

For example, proper group access can be determined and added to the folder—still without affecting the production environment. In the screenshot below, the Everyone group has been removed and a smaller group (Legal) added. Additionally, an active user of the Legal folder is being added to the Legal group:

After confirming that proposed changes will have no adverse impact on users that have been actively accessing the target folder, all changes can be executed right from DatAdvantage (see Easily Commit Changes with DatAdvantage, below).


DatAdvantage Shows Excessive Group Memberships

DatAdvantage simplifies identifying stale or excessive group memberships. Because Varonis collects information about who can access data, along with a full audit trail of who is accessing the data, DatAdvantage is able to combine those two data streams and perform a sophisticated bi-directional cluster analysis. Within the DatAdvantage Work Area, DatAdvantage displays which users can be safely removed from each group—these users are highlighted with red X’s next to their names. These users do not access the same data sets as other members in this group—their access patterns indicate that they actually belong to a different work cluster, and are good candidates for inspection when performing an entitlement review. When data owners are provided with DatAdvantage recommendations, they quickly recognize users that have left their business unit, should only have been granted temporary access but were not removed, and potential group membership errors. (Entitlement Reviews can be fully automated with DatAdvantage and DataPrivilege).


Varonis can also make recommendations on a user basis to help assess the effectiveness of Role Based group assignments, to identify unneeded security groups prior to cloning, or to review access for a single user. DatAdvantage will display which groups a user can be safely removed from without affecting their normal activity:
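The simulation workflow from the previous section (remove Everyone, add a smaller group, add the active user) and the group-membership recommendations described here, as an added Python example that is not Varonis code: groups, users, UNC paths and audit events are all constructed, and “safe to remove” is modelled simply as “no observed access would break”, a stand-in for the bi-directional cluster analysis the paper mentions.

```python
"""Permission-change simulation against observed access activity.

Added example, not Varonis code: a toy version of the approach the
whitepaper describes. Directory groups, folder ACLs and audit events are
constructed sample data; folder and user names are made up.
"""

EVERYONE = "Everyone"  # implicit group: matches every user

# Constructed directory: group -> members.
GROUPS = {
    "Domain Users": {"alice", "bob", "carol", "dave"},
    "Legal": {"alice", "bob"},
    "Finance": {"carol", "dave"},
}

# Constructed ACLs: folder -> principals (users or groups) granted access.
LEGAL = r"\\fs01\shares\Legal"
FINANCE = r"\\fs01\shares\Finance"
TEMPLATES = r"\\fs01\shares\Templates"
ACLS_BEFORE = {LEGAL: {EVERYONE}, FINANCE: {"Finance"}, TEMPLATES: {"Domain Users"}}

# The whitepaper's scenario: Everyone is removed from the Legal folder and a
# smaller Legal group is put on the ACL in its place.
ACLS_PROPOSED = {**ACLS_BEFORE, LEGAL: {"Legal"}}

# Constructed audit trail for the review window: (user, folder) accesses.
EVENTS = [
    ("alice", LEGAL), ("bob", LEGAL), ("carol", LEGAL),  # carol is not in Legal
    ("carol", FINANCE), ("dave", FINANCE), ("alice", TEMPLATES),
]


def has_access(user, folder, acls, groups):
    """True if `user` reaches `folder` directly or via a group on its ACL."""
    for principal in acls.get(folder, set()):
        if principal in (EVERYONE, user) or user in groups.get(principal, ()):
            return True
    return False


def simulate(acls, groups, events):
    """Observed accesses that the proposed ACLs/groups would no longer permit.

    A non-empty result is the whitepaper's 'Errors pane': active users who
    would be disrupted. An empty result means the change is safe to commit.
    """
    return {(u, f) for u, f in events if not has_access(u, f, acls, groups)}


def _safe_without(acls, groups, events, group, user):
    """True if removing `user` from `group` adds no newly broken accesses."""
    trial = {**groups, group: groups[group] - {user}}
    return simulate(acls, trial, events) == simulate(acls, groups, events)


def removable_members(group, acls, groups, events):
    """Members whose observed activity never depends on `group`."""
    return {u for u in groups[group] if _safe_without(acls, groups, events, group, u)}


def removable_groups(user, acls, groups, events):
    """Groups `user` can leave without affecting their observed activity.

    Each removal is evaluated on its own; apply one, then re-simulate.
    """
    return {g for g, m in groups.items()
            if user in m and _safe_without(acls, groups, events, g, user)}


# Final step of the scenario: the active user is added to the smaller group.
GROUPS_FIXED = {**GROUPS, "Legal": GROUPS["Legal"] | {"carol"}}

if __name__ == "__main__":
    print("errors after removing Everyone:", simulate(ACLS_PROPOSED, GROUPS, EVENTS))
    print("errors after adding carol to Legal:", simulate(ACLS_PROPOSED, GROUPS_FIXED, EVENTS))
    print("can leave Domain Users:", removable_members("Domain Users", ACLS_PROPOSED, GROUPS_FIXED, EVENTS))
    print("carol can leave:", removable_groups("carol", ACLS_PROPOSED, GROUPS_FIXED, EVENTS))
```

Removing Everyone alone flags carol as an active user who would be cut off; adding her to Legal clears the errors, after which the recommendations show that only alice still relies on Domain Users (for the Templates folder).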


Easily Commit Changes with DatAdvantage

Once an IT administrator has decided on necessary permissions changes, DatAdvantage provides the capability to commit those changes directly to the file and directory servers. With proper credentials, an administrator can commit changes, schedule them if necessary, and roll back changes right from the DatAdvantage interface:


ABOUT THE VARONIS METADATA FRAMEWORK

Ongoing, scalable data protection and management require technology designed to handle an ever-increasing volume and complexity—a metadata framework.

Four types of metadata are critical for data governance:

• User and Group Information – from Active Directory, LDAP, NIS, SharePoint, etc.
• Permissions Information – knowing who can access what data in which containers
• Access Activity – knowing which users do access what data, when and what they’ve done
• Sensitive Content Indicators – knowing which files contain items of sensitivity and importance, and where they reside

The Varonis metadata framework non-intrusively collects this critical metadata, generates metadata where existing metadata is lacking (e.g. through its file system filters and content inspection technologies), pre-processes it, normalizes it, analyzes it, stores it, and presents it to IT administrators in an interactive, dynamic interface. Once data owners are identified, they are empowered to make informed authorization and permissions maintenance decisions through a web-based interface—decisions that are then executed—with no IT overhead or manual backend processes.

The Varonis Data Governance Suite will scale to present and future requirements using standard computing infrastructure, even as the number of functional relationships between metadata entities grows exponentially. As new platforms and metadata streams emerge, they will be seamlessly assimilated into the Varonis framework, and the productive methodologies it enables for data management and protection.


VARONIS DATA GOVERNANCE SUITE

Varonis provides a complete metadata framework and integrated product suite for governing unstructured data on file servers, NAS devices and (semi-structured) SharePoint servers. Varonis DatAdvantage, DataPrivilege, and the Data Classification Framework provide organizations the ability to effectively manage business data through actionable intelligence, automation of complex IT tasks, and sophisticated workflow management.

Varonis DatAdvantage for Windows

Varonis DatAdvantage for UNIX/Linux

Varonis DatAdvantage for SharePoint

DatAdvantage provides a single interface through which administrators can perform data governance activities.

• Visibility
    o Complete, bi-directional view into the permissions structure of unstructured and semi-structured file systems:
        o Displays data accessible to any user or group, and
        o Users and groups with permissions to any folder or SharePoint site
    o User and group information from directory services is linked directly with file and folder access control data
• Complete Audit Trail
    o Usable audit trail of every file touch on monitored servers
    o Detailed information on every file event in a normalized database that is searchable and sortable
    o Data collection performed with minimal impact to the file server and without requiring native Windows or Unix auditing
• Recommendations and Modeling
    o Actionable intelligence on where excess file permissions and group memberships can be safely removed without affecting business process
    o Model permissions changes without affecting production environments
• Data Ownership Identification
    o Statistical analysis of user activity effectively identifies business owners of data
    o Automated reports involve data owners in data governance processes
    o Facilitates round-trip data owner involvement via DataPrivilege


Varonis DataPrivilege

DataPrivilege automates data governance by providing a framework for users and data owners to be directly involved in the access review and authorization workflows. A web interface for data owners, business users, and IT administrators automates data access requests, owner and IT authorization of changes, automated entitlement reviews, and business data policy automation (e.g. ethical walls). A complete audit trail ensures that data governance policies are in place and being adhered to.

• Automated Entitlement Reviews
    o Data owners are provided scheduled entitlement reviews with recommendations for access removal (generated by DatAdvantage)
    o Reviews can be scheduled based on business policy
• Access Control Workflow
    o Users can request access to data and group resources directly, providing explanation and duration
    o Data owners and other stakeholders are automatically involved in the authorization process
    o Permissions changes are carried out automatically once approval requirements are met
    o Permissions revocations are carried out automatically on their assigned expiration
• Business Policy Implementation
    o Multiple levels of authorization provide automated implementation of business and IT data governance policy
    o Ethical wall functionality enforces data access policies
• Complete Self-Service Portal
    o Data owners can view and manage permissions on their data and groups without requiring elevated access privileges, if desired
    o Data owners can view access activity and statistics about their data, if desired
• Complete Audit Trail and Reporting
    o All workflow events are recorded for audit and reporting, which can prove the enforcement of governance practices
    o Authorizations, entitlement reviews, and other management reports provide evidence of process adherence


Varonis Data Classification Framework

The Varonis Data Classification Framework gives organizations visibility into the content of data, providing intelligence on where sensitive data resides across its file systems. By integrating file classification information—from either the included classification engine or from a third-party classification product—alongside the rest of the Varonis metadata in the DatAdvantage interface, DCF enables actionable intelligence for data governance, including a prioritized report of those folders with the most exposed permissions AND containing the most sensitive data.

• Actionable Intelligence
    o Classification information provides visibility into business-critical content from within the Varonis IDU
    o Organizations can see where their most sensitive data is over-exposed along with actionable recommendations on where that access can be reduced
• Extensible Architecture
    o The provided data classification engine provides a powerful and flexible method for classifying sensitive data through regular expressions and dictionary searches
    o The Data Classification Framework can also integrate content classification data from third-party classification and DLP products, extending the ability of both
• Intelligent, fast
    o True incremental scanning is attained with DatAdvantage real-time knowledge of all file creations and modifications—only new data is classified
    o Produces rapid-time-to-value results that have a clear remediation path or “next step”
    o Produces results dramatically faster than traditional approaches
• Leverages existing infrastructure
    o Can use either its built-in classification engine or those already deployed
    o Uses the unique meta-data layer created by the Varonis Intelligent Data Use (IDU) Framework
    o Builds on the foundation of the Varonis IDU Framework, with no need for additional servers or storage
    o Results flow into Varonis DatAdvantage and Varonis DataPrivilege (future)
• Easy, powerful classification rules
    o Rules match a combination of content AND meta-data conditions (e.g. creator, accessing user, permissions sets)
    o Prioritization based on Varonis metadata (e.g. scan the most exposed folders first)
    o Files are searched for keywords, phrases and/or regular expression patterns
    o Dynamic/auto-updated dictionary matching capabilities
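An added Python example (not Varonis code) of the rule model listed above: regex and dictionary rules applied to file contents, a scan order driven by ACL exposure, and the result reported as exposed folders ranked by violation count, in the spirit of the “Over Permissive Critical Folders” report mentioned earlier. Rule names, folders, ACLs and file texts are all constructed.

```python
"""Classification rules combining content matches with permissions metadata.

Added example, not Varonis code: a toy of the rule model the whitepaper
lists (regex and dictionary matches, exposure-first scan order, a report of
exposed folders ranked by violation count). All data below is constructed.
"""
import re

GLOBAL_GROUPS = {"Everyone", "Authenticated Users", "Domain Users"}

# Constructed rules: name -> (regex or None, set of dictionary terms).
RULES = {
    "US-SSN": (re.compile(r"\b\d{3}-\d{2}-\d{4}\b"), set()),
    "Card-PAN": (re.compile(r"\b(?:\d[ -]?){13,16}\b"), set()),
    "Confidential": (None, {"confidential", "attorney-client", "do not distribute"}),
}

# Constructed inventory: folder -> ACL principals, folder -> {file: text}.
LEGAL = r"\\fs01\shares\Legal"
HR = r"\\fs01\shares\HR"
FINANCE = r"\\fs01\shares\Finance"
ACLS = {LEGAL: {"Everyone"}, HR: {"Authenticated Users", "HR"}, FINANCE: {"Finance"}}
FILES = {
    LEGAL: {"retainer.txt": "ATTORNEY-CLIENT privileged. Do not distribute.",
            "nda.txt": "CONFIDENTIAL settlement terms.",
            "lunch.txt": "Pizza on Friday."},
    HR: {"payroll.txt": "Jane Doe, SSN 123-45-6789", "handbook.txt": "Welcome aboard."},
    FINANCE: {"cards.txt": "Card 4111 1111 1111 1111 exp 12/29"},
}


def classify(text, rules=RULES):
    """Names of the rules whose regex or dictionary terms match `text`."""
    lowered = text.lower()
    return {name for name, (pattern, terms) in rules.items()
            if (pattern and pattern.search(text)) or any(t in lowered for t in terms)}


def is_exposed(folder, acls=ACLS):
    """True if a global access group sits on the folder's ACL."""
    return bool(acls.get(folder, set()) & GLOBAL_GROUPS)


def scan_order(folders, acls=ACLS):
    """Metadata-driven prioritisation: scan the most exposed folders first."""
    return sorted(folders, key=lambda f: (not is_exposed(f, acls), f))


def violation_counts(files=FILES, rules=RULES):
    """folder -> number of files that hit at least one rule."""
    return {f: sum(1 for text in docs.values() if classify(text, rules))
            for f, docs in files.items()}


def over_permissive_critical(acls=ACLS, files=FILES, rules=RULES):
    """Exposed folders with violations, most violations first.

    Where global access and sensitive content coincide is where remediation
    reduces the most risk for the least effort.
    """
    counts = violation_counts(files, rules)
    rows = [(f, counts[f], sorted(acls[f] & GLOBAL_GROUPS))
            for f in scan_order(files, acls) if is_exposed(f, acls) and counts[f]]
    return sorted(rows, key=lambda r: -r[1])


if __name__ == "__main__":
    for folder, count, via in over_permissive_critical():
        print(f"{folder}: {count} violation(s), open via {', '.join(via)}")
```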

Learn More

Phone: 877-292-8767

[email protected]

www.varonis.com/products