Part 3: Mitigating the risk of internal breach

In parts 1 and 2 of this blog series, we outlined how access governance, single sign-on and automated provisioning ensure that users have accurate permissions and access within an organizations hybrid IT environment, both on premise and in the cloud.

Today, I want to focus on cleaning up file shares to ensure the aforementioned solutions have a clean slate from which to operate. If you think about it akin to cleaning a room, you would pick clothes off the floor before vacuuming it, right? Similarly, you should clean up your file system before allocating resources in to securing it.

Let's start with the basics... Is your file system polluted?

Unfortunately, it probably is. Cleaning up pollution, and preventing that pollution from reoccurring, is a big headache for the IT department. The tools available to help have always been limited or overpriced, at best. How can you determine which folders are never used and which need to be cleaned up? Who has access to a folder and who has access that should not? These questions cost system administrators substantial effort to answer. ERAM from Tools4ever is the robust and affordable answer to these questions in real time. It enables the safe delegation of access management to data owners, which reduces permission pollution and mitigates the risk of internal breach.

From data to information

Information about file system access is stored in different parts of the network: in the file system itself, in Active Directory groups and in access logs. The information is widely dispersed and often is tremendous in size. ERAM collects and stores all this information in a SQL database and uses it to answer complex access questions needed to meet compliance pressures such as HIPAA and SOX. ERAM allows administrators and security officers the ability to detect pollution and carry out clean-up operations – facilitating data-use auditing or preparation for compliance efforts whenever necessary.

How does ERAM clean up your file system?

ERAM determines which data is no longer utilized - about 75 percent on average - and allows you fix the access permissions via the web interface. With file system data changing continuously, periodically executing ERAM's Collection Module ensures the information is always up-to-date in order to facilitate pre-emptive or timely action. When you see a folder no one is accessing, ERAM provides the option to revoke all access rights. Alternately, you can adjust a user's access so that they can/cannot read, write or edit files in a specific folder. ERAM keeps this process consistent yet configurable should your business rules change. You can have scheduled or on-demand reports so your team are always up to date with permissions.

Data Management

File systems are normally divided into projects, departments and home folders. You know the layout, but who are the actual owners? Analyzing your organization's data usage provides the perfect starting point for delegating management from the IT helpdesk to the real owners within the business. ERAM's intuitive Data Management module will help to assign data owners within the organization. Data managers can then click on a folder to see who has access to that folder and grant/revoke/regulate access accordingly via the user-friendly interface, all without IT intervention. The final delegation step is Self-Service, whereby end users themselves request access to a folder. Managers can quickly approve or deny changes, which are appropriately implemented in the file system.

Preventing Breach

With ERAM, it is also possible to see which employees have never actually used their access to a specific folder and remove that access based upon the real-world business case. Moving forward, only the correct people will have access to what they need, when they need it.Each user having the correct access - no more, no less - is key to mitigating internal data breach.

The bi-directional nature of ERAM's reports offers both user to resource and resource to user views. This allows you to quickly respond to internal breaches by pulling all users activity and/or checking who has accessed a particular file that may contain the leaked information. ERAM shows you what actions a user carried out - reading, writing or editing - on a file and allows you to immediately disable or revoke access on suspicious user accounts. With a few clicks, ERAM can find the source of breach and facilitate a quick response.

With over 19 years in the industry and over 5,000 customers worldwide, we have found file shares to contain an average of 75% pollution. While implementing identity and access management solutions will keep your access trails accountable and secure, they do not address the permission pollution already caused. ERAM analyzes and cleans your file system while also offering transparency useful for responding to audits and internal breach.

Battle of the email solutions: exchange vs. google apps

In the industry I am in, with the job functions I perform daily, I see more and more organizations moving from an in-house email solution such as Exchange to cloud-based email solutions like Office 365 and Google Apps. This is due to many reasons and an easy way to see why is to compare Exchange and Google Apps.

Read more

Category

Identity en Access Management

automated account management, cloud based email solutions, Compage Exchange and Google Apps, compare cloud based email solution, compare email solutions, Exchange, Google Apps

How to manage credentials the easy way

A seemingly simple, yet tedious task for anyone in the information technology field is credential management. End users are given usernames and passwords for various systems in an organizations environment, and the hope is that the end users can manage these credentials with very little issue or assistance.

Read more

Account Management in Education: How Can It Be Improved?

Many school districts and even some higher-learning institutions have their technological infrastructure run by a skeleton crew due to things such as politics and budgetary constraints. Situations such as this can often lead to many issues within the organization: Lack of network resources for end users Inability to properly support end users and systems No time to research and implement newer technology This causes frustrated overworked admins to think outside the box and turn to other solutions, such as software-based, automated or semi-automated identity management.

Read more

Group Policy Object; What is it and how can it allow for seamless deployment of software

In any organization from a small business to a large enterprise, control over user’s access to various resources on the network is a key component of managing the corporate environment. Access to resources such as network shares and printers to things such as settings on local stations, are just some of the items an administrator wants to manage centrally and cohesively. A common method to manage domain resources like this is via Group Policy in Active Directory.

Read more

What is the Next Step in the Evolution of the Password?

Passwords are the most common form of authentication and the current de-facto standard. In fact, passwords have existed in tech since the early 1960’s when they were implemented at MIT for the time sharing system on their computer systems for researchers. In order to allow multiple researchers to have their own personal “profile” when logging in each user was given a login name and password. This allowed each registered user to access the system for their weekly time allotment.

Read more