In parts 1 and 2 of this blog series, we outlined how access governance, single sign-on and automated provisioning ensure that users have accurate permissions and access within an organization's hybrid IT environment, both on premises and in the cloud.
Today, I want to focus on cleaning up file shares to ensure the aforementioned solutions have a clean slate from which to operate. Think of it like cleaning a room: you would pick clothes up off the floor before vacuuming it, right? Similarly, you should clean up your file system before allocating resources to securing it.
Let's start with the basics... Is your file system polluted?
Unfortunately, it probably is. Cleaning up pollution, and preventing that pollution from reoccurring, is a big headache for the IT department. The tools available to help have always been limited or overpriced, at best. How can you determine which folders are never used and which need to be cleaned up? Who has access to a folder and who has access that should not? These questions cost system administrators substantial effort to answer. ERAM from Tools4ever is the robust and affordable answer to these questions in real time. It enables the safe delegation of access management to data owners, which reduces permission pollution and mitigates the risk of internal breach.
From data to information
Information about file system access is stored in different parts of the network: in the file system itself, in Active Directory groups and in access logs. The information is widely dispersed and is often tremendous in size. ERAM collects and stores all this information in a SQL database and uses it to answer complex access questions needed to meet compliance pressures such as HIPAA and SOX. ERAM gives administrators and security officers the ability to detect pollution and carry out clean-up operations, facilitating data-use auditing or preparation for compliance efforts whenever necessary.
How does ERAM clean up your file system?
ERAM determines which data is no longer utilized (about 75 percent on average) and allows you to fix the access permissions via the web interface. With file system data changing continuously, periodically executing ERAM's Collection Module ensures the information is always up to date in order to facilitate pre-emptive or timely action. When you see a folder no one is accessing, ERAM provides the option to revoke all access rights. Alternatively, you can adjust a user's access so that they can or cannot read, write or edit files in a specific folder. ERAM keeps this process consistent yet configurable should your business rules change. You can have scheduled or on-demand reports so your team is always up to date with permissions.
File systems are normally divided into projects, departments and home folders. You know the layout, but who are the actual owners? Analyzing your organization's data usage provides the perfect starting point for delegating management from the IT helpdesk to the real owners within the business. ERAM's intuitive Data Management module will help to assign data owners within the organization. Data managers can then click on a folder to see who has access to that folder and grant/revoke/regulate access accordingly via the user-friendly interface, all without IT intervention. The final delegation step is Self-Service, whereby end users themselves request access to a folder. Managers can quickly approve or deny changes, which are appropriately implemented in the file system.
With ERAM, it is also possible to see which employees have never actually used their access to a specific folder and remove that access based upon the real-world business case. Moving forward, only the correct people will have access to what they need, when they need it. Each user having the correct access, no more and no less, is key to mitigating internal data breaches.
The bi-directional nature of ERAM's reports offers both user-to-resource and resource-to-user views. This allows you to quickly respond to internal breaches by pulling all user activity and/or checking who has accessed a particular file that may contain the leaked information. ERAM shows you what actions a user carried out on a file (reading, writing or editing) and allows you to immediately disable or revoke access on suspicious user accounts. With a few clicks, ERAM can find the source of a breach and facilitate a quick response.
With over 19 years in the industry and over 5,000 customers worldwide, we have found file shares to contain an average of 75% pollution. While implementing identity and access management solutions will keep your access trails accountable and secure, they do not address the permission pollution already caused. ERAM analyzes and cleans your file system while also offering transparency useful for responding to audits and internal breaches.