In most companies, data security is still in the hands of the IT departments. It is seen as a further element of cybersecurity that, like all other areas, is subject to the exact requirements and processes. Accordingly, the IT team makes many decisions about permissions, appropriate usage, and access controls. However, since it does not know the business context behind the growing data, it can only guess how the individual data sets can be managed effectively.
It makes more sense to delegate who can access which data and how to the data controller. These belong to the relevant specialist departments and can therefore decide precisely which employee has to access which files and thus follow the “need-to-know” approach. This ensures that only those employees have access to what they need for their work. You also have a better overview of whether these rights are still necessary over time, for example, because areas of responsibility change or employees change departments.
Unless organizations start shifting decision-making responsibility to data controllers, IT will struggle to keep file permissions up to date as data grows and user roles change. Implementing the least privileged approach is almost impossible in this way.
How can companies now shape this upheaval towards more data security? The following eleven points are essential. Ideally, these tasks should be automated to adapt the access control to your requirements and circumstances, thus improving data security in the long term.
Audit Of Data Access
Effective management of data is impossible without a record of access. If IT staff cannot reliably monitor data usage, they will not identify abuse. Without a form of data usage, it is challenging to answer critical questions such as: For example: “What data does this person use?” Or “Which files are no longer needed?”
Inventory Permissions And Directory Service Group Objects
To manage the data effectively, one has to know who has access to it. Access control lists and groups (in Active Directory, LDAP, etc.) are the primary protection mechanism for all unstructured data platforms. However, the IT department can often not answer basic questions, such as which data records a user or group has access to. To ensure data security, the answers to these questions must be precise and available at all times.
In principle, all files must be protected. Nevertheless, given the limited resources, one has to set priorities. For a quick plus in data security, the IT department should first concentrate on “sensitive.” Organizations can identify sensitive data and files that too many people have access to using audit logs, data classification technologies, and access control information. These records should be reviewed and addressed first to reduce the risk effectively.
Remove The Global Access Groups From ACLS
Folders on file shares often have access permissions that allow “anyone” or all “domain users” to access the data they contain. This represents a considerable security risk: Lax directory access settings mean that all data stored in a folder also adopt these “open” permissions by default. This becomes particularly problematic for sensitive personal data, credit card information, intellectual property, or personal information. Accordingly, global access to folders, SharePoint sites, and mailboxes should be removed and replaced with rules that only grant access to those who need it.
Identify Data Controllers
IT should keep an up-to-date list of data owners and the folders and SharePoint sites for which they are responsible. Having this list on hand can help IT speed up many of the tasks above.
Regular Checking Of Access Rights And Revocation Of Unused Authorizations
Every file on a Windows or Unix file system, every SharePoint site, and every public folder has access controls that determine which users can access the data and how. These controls must be checked regularly, as roles in companies are changing and access rights that are no longer required represent a security risk for companies.
Align Security Groups With Data
When a person is assigned to a group, they have access to all folders whose ACL the group is listed. It is an enormous challenge to keep track of which data folders contain Active Directory, LDAP, SharePoint, or NIS groups. This uncertainty complicates any project for access control review and role-based access control (RBAC) initiatives.
Review Of Permissions And Changes To Group Membership
Access control lists are the primary preventive control mechanism for protecting data from loss, tampering, and disclosure. When access is reassigned, IT and the data owner need to be quickly informed of any changes. Adequate access controls can only be enforced if a clear audit trail is in place that quickly shows who has been added or removed.
Locking, Deleting, Or Archiving Obsolete And Unused Data
The data risk report for the health sector has shown that on average more than two-thirds of the files (69%) are no longer used. In manufacturing , this value is even higher at 78 percent. By archiving unused data on offline storage, IT reduces the risk of unauthorized access and makes it easier to manage the remaining data. This also significantly reduces the risk of violations of regulations such as the GDPR.
Clean Up Legacy Groups And Access Control Artifacts
Organizations tend to create too many groups that are often empty, unused, or redundant. In addition, access control lists often contain references to previously deleted users and groups (“orphaned SIDS”). This unnecessary complexity slows performance, so stale groups and misconfigured access control objects should be eliminated whenever possible.
Get Control Over Public Cloud Services
Given the millions of users who access Dropbox and other public cloud services, companies cannot store their data in repositories in an uncontrolled manner. Otherwise, they run the risk of fully disclosing or losing their data. Companies must either opt for a private cloud service that meets their security requirements or provide a public cloud so that users are no longer tempted to circumvent IT guidelines and act beyond the specified applications or services (shadow IT).
By following these eleven simple steps, the IT department can streamline and optimize data management and security processes and sustainably reduce the risks. The key here is automation. Only through intelligent automated processes can IT teams be significantly relieved to concentrate on their core tasks.