Q&A: The problems of permissive data access

Matt Lock, Director of Sales Engineers, at Varonis explains why organisations need to get a handle on the data protection essentials.

While organisations are focussed on chasing threats, cyber criminals are focussed on gaining access to an organisation’s most valuable IT assets: its sensitive data. These data breaches are occurring all too frequently; however, if basic data protections had been in place, many such breaches might have been avoided.

Matt Lock, Director of Sales Engineers at Varonis, explains why organisations need to get a handle on the data protection essentials – understanding where their information assets are located and controlling who is accessing them.

1. Should there be more focus on protecting data rather than protecting the perimeter?  

For many organisations the focus of their security strategy is on chasing down threats or on building up their perimeter defences. However, data breaches are still occurring, often because the security measures to protect the data itself are not in place.  If we think about the end goal for the attackers, it is the data that is their target: files and emails containing intellectual property or PII (personally identifiable information), payroll information, personnel records, credit card numbers, health records. Once an attacker has breached the perimeter defences, they have carte blanche to gain access to these high value assets through lateral movement, or by escalating privileges.  We ignore the protection around the data itself at our peril. 

2. What are the biggest security risks when it comes to unmanaged access to sensitive data files?

When access to data isn’t managed or monitored, organisations are at far greater risk from cyber attacks – such as ransomware – and insider threats.

The issue is about gaining visibility and control: organisations need to have processes to identify anomalous behaviour and trigger alerts, such as files that are being accessed by individuals who don’t normally access them. It’s also about ensuring employees’ privileges are locked down by placing controls around which individuals can access sensitive data. The implications of this are significant; in the case of ransomware, for example, if the individual that is compromised has global access rights, all the data that they can access will be encrypted.

We know that permissive access controls are a common problem. From our own 2017 Data Risk Report, we’ve discovered that a significant proportion of users have way more access to data than they need to do their jobs. On average, 20% of all folders in an organisation were open to every employee. Think about the damage that could be inflicted on your business if ransomware encrypted 20% of your file shares.
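The two signals the answer above calls for – a user touching sensitive files they do not normally access, and a compromised account encrypting everything it can reach – can be checked against file-access events in a few dozen lines. The following Python is an added illustration, not part of the interview and not Varonis code: it builds a per-user baseline of folders accessed during a learning window, flags later accesses to sensitive folders outside that baseline, and separately flags a burst of write events from one user, which is what mass encryption by ransomware looks like in an access log. The event records, share paths, user names and thresholds are all constructed for the example.

```python
"""Baseline-and-deviation checks over file-access events (added example)."""
from collections import defaultdict
from datetime import datetime, timedelta


def parse_ts(ts):
    """Parse the ISO-8601 timestamp used in the constructed events."""
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%S")


# Constructed sample events: (timestamp, user, folder, action).
# Everything before CUTOFF is treated as the learning window.
EVENTS = [
    ("2017-05-02T09:05:00", "alice", r"\\fs01\finance\payroll", "read"),
    ("2017-05-09T10:12:00", "alice", r"\\fs01\finance\reports", "write"),
    ("2017-05-16T08:44:00", "bob",   r"\\fs01\hr\policies", "read"),
    ("2017-05-23T14:20:00", "bob",   r"\\fs01\engineering\specs", "write"),
    # detection window
    ("2017-06-05T11:30:00", "alice", r"\\fs01\finance\reports", "write"),
    ("2017-06-05T11:31:00", "bob",   r"\\fs01\finance\payroll", "read"),
    ("2017-06-06T09:00:00", "carol", r"\\fs01\hr\personnel", "read"),
    # six writes by one account inside 75 seconds, out of hours
    ("2017-06-07T02:00:05", "bob", r"\\fs01\engineering\specs", "write"),
    ("2017-06-07T02:00:20", "bob", r"\\fs01\engineering\specs", "write"),
    ("2017-06-07T02:00:35", "bob", r"\\fs01\engineering\specs", "write"),
    ("2017-06-07T02:00:50", "bob", r"\\fs01\engineering\specs", "write"),
    ("2017-06-07T02:01:05", "bob", r"\\fs01\engineering\specs", "write"),
    ("2017-06-07T02:01:20", "bob", r"\\fs01\engineering\specs", "write"),
]
SENSITIVE_PREFIXES = (r"\\fs01\finance", r"\\fs01\hr")  # constructed
CUTOFF = datetime(2017, 6, 1)


def build_baseline(events, cutoff):
    """Map each user to the set of folders they accessed before the cutoff."""
    baseline = defaultdict(set)
    for ts, user, folder, _action in events:
        if parse_ts(ts) < cutoff:
            baseline[user].add(folder.lower())
    return baseline


def detect_unusual_access(events, cutoff, sensitive_prefixes):
    """Return post-cutoff events where a user touches a sensitive folder
    that is absent from their own baseline (including users with none)."""
    baseline = build_baseline(events, cutoff)
    prefixes = tuple(p.lower() for p in sensitive_prefixes)
    alerts = []
    for ts, user, folder, action in events:
        if parse_ts(ts) < cutoff:
            continue
        f = folder.lower()
        if f in baseline[user]:
            continue  # normal for this user
        if f.startswith(prefixes):
            alerts.append((ts, user, folder, action))
    return alerts


def detect_write_bursts(events, window=timedelta(minutes=5), threshold=5):
    """Return (user, window_start, count) for each user whose write events
    reach `threshold` inside any `window`; one alert per user."""
    by_user = defaultdict(list)
    for ts, user, _folder, action in events:
        if action == "write":
            by_user[user].append(parse_ts(ts))
    alerts = []
    for user, times in sorted(by_user.items()):
        times.sort()
        j = 0
        for i, start in enumerate(times):
            while j < len(times) and times[j] - start <= window:
                j += 1
            if j - i >= threshold:
                alerts.append((user, start.isoformat(), j - i))
                break
    return alerts


if __name__ == "__main__":
    for a in detect_unusual_access(EVENTS, CUTOFF, SENSITIVE_PREFIXES):
        print("unusual access:", a)
    for a in detect_write_bursts(EVENTS):
        print("write burst:", a)
```

With the constructed events, the first check raises two alerts (bob reading a payroll folder he has never opened, and carol, who has no history at all, reading personnel files) and the second flags bob's six writes in under two minutes. In practice the baseline would be learned from weeks of audit data and the burst threshold tuned to the share's normal write rate.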

3. What about the problem of folders containing ‘stale data’ – why does this pose a risk for organisations? 

The volume of data we’re creating is growing exponentially and much of it becomes stale as soon as it’s created.  If you’re holding on to that data unnecessarily you’re simply creating more challenges, not only security risks but also management and storage costs. 

To put this into context, our research with organisations also revealed that 71% of all folders contained stale data – that is, data that hadn’t been touched, accessed or modified for 6 months or longer – accounting for almost 2 petabytes. Stale data carries little value to the business when it’s not being used but still carries risk and financial liability. 

Our recommendation is that any stale data should be identified and archived according to regulatory requirements.  
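Both findings quoted in this section – the share of folders open to every employee (question 2) and the share containing stale data, meaning nothing accessed or modified for 6 months or longer – come from measuring a file share. The Python below is an added example, not from the interview or from Varonis, of how such an audit can be expressed: it walks a directory tree, treats a folder as stale when its newest file activity is older than 180 days, and treats it as open to everyone when the directory mode grants read access to "others" (the POSIX stand-in for a share ACL that includes every user). The folder layout, ages and modes are constructed in a temporary directory so the script runs offline.

```python
"""Stale-data and open-folder audit over a constructed share (added example)."""
import os
import stat
import tempfile
from datetime import datetime, timedelta

STALE_AFTER = timedelta(days=180)  # the 6-month threshold from the interview


def build_sample_tree(root, now):
    """Create a constructed share layout with mixed ages and directory modes."""
    layout = {  # relative folder: (last activity, directory mode)
        "finance/payroll":  (now - timedelta(days=400), 0o750),  # stale, restricted
        "finance/reports":  (now - timedelta(days=10),  0o750),  # fresh, restricted
        "hr/personnel":     (now - timedelta(days=200), 0o755),  # stale, open
        "shared/templates": (now - timedelta(days=30),  0o755),  # fresh, open
        "archive/2014":     (now - timedelta(days=900), 0o755),  # stale, open
    }
    for rel, (activity, mode) in layout.items():
        folder = os.path.join(root, *rel.split("/"))
        os.makedirs(folder)
        for i in range(2):
            path = os.path.join(folder, f"file{i}.txt")
            with open(path, "w") as fh:
                fh.write("x" * 1024)
            t = activity.timestamp()
            os.utime(path, (t, t))  # set both atime and mtime to the sample age
        os.chmod(folder, mode)
    return root


def last_activity(path):
    """Most recent of access and modification time, as a local datetime."""
    st = os.stat(path)  # stat only: does not touch the file's atime
    return datetime.fromtimestamp(max(st.st_atime, st.st_mtime))


def audit(root, now, stale_after=STALE_AFTER):
    """Return per-folder findings plus the headline stale/open percentages."""
    folders = []
    for dirpath, _dirnames, filenames in os.walk(root):
        if not filenames:
            continue  # only folders that actually hold data are counted
        files = [os.path.join(dirpath, f) for f in filenames]
        newest = max(last_activity(f) for f in files)
        mode = os.stat(dirpath).st_mode
        folders.append({
            "folder": os.path.relpath(dirpath, root).replace(os.sep, "/"),
            "stale": now - newest > stale_after,
            "open_to_everyone": bool(mode & stat.S_IROTH),
            "bytes": sum(os.path.getsize(f) for f in files),
        })
    total = len(folders)
    return {
        "folders": folders,
        "stale_pct": round(100 * sum(f["stale"] for f in folders) / total),
        "open_pct": round(100 * sum(f["open_to_everyone"] for f in folders) / total),
        "stale_bytes": sum(f["bytes"] for f in folders if f["stale"]),
    }


def run_demo():
    """Build the constructed tree in a temp directory and audit it."""
    now = datetime.now()
    with tempfile.TemporaryDirectory() as root:
        build_sample_tree(root, now)
        return audit(root, now)


if __name__ == "__main__":
    report = run_demo()
    for f in report["folders"]:
        print(f"{f['folder']:<20} stale={f['stale']!s:<5} open={f['open_to_everyone']}")
    print(f"stale folders: {report['stale_pct']}%  open folders: {report['open_pct']}%")
    print(f"stale bytes: {report['stale_bytes']}")
```

The folders that are both stale and open to everyone (here `hr/personnel` and `archive/2014`) are the ones the answer above is pointing at: data nobody is using that anyone can read, and so the first candidates for archiving under the organisation's retention rules.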

4. What steps should they be taking to mitigate these risks? 

Organisations should be managing these risks as part of a data protection strategy. Firstly, define where your data is; then examine user behaviour to understand the flow of data within the organisation, how it’s used and who needs access to it. Then it’s about putting defences in place: define who has access to files and develop strategies to dispose of data that isn’t needed.

5. Why do you think that more companies aren’t enforcing a ‘least privilege’ access model?

Sensitive and personal data should be kept to a ‘need to know’ access basis. Organisations should be aiming for this ‘least privilege’ model in which only those that need to know have access. This ensures a level of security and protection for personal data that is safer by design. 

Overly permissive data controls play into the hackers’ hands, as data that anyone can see is far more likely to be lost or stolen. We need to have access to folders to do our jobs; the problem is that, over time, ‘permission creep’ sets in. Access permissions can be set too broadly, often because IT and admin teams simply can’t keep up with the pace of internal changes: changes to internal workers’ roles, employees leaving the company, or organisational restructuring such as acquisitions or mergers. The time and manpower required to audit these permissions can be a serious drain on resources.

6. What part do wider organisational factors such as budget / resources play in preventing organisations from implementing access controls?  

Managing this within the constraints of budgets and available manpower is, of course, an issue. However, these factors need to be viewed in the context of how much a breach would cost and the resulting financial fallout from downtime, fines and reputational damage.

The good news is that there are ways to automate the management of access rights and permissions, saving time and improving efficiency, so that these processes need not be a management burden for IT teams.

7. With the GDPR on the horizon, what steps should organisations be taking now to protect access to sensitive files?  

The legal implementation of the GDPR is now just a year away, which has significant implications for all organisations collecting data on EU citizens. With new requirements for documenting IT procedures, performing risk assessments, and tougher rules for breach notifications, organisations should be preparing now with a framework for data protection and a roadmap to achieving compliance. Start with getting control of your information assets. Establish a data asset register to identify what data you hold, why and where. From here you can start the process of protection and placing controls around who should be accessing it, based on a least privilege model. Make sure you know when data can, and should, be deleted.

8. What would your advice be to any organisation that doesn’t have insight into the access controls around its sensitive data?  

Data that is unmonitored and broadly accessible is a security risk. Our advice is to understand where these risks are so that you can take steps to mitigate them. There are just too many unknowns around data access and you can’t control what you don’t know. With the GDPR now a year away, there’s an added impetus for organisations to shine a light on where the security gaps are: from data which is no longer needed, to data with oversubscribed access or with limited controls in place.

Getting a grip on data protection has never been more important. 

Matt Lock, Director of Sales Engineers, Varonis