In today’s business world the greatest commodity is undoubtedly data. It’s the most valuable thing any organisation possesses and its value is ever-increasing. What’s more, companies are increasingly being valued not on their assets, but on their data. Yet the paradox is that data security adoption has not increased at the same rate; in fact, in many instances data security is worse now than it has ever been.
When compared to data management processes 20 years ago, it’s shocking how free and easy we are with our business’ lifeblood. It’s not hard to illustrate the point: one look at the headlines will uncover yet another breach, often involving human error, procedural issues or insider threats.
Data access 20 years ago
So let’s remember how data was secured back in the day and contrast it with the modern approach.
I’m going to use the example of my dad’s ship broking firm which was like most offices up and down the country using physical security to look after their confidential and sensitive data. Ease of access might have hampered everyday users back then, but boy was their data secure, with monitored access and an audit trail.
Firstly, there was a lock on the office door, a lock per filing cabinet and the room was protected by CCTV. All files were checked in and out to the individual with logged reasons relating to the purpose/usage. Copies could be made, but only if you had the pincode for the photocopier.
Not only was it harder for access to be granted accidentally (as only certain individuals were allowed to access certain filing cabinets), it was also very difficult to take data. While you could conceivably walk out of the office with a few files (or possibly fax them…or even telex them), stealing data en masse required some planning. As the company database resided in six 5-foot filing cabinets, someone would have to wheel them out. Nowadays it’s just a few clicks and the whole lot is copied in a few seconds, with little evidence that it has been taken.
Importantly, back then accidental mistakes were harder to make, and the risks of accidental abuse were much less.
Of course it was very different from today. Back then it was an analogue, off-line world of paper storage and much more manual processes. But we can learn what has gone wrong since then and apply the principles of best-practice data security that are still valid today.
What we can learn today – controlling Permissions Sprawl
So travelling back to the present day, data management has changed enormously and the risks are much greater. Company data is stored electronically in files and folders, and user permissions are often granted via group membership. This means people can access data they don’t need to access, and the vast majority of businesses don’t have a process to check regularly who has access to sensitive data.
It’s much easier to make mistakes with regard to data access too. Now data access is granted through group access, and as people move departments they normally keep their privileges. So it spirals out of control and we end up with over-privileged users, or ‘permissions sprawl’, where users have access to data they don’t legitimately need to do their jobs.
The big problem with permissions sprawl is that companies often don’t check – there’s no process to monitor permissions at all. Our market research finds that between 60 and 70 per cent of organisations don’t have a process or tech in place to regularly monitor who has access to what data and whether they need it. That is a dangerous approach given the importance of data to the modern business.
There are modern file server auditors that do just that, such as LepideAuditor, enabling you to easily see exactly who has which permission to the folder in question. Plus it can also alert and report on group membership changes to help prevent permission sprawl.
The importance of PoLP
One concept that is understood but not implemented widely by businesses is the Principle of Least Privilege (PoLP). This is the process of ensuring a ‘user should only be able to access the information and resources he or she requires for legitimate reasons’.
While it’s difficult to pinpoint the damage to the business, as failing to apply PoLP plays out over a long period of time, make no mistake: it definitely creates security risks in the long term. And because it’s not a ‘noisy’ or publicised problem, as many discoveries are not made public, it’s hard for CIOs to prioritise spend.
PoLP is such an important concept to understand. When we analyse the root causes of data leakage incidents, there are so many instances that can be attributed to opportunism. Often perpetrators of data leakage aren’t, by nature, malicious. They aren’t part of any organised crime group and they aren’t hardened foreign hackers. They are ‘normal’ employees. They may potentially be disengaged, but either way, they’re opportunists. These people realise they have access to data (files or folders) that they can use or abuse for personal or financial gain.
Yet most organisations still don’t audit, monitor or proactively track how users are interacting with the data.
We often see the issue where employees have a disproportionate or inappropriate level of permissions to data. One recent example we had was a services company based in the USA. Members of the sales department realised they could access an ‘approved expenses’ folder and modify expense amounts after the expenses were approved, and would then be reimbursed accordingly. In this instance PoLP was definitely not in force.
Twenty years ago, this would have been a manual process where the paper form would have been passed from desk to desk and only those who needed to see it would have seen it, thus removing the opportunity.
You might be forgiven for thinking that if a user suddenly started accessing multiple finance folders there might be some form of alarm raised. But there’s not. Data should be accessible, but don’t make it too easy. And don’t forget people are opportunistic and are happy to copy a database in case it’s useful in future - well, it’s only one single click after all.
Overall it’s important to balance the expectations of the users (24/7 accessibility from anywhere) with good data management practices that meet compliance standards. Often companies make accessing their critical systems convenient for users, at the expense of security. We’re not suggesting going back to physically locking filing cabinets, but transferring the concept to your digital data storage means you’re not leaving your valuable data lying around for anyone to copy.
What’s needed is an ongoing process of monitoring/auditing who has access to which folders and alerting if things look amiss. Businesses need the kind of drills for data security like we have fire drills - including spot checks and effective audits.
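The permissions review described above, as an added example (not from the original article or any Lepide product): it resolves group-based folder permissions to individual users and flags access that the user’s current department does not justify, including the leftover group membership of someone who has moved departments. The users, groups, folder paths and the department-to-folder mapping are constructed assumptions.

```python
# Added example: every name and data value below is constructed for illustration.
from collections import defaultdict

# Current department of each user (e.g. exported from the HR system).
DEPARTMENT = {"alice": "finance", "bob": "sales", "carol": "sales", "dave": "finance"}
# Group membership; bob moved from finance to sales but kept his old group.
MEMBERS = {"grp-finance": {"alice", "bob", "dave"}, "grp-sales": {"bob", "carol"}}
# Department each security group is meant to serve (assumed to be recorded).
GROUP_PURPOSE = {"grp-finance": "finance", "grp-sales": "sales"}
# Folder ACLs as (group, rights) entries; grp-sales on the expenses folder is the mistake.
ACL = {
    "/finance/approved-expenses": [("grp-finance", {"read", "write"}),
                                   ("grp-sales", {"read", "write"})],
    "/sales/leads": [("grp-sales", {"read", "write"})],
}
# Departments with a documented business need for each folder.
FOLDER_OWNERS = {"/finance/approved-expenses": {"finance"}, "/sales/leads": {"sales"}}


def effective_access(folder):
    """Resolve group ACL entries to per-user rights and the groups granting them."""
    access = defaultdict(lambda: {"rights": set(), "via": set()})
    for group, rights in ACL[folder]:
        for user in MEMBERS.get(group, ()):
            access[user]["rights"] |= rights
            access[user]["via"].add(group)
    return dict(access)


def sprawl_findings():
    """List (user, folder, rights, groups) where the user's department has no need."""
    findings = []
    for folder in sorted(ACL):
        for user, entry in sorted(effective_access(folder).items()):
            if DEPARTMENT[user] not in FOLDER_OWNERS[folder]:
                findings.append((user, folder, sorted(entry["rights"]), sorted(entry["via"])))
    return findings


def stale_memberships():
    """Group memberships that no longer match the member's current department."""
    return sorted((u, g) for g, users in MEMBERS.items() for u in users
                  if DEPARTMENT[u] != GROUP_PURPOSE[g])


if __name__ == "__main__":
    for finding in sprawl_findings():
        print("REVIEW:", *finding)
    print("STALE:", stale_memberships())
```

Run on a schedule against real exports, each finding becomes a line item for the data owner to approve or revoke, and the list of granting groups shows which membership or ACL entry to remove.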
Aidan Simister, CEO, Lepide