File Share Entitlement Review: Finding the Owner
One thing top of mind for information security professionals in 2012 is understanding who has access to what and being able to provide clear, concise reporting around it. We call it Access Governance or Data Governance and it consists of entitlement reviews, access reviews, or audit reporting. The terms overlap and the complete superset of product features around this challenge can seem overwhelming and difficult to comprehend. At STEALTHbits, we simplify things. We’ve developed quick-win solutions that get you from where you are today to the next step with a proven and pragmatic methodology.
Data Owners
One small example is how we’re able to identify owners of file shares and other resources. First, we have an algorithm that provides a list of probable owners based on a number of factors – who has rights, who is doing what, etc. The algorithm is adjustable to meet specific requirements, but we know that there isn’t an algorithm on earth that could determine ownership with 100% accuracy across large scale environments. So, we leverage the STEALTHAudit Platform survey modules to reach out to probable data owners to ask them if we’re right.
If we are, we provide a set of instructions on what we need them to do. If they’re not, we move on to the next probable owner to see if we can track down the right people. Each step of the way, we report on where things stand: which shares are high-risk, which have owners, which are still awaiting response, etc.
In large scale environments, there is no easy button. But there is experience and expertise. Experience counts. If you’re trying to figure out who owns your content, let’s chat and we’ll let you know what we’ve learned about this challenge as we’ve helped a number of the world’s largest organizations solve it.
Open File Shares: A Pragmatic Approach
A number of STEALTHbits’ customers have reported that their #1 audit challenge boils down to open file shares. Auditors are clearly concerned with access and while it’s difficult to understand access rights across millions of individual files, it’s immediately apparent when there are file shares that are open to anyone.
But, how do you approach a problem that spans across thousands of servers? Do you implement a monitoring solution for three months? Manually sift through each one? Well, you could do either of those things. And if you’re interested in activity monitoring, we’ve got the best solution on the market. But, I’d argue that the best way to deal with open shares is to move through a quick, pragmatic process that scopes resources, identifies high-risk, and automates cleanup without significant infrastructure or investment.
STEALTHbits has developed a step-by-step approach to closing down open file shares and has proven it out at a number of the world’s largest organizations. It’s simple to deploy, uses just a single server, can scan remotely, and it works. We’re able to provide real results in about one week. Give us 5 days, and we’ll have your arms comfortably around the problem and your mind at rest.
Data & Access Governance for the Masses (of servers)
We’ve been building and perfecting our solution for data and access governance over the past few years and we’ve learned that two of the biggest considerations for data governance solutions are (1) Scalability and (2) Coverage.
Scalability
Scalability is critical. Any solution that attempts to scan a server will take some amount of time depending on how big the server is and how deep the scan goes. We can’t control the number of servers or the fact that scanners take time to work. A few things we CAN control are the architecture of the solution and the flexibility of the approach. For example, the STEALTHbits solution is multi-threaded. So, we can scan 1, 10, 50, or 10,000 servers concurrently depending on the precise need. We can also scan a batch of 500 servers in a single job or maybe expand that job to 5000 servers. Obviously, scanning 5000 servers takes considerably more time than 500, but there may be a valid business justification to get it all done at once.
Our customers report that they feel most successful when they can break jobs into chunks and review results along the way. 250 - 500 servers at a time seems like a sweet spot for many. One customer had an immediate need and we scanned close to 20,000 servers for a specific requirement in about 10 minutes. That’s the power of a multi-threaded approach and a flexible architecture. And in some cases, for global scalability, we might recommend deploying regional instances of the StealthAUDIT console that could manage data collection jobs locally and then deliver that information to a central reporting console.
The key to all of the above was our decision to design technology that will scale and enable flexibility in implementation so that decisions can be made that meet any requirements that come up, whether it be to finish quickly, handle large numbers, or just to keep things simple. It’s not a one-size-fits-all approach.
Coverage
The second consideration is coverage. If you care about “Who has access to what?” you should care about it wherever the data lives. The StealthAUDIT Management Platform can report on access to many areas where unstructured data may live, including file systems, SharePoint sites, and Exchange Mailboxes and Public Folders. And, by the way, even though various applications may control access to data in a database (structured data) and that seems secure, DBA access to SQL Server is one of the most common insider threat scenarios. And that should be on your mind as well. Of course, we can help with that too.
We’d love an opportunity to discuss how the largest companies in the world are deploying STEALTHbits’ solution for Data & Access Governance. Let us know if you’d like to hear more.
StealthINTERCEPT and CSI
So, in the "new and upcoming news" category, StealthINTERCEPT is due out shortly here at STEALTHbits. With a name like that, we're not surprisingly referring to it as SI internally right now. And since I'm sitting up here in Canada going through some webpage design for the roll-out, I think of it as CSI. And then I get to thinking - CSI - well, it may not be bones and blood tests, but it's sure useful for Corporate System Investigation. Some poor OU goes missing? Get CSI on the case. Got a bad one, Tony - three critical users were just deleted. Better get CSI.
And from talking to a few of our friends/customers out there let me tell you - people need CSI. I heard from one guy how he discovered as part of an ad-hoc cleanup process that the permissions on the CEO's mailboxes had "acquired" several different unwarranted security principals. After a quick panic lockdown, and the removal of all of the unwanted access, everything seemed fine - until the CEO couldn't log on to his mailbox either. Then the stuff really hit the fan. Worst of all, they couldn't find out who had made the unwanted changes in the first place. The only guy they had a name for was the guy who tried to clean it up. Guess who got in trouble? Bleah.
Another of our clients has a problem where OUs keep moving around. They think it's caused by accidental drag-and-drops by admins using ADUC, but they don't really know for sure. They're looking for a tool to tell them who is making changes to their OU names. And what they'd really love is to be able to stop them *before* it happens. Moving OUs causes all kinds of messy ripple effects with DNs changing and applied GPOs getting mis-applied; they'd like to prevent all that before it hits.
So, look for [C]SI coming out soon from STEALTHbits. It may not be as sexy as Jorja Fox (what a name!), but it's just as good for finding out the whodunnit and making sure those responsible pay for their (electronic) crimes. And it can do some prevention too - so unwanted changes to critical objects don't happen in the first place. Pretty cool stuff.
SharePoint Management Self-Service
Managing user access within SharePoint is a chore, but reducing permissions sprawl (way too many people having access) and keeping access organized and up-to-date is critical if you want to really understand what SharePoint resources are being used, and who is using them.
Unfortunately, due to a variety of reasons, SharePoint is often out-of-date when it comes to permissions.
Factors like:
1. Lots of users with management permissions having the rights to change permissions and assign permissions to other users
2. No native reporting tools within SharePoint that allow admins to detect effective rights to head off problems
both contribute to the SharePoint "zoo."
At the very least, admins need a tool that allows them to baseline permissions, certify ownership, evaluate effective rights, and take immediate action to fix security holes. But wouldn't it be nice if SharePoint admins / users had a "self-service" model for SharePoint clean-up?
SMP for SharePoint, STEALTHbits' solution, features a comprehensive, 4-step workflow to do just that:
1. We baseline the permissions.
2. We identify the probable owners of sites.
3. We talk to the probable owners to get answers to permissions questions.
4. We analyze the results and recommend next steps based on them.
And it's all done from within a single tool.
If you want to learn more about the SharePoint governance challenge, as well as our Self-Service features, check out our STEALTHsession on SharePoint Self-Service. (Please note - you must be logged in to view extended videos).
5 Questions About STEALTHbits' New Active Directory Solution (Leak)
We keep our eyes and ears peeled on your behalf here at STEALTHbits Headquarters, and we recently overheard some really cool news about an Active Directory project that’s under way (and under wraps). We convinced Adam Laub, VP of Marketing, to sit down with us for just 5 questions about this mystery solution.
Daria: Word on the street has it that there's something called "Interceptor" technology that's coming. What is it?
Adam: How do you guys hear about these things?! I can't say much at this point, but I can tell you that StealthINTERCEPT is a hot new technology that will allow our customers to lock-down Active Directory from unauthorized changes, and to get real-time notifications.
D: What business benefits can users expect?
A: This is part of our larger data governance initiative, which helps our customers take back control of their unstructured data. Active Directory is a key and often overlooked piece of the puzzle. If you're not securing AD, then you're leaving a door wide open.
D: So when can we expect to see this?
A: Soon! We have test sites running it already. You'll have to stay tuned for details.
D: Is this part of an upgrade to the StealthAUDIT Management Platform?
A: Yes and No. StealthINTERCEPT technology is new and stands on its own, but also integrates with the StealthAUDIT Management Platform.
D: Do you guys practice these vague answers?
A: Absolutely.
D: So how is this real-time technology going to work?
A: Sorry, that's five questions!
We're certainly intrigued. We'll be sure to keep you posted on this blog and in our monthly newsletter as this develops, so stay tuned. This is gonna be big.
High Risk(y) Business: Controlling the Threat of High Risk Shares
Try this: go to your favorite search engine, and type in “high risk share.” Chances are, you’ll get the same thing I did: pages and pages of financial information dealing with risky shares as they pertain to stocks. The definition and even identification of a high risk stock is fairly straightforward (at least in theory). In the IT space, though, “high risk share” is a much broader term, and such shares can be difficult to identify (which, in turn, makes them difficult to govern). Unlike a stock market, which appears in a uniform way to all investors in that market, high risk data repositories vary across organizations based on individual access settings, permission needs, departmental requirements, and more.
One way to look at it is in terms of access. If a file or share is accessible by a very large number of users (through well-known security principals like “Everyone,” for instance) the chances increase that it would be considered at “high risk.” At the same time, organizations often purposely leave folders at the top level open because they’re commonly used across the board. So where’s the risk then, exactly?
Risk comes into play when open permissions at the top level filter down through effective rights to permissions several levels below. Because effective rights are difficult to identify (take our effective rights quiz to see how well you do), they can leave sensitive data open to many more people than need or should have access to it.
To learn more about high risk shares, and how to identify and remedy them, watch our STEALTHsession on Controlling the threat of High Risk Shares.
StealthAUDIT Named Best Windows Product
GLEN ROCK, NJ--(November 10, 2010) - STEALTHbits Technologies today announced that its StealthAUDIT Management Platform (SMP) was chosen as a winner in the Best of Connections 2010 awards program in the "Best Windows Product" category by Penton Media's DevConnections. SMP is a comprehensive framework featuring audit, reporting, compliance, and remediation capabilities across the Microsoft computing platform, including solutions for Exchange, ActiveSync, BlackBerry Enterprise Server, Active Directory, SharePoint, Windows Desktop and Server Operating Systems, Windows File Systems, and beyond.
"We are thrilled to have received the 'Best Windows Product' award recognizing StealthAUDIT's ability to answer the toughest IT questions across the Microsoft landscape," said Adam Laub, VP of Marketing and Technical Operations at STEALTHbits. "We're excited to have had the opportunity to showcase our unique approach to Microsoft infrastructure and application management which our customers have found so valuable, and are grateful to the Penton Media team for their acknowledgement of our achievement in this field."
The Best of Connections awards recognize companies based on their innovation, strategic importance to the market, competitive advantage and exceptional value to customers. The winners were chosen from more than 80 nominated products in six (6) categories. The field was narrowed to three finalists in each category. Finalists were interviewed at the DevConnections 2010 conference in Las Vegas, Nevada, November 2-3 to determine the winners in each category. Winners were announced live from the DevConnections 2010 exhibitor's floor at 2 pm on Thursday, November 4.
"Narrowing down the list of nominees to 18 finalists in the six Connections categories was a challenge, considering that we were faced with so many top-tier products and services," said Amy Eisenberg, Executive Editor for Windows IT Pro, "but in the end, we came up with six very deserving winners. We're proud of our selections, and we believe all our finalists and winners represent the best of the best in their categories."
About STEALTHbits Technologies, Inc.
STEALTHbits Technologies, Inc. is an innovative technology leader in the Microsoft Infrastructure and Application Management space. STEALTHbits' StealthAUDIT Management Platform bridges the gap between IT Management and Compliance, providing a unified framework by which to measure, manage, and maintain. STEALTHbits Technologies can be found online at stealthbits.com.
Editorial Contact
Adam Laub
VP, Marketing
+1.201.447.9308
Related Articles
Congratulations to the Best of Connections 2010 Winners! by Jason Bovberg, Windows IT Pro Magazine
STEALTHbits and Carahsoft Partner for Government IT Solutions
GLEN ROCK, NJ and RESTON, VA--(Marketwire - March 2, 2011) - STEALTHbits Technologies, a leader in the IT security and compliance software space, and Carahsoft Technology Corporation, the trusted Government IT solutions provider, announced a partnership today that will enable Carahsoft to add the award-winning StealthAUDIT Management Platform (SMP) to its Intelligence Solutions offerings. The partnership will expand on STEALTHbits' decade of success in the private sector, where they provide innovative data collection, analysis, reporting, and remediation tools to the world's top organizations, including Fortune 500 companies and leading Wall Street firms.
"We are very excited about the opportunity to partner with Carahsoft in bringing a great solution into the US Public Sector," said David Gordon, VP of Business Development at STEALTHbits. "With WikiLeaks and hacker attacks in the headlines weekly, risk mitigation and security within the government space has never been more important than it is today."
SMP features comprehensive solutions spanning the Microsoft infrastructure and application stack, including Shared File Systems, Exchange, Active Directory, SharePoint, BlackBerry and ActiveSync, Desktops and Servers, and more.
"Government agencies are continually improving their efforts to protect the ever-increasing amount of data they must maintain to support their missions," said Craig P. Abod, Carahsoft President. "STEALTHbits' award-winning data security and compliance solutions support those initiatives by detecting and locking down data access vulnerabilities, and we are pleased to add them to our Cyber Security Solutions portfolio."
About STEALTHbits Technologies, Inc.
STEALTHbits Technologies, Inc. is a leader in the Microsoft Infrastructure and Application Management space. Our mission is to provide solutions to the most difficult business problems across the Microsoft computing platform and beyond by allowing our customers to measure, manage, and understand multiple aspects of their environments using a single unified platform. Learn more at http://www.stealthbits.com.
About Carahsoft Technology Corporation
Carahsoft Technology Corp. is the trusted Government IT solutions provider. As a top-ranked GSA Schedule Contract holder, Carahsoft serves as the master government aggregator for many of its best-of-breed vendors, supporting an extensive ecosystem of manufacturers, resellers, and consulting partners committed to helping government agencies select and implement the best solution at the best value. Carahsoft is consistently recognized by its partners as a top revenue producer, and is listed annually among the industry's fastest growing firms. Visit us at http://www.carahsoft.com.
Editorial Contact
Adam Laub, VP Marketing
STEALTHbits Technologies
+1.201.783.2243
Controlling SharePoint Sites
SharePoint is growing more and more prevalent in organizations, and offers a great way for users to interact and share content remotely for collaboration on projects. With the increasing use of SharePoint, however, SharePoint admins are facing the same issues that plagued (and, in many cases, continue to plague) administrators of the distributed file system. Increasingly, sites are growing stale, violating ethical wall regulations, and being deemed "high risk" in terms of access and permissions settings.
Each of these issues has its own steps for mitigating the risk associated with it, which we'll discuss in more detail below, but it's worth noting that what they all have in common is the need for data that will help identify the problem. After all, you can't fix it if you don't know that it's broken.
High Risk Repositories
Sites classified as being at high risk are those that are effectively open to your entire organization. This happens because site managers can assign trustees, who can, in turn, assign permissions that expose content to too many people. Some examples of these kinds of permissions are Authenticated Users, Domain Users, and Anonymous Logons. When identifying high risk repositories, it's important to examine effective rights; just because a user does not have access through one set of permissions does not mean that all of their assigned permissions will keep them from being able to read, write, modify, or even delete content. Explore how users have access to identify what, exactly, is at risk, and then work to lock down permissions.
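The point made here, and in the earlier post on high risk shares, that an open grant at the top level reaches content several levels down, can be shown with a small model. This is an added example, not STEALTHbits code: the `Node` type, the sample tree and the `sensitive` label are hypothetical, and only allow-type permissions are modelled.

```python
from dataclasses import dataclass, field

# Broad principals named on this page; a grant to any of them opens the resource.
BROAD = {"Everyone", "Authenticated Users", "Domain Users"}

@dataclass
class Node:
    path: str
    aces: dict = field(default_factory=dict)    # principal -> set of allowed rights
    inherits: bool = True                       # False: inheritance is broken here
    sensitive: bool = False                     # label set by the data owner
    children: list = field(default_factory=list)

def effective_acls(node, parent_acl=None):
    """Walk the tree, yielding (node, acl); acl maps principal -> {right: origin path}."""
    acl = {}
    if node.inherits and parent_acl:
        # Copy so that a child's explicit grants never leak back into the parent.
        acl = {p: dict(rights) for p, rights in parent_acl.items()}
    for principal, rights in node.aces.items():
        for right in rights:
            acl.setdefault(principal, {})[right] = node.path
    yield node, acl
    for child in node.children:
        yield from effective_acls(child, acl)

def high_risk(root):
    """Return (path, principal, right, origin) for sensitive nodes open to a broad principal."""
    findings = []
    for node, acl in effective_acls(root):
        if not node.sensitive:
            continue
        for principal in sorted(acl.keys() & BROAD):
            for right, origin in sorted(acl[principal].items()):
                findings.append((node.path, principal, right, origin))
    return findings

# Constructed sample tree (not real data).
SAMPLE = Node("Dept", {"Everyone": {"read"}}, children=[
    Node("Dept/Public"),
    Node("Dept/Finance", {"Finance-RW": {"read", "write"}}, children=[
        Node("Dept/Finance/Payroll", {"Payroll-Admins": {"read", "write"}}, sensitive=True),
        Node("Dept/Finance/Audit", {"Auditors": {"read"}}, inherits=False, sensitive=True),
    ]),
    Node("Dept/HR", {"Domain Users": {"write"}}, children=[
        Node("Dept/HR/Reviews", sensitive=True),
    ]),
])

if __name__ == "__main__":
    for path, principal, right, origin in high_risk(SAMPLE):
        print(f"{path}: {principal} has {right}, granted at {origin}")
```

The `origin` column is the level where the grant has to be removed; `Dept/Finance/Audit` is not reported because inheritance is broken there.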
Controlling Stale Content
Stale content in SharePoint is similar to stale content within Active Directory and the File System: it hasn't been modified in a long time. Continuous monitoring is required to determine the last time a site was used, and working together with the data custodians who created the sites that you have identified as stale is important to ensure that it's okay to remove them. Keeping stale sites out of your SharePoint farms will help with simpler management. It's important to note here that, if a SharePoint site has child sites, SharePoint won't let you delete the parent site. This is why it's especially important to reach out to probable owners of sites to gather more information before proceeding.
Ethical Walls
Ethical walls differ by organization, and apply to most collaborative file systems, including SharePoint. The need for ethical walls stems from the requirement to separate the data that discrete groups within the organization can see. Maybe your organization wants to keep the engineering department's plans for product upgrades out of the hands of the sales team, or your finance team shouldn't have access to the investment team's quarterly assessments. Whatever the reason, one way to identify if ethical wall violations occur is to see where SharePoint groups have common access, then corroborate that access within Active Directory to ensure that trustees can only see what they are supposed to.
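A sketch of that check, added here as an example and not taken from SMP: SharePoint group members are resolved through nested Active Directory groups, and any user who can reach sites on both sides of a wall is reported. All site, group and user names are constructed, and the dictionaries stand in for exported membership data.

```python
def expand(principal, ad_groups, seen=None):
    """Resolve an AD principal to user accounts, following nested groups."""
    seen = set() if seen is None else seen
    if principal in seen:               # guard against circular nesting
        return set()
    seen.add(principal)
    if principal not in ad_groups:      # not a known group: treat as a user
        return {principal}
    users = set()
    for member in ad_groups[principal]:
        users |= expand(member, ad_groups, seen)
    return users

def reach(sites, site_access, sp_groups, ad_groups):
    """Map user -> set of (site, SharePoint group) pairs that grant them access."""
    result = {}
    for site in sites:
        for sp_group in site_access.get(site, ()):
            for member in sp_groups.get(sp_group, ()):
                for user in expand(member, ad_groups):
                    result.setdefault(user, set()).add((site, sp_group))
    return result

def wall_violations(side_a, side_b, site_access, sp_groups, ad_groups):
    """Return users with access on both sides, with the grants responsible on each side."""
    a = reach(side_a, site_access, sp_groups, ad_groups)
    b = reach(side_b, site_access, sp_groups, ad_groups)
    return {u: (sorted(a[u]), sorted(b[u])) for u in sorted(a.keys() & b.keys())}

# Constructed sample data (not real exports).
SITE_ACCESS = {
    "sites/eng-roadmap": {"Roadmap Members"},
    "sites/sales-deals": {"Deals Members", "Deals Visitors"},
}
SP_GROUPS = {
    "Roadmap Members": {"Engineering"},
    "Deals Members": {"Sales"},
    "Deals Visitors": {"PreSales"},
}
AD_GROUPS = {
    "Engineering": {"alice", "bob", "Solutions-Architects"},
    "Sales": {"carol", "dave"},
    "PreSales": {"Solutions-Architects", "erin"},
    "Solutions-Architects": {"frank"},   # nested in groups on both sides of the wall
}

if __name__ == "__main__":
    hits = wall_violations({"sites/eng-roadmap"}, {"sites/sales-deals"},
                           SITE_ACCESS, SP_GROUPS, AD_GROUPS)
    for user, (eng, sales) in hits.items():
        print(user, "engineering side:", eng, "sales side:", sales)
```

Comparing the SharePoint groups alone shows no overlap in this sample; the shared access only appears once the nested AD group is expanded.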
To learn more about how SMP makes managing SharePoint easy, please view our Controlling SharePoint Sites STEALTHsession, or request a fully-functional product trial.


