File Share Entitlement Review: Finding the Owner

One thing top of mind for information security professionals in 2012 is understanding who has access to what and being able to provide clear, concise reporting around it. We call it Access Governance or Data Governance and it consists of entitlement reviews, access reviews, or audit reporting. The terms overlap and the complete superset of product features around this challenge can seem overwhelming and difficult to comprehend. At STEALTHbits, we simplify things. We’ve developed quick-win solutions that get you from where you are today to the next step with a proven and pragmatic methodology.

Data Owners

One small example is how we’re able to identify owners of file shares and other resources. First, we have an algorithm that provides a list of probable owners based on a number of factors – who has rights, who is doing what, etc. The algorithm is adjustable to meet specific requirements, but we know that there isn’t an algorithm on earth that could determine ownership with 100% accuracy across large scale environments. So, we leverage the STEALTHAudit Platform survey modules to reach out to probable data owners to ask them if we’re right.

If we are, we provide a set of instructions on what we need them to do. If they’re not, we move on to the next probable owner to see if we can track down the right people. Each step of the way, we report on where things stand: which shares are high-risk, which have owners, which are still awaiting response, etc.

In large scale environments, there is no easy button. But there is experience and expertise. Experience counts. If you’re trying to figure out who owns your content, let’s chat and we’ll let you know what we’ve learned about this challenge as we’ve helped a number of the world’s largest organizations solve it.

Published in STEALTHbits Blog
Wednesday, 25 January 2012 20:25

Open File Shares: A Pragmatic Approach

A number of STEALTHbits’ customers have reported that their #1 audit challenge boils down to open file shares. Auditors are clearly concerned with access and while it’s difficult to understand access rights across millions of individual files, it’s immediately apparent when there are file shares that are open to anyone.

But, how do you approach a problem that spans across thousands of servers? Do you implement a monitoring solution for three months? Manually sift through each one? Well, you could do either of those things. And if you’re interested in activity monitoring, we’ve got the best solution on the market. But, I’d argue that the best way to deal with open shares is to move through a quick, pragmatic process that scopes resources, identifies high-risk, and automates cleanup without significant infrastructure or investment.

STEALTHbits has developed a step-by-step approach to closing down open file shares and has proven it out at a number of the world’s largest organizations. It’s simple to deploy, uses just a single server, can scan remotely, and it works. We’re able to provide real results in about one week. Give us 5 days, and we’ll have your arms comfortably around the problem and your mind at rest.
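The first step of the process above is scoping which shares are open to anyone. As an added example (not STEALTHbits' code), the script below walks a constructed list of file servers and flags shares whose share-level ACL grants access to broad principals; it assumes Windows Server 2012 or later targets reachable over WinRM.

```powershell
# Added example, not STEALTHbits code. Assumes Windows Server 2012 or later
# file servers reachable over WinRM, and a constructed server list; it flags
# shares whose share-level ACL grants access to "anyone"-class principals.
$Servers = @('fs01', 'fs02')    # constructed placeholder names

function Test-BroadPrincipal([string]$Account) {
    # Everyone, Authenticated Users, anonymous and all-domain-users groups.
    return ($Account -match '^(Everyone|NT AUTHORITY\\(Authenticated Users|ANONYMOUS LOGON)|BUILTIN\\Users)$' -or
            $Account -like '*\Domain Users')
}

function Find-OpenShares([string[]]$ComputerName) {
    foreach ($srv in $ComputerName) {
        try { $cim = New-CimSession -ComputerName $srv -ErrorAction Stop }
        catch { Write-Warning "$srv unreachable: $_"; continue }
        # Skip the administrative shares (C$, ADMIN$, IPC$); they are not "open".
        foreach ($share in (Get-SmbShare -CimSession $cim | Where-Object { -not $_.Special })) {
            Get-SmbShareAccess -CimSession $cim -Name $share.Name |
              Where-Object { $_.AccessControlType -eq 'Allow' -and (Test-BroadPrincipal $_.AccountName) } |
              ForEach-Object {
                # Read-only exposure is bad; write or full control is worse.
                $risk = if ("$($_.AccessRight)" -eq 'Read') { 'Medium' } else { 'High' }
                New-Object PSObject -Property @{
                    Server = $srv; Share = $share.Name; Path = $share.Path
                    Principal = $_.AccountName; Right = "$($_.AccessRight)"; Risk = $risk
                }
              }
        }
        Remove-CimSession $cim
    }
}

Find-OpenShares $Servers | Sort-Object Risk, Server, Share |
  Format-Table Risk, Server, Share, Path, Principal, Right -AutoSize
```

The share ACL is only the first gate: effective access is the intersection of share and NTFS permissions, so a flagged share whose folder ACL is tight is a lower-priority cleanup than one where NTFS is equally broad.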

Published in STEALTHbits Blog

Data & Access Governance for the Masses (of servers)

We’ve been building and perfecting our solution for data and access governance over the past few years and we’ve learned that two of the biggest considerations for data governance solutions are (1) Scalability and (2) Coverage.

Scalability

Scalability is critical. Any solution that attempts to scan a server will take some amount of time depending on how big the server is and how deep the scan goes. We can’t control the number of servers or the fact that scanners take time to work. A few things we CAN control are the architecture of the solution and the flexibility of the approach. For example, the STEALTHbits solution is multi-threaded. So, we can scan 1, 10, 50, or 10,000 servers concurrently depending on the precise need. We can also scan a batch of 500 servers in a single job or maybe expand that job to 5000 servers. Obviously, scanning 5000 servers takes considerably more time than 500, but there may be a valid business justification to get it all done at once.

Our customers report that they feel most successful when they can break jobs into chunks and review results along the way. 250 - 500 servers at a time seems like a sweet spot for many. One customer had an immediate need and we scanned close to 20,000 servers for a specific requirement in about 10 minutes. That’s the power of a multi-threaded approach and a flexible architecture. And in some cases, for global scalability, we might recommend deploying regional instances of the StealthAUDIT console that could manage data collection jobs locally and then deliver that information to a central reporting console.

The key to all of the above was our decision to design technology that will scale and enable flexibility in implementation so that decisions can be made that meet any requirements that come up, whether it be to finish quickly, handle large numbers, or just to keep things simple. It’s not a one-size-fits-all approach.

Coverage

The second consideration is coverage. If you care about “Who has access to what?” you should care about it wherever the data lives. The StealthAUDIT Management Platform can report on access to many areas where unstructured data may live, including file systems, SharePoint sites, and Exchange Mailboxes and Public Folders. And, by the way, even though various applications may control access to data in databases (structured data) and that seems secure, DBA access to SQL Server is one of the most common insider threat scenarios. And that should be on your mind as well. Of course, we can help with that too.

We’d love an opportunity to discuss how the largest companies in the world are deploying STEALTHbits’ solution for Data & Access Governance. Let us know if you’d like to hear more.

Published in STEALTHbits Blog
Tuesday, 31 May 2011 21:15

SharePoint Management Self-Service

Managing user access within SharePoint is a chore, but reducing permissions sprawl (way too many people having access) and keeping access organized and up-to-date is critical if you want to really understand what SharePoint resources are being used, and who is using them.

Unfortunately, due to a variety of reasons, SharePoint is often out-of-date when it comes to permissions.

Factors like:

1. Lots of users with management permissions having the rights to change permissions and assign permissions to other users

2. No native reporting tools within SharePoint that allow admins to detect effective rights to head off problems

both contribute to the SharePoint "zoo."

At the very least, admins need a tool that allows them to baseline permissions, certify ownership, evaluate effective rights, and take immediate action to fix security holes. But wouldn't it be nice if SharePoint admins / users had a "self-service" model for SharePoint clean-up?

SMP for SharePoint, STEALTHbits' solution, features a comprehensive, 4-step workflow to do just that:

1. We baseline the permissions.

2. We identify the probable owners of sites.

3. We talk to the probable owners to get answers to permissions questions.

4. We analyze the results and recommend next steps based on them.

And it's all done from within a single tool.

If you want to learn more about the SharePoint governance challenge, as well as our Self-Service features, check out our STEALTHsession on SharePoint Self-Service. (Please note - you must be logged in to view extended videos).

Published in STEALTHbits Blog
Tuesday, 15 February 2011 10:50

The Exchange Mailbox Mess

Permissions get messy over time. Whether it's in Exchange, SharePoint, the File System, Active Directory, or elsewhere, people will enter and leave the organization, change roles, and require different levels of access as time goes on. Exchange mailbox permissions offer a particular challenge because of multiple layers of access: permissions associated to mailboxes, delegate rights assigned, and even mailbox rights in Active Directory on the user's account.

Multiple problems can result: Default and Anonymous access can be set incorrectly, default settings could have been changed, Stale and Zombie SIDs could be applied, or disabled accounts in AD could have been given access. Compounding the problem, effective rights are difficult to discern because of the various 'gates' that a person can use to get access.

Largely, the problem stems from the sheer amount of data, exacerbated by time and natural changes in personnel. It's that same vast number of settings that makes it difficult to solve the problem in an environment; imagine finding an access issue that exists in 500 users' accounts. Changing them one at a time could take days, and requires the use of precious IT resources.

A complete solution offers the option of making changes in bulk, in accord with data that exactly identifies an issue or anomaly. To learn more about Mailbox Management challenges, and see what STEALTHbits' SMP for Exchange can do to help, check out this video of our Mailbox Action Module STEALTHsession.
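The layered access described above (mailbox permissions, delegate rights, and rights on the AD account) is why effective rights are hard to see. As an added example (not STEALTHbits' code), the script below checks each layer of every mailbox for the anomalies named in this post: orphaned SIDs, disabled AD accounts with access, and Default/Anonymous calendar rights beyond free/busy. It assumes the on-premises Exchange Management Shell (2010 or later), the ActiveDirectory module, and English folder names.

```powershell
# Added example, not STEALTHbits code. Runs in the on-premises Exchange
# Management Shell (2010 or later) with the ActiveDirectory module loaded and
# assumes English folder names; it lists the anomalies named above across
# the three access layers of every mailbox.
Import-Module ActiveDirectory

function Test-OrphanedSid([string]$Principal) {
    # A deleted principal no longer resolves and is shown as a raw SID.
    return $Principal -match '^S-1-5-21(-\d+)+$'
}

function Test-DisabledAccount([string]$Principal) {
    if ($Principal -notmatch '\\') { return $false }   # SIDs, well-known names
    try { return -not (Get-ADUser -Identity $Principal.Split('\')[-1]).Enabled }
    catch { return $false }                            # groups and built-ins
}

function New-Finding($Mailbox, $Layer, $User, $Issue) {
    New-Object PSObject -Property @{ Mailbox = $Mailbox; Layer = $Layer; User = $User; Issue = $Issue }
}

function Test-Principal($Mailbox, $Layer, [string]$User) {
    if (Test-OrphanedSid $User)         { New-Finding $Mailbox $Layer $User 'Orphaned SID' }
    elseif (Test-DisabledAccount $User) { New-Finding $Mailbox $Layer $User 'Disabled account' }
}

$findings = foreach ($mbx in Get-Mailbox -ResultSize Unlimited) {
    # Layer 1: explicit mailbox rights such as FullAccess.
    Get-MailboxPermission -Identity $mbx.Identity |
      Where-Object { -not $_.IsInherited -and -not $_.Deny } |
      ForEach-Object { Test-Principal $mbx.Alias 'MailboxPermission' $_.User }
    # Layer 2: delegate (Send on Behalf) entries stored on the mailbox object.
    foreach ($d in $mbx.GrantSendOnBehalfTo) {
        try { if (-not (Get-ADUser -Identity $d.DistinguishedName).Enabled) {
                New-Finding $mbx.Alias 'SendOnBehalf' $d.Name 'Disabled account' } }
        catch { New-Finding $mbx.Alias 'SendOnBehalf' $d.Name 'Unresolvable delegate' }
    }
    # Layer 3: Active Directory rights (Send-As) on the user account itself.
    Get-ADPermission -Identity $mbx.DistinguishedName |
      Where-Object { $_.ExtendedRights -like '*Send-As*' -and -not $_.IsInherited -and -not $_.Deny } |
      ForEach-Object { Test-Principal $mbx.Alias 'AD Send-As' $_.User }
    # Default/Anonymous: anything beyond free/busy on the Calendar is a finding.
    Get-MailboxFolderPermission -Identity "$($mbx.Alias):\Calendar" -ErrorAction SilentlyContinue |
      Where-Object { @('Default','Anonymous') -contains [string]$_.User -and
                     "$($_.AccessRights)" -notmatch '^(None|AvailabilityOnly|LimitedDetails)$' } |
      ForEach-Object { New-Finding $mbx.Alias 'Calendar folder' ([string]$_.User) "$($_.AccessRights)" }
}
$findings | Sort-Object Mailbox, Layer | Format-Table Mailbox, Layer, User, Issue -AutoSize
```

Export the table instead of formatting it when the goal is the bulk fix the post describes: each row identifies the mailbox, the layer, and the principal to act on.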

Published in STEALTHbits Blog