Keeping the Wolves at Bay
The old biblical adage to “beware of the wolf in sheep’s clothing” in many cases applies to system administrators. Unfortunately, their mission sometimes conflicts with that of the security department. They must provide computing resources to users, and they want to do it as quickly as possible. Business matters! So when a user asks for access to data (all of it legitimate), they do their best to help. Unfortunately, that sometimes means putting individual user permissions directly on folders, adding the Everyone group because they can’t figure out the correct permissions, or putting a folder containing sensitive data in a location that is already open to many people.
Now that you have remediated a whole slew of folders with Varonis DatAdvantage, how do you protect your glorious handiwork? There are a number of things you can do. Here are the steps we would take.
1) Document your new standards and train the system administrators. Working with the standard Windows tools is like exploring a cave with a flashlight: possible, but difficult. Teach them how to view permissions in DatAdvantage instead.
2) Put detective controls (reports) in place to identify changes that violate the new standards.
3) Use an automated provisioning solution for the security groups you have applied to the folders, so that access requests are fulfilled by changing group membership rather than by editing folder ACLs. Varonis has DataPrivilege, and there are other Identity and Access Management solutions such as SailPoint and RSA Identity and Access Management.
Here are some of the reports that we use to maintain the new permissions structure:
- Monitored Share – Global groups in Use (4b)
This lists every folder where a global group (such as Everyone) is applied. It should be blank.
- Monitored Share – Individual Permissions (12d)
This lists every folder where an individual user account is applied directly, rather than through a group. It should be blank.
- Monitored Share – Folder Changes (1a)
This lists any permission changes or new folders created at the top level of the monitored share.
I know that you can run some of these reports across the entire environment, such as the check for global groups, but we set them up as separate subscriptions for the most important shares and don’t deliver them when they are empty. That way you can send them to the system administrators as well as to the security team. If they see policy violations, we want to encourage them to fix them without anyone having to ask. After all, these wolves are on your side.
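For a share that DatAdvantage does not cover, or as a cross-check, the three reports above can be approximated with built-in PowerShell. The script below is an added example, not Varonis code and not a DatAdvantage report: it walks a share, flags explicit ACEs granted to the "global" groups you name and to individual user accounts, lists newly created top-level folders, and writes a CSV only when there is something to fix, mirroring the "don't deliver if empty" subscriptions. The share path, the group list, the domain name CONTOSO and the output path are placeholders to edit; user-versus-group classification is done with an Active Directory lookup, so it assumes domain connectivity, and anything it cannot resolve is left for a human rather than guessed.

```powershell
<#
  Added example (not Varonis code): a home-grown detective control for the
  "Global groups in Use", "Individual Permissions" and "Folder Changes" checks.
  Assumptions: $SharePath, $GlobalGroups, 'CONTOSO' and $ReportPath are
  placeholders; AD is reachable for the [adsisearcher] lookups.
#>
param(
    [string]   $SharePath     = '\\fileserver\Finance',             # assumed share
    [string[]] $GlobalGroups  = @('Everyone',
                                  'NT AUTHORITY\Authenticated Users',
                                  'BUILTIN\Users',
                                  'CONTOSO\Domain Users'),          # assumed domain; edit to taste
    [string]   $ReportPath    = "$env:TEMP\permission-violations.csv",
    [int]      $NewFolderDays = 1                                   # window for the "1a" style check
)

# Cache AD lookups: the same identity shows up on many folders.
$script:identityKind = @{}

function Get-IdentityKind {
    # Returns 'User', 'Group' or 'Unknown' for an ACE identity such as 'CONTOSO\jsmith'.
    # Well-known and built-in principals are never individual users.
    param([string] $Identity)
    if ($script:identityKind.ContainsKey($Identity)) { return $script:identityKind[$Identity] }
    $kind = 'Unknown'
    if ($Identity -eq 'Everyone' -or $Identity -eq 'CREATOR OWNER' -or
        $Identity -match '^(NT AUTHORITY|BUILTIN|NT SERVICE|APPLICATION PACKAGE AUTHORITY)\\') {
        $kind = 'Group'
    } elseif ($Identity -match '^[^\\]+\\(?<sam>.+)$') {
        # sAMAccountName may contain parentheses; escape them for the LDAP filter.
        $sam = $Matches['sam'] -replace '\(', '\28' -replace '\)', '\29'
        try {
            $user = [adsisearcher] "(&(sAMAccountName=$sam)(objectCategory=person)(objectClass=user))"
            if ($user.FindOne()) {
                $kind = 'User'
            } else {
                $group = [adsisearcher] "(&(sAMAccountName=$sam)(objectClass=group))"
                if ($group.FindOne()) { $kind = 'Group' }
            }
        } catch { $kind = 'Unknown' }   # no domain reachable or local account: leave for review
    }
    $script:identityKind[$Identity] = $kind
    return $kind
}

# Walk the share root and every sub-folder. The root is included deliberately:
# the worst mistakes (Everyone on the top level) happen there.
$folders = @(Get-Item -LiteralPath $SharePath) +
           @(Get-ChildItem -LiteralPath $SharePath -Directory -Recurse -ErrorAction SilentlyContinue)

$violations = foreach ($folder in $folders) {
    try { $acl = Get-Acl -LiteralPath $folder.FullName } catch { continue }   # access denied: skip
    # Only explicit ACEs: an inherited ACE is already reported on the folder that set it.
    foreach ($ace in ($acl.Access | Where-Object { -not $_.IsInherited })) {
        $id = $ace.IdentityReference.Value
        $violation = if ($GlobalGroups -contains $id) { 'GlobalGroup (4b)' }
                     elseif ((Get-IdentityKind $id) -eq 'User') { 'IndividualUser (12d)' }
        if ($violation) {
            [pscustomobject]@{
                Folder    = $folder.FullName
                Identity  = $id
                Rights    = $ace.FileSystemRights
                Type      = $ace.AccessControlType
                Violation = $violation
            }
        }
    }
}

# "Folder Changes (1a)" equivalent: folders created at the top level within the window.
$newTopLevel = Get-ChildItem -LiteralPath $SharePath -Directory -ErrorAction SilentlyContinue |
    Where-Object { $_.CreationTime -gt (Get-Date).AddDays(-$NewFolderDays) } |
    ForEach-Object {
        [pscustomobject]@{ Folder = $_.FullName; Identity = ''; Rights = ''; Type = ''
                           Violation = 'NewTopLevelFolder (1a)' }
    }

$findings = @($violations) + @($newTopLevel)

# Deliver only when there is something to fix, as the subscriptions above do.
if ($findings.Count -eq 0) {
    Write-Host "No violations under $SharePath; nothing to send."
    exit 0
}
$findings | Sort-Object Violation, Folder | Export-Csv -LiteralPath $ReportPath -NoTypeInformation
Write-Host "$($findings.Count) finding(s) written to $ReportPath"
# Hand $ReportPath to your mail or ticketing step here; a non-zero exit makes a scheduler notice.
exit 1
```

Run it from a scheduled task under an account with read access to the share's ACLs, one task per important share, and send the CSV to both the administrators and the security team. The script reports only explicit ACEs so that one mistake appears once, at the folder where it was made; it does not detect permission changes on existing top-level folders, which needs a saved baseline or audit log to compare against.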
Good luck keeping the wolves at bay.