
Ten Top Tips to Ensure Your Security: part 2

30 Aug 2012 12:00 AM | Anonymous

David Gibson, VP of strategy, Varonis, continues to describe how 10 simple steps can be employed to prevent data from being misused or stolen, in part 2 of this security guidance.

5. Identify Data Owners

Once you’ve done these general ‘housekeeping’ tasks, it is time to look at individual datasets to figure out who is qualified to make access decisions, and designate a data owner. The appropriate owner (or custodian) will often be one of the active users of that data, or their immediate supervisor. Automation can significantly reduce the time it takes to identify data owners, by analyzing access activity over time and indicating who the likely owners are. Ideally, only the data owner should decide who is allowed to access their data, and IT should act only as a facilitator. As an added bonus, the data owners are often well qualified to review stale data that can be archived to free up storage space (and auditing access activity makes stale data much easier to identify).

6. Perform Entitlement Reviews

Regular entitlement reviews, or attestations, provide an effective way to make sure that data access permissions are always buttoned up. As the organization changes and new data sets are created, it is imperative to review who has access to ensure that permissions are always aligned to business needs. Data owners should be a part of this process, as they are the best qualified to determine which users no longer need (or should no longer have) access to their data. Again, with the right technologies, the time-consuming manual parts of the entitlement review process can be automated: data owners can be automatically prompted to conduct reviews at pre-defined intervals, and provided with recommendations about which users look like they no longer require access to their data.
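The analysis described in tips 5 and 6 can be sketched in a few lines of Python. This is an added example, not code from the article or from any vendor product: it ranks candidate owners by access activity, lists access holders a review should question, and flags stale folders. The event format, the permission snapshot, the write/read weights and the idle thresholds are all assumptions, and the sample data is constructed.

```python
from collections import Counter, defaultdict
from datetime import date

# Constructed sample audit events: (date, user, folder, action).
EVENTS = [
    (date(2012, 8, 1), "alice", "/finance/budget", "write"),
    (date(2012, 8, 3), "alice", "/finance/budget", "write"),
    (date(2012, 8, 7), "bob", "/finance/budget", "read"),
    (date(2012, 2, 10), "carol", "/finance/budget", "read"),
    (date(2011, 11, 5), "dave", "/hr/archive-2009", "read"),
]
# Constructed permission snapshot: folder -> users who currently have access.
ACL = {
    "/finance/budget": {"alice", "bob", "carol", "erin"},
    "/hr/archive-2009": {"dave", "erin"},
}
WEIGHT = {"write": 3, "read": 1}  # assumed scoring: modifying data hints at ownership


def likely_owner(events):
    """Score users per folder by weighted activity; the top scorer is the candidate owner."""
    scores = defaultdict(Counter)
    for _, user, folder, action in events:
        scores[folder][user] += WEIGHT.get(action, 0)
    return {folder: c.most_common(1)[0][0] for folder, c in scores.items()}


def review_recommendations(events, acl, today, idle_days=90):
    """Per folder, users who hold access but have not used it within idle_days."""
    last_seen = {}
    for day, user, folder, _ in events:
        key = (folder, user)
        last_seen[key] = max(day, last_seen.get(key, day))
    recs = {}
    for folder, users in acl.items():
        idle = sorted(u for u in users
                      if (today - last_seen.get((folder, u), date.min)).days > idle_days)
        recs[folder] = idle
    return recs


def stale_folders(events, acl, today, idle_days=180):
    """Folders nobody has touched within idle_days: candidates for archiving."""
    newest = {f: date.min for f in acl}
    for day, _, folder, _ in events:
        newest[folder] = max(day, newest.get(folder, date.min))
    return sorted(f for f, d in newest.items() if (today - d).days > idle_days)
```

The output is a set of suggestions for the data owner to confirm or reject; a user who never appears in the log (here "erin") is reported as idle, which is the case a manual review most often misses.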

7. Align Security Groups with Data

In organizations where access to data is controlled by security groups, it’s critical that the groups themselves are properly aligned with the data sets they’re meant to protect. Often this is easier said than done – roles change, groups are created for special circumstances but not reviewed, and pretty soon the whole system is a mess. Cleaning this up requires complete visibility into which data sets can be accessed by which groups. Automation is best suited to provide this visibility, and to programmatically create new groups and re-permission the data sets if necessary.
