
Ten Things IT Should Be Doing to Manage Unstructured Data – But Isn’t

‘To do’ list reduces the risk of unstructured data loss

When it comes to protecting unstructured data, such as spreadsheets, documents, images and other data on file servers, most organizations acknowledge that their existing processes and risk profiles are less than ideal. Unfortunately, IT personnel, rather than data owners, are typically the ones making many of the decisions about permissions, acceptable use, and access review. And because IT personnel aren't equipped with adequate business context around the growing volumes of unstructured data, they can only make a best-effort guess as to how to manage and protect each data set.

Until organizations shift the decision-making responsibility to business data owners, IT carries the burden of enforcing rules for who can access what on shared file systems, and of keeping those structures current through data growth and user role changes. IT needs to determine who can access unstructured data, who should be accessing it and who actually is, and which data is likely to be sensitive.

To help streamline this process, here are 10 must-do actions for IT teams to carry out as part of a daily data management routine to maximize unstructured data protection:

1. Identify data owners
IT should keep a current list of business data owners and the folders and SharePoint sites that are their responsibility. With this list at the ready, IT can expedite several of the other tasks on this list, including verifying permission revocations and reviews, and identifying data for archival. The net effect is a marked increase in the accuracy of data entitlement permissions and, therefore, in data protection.

2. Remove global group entries such as 'Everyone' from access control lists (ACLs)
It is not uncommon for folders on file shares to have access control permissions allowing 'Everyone', or all 'Domain Users' (nearly everyone), to access the data they contain. This creates a significant security risk, because any data placed in such a folder inherits those exposed permissions, and those who place data in these wide-open folders may not be aware of the lax access settings. Global access to folders should be removed and replaced with entries that grant access only to the explicit groups that need it.

3. Perform data entitlement (ACL) reviews
Every file and folder on a Windows or Unix file system has access controls assigned to it that determine which users can access the data and how, i.e., read, write, execute, and list. These controls need to be reviewed on a regular basis and the settings documented so that they can be verified as accurate by data business owners and security policy auditors.

4. Revoke unused and unwarranted permissions
Users with access to data that is not material to their jobs constitute a security risk for organizations. Most users only need access to a small fraction of the data that resides on file servers. It is important to review and then remove or revoke permissions that are unused.
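Items 2 to 4 can be driven from three inputs IT usually already has: the folder ACLs, the directory group membership, and a file-access audit trail. The following Python is an added example, not code from the article or from Varonis. It runs on constructed in-memory data (the share names, the DOMAIN\ principals, the users and the log records are all made up) rather than querying a real file server or directory, and it shows the three checks in turn: flagging ACL entries that grant access to a global principal, expanding group entries into the per-user entitlement sheet a data owner can sign off, and listing permissions that nobody has exercised within a 90-day window.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Principals that grant access to (nearly) everyone. The names follow the
# usual Windows default groups; the DOMAIN prefix is an assumed placeholder.
GLOBAL_PRINCIPALS = {"Everyone", "DOMAIN\\Domain Users", "DOMAIN\\Authenticated Users"}

# Constructed sample ACLs: share -> list of (principal, rights).
ACLS = {
    "\\\\fs01\\finance": [("DOMAIN\\Finance-RW", {"read", "write"}),
                          ("DOMAIN\\Domain Users", {"read"})],
    "\\\\fs01\\hr": [("DOMAIN\\HR-RW", {"read", "write"}),
                     ("Everyone", {"read", "write"})],
    "\\\\fs01\\eng": [("DOMAIN\\Eng-RO", {"read"}),
                      ("DOMAIN\\frank", {"read", "write"})],   # a user listed directly
}

# Constructed group membership: group -> set of user accounts.
GROUP_MEMBERS = {
    "DOMAIN\\Finance-RW": {"DOMAIN\\alice", "DOMAIN\\bob"},
    "DOMAIN\\HR-RW": {"DOMAIN\\carol"},
    "DOMAIN\\Eng-RO": {"DOMAIN\\dave", "DOMAIN\\erin"},
}

NOW = datetime(2024, 1, 31)  # fixed "today" so the example is reproducible

# Constructed file-access audit records: (timestamp, user, share, operation).
ACCESS_LOG = [
    (NOW - timedelta(days=3),   "DOMAIN\\alice", "\\\\fs01\\finance", "read"),
    (NOW - timedelta(days=120), "DOMAIN\\bob",   "\\\\fs01\\finance", "read"),
    (NOW - timedelta(days=1),   "DOMAIN\\carol", "\\\\fs01\\hr",      "write"),
    (NOW - timedelta(days=10),  "DOMAIN\\dave",  "\\\\fs01\\eng",     "read"),
    (NOW - timedelta(days=5),   "DOMAIN\\frank", "\\\\fs01\\eng",     "write"),
]


def find_global_aces(acls):
    """Item 2: every ACL entry that hands the folder to a global principal."""
    return [(share, principal, sorted(rights))
            for share, aces in acls.items()
            for principal, rights in aces
            if principal in GLOBAL_PRINCIPALS]


def effective_access(acls, group_members):
    """Item 3: expand group entries so the review sheet lists real users.

    Returns share -> {user: rights}. Global principals are left out here
    because they are reported (and should be removed) separately.
    """
    result = {}
    for share, aces in acls.items():
        users = defaultdict(set)
        for principal, rights in aces:
            if principal in GLOBAL_PRINCIPALS:
                continue
            # An unknown principal is treated as a user listed directly on the ACL.
            for user in group_members.get(principal, {principal}):
                users[user] |= rights
        result[share] = dict(users)
    return result


def unused_permissions(acls, group_members, access_log, now, window_days=90):
    """Item 4: users who hold access but have not exercised it within the window."""
    cutoff = now - timedelta(days=window_days)
    used = {(user, share) for ts, user, share, _ in access_log if ts >= cutoff}
    findings = []
    for share, users in effective_access(acls, group_members).items():
        for user, rights in sorted(users.items()):
            if (user, share) not in used:
                findings.append((share, user, sorted(rights)))
    return findings


def review_sheet(acls, group_members, access_log, now):
    """Plain-text entitlement review for the data owner to confirm or reject."""
    lines = []
    for share, principal, rights in find_global_aces(acls):
        lines.append(f"REMOVE  {share}: {principal} has {','.join(rights)}")
    for share, user, rights in unused_permissions(acls, group_members, access_log, now):
        lines.append(f"REVOKE? {share}: {user} has {','.join(rights)} but no access in 90 days")
    return lines


if __name__ == "__main__":
    print("\n".join(review_sheet(ACLS, GROUP_MEMBERS, ACCESS_LOG, NOW)))
```

The "REVOKE?" lines are deliberately phrased as questions: an unused permission is a candidate for revocation that the data owner from item 1 confirms, not something IT removes on sight, since a quarterly process or a user on leave also produces 90 days of silence.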

5. Audit permissions changes
Access Control Lists are the fundamental preventive control mechanism that's in place to protect data from loss, tampering, and exposure. IT requires the ability to capture and report on access control changes to data, especially for highly sensitive folders. If access is incorrectly assigned or changed to a more permissive state without a good business reason, IT and the data business owner must be alerted quickly and be able to remediate the situation.

6. Audit group membership changes
Directory groups (Active Directory, LDAP, NIS, etc.) are the primary entities on access control lists, with membership granting access to unstructured data as well as to many applications, VPN gateways, and so on. Users are added to existing and newly created groups on a daily basis. Without an audit trail of who is being added to and removed from these groups, enforcing access control processes is impossible. Ideally, group membership should be authorized and reviewed by the owner of the data or resource to which the group provides access.
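Items 5 and 6 both reduce to comparing two snapshots and routing what changed to the person who can judge it. The Python below is an added example, not the article's or Varonis' code: it diffs a constructed before/after pair of ACL snapshots and group-membership snapshots (share names, groups, users and the owner register are all made up), rates a widened ACL as "high" when the new entry is a global principal, and queues each alert for the data owner from item 1, falling back to IT for shares with no registered owner. A membership change is tied back to data by looking up which shares list the group on their ACL.

```python
from collections import defaultdict

GLOBAL_PRINCIPALS = {"Everyone", "DOMAIN\\Domain Users", "DOMAIN\\Authenticated Users"}

# Constructed data-owner register (item 1): share -> business owner.
OWNERS = {"\\\\fs01\\finance": "cfo-office", "\\\\fs01\\hr": "hr-director"}

# Two constructed ACL snapshots: share -> {principal: rights}.
ACLS_BEFORE = {
    "\\\\fs01\\finance": {"DOMAIN\\Finance-RW": {"read", "write"}},
    "\\\\fs01\\hr": {"DOMAIN\\HR-RW": {"read", "write"}, "DOMAIN\\HR-RO": {"read"}},
}
ACLS_AFTER = {
    "\\\\fs01\\finance": {"DOMAIN\\Finance-RW": {"read", "write"},
                          "DOMAIN\\Domain Users": {"read"}},        # opened to nearly everyone
    "\\\\fs01\\hr": {"DOMAIN\\HR-RW": {"read", "write", "full"}},   # HR-RO gone, HR-RW widened
}

# Two constructed group-membership snapshots: group -> set of members.
GROUPS_BEFORE = {"DOMAIN\\Finance-RW": {"DOMAIN\\alice"}, "DOMAIN\\HR-RW": {"DOMAIN\\carol"}}
GROUPS_AFTER = {"DOMAIN\\Finance-RW": {"DOMAIN\\alice", "DOMAIN\\mallory"},
                "DOMAIN\\HR-RW": set()}


def diff_acls(before, after):
    """Item 5: (severity, share, principal, detail) for every ACL change."""
    alerts = []
    for share in sorted(set(before) | set(after)):
        old, new = before.get(share, {}), after.get(share, {})
        for principal, rights in sorted(new.items()):
            added = rights - old.get(principal, set())
            revoked = old.get(principal, set()) - rights
            if added:
                sev = "high" if principal in GLOBAL_PRINCIPALS else "medium"
                alerts.append((sev, share, principal, "granted " + ",".join(sorted(added))))
            if revoked:
                alerts.append(("info", share, principal, "revoked " + ",".join(sorted(revoked))))
        for principal in sorted(set(old) - set(new)):
            alerts.append(("info", share, principal, "removed"))
    return alerts


def diff_groups(before, after):
    """Item 6: (group, user, 'added' | 'removed') for every membership change."""
    events = []
    for group in sorted(set(before) | set(after)):
        old, new = before.get(group, set()), after.get(group, set())
        events += [(group, user, "added") for user in sorted(new - old)]
        events += [(group, user, "removed") for user in sorted(old - new)]
    return events


def shares_granted_by(group, acls):
    """Shares whose ACL lists the group, so a membership change can be tied to data."""
    return sorted(share for share, aces in acls.items() if group in aces)


def route(acl_alerts, group_events, acls, owners):
    """Queue each finding for the share's registered owner; unowned shares go to IT."""
    queue = defaultdict(list)
    for sev, share, principal, detail in acl_alerts:
        queue[owners.get(share, "IT")].append(f"[{sev}] {share}: {principal} {detail}")
    for group, user, what in group_events:
        phrase = "added to" if what == "added" else "removed from"
        for share in shares_granted_by(group, acls):
            queue[owners.get(share, "IT")].append(f"[medium] {share}: {user} {phrase} {group}")
    return dict(queue)


if __name__ == "__main__":
    for owner, items in route(diff_acls(ACLS_BEFORE, ACLS_AFTER),
                              diff_groups(GROUPS_BEFORE, GROUPS_AFTER),
                              ACLS_AFTER, OWNERS).items():
        print(owner, *items, sep="\n  ")
```

Snapshot diffing is the minimum; a real deployment would take the change events from the file server's object access auditing and the directory's change log so that the "who changed it and when" is recorded as well, which two snapshots alone cannot tell you.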

7. Audit data access
Effective management of any data set is impossible without an access record. Unless you can reliably observe data use you cannot observe its misuse, abuse, or non-use. Even if IT could ask its organization's users if they used each data set, the end users would not be able to answer accurately - the scope of a typical user's access activity is far beyond what humans can recall. Without a record of data usage, you cannot determine the proper organizational owner for a data set, and neither the unfound owner nor IT can make informed decisions about protecting it, archiving it, or deleting it.

8. Prioritize data
While all data should be protected, some data needs to be protected much more urgently than others. Using data owners, data access patterns, and data classification technology, data that is considered sensitive, confidential, or internal should be tagged accordingly, and protected and reviewed frequently.

9. Align security groups to data
Whenever someone is placed in a group, they get file system access to every folder whose ACL lists that group. Unfortunately, organizations have completely lost track of which Active Directory, LDAP, SharePoint or NIS groups grant access to which data folders. This uncertainty undermines any access control review project, and any role-based access control (RBAC) initiative. In role-based access control methodology, each role has a list of associated groups into which the user is placed when they are assigned that role. It is impossible to align the role with the right data if the organization cannot verify what data a group provides access to.
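The alignment in item 9 is an inverted index from group to folders, and it is only accurate if group nesting is followed: a member of a group that is itself a member of a group on the ACL has access too. The Python below is an added example, not code from the article or from Varonis. Its shares, groups, nesting and role definitions are constructed; it walks the nesting transitively to answer "which data does this group (or this role) reach", and as a by-product lists groups that sit on an ACL but are reachable from no role, which are the ones an RBAC review should start with.

```python
# Constructed ACLs: share -> set of groups listed on the ACL.
ACL_GROUPS = {
    "\\\\fs01\\eng": {"DOMAIN\\Eng-RO"},
    "\\\\fs01\\eng\\release": {"DOMAIN\\Eng-RW"},
    "\\\\fs01\\finance": {"DOMAIN\\Finance-RW"},
    "\\\\fs01\\legacy": {"DOMAIN\\OldProject"},
}

# Constructed nesting: group -> set of groups it is itself a member of.
MEMBER_OF = {
    "DOMAIN\\Eng-Leads": {"DOMAIN\\Eng-RW"},
    "DOMAIN\\Eng-RW": {"DOMAIN\\Eng-RO"},
}

# Constructed role definitions: role -> groups a user is placed in for that role.
ROLES = {
    "engineer": {"DOMAIN\\Eng-RO"},
    "eng-lead": {"DOMAIN\\Eng-Leads"},
    "accountant": {"DOMAIN\\Finance-RW"},
}


def parent_closure(group, member_of):
    """The group plus every group it belongs to, directly or through nesting."""
    seen, stack = set(), [group]
    while stack:
        current = stack.pop()
        if current in seen:
            continue
        seen.add(current)
        stack.extend(member_of.get(current, ()))
    return seen


def shares_for_group(group, acl_groups, member_of):
    """Every share the group reaches, including via its parent groups."""
    granting = parent_closure(group, member_of)
    return sorted(share for share, groups in acl_groups.items() if groups & granting)


def group_index(acl_groups, member_of):
    """The inverted index item 9 asks for: group -> shares it provides access to."""
    groups = (set(member_of)
              | {g for parents in member_of.values() for g in parents}
              | {g for gs in acl_groups.values() for g in gs})
    return {g: shares_for_group(g, acl_groups, member_of) for g in sorted(groups)}


def shares_for_role(role, roles, acl_groups, member_of):
    """Data reachable by a role: the union over the role's groups."""
    reached = set()
    for group in roles[role]:
        reached.update(shares_for_group(group, acl_groups, member_of))
    return sorted(reached)


def orphan_groups(acl_groups, member_of, roles):
    """Groups on an ACL that no role places a user into: first candidates for review."""
    reachable = set()
    for groups in roles.values():
        for group in groups:
            reachable |= parent_closure(group, member_of)
    on_acls = {g for gs in acl_groups.values() for g in gs}
    return sorted(on_acls - reachable)


if __name__ == "__main__":
    for group, shares in group_index(ACL_GROUPS, MEMBER_OF).items():
        print(group, "->", shares)
    print("orphans:", orphan_groups(ACL_GROUPS, MEMBER_OF, ROLES))
```

The same walk, run in the other direction from a user's direct group memberships, gives the per-user entitlement that a data owner needs to see in an access review; the nesting is what makes a role granting "one group" quietly reach three shares here.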

10. Lock down, delete, or archive stale, unused data
Not all of the data contained on shared file servers and network attached storage devices is in active use. By archiving stale or unused data to offline storage, or deleting it, IT makes the job of managing the remainder simpler and easier, while freeing up expensive resources.

The principle of least privilege is a well-accepted guideline for managing access controls: only those who have an organizational need to access information should be able to do so. However, for most organizations, a least-privilege model is not feasible, because data is generated far too quickly and personnel change rapidly. Even in small organizations, the growing data set and the pace of organizational change exceed the IT department's ability to keep up with access control lists and group memberships. By automating the 10 management tasks outlined above and conducting them frequently, organizations will gain the visibility and auditing required to determine who can access the unstructured data, who is accessing it and who should have access. This detailed record of data access behavior will benefit organizations in a plethora of ways, most significantly securing their data, ensuring compliance demands are met, and freeing up expensive storage resources.

About the author: Wendy Yale

Wendy Yale leads marketing and brand development for Varonis' global growth efforts. She is a veteran brand strategist with 16 years of marketing experience. Prior to Varonis, Wendy successfully managed the global integrated marketing communications team at Symantec. She joined Symantec from VERITAS, where she led the interactive media marketing team. Beginning her career as a freelance producer and writer, she has developed projects for organizations such as the University of Hawaii at Manoa, Film and Video Magazine, Aloha Airlines, the International Teleproduction Society and Unitel Video. Wendy has held senior posts at DMEC and ReplayTV, and holds a B.A. degree in Geography from Cal State Northridge.
