
The Problems of Permissive Data Access

Thursday 21 September 2017

Matt Lock – Director of Sales Engineers, at Varonis

Despite heightened awareness of cyber threats, and more budget than ever devoted to cyber security, data breaches are occurring all too frequently. The steady stream of reports of wide-scale attacks and massive losses of customer records gives credence to the theory that data breaches are inevitable in our digital age.

It’s clear from these incidents that instead of repeating the same defensive tactics – focussing on chasing down threats, or building the walls of their perimeter defences ever higher – organisations need to apply a new approach in order to thwart these attacks. This must start with controls around the data itself.

The fact is that, in many incidents involving the loss or theft of data, the breach might have been avoided had basic data protections been in place. With penalties for data breaches set to get much tougher next year with the introduction of the EU General Data Protection Regulation (GDPR), it has never been more important for organisations to get a handle on the data protection essentials: understanding where their sensitive information assets are located, and enforcing the appropriate policies and security measures to control who is accessing them.

Permission Creep

Data volumes are growing exponentially; organisations are generating, saving and sending unstructured data at an unprecedented rate. Balancing security protections around this data against commercial objectives and convenience often means that access to it is over-subscribed.

From our own research, we know that a significant proportion of users have access to more data than they need to do their jobs. This research found that, on average, 20% of all folders in an organisation were open to every employee.

One of the reasons for this is that IT departments simply can’t keep pace with the rate of change taking place, which means that access permissions can be set too broadly. Access controls can fail to account for changes to workers’ current roles, or for acquisitions, mergers or other organisational re-structuring.

This ‘permission creep’ creates security risks.

An Open Door to Data

Setting access controls too broadly leaves the door open for cyber attackers. It means that organisations are more susceptible to threats such as insider attacks and the spread of ransomware.

If we consider the main goal for most cyber attackers – either the opportunistic hacker or those criminals behind more sophisticated, advanced persistent threats – it is most likely that data is the target of their activities. This could be intellectual property, or files and emails containing PII (personally identifiable information), personnel records, credit card numbers or health records.

If they’ve breached the perimeter defences and the security measures around data are not adequate, the door is wide open for them to reach these high-value assets through lateral movement or by escalating privileges.

Taking Control

Data that is un-monitored and broadly accessible is not only a security risk, but also poses problems for organisations that must comply with industry regulations. There’s now an added urgency to the need for improved controls around data protections and 2017 must be the year that organisations start taking control of their data protection policies. The EU GDPR is due to come into effect in less than a year; those organisations that don’t have a handle on where sensitive data sits within their organisations and who can access it, are most at risk of falling foul of the sanctions.

Worryingly, however, according to our own research, 75% of organisations have admitted they will struggle to be ready for the deadline. A further 42% say that it’s not a priority for their businesses, despite the threat of fines which could cost companies up to 4% of global turnover or €20 million (whichever is greater).

Our advice is straightforward: start taking control now. Firstly, define where your data is, then examine user behaviour to understand the flow of data within the organisation, how it’s used and who needs access to it. Then it’s about putting defences in place: define who has access to files, and develop strategies to dispose of any stale data that isn’t needed. Data access should be governed by a ‘least privilege’ model in which only those that ‘need to know’ have access. The good news is that there are now ways to automate the management of access rights and permissions, saving time and improving efficiency, so that these processes need not be a management burden for IT teams.
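As an added example, not code from the article or from Varonis, the following Python audit applies the steps above to a constructed folder inventory: it measures what share of folders is readable by an everyone-style group (the metric behind the 20% figure in the Permission Creep section), lists folders that hold stale data, and ranks open folders containing sensitive data first for remediation. The group names, paths, dates, sensitivity flags and the 365-day staleness threshold are assumptions for the example; a real audit would read ACLs from the file server and expand group membership rather than using a hand-built list.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Set

# Groups that, in practice, mean "every employee". Assumed for this example;
# a real audit would use the directory's own broad groups.
BROAD_PRINCIPALS = {"Everyone", "Authenticated Users", "Domain Users"}


@dataclass
class Folder:
    path: str
    readers: Set[str]    # principals granted read access (simplified ACL model)
    sensitive: bool      # flagged by a classification scan (assumed here)
    last_modified: date  # most recent write anywhere under the folder


def is_open_to_everyone(folder: Folder) -> bool:
    """A folder is 'open' if any broad group can read it."""
    return bool(folder.readers & BROAD_PRINCIPALS)


def is_stale(folder: Folder, today: date, max_age_days: int = 365) -> bool:
    """Stale data: nothing written for longer than max_age_days."""
    return (today - folder.last_modified) > timedelta(days=max_age_days)


def audit(folders: List[Folder], today: date,
          max_age_days: int = 365) -> Dict[str, object]:
    """Summarise permission creep and stale data across an inventory."""
    open_folders = [f.path for f in folders if is_open_to_everyone(f)]
    stale_folders = [f.path for f in folders
                     if is_stale(f, today, max_age_days)]
    # Remediate first where both risks meet: sensitive data readable by all.
    priority = [f.path for f in folders
                if f.sensitive and is_open_to_everyone(f)]
    open_percent = (100.0 * len(open_folders) / len(folders)) if folders else 0.0
    return {
        "total": len(folders),
        "open_folders": open_folders,
        "open_percent": open_percent,
        "stale_folders": stale_folders,
        "priority": priority,
    }


# Constructed sample inventory (not real data), dated to the article's publication.
SAMPLE_FOLDERS = [
    Folder(r"\\fs01\finance\payroll", {"Domain Users", "HR"}, True, date(2017, 9, 1)),
    Folder(r"\\fs01\finance\budgets", {"Finance"}, False, date(2017, 8, 15)),
    Folder(r"\\fs01\projects\archive2014", {"Projects"}, False, date(2014, 11, 2)),
    Folder(r"\\fs01\hr\records", {"HR"}, True, date(2017, 9, 10)),
    Folder(r"\\fs01\public\templates", {"Marketing"}, False, date(2016, 1, 20)),
]
TODAY = date(2017, 9, 21)


def sample_report() -> Dict[str, object]:
    """Run the audit over the constructed inventory."""
    return audit(SAMPLE_FOLDERS, TODAY)


if __name__ == "__main__":
    report = sample_report()
    print(f"{report['open_percent']:.0f}% of {report['total']} folders are open "
          f"to every employee: {report['open_folders']}")
    print("Stale folders to review for disposal:", report["stale_folders"])
    print("Fix first (sensitive and open):", report["priority"])
```

On the constructed inventory one of five folders is readable by Domain Users, so the open share comes out at 20%; the payroll folder is both sensitive and open and therefore tops the remediation list, while the 2014 archive and the old templates folder are flagged as stale. The same three lists are what a least-privilege clean-up needs as its starting point: what to lock down, what to lock down first, and what can simply be removed.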

Varonis will be exhibiting at IP EXPO Europe on October 4-5. Come check them out at Stand CC14.
