UNIX/Linux systems present significant challenges to administrators. Permissions management, access auditing, data owner identification, and protecting sensitive data now require automation—there are simply too many files, folders, ACLs, and groups in LDAP to continue managing all of them manually.
Microsoft Windows file servers, including NAS devices like EMC Celerra and NetApp filers, present significant management and protection challenges to administrators:
Varonis® DatAdvantage® addresses these challenges by aggregating Active Directory user and group details, ACL information and all data access events—without requiring native OS auditing—to build a complete picture of who can access data, who is accessing it, and who should have their access revoked. It also leads IT to the rightful data owners, so the right people can ensure appropriate access and usage.
On any given day, determining who has access to a directory isn't exactly easy, especially if groups on the folder's ACL contain one or more nested groups in LDAP, NIS, or even Active Directory. Determining which folders a given group provides access to requires at least a shell script that can enumerate both permissions and groups in LDAP, NIS, or /etc/group. Determining who should and should not have access to any directory is simply impossible without automation.
Traditional UNIX-style permissions only contain masks for one owner, one group, and the rest of the world. POSIX ACLs were created so that multiple users and groups can be granted access to a single file or directory. Unfortunately, unless you're in the habit of modifying these every day, you may end up running "man setfacl" a lot in order to use their command line switches. A common graphical interface is needed so that POSIX ACLs can be implemented efficiently and effectively across the enterprise.
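To make the two questions above concrete (who can reach a directory once nested groups are resolved, and which directories a given group unlocks), here is an added example that is not Varonis code. It parses the text printed by `getfacl -pR`, flattens nested group membership as a directory export or /etc/group would list it, and applies the POSIX ACL evaluation order (owner, named user, matching groups with the `mask::` entry, other). The `getfacl` output, the group map, and the `/srv/finance` and `/srv/public` paths are constructed for the example; nested groups are written as `group:<name>` members, which is an assumed export convention.

```python
"""Effective access from POSIX ACLs plus nested groups (added example)."""
from collections import deque

# Constructed `getfacl -pR /srv` output for two hypothetical directories.
GETFACL_OUTPUT = """\
# file: /srv/finance
# owner: alice
# group: finance
user::rwx
user:bob:r-x
group::r-x
group:auditors:r-x
group:contractors:rwx
mask::r-x
other::---

# file: /srv/public
# owner: root
# group: root
user::rwx
group::r-x
group:auditors:rwx
other::r-x
"""

# Constructed group map: group -> members; nested groups are "group:<name>".
GROUPS = {
    "finance": {"alice", "carol"},
    "auditors": {"dave", "group:external-audit"},
    "external-audit": {"erin"},
    "contractors": {"group:vendor-x", "frank"},
    "vendor-x": {"grace", "group:contractors"},  # deliberate nesting cycle
}


def parse_getfacl(text):
    """Parse one or more getfacl blocks into dicts with path/owner/group/entries."""
    acls, cur = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("# file:"):
            cur = {"path": line.split(":", 1)[1].strip(), "entries": []}
            acls.append(cur)
        elif line.startswith("# owner:"):
            cur["owner"] = line.split(":", 1)[1].strip()
        elif line.startswith("# group:"):
            cur["group"] = line.split(":", 1)[1].strip()
        elif not line.startswith("#"):
            tag, qual, perms = line.split(":")  # e.g. group:auditors:r-x
            cur["entries"].append((tag, qual, perms))
    return acls


def expand_group(name, groups):
    """Return (users, groups) reachable from `name`; the visited set stops cycles."""
    users, seen, queue = set(), {name}, deque([name])
    while queue:
        for member in groups.get(queue.popleft(), ()):
            if member.startswith("group:"):
                sub = member[len("group:"):]
                if sub not in seen:
                    seen.add(sub)
                    queue.append(sub)
            else:
                users.add(member)
    return users, seen


def apply_mask(perms, mask):
    """Named users, named groups and the owning group are clipped by mask::."""
    return "".join(p if p != "-" and m != "-" else "-" for p, m in zip(perms, mask))


def union(a, b):
    return "".join(x if x != "-" else y for x, y in zip(a, b))


def perms_for(user, acl, groups):
    """POSIX ACL evaluation order: owner, named user, matching groups, other."""
    by = {(t, q): p for t, q, p in acl["entries"]}
    mask = by.get(("mask", ""), "rwx")
    if user == acl["owner"]:
        return by[("user", "")], "owner"
    if ("user", user) in by:
        return apply_mask(by[("user", user)], mask), f"user:{user}"
    perms, via = "---", []
    for (t, q), p in by.items():
        if t == "group":
            gname = acl["group"] if q == "" else q
            if user in expand_group(gname, groups)[0]:
                perms, via = union(perms, apply_mask(p, mask)), via + [f"group:{gname}"]
    return (perms, ",".join(via)) if via else (by.get(("other", ""), "---"), "other")


def access_report(acl, groups):
    """Every enumerable user with access to acl['path']: effective perms and why.
    Users reached only through other:: are not enumerated (that is everyone)."""
    users = {acl["owner"]}
    for t, q, _ in acl["entries"]:
        if t == "user" and q:
            users.add(q)
        elif t == "group":
            users |= expand_group(acl["group"] if q == "" else q, groups)[0]
    report = {}
    for u in sorted(users):
        perms, via = perms_for(u, acl, groups)
        if perms != "---":
            report[u] = (perms, via)
    return report


def directories_for_group(acls, target, groups):
    """Directories whose ACL names `target` directly or via a group that nests it."""
    hits = []
    for acl in acls:
        for t, q, _ in acl["entries"]:
            if t == "group" and target in expand_group(acl["group"] if q == "" else q, groups)[1]:
                hits.append(acl["path"])
                break
    return hits


if __name__ == "__main__":
    acls = parse_getfacl(GETFACL_OUTPUT)
    for u, (p, via) in access_report(acls[0], GROUPS).items():
        print(f"{acls[0]['path']}: {u:<6} {p}  via {via}")
    print("external-audit unlocks:", directories_for_group(acls, "external-audit", GROUPS))
```

Two details matter for an audit: `frank` and `grace` hold `rwx` on paper through `contractors`, but the `mask::r-x` entry clips them to read-only, and `erin` never appears on the ACL at all yet reaches `/srv/finance` through `auditors`. The `other::r-x` entry on `/srv/public` grants everyone not otherwise listed, which no enumeration of ACL names will surface; that is the case a permissions review has to check separately.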
More than 95% of file access activity is not audited by IT. Why? BSM in Solaris is resource intensive and difficult to decipher, so it is rarely enabled. Linux didn't have native kernel auditing until 2.6, and it suffers from the same barriers as other auditing subsystems. The result is that IT cannot answer fundamental questions like, "Who changed /etc/passwd? Who has been accessing my folder? Who deleted my data? What data has this person accessed?"
Most permissions and group membership changes are performed manually and are untested prior to execution. Cleaning up world-writable files and folders is especially difficult. Without access auditing, IT needs to guess which users and applications access a data set, manually effect the changes, and hope they don't get a call from an end user who can no longer access data they require to do their job, or an administrator who is panicking because their application is no longer functional.
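The questions in the two paragraphs above ("Who changed /etc/passwd? Who deleted my data?" and "who will this permissions change break?") are answerable once kernel audit records exist. Here is an added example, not Varonis code, that correlates Linux audit records by event id and answers them over a constructed log. The records are written as auditd would emit them for the watch rules `auditctl -w /etc/passwd -p wa -k passwd_changes` and `auditctl -w /srv/finance -p rwa -k finance_access` (real `auditctl` flags); the log lines, the uid-to-name table, and the `/srv/finance` paths are constructed for the example. The impact check at the end takes a proposed allowed-user set as plain input and reports the users the audit trail shows actually using the data who are not in it.

```python
"""Answer access questions from Linux audit records (added example)."""
import re

# Constructed uid table standing in for /etc/passwd or the directory.
PASSWD = {0: "root", 1001: "alice", 1002: "bob", 1003: "carol"}

# Constructed auditd records: a vipw edit of /etc/passwd under sudo, a read and
# a delete in /srv/finance by bob, and a denied read (exit=-13 is EACCES) by carol.
AUDIT_LOG = """\
type=SYSCALL msg=audit(1700000000.101:5001): arch=c000003e syscall=257 success=yes exit=3 items=2 ppid=2001 pid=2002 auid=1001 uid=0 gid=0 euid=0 comm="vipw" exe="/usr/sbin/vipw" key="passwd_changes"
type=CWD msg=audit(1700000000.101:5001): cwd="/root"
type=PATH msg=audit(1700000000.101:5001): item=0 name="/etc/" inode=2 mode=040755 ouid=0 ogid=0 nametype=PARENT
type=PATH msg=audit(1700000000.101:5001): item=1 name="/etc/passwd" inode=1234 mode=0100644 ouid=0 ogid=0 nametype=NORMAL
type=SYSCALL msg=audit(1700000000.205:5002): arch=c000003e syscall=257 success=yes exit=4 items=1 ppid=3001 pid=3002 auid=1002 uid=1002 gid=1002 euid=1002 comm="cat" exe="/usr/bin/cat" key="finance_access"
type=PATH msg=audit(1700000000.205:5002): item=0 name="/srv/finance/q3.xlsx" inode=5678 mode=0100640 ouid=1001 ogid=1005 nametype=NORMAL
type=SYSCALL msg=audit(1700000000.310:5003): arch=c000003e syscall=257 success=no exit=-13 items=1 ppid=4001 pid=4002 auid=1003 uid=1003 gid=1003 euid=1003 comm="cat" exe="/usr/bin/cat" key="finance_access"
type=PATH msg=audit(1700000000.310:5003): item=0 name="/srv/finance/q3.xlsx" inode=5678 mode=0100640 ouid=1001 ogid=1005 nametype=NORMAL
type=SYSCALL msg=audit(1700000000.420:5004): arch=c000003e syscall=87 success=yes exit=0 items=2 ppid=3001 pid=3005 auid=1002 uid=1002 gid=1002 euid=1002 comm="rm" exe="/usr/bin/rm" key="finance_access"
type=PATH msg=audit(1700000000.420:5004): item=0 name="/srv/finance/" inode=4321 mode=040770 ouid=1001 ogid=1005 nametype=PARENT
type=PATH msg=audit(1700000000.420:5004): item=1 name="/srv/finance/old.csv" inode=9999 mode=0100640 ouid=1001 ogid=1005 nametype=DELETE
"""

FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')
EVENT_ID = re.compile(r"msg=audit\(([\d.]+):(\d+)\)")


def parse_audit(text):
    """Group SYSCALL/CWD/PATH records sharing an event serial into one event."""
    events = {}
    for line in text.splitlines():
        m = EVENT_ID.search(line)
        if not m:
            continue
        ev = events.setdefault(int(m.group(2)), {"time": float(m.group(1)), "paths": []})
        fields = {k: v.strip('"') for k, v in FIELD.findall(line)}
        if fields["type"] == "PATH":
            ev["paths"].append((fields["name"], fields.get("nametype", "")))
        elif fields["type"] == "SYSCALL":
            ev.update({k: fields[k] for k in ("auid", "uid", "success", "comm", "exe", "key") if k in fields})
    return list(events.values())


def uname(uid):
    return PASSWD.get(int(uid), f"uid:{uid}")


def who_changed(events, path):
    """Successful events that touched `path`. auid is the login identity, which
    survives su/sudo; uid is what the process ran as. Report both."""
    return [(ev["time"], uname(ev["auid"]), uname(ev["uid"]), ev["comm"])
            for ev in events
            if ev.get("success") == "yes" and any(p == path for p, _ in ev["paths"])]


def deletions(events):
    """(path, login identity) for every PATH record the kernel tagged DELETE."""
    return [(p, uname(ev["auid"])) for ev in events for p, kind in ev["paths"] if kind == "DELETE"]


def users_accessing(events, prefix, success="yes"):
    """Login identities whose attempts under `prefix` had the given outcome."""
    return {uname(ev["auid"]) for ev in events
            if ev.get("success") == success and any(p.startswith(prefix) for p, _ in ev["paths"])}


def impact_of_change(events, prefix, proposed_allowed):
    """Users the audit trail shows using the data who are absent from the
    proposed allowed set: the people who would call the help desk."""
    return sorted(users_accessing(events, prefix) - set(proposed_allowed))


if __name__ == "__main__":
    evs = parse_audit(AUDIT_LOG)
    print("changed /etc/passwd:", who_changed(evs, "/etc/passwd"))
    print("deleted:", deletions(evs))
    print("denied under /srv/finance:", users_accessing(evs, "/srv/finance", success="no"))
    print("would break:", impact_of_change(evs, "/srv/finance", {"alice", "carol"}))
```

The `/etc/passwd` answer is the point of the `auid` field: the file was written by `uid=0`, but the login that did it was `alice`, which a plain `uid` report would hide. The impact check runs the proposed change against observed behaviour instead of a guess: `bob` is not in the proposed set but has been reading and deleting in `/srv/finance`, while `carol` is in it but has only ever been denied.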
Organizational data owners should be making decisions about who gets access to their data and its proper use—not IT. Yet, 91% of organizations lack processes for determining who owns a given data set. Without a data owner that understands the sensitivity, importance, and organizational context, data cannot be managed and protected by the right people.
It is difficult to identify excessive permissions; remediating excessive permissions without disrupting organizational processes is even more difficult. As a result, access to data is rarely revoked. Excessive permissions and the lack of an audit trail leave data at risk for loss, theft, tampering and misuse—with no way to determine what happened after the fact.
Data protection is necessary to safeguard an organization's customers, employees, business partners, and investors. It is fundamental in securing an organization's intellectual property and competitive edge, and for maintaining the organizational trust required for it to properly function. Ongoing, scalable data protection and management require technology designed to handle an ever-increasing volume and complexity—a metadata framework.
The Varonis Metadata Framework™ non-intrusively collects this critical metadata, generates metadata where existing metadata is lacking (e.g. through its file system filters and content inspection technologies), pre-processes it, normalizes it, analyzes it, stores it, and presents it to IT administrators in an interactive, dynamic interface. Once data owners are identified, they are empowered to make informed authorization and permissions maintenance decisions through a configurable web-based interface—decisions that are then executed with no IT overhead or manual backend processes.
Our 30-Day Free Trial provides a full audit of your file system or your SharePoint environment: a permissions audit, access auditing, usage statistics, recommendations, impact analysis, and identification of business owners.
You can instantly conduct a permissions audit: file and folder access permissions and how those map to specific users and groups. You can even generate reports.
Varonis® DatAdvantage® will begin to show you which users are accessing the data, and how.
Varonis® DatAdvantage® will actually make highly reliable recommendations about how to limit access to files and folders to just those users who need it for their jobs.
Get the Varonis View. Sign up for the 30-Day Free Trial.