Inside Out Security Blog   /  

5 Data Governance Reports for Data Owners

5 Data Governance Reports for Data Owners

Contents

    This blog will cover five Varonis reports that you can automatically generate for data owners to promote strong data governance practices. We will show you how to create, customize, schedule, and interpret these reports.

    Why Data Owners Should Pay Attention to Their Data

    Business users often don’t have any idea who can and does access the data relevant to their department. While IT often has tools to analyze permissions, grant and revoke access, and troubleshoot issues, data owners are left in the dark.

    Data is a business asset, not an IT asset. We want our business users to grant/revoke access when appropriate, spot unauthorized or suspicious access and, help manage the data lifecycle—getting rid of stale, risky data that we no longer need.

    Varonis reports are a great way to put actionable information in front of the users that are in the best position to make smart decisions to protect the organization’s data.

    The Reports

    Here are the five reports in DatAdvantage that your data owners can use to meet the objectives we discussed above.

    Reports-Subscription-1200x529

    The key is to set the subscription delivery parameters to “Report Server Email (Data-Driven).” In this context, “Data-driven” means that the report contains results based on data ownership in Varonis. Varonis will create reports for each data owner about their data, so data owners only see results about the information they actually care about. That way, administrators can set up a single subscription in Varonis, and send out a copy of that report to each owner about their relevant data activity.

    For all of the reports discussed, schedule a Data-Driven subscription and select the delivery format for the report. My personal preference is to export reports as Excel files so I can manipulate the data so find what I need to see as quickly as possible. Your users might prefer PDF reports, or .CSV files. For ease of managing subscriptions, you will probably just want to settle on one standard format.

    Reports-Subscription-files

    There are different ways to schedule and configure subscription reports depending on the size of your organization, the number of Varonis monitored resources, and the number of data owners. We will go over two basic options, but please consult your Varonis Sales Engineer or Professional Services for more customized guidance.

    The first option – for large shops – is to schedule different reports per monitored resource. This means you would set the file server filter to a specific resource at a unique time. Varonis will generate all the reports for each server during their scheduled run for each data owner on that server. Schedule the next server to run after the previous server completes.

    File server filter set to a single filer

     

    The second option – for smaller shops – is to remove the ‘File server’ filter and run the report with the filter Affected Objects -> Assigned Owner -> Management Status = Managed. This will create a report for all managed folders across all monitored resources in a single batch.

    Reports-Management-Status

    Again, please discuss with the Varonis support teams to determine the best strategy for your organization.

    2.a.01 Access Statistics

    What does it do? The Access Statistics report lists all the users who perform any activity in a folder or server. It’s an aggregation of how many file events a user generates over a certain period.

    What’s the business benefit? Data owners can look for any oddities in event usage over the past 30 days. Did one user create many more events than usual?

    Recommended schedule: Monthy

    Pro tip: Data owners can group the results by user with a pivot table to see the total events easily.

    Reports-Access-Statistics
    Access Statistics report grouped by User Name

    3.a.01 Group Members

    What does it do? The Group Members report presents a list of users that are in each data owner’s group(s).

    What’s the business benefit? Data owners can use this report to spot-check their group’s members between entitlement reviews.

    Recommended schedule: Weekly

    Reports-Group-Members.jpg

    4.b.01 User or Group Permissions for Directory

    What does it do? The User or Group Permissions for Directory report is a complete list of all permissions on the data owners’ file shares.

    What’s the business benefit? Data owners can review this report to verify that there are no oddities in data access rights for each group on their file shares.

    Recommended schedule: Weekly

    Pro tip: Attackers add permissions to groups to move laterally across an organization and access more sensitive data.

    Group permissions reports

    4.g.01 Classification and Priorities

    What does it do? The Classification and Priorities report shows the most recent (within the Relative Mode value) classification matches in the data owners’ file shares. Classification matches might exist in newly created files, new sensitive data in modified files, or matches from a previous scan.

    What’s the business benefit? Data owners can review classified sensitive files in their shares to determine if they need to accept the risk as necessary for business use, and move, encrypt, or delete files that could become compliance risks.

    Recommended schedule: Bi-monthly or Monthly

    Pro tip: Add the Classification Results View role to data owners so they can use the DatAdvantage UI to see classification results in their shares.

    Reports-Classification.jpg

    7.b.01 Inactive Directories by Size

    What does it do? The Inactive Directories by Size report will show data owners the folders in their shares that users don’t access.

    What’s the business benefit? Data owners can use this report to determine if they can archive or delete data that their team no longer needs and has gone stale. Stale sensitive data is a treasure trove for attackers because people might not notice that they access it.

    Recommended schedule: Monthly

    Reports-Inactive-folders

    Start The Varonis Operational Journey

    Good data governance is not an accident. Organizations that take the necessary steps can get there. What we discuss here is a later stage of the Varonis Operational Journey. There are many steps that organizations must take to get to this level of data governance. You have to achieve least-privilege access, remediate Global Access, and then identify and assign data owners before implementing these reports.

    Click here to schedule a meeting and start your Varonis Operational Journey so you can reach this level of data governance.

    What you should do now

    Below are three ways we can help you begin your journey to reducing data risk at your company:

    1. Schedule a demo session with us, where we can show you around, answer your questions, and help you see if Varonis is right for you.
    2. Download our free report and learn the risks associated with SaaS data exposure.
    3. Share this blog post with someone you know who'd enjoy reading it. Share it with them via email, LinkedIn, Twitter, Reddit, or Facebook.

    We're Varonis.

    We've been keeping the world's most valuable data out of enemy hands since 2005 with our market-leading data security platform.

    How it works