Unstructured data governance can be a chaotic mess. A new employee has access to 17,000,000 files the moment they walk in the door. Unmanaged data access represents a considerable risk to data security, which is why we built DataPrivilege and invented a methodology to define data owners to address this risk.
How Did We Get Here?
Historically, IT owned and managed the permissions to business data and applications, and there are several problems built into this paradigm.
IT Doesn’t Know Everything About the Data
It’s not uncommon for organizations to have millions of folders that contain hundreds of millions of files. Each of these folders requires someone to decide who can access the files within. Who makes those decisions for you today? Does IT know what files are in each folder and who should have access?
IT doesn’t have all the information they need to make the best decisions about who should access each folder. They commonly default to granting access at the department level, which leads to over permissive folders that only a few members of each department access.
Compliance Laws and Data Breaches Became a Concern
For a while, system administrators got away without implementing the least privileged permissions. But the world woke up and started to realize that the pendulum had shifted too far away from data security and privacy, and governments began to implement laws to protect citizens and impose penalties on organizations that fail to protect data. Compliance laws like HIPAA, GDPR, CCPA, POPIA, NIS, and PCI are ordinary conversations in data security organizations.
These laws require organizations to limit, control, and monitor who has access to protected data – the credit card numbers, social security numbers, and other personal information that attackers want to steal. What that meant for organizations is that they had to contend with the mess they created in their unstructured data permissions. Companies realized when they started this process that they will be working on this issue for years.
How Do We Fix This?
At Varonis, we believe that the business should manage who has access to their data. When teams manage access to their data and applications, the result is a tighter, more scalable security paradigm than when IT makes access decisions. The process we developed encourages organizations to assign a “data owner” for folders, applications, or distribution lists to be the point person who manages access. A data owner can also designate authorizers and create custom approval workflows if needed.
Finding Data Owners
There are two methods we use to help organizations determine who should be data owners. The first is the quantitative method, which is good for narrowing down the top users of the data. Then we recommend a qualitative approach of discussing with the business who they think should be the data owners.
Varonis monitors data usage over time, which means you know who regularly accesses each folder or SharePoint site. This kind of intelligence gives you a leg up in the search for the data owner. Varonis takes data ownership a level deeper than other solutions. Rather than suggesting file ownership based on the “file owner” property, Varonis looks at who is actually using the data.
DatAdvantage report 2.e.01 shows you a list of each folder’s top users based on their activity. You can set filters on this report to only see the folders where you need owners, limit the directory depth, and limit the number of results to the top ten users to keep it simple. These top users are typically great candidates for data owners.
You can also quickly see the top users of any resource in the Statistics tab of DatAdvantage under User Access – just double-click a resource on the left and get a pie chart showing the most active users:
The active users are the people who tend to know the most about the data, so they can be trusted to make the right decisions about who should have access to the data in the folders they use regularly, or they can tell you who that person should be. They will be your first stop to figure out who you want to assign as the data owner.
Once you have employed the quantitative methodology to narrow down your active users, you can work with them to validate your findings and make the final decision on who the data owners should be.
The right person could be a front-line manager, a senior team member, or a department director. There is no correct answer for all organizations or even each department. In our experience, the right person is a user with a comprehensive understanding of business processes that require the data.
A common pitfall that organizations encounter when they go to assign data owners is defaulting to the highest-ranking member of the team as a data owner. In some cases, the highest-ranking team members are too far away from day-to-day operations to make the best decisions about data access, which is why we prefer to assign an active daily user of the data as the data owner.
Implementing the New Process
With data owners established, you can implement processes to manage and approve user’s access requests and schedule regular entitlement reviews for each data owner.
Setting data owners with DatAdvantage is a simple process. You can assign them directly using the DatAdvantage UI, or you can use our automated Bulk Upload Utility to ingest a CSV file of data owners en masse. The Bulk Upload utility is a command-line tool that can perform multiple actions on your file structure ACLs like set data owners and add groups and permissions. Once you have the CSV file configured, the process to make the changes is super quick.
DataPrivilege is the customizable self-service portal data owners use to manage permissions and respond to entitlement reviews on their folders and applications and that users use to make data access requests. The entire process flows through DataPrivilege, from users requesting access to data owners’ approval or denial. End users or administrators don’t need to assign permissions directly to folders, which reduces errors.
With DataPrivilege, data owners can:
- View or schedule reports on their folders
- Approve access with a click or email reply
- Check on data usage or make ad-hoc changes to permissions
- Perform entitlement reviews
Additionally, DataPrivilege can manage group membership, email distribution lists, and application permissions.
Customers that have implemented DataPrivilege have a well-documented data access governance process that keeps data safe, saves money on IT costs and resources, and gets users the access they need to do their jobs quickly.
“We used to have a dozen people focused on nothing but permission management. Now, stakeholders have direct control over their data. Each department has its own drive with separate share permissions and security controls.”
–U.S. Community Hospital
Check out the DataPrivilege Masterclass to see a complete demo of how DataPrivilege can transform your data governance processes.