file storage control

The problem of controlling confidential data is relevant for almost every enterprise. Enterprise data comes in many shapes and sizes, but as a rule it is divided into structured data (database records) and unstructured data (text files, video, images, etc.).

According to Gartner research, 80% of enterprise data is unstructured. Of this, about 60% brings no benefit (copies, unused files, etc.), while the volume of such data grows by roughly 30-40% a year.

Failure to structure information not only makes it difficult to analyse but also lowers its level of protection. Security policies cannot ensure the secure storage of information that has not been analysed and catalogued, and failure to label files and accounts according to their role in the corporate structure leads to serious leaks. Controlling access to unstructured data partially mitigates these risks.

Unstructured information can be stored on file servers, in cloud storage (private and public), in SharePoint, and so on. Storing it this way raises two broad sets of problems, one concerning information security and the other infrastructure:

Information security                                    | Infrastructure
--------------------------------------------------------+-------------------------------------------------
Confidential data stored on publicly accessible servers | Growing data volume; outdated data is retained
No visibility into who is working with which data       | Giving employees access to the data they need

Answer the following questions:

  • Does your organization have unstructured data?

  • Do you know where exactly this data is stored?

  • Do you know which employee accesses such data and at what moment?

  • Is critical information (commercial offers, personal data and other information) stored among unstructured data?

  • Do you know how much space irrelevant and unnecessary data occupies?

The answers to these questions help determine whether a DAG (Data Access Governance) class system is needed.

Data Access Governance – specialized solutions for controlling and managing access to unstructured data. These solutions provide the ability to identify, categorize and classify critical data, as well as centrally manage access to it.

Using systems of this class, the following tasks are solved:

  • Control over user actions with data, activity monitoring

  • Monitoring abnormal activity

  • Classification of valuable data

  • Obtaining the current access matrix by user and resource

  • Receive notifications about critical events

  • Track critical data

Three functions on which DAG class systems are based:

  1. Data classification

  2. View permissions

  3. Audit

Let us examine this class of solutions in more detail using the example of the “Spectrum” system.

The Spectrum system, a Data Access Governance class solution from the Russian company CyberPeak, gives full control over company employees' access to documents held in unstructured data storage: Windows and Linux file servers, MS Exchange mail servers, MS SharePoint servers, as well as storage systems from Dell EMC, NetApp and others.

Problems that Spectrum solves:

1) Audit of requests and access rights to data

Spectrum controls all major types of corporate data storage, resulting in the ability to:

  • Configure flexible policies to control access to critical data;

  • Identify unused files, determine the business owners of the files;

  • Receive notifications about incidents and important system events via SIEM, e-mail, Telegram, Slack, etc.;

2) Data classification

The classification module of the “Spectrum” system lets you determine where the data most valuable to the organisation is located, as well as data covered by the federal laws of the Russian Federation and the requirements of various regulators (Federal Law No. 152-FZ, GOST R 57580.1-2017, FSTEC Orders No. 17, 21 and 239, GDPR, PCI DSS and others).

The “Spectrum” system allows you to define the following types of categories:

  • Personal Information

  • Financial information

  • Payment card holder data

A distinctive feature is optical character recognition, which allows scanned copies and photographs of documents to be classified as well.

3) Fast information search

This functionality allows you to quickly find information across all controlled storage systems.

4) Behavioral analytics

The Spectrum system identifies anomalous activity both in employee actions and in activity on the storage systems themselves.

If the system detects unusual activity on a storage system, the fact is recorded immediately and the system operator receives a notification.

Examples of abnormal activity of company users include:

  • Unusual number of files viewed/modified/renamed;

  • Access to documents of “foreign” departments;

  • Bulk deletion of documents

  • Working at atypical times, etc.

Now, let's move on to working with the system.

Storage

The Storage section contains information about protected systems.

From here you can move on to the storage structure. A general view of the system interface for working with the directory structure of protected servers, as well as the structure of the domain controller, is shown in the figure below.

1) Data classification

One of the key functions of DAG class systems is data classification. “Spectrum” works with a large number of document formats and sorts documents into about 200 categories:

In the system you can filter documents by category and see whether any of them are publicly accessible. For example, show all files that contain a passport or TIN (taxpayer identification number):

You can open files in the system and view exactly where the categories you are looking for are contained:

One of the key features of Spectrum is the identification of critical data from scanned copies and photographs:

2) Risks

When scanning storage systems, Spectrum identifies information security and IT risks in how access rights to files and categories are assigned:

  • Folders/files with inheritance disabled

  • Public folders/files

  • Folders/files with direct permissions

  • Broken ACL

  • Unique rights

  • Unmanaged folders and files

  • Unknown SIDs

  • Permissions from other domains

Let's filter documents in the “Passport” and “TIN” categories by the risks of sitting in public folders and in folders with direct permissions. Such directories need special attention, since they may contain data covered by the laws and regulatory requirements of the Russian Federation and other countries (for example, No. 152-FZ, PCI DSS, GDPR) as well as internal critical information. At the same time, you can immediately see the rights granted to employees.

It is also possible to export this information and transfer it to colleagues in the IT department.

Classifying data and reviewing the associated risks allows you to put the storage in order.
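To make the risk checks above concrete, here is an added example (not Spectrum's code or output) that parses NTFS DACLs in SDDL form, as PowerShell returns them from `(Get-Acl $path).Sddl`, and flags disabled inheritance, public access, direct (non-inherited) permissions, unknown SIDs and permissions from another domain. The domain SID, the SID-to-name cache that stands in for a directory lookup, the sample paths and their SDDL strings are all constructed; "broken ACL" is interpreted here as a missing or empty DACL, and Domain Users is treated as a broad principal as a policy choice.

```python
"""Scan NTFS DACLs for the access-rights risks a DAG tool reports.

Added example, not Spectrum's code. Input is SDDL text of the kind PowerShell
returns from (Get-Acl $path).Sddl; the strings, domain SID and name cache
below are constructed sample data.
"""
import re
from collections import defaultdict

# Constructed domain SID and a stand-in for SID-to-name resolution
# (in production: LSA LookupAccountSid or an LDAP objectSid search).
OUR_DOMAIN = "S-1-5-21-1004336348-1177238915-682003330"
DIRECTORY = {
    OUR_DOMAIN + "-1105": r"CORP\hr-team",
    OUR_DOMAIN + "-1200": r"CORP\share-users",
}
# Principals that make data effectively open to the whole organisation.
BROAD = {
    "WD": "Everyone", "AU": "Authenticated Users", "AN": "Anonymous",
    "BU": r"BUILTIN\Users", "DU": "Domain Users",
    "S-1-1-0": "Everyone", "S-1-5-11": "Authenticated Users",
    "S-1-5-7": "Anonymous", "S-1-5-32-545": r"BUILTIN\Users",
    OUR_DOMAIN + "-513": "Domain Users",
}
DACL_RE = re.compile(r"D:(?P<flags>[A-Z]*)(?P<aces>(?:\([^)]*\))*)")
ACE_RE = re.compile(r"\(([^)]*)\)")


def parse_dacl(sddl):
    """Return (protected, aces); protected is None when there is no DACL."""
    m = DACL_RE.search(sddl)
    if not m:
        return None, []
    aces = []
    for body in ACE_RE.findall(m.group("aces")):
        ace_type, flags, rights, _obj, _inh, trustee = body.split(";")
        codes = {flags[i:i + 2] for i in range(0, len(flags), 2)}  # e.g. OI, CI, ID
        aces.append({"type": ace_type, "inherited": "ID" in codes,
                     "rights": rights, "trustee": trustee})
    return "P" in m.group("flags"), aces   # P = inheritance from the parent is blocked


def classify(trustee):
    """Map an SDDL trustee to (label, kind): broad / known / unknown / foreign."""
    if trustee in BROAD:
        return BROAD[trustee], "broad"
    if trustee in DIRECTORY:
        return DIRECTORY[trustee], "known"
    if not trustee.startswith("S-1-5-21-"):
        return trustee, "known"            # two-letter alias or non-domain well-known SID
    if trustee.rsplit("-", 1)[0] != OUR_DOMAIN:
        return trustee, "foreign"          # account from another domain or forest
    return trustee, "unknown"              # our domain, but no such object: orphaned ACE


def scan(acls, share_root):
    """Return {path: [risk, ...]} for a {path: sddl} mapping."""
    findings = defaultdict(list)
    for path, sddl in acls.items():
        is_root = path == share_root       # explicit ACEs on the share root are expected
        protected, aces = parse_dacl(sddl)
        risks = findings[path]
        if protected is None or not aces:
            risks.append("broken ACL: missing or empty DACL (nobody has access)")
        if protected and not is_root:
            risks.append("inheritance disabled")
        direct = []
        for ace in aces:
            if ace["type"] != "A":         # deny and audit ACEs grant nothing
                continue
            label, kind = classify(ace["trustee"])
            if kind == "broad":
                risks.append(f"public: {label} ({ace['rights']})")
            elif kind == "unknown":
                risks.append(f"unknown SID: {label}")
            elif kind == "foreign":
                risks.append(f"permission from other domain: {label}")
            if not ace["inherited"] and not is_root:
                direct.append(label)
        if direct:
            risks.append("direct permissions: " + ", ".join(direct))
    return dict(findings)


FOREIGN = "S-1-5-21-3623811015-3361044348-30300820-1108"   # constructed other-domain SID
SAMPLE_ACLS = {                                              # constructed SDDL values
    r"C:\Share": "O:BAG:SYD:PAI(A;OICI;FA;;;BA)(A;OICI;FA;;;SY)"
                 f"(A;OICI;0x1200a9;;;{OUR_DOMAIN}-1200)",
    r"C:\Share\HR": "D:AI(A;OICIID;FA;;;BA)(A;OICIID;FA;;;SY)"
                    f"(A;OICIID;0x1200a9;;;{OUR_DOMAIN}-1200)"
                    f"(A;OICI;0x1301bf;;;{OUR_DOMAIN}-1105)",
    r"C:\Share\HR\passports.xlsx": "D:AI(A;ID;FA;;;BA)(A;ID;FA;;;SY)"
                    f"(A;ID;0x1200a9;;;{OUR_DOMAIN}-1200)"
                    f"(A;ID;0x1301bf;;;{OUR_DOMAIN}-1105)(A;;FA;;;WD)",
    r"C:\Share\Legacy": f"D:P(A;OICI;FA;;;BA)(A;OICI;0x1301bf;;;{OUR_DOMAIN}-1122)"
                        f"(A;OICI;0x1200a9;;;{FOREIGN})",
    r"C:\Share\Broken": "D:P",
}

if __name__ == "__main__":
    for path, risks in scan(SAMPLE_ACLS, r"C:\Share").items():
        print(path, "->", risks or "ok")
```

On a real server the `SAMPLE_ACLS` mapping would be filled by walking the share with `Get-ChildItem -Recurse` and collecting `(Get-Acl).Sddl` per path. The parser deliberately does not decode the rights mask beyond allow/deny: the question a DAG tool answers is who can reach the data at all, and an explicit Everyone ACE on `passports.xlsx` is a finding whatever the mask says.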

Audit

“Spectrum” keeps a full audit of the actions of users of the organisation's infrastructure with respect to files and directories on protected servers. The audit results can be viewed in the “Audit” – “Storages” tab.

The audit allows you to filter events. For example, if an important file has been moved, you can filter events by move operations and determine the file's current location:

It is also possible to establish all the facts of access to the document. This can be useful when investigating incidents involving information leaks.

Incidents

An incident is one or more events and conditions that significantly increase information security risks and require a prompt response.

For the system to start recording incidents, rules must be configured. About 15 rules are preset:

  • An abnormally large number of deleted files;

  • An abnormal number of data changes;

  • A large number of unsuccessful operations;

  • Mass data change;

  • Bulk data renaming;

  • Bulk deletion of files by one employee

  • Access to personal data (PD);

  • Suspicion of ransomware;

  • Appearance of a public folder/file;

  • Appearance of a folder/file with direct permissions;

  • Creating an executable script on Windows Server.

It is also possible to create your own rules. For example, suppose you need to detect mass access to documents containing personal data:

Active responses can be applied to identified incidents, such as blocking access:

Anomalies

This module works based on Machine Learning algorithms and allows you to monitor anomalous activity from both users and protected servers.

The anomalous activity view lists all atypical actions with their details:
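As an added example covering both the preset rules above and the anomaly module, and not Spectrum's own rule engine or event format: a small detector that runs threshold rules (bulk deletion, mass access to personal-data files, mass renaming to a new extension as a ransomware heuristic, appearance of a public folder) over audit events in sliding time windows, and then compares each user's daily activity with a statistical baseline built from history. The events, folder classification tags, thresholds, windows and history counts are all constructed.

```python
"""Rule-based incident detection and a statistical baseline for anomalies,
run over file-audit events. Added example: the events, thresholds, windows
and classification tags are constructed and are not Spectrum's rule set.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta
from os.path import splitext
from statistics import mean, pstdev

BROAD_GROUPS = {"Everyone", "Authenticated Users", "Domain Users"}
CATEGORIES = {"/hr/passports": {"personal data"}, "/fin": {"financial"}}  # constructed classifier output


def categories_of(path):
    return set().union(*(c for folder, c in CATEGORIES.items()
                         if path == folder or path.startswith(folder + "/")))


def ext(path):
    return splitext(path)[1].lower()


def windowed_bursts(events, op, threshold, window, key=lambda e: e["user"],
                    match=lambda e: True):
    """Yield one alert per key when `threshold` matching events fall inside `window`."""
    recent, fired = defaultdict(deque), set()
    for e in sorted(events, key=lambda e: e["ts"]):
        if e["op"] != op or not match(e):
            continue
        k = key(e)
        q = recent[k]
        q.append(e["ts"])
        while e["ts"] - q[0] > window:          # drop events that left the window
            q.popleft()
        if len(q) >= threshold and k not in fired:
            fired.add(k)
            yield {"key": k, "start": q[0], "end": e["ts"], "count": len(q)}


def run_rules(events):
    alerts = []
    for b in windowed_bursts(events, "delete", 20, timedelta(minutes=5)):
        alerts.append({"rule": "bulk deletion by one user", **b})
    for b in windowed_bursts(events, "read", 10, timedelta(minutes=10),
                             match=lambda e: "personal data" in categories_of(e["path"])):
        alerts.append({"rule": "mass access to personal data", **b})
    # Ransomware heuristic: many files renamed to one new extension in a short burst.
    for b in windowed_bursts(events, "rename", 20, timedelta(minutes=2),
                             key=lambda e: (e["user"], ext(e["extra"])),
                             match=lambda e: ext(e["extra"]) != ext(e["path"])):
        alerts.append({"rule": "suspected ransomware", **b})
    for e in events:                              # no window: one event is enough
        if e["op"] == "acl_change" and e["extra"] in BROAD_GROUPS:
            alerts.append({"rule": "public folder/file appeared", "key": e["user"],
                           "start": e["ts"], "end": e["ts"], "count": 1})
    return alerts


def anomalous_users(events, history, k=3.0, floor=5.0):
    """Users whose operation count in `events` exceeds mean + k*stdev of their
    daily history; `floor` stops a flat baseline from flagging every blip."""
    today = defaultdict(int)
    for e in events:
        today[e["user"]] += 1
    out = {}
    for user, count in today.items():
        base = history.get(user)
        if not base:
            continue                              # no baseline yet: rules only
        limit = mean(base) + k * max(pstdev(base), floor)
        if count > limit:
            out[user] = (count, round(limit, 1))
    return out


def burst(start, user, op, paths, step_s, extra=lambda p: None):
    """Constructed events `step_s` seconds apart; `extra` is the new name (rename)
    or the trustee granted (acl_change)."""
    t0 = datetime.fromisoformat(start)
    return [{"ts": t0 + timedelta(seconds=i * step_s), "user": user, "op": op,
             "path": p, "extra": extra(p)} for i, p in enumerate(paths)]


EVENTS = (  # constructed audit log for one working day
    burst("2024-03-11T09:00:00", "alice", "read", [f"/hr/forms/{i}.docx" for i in range(5)], 60)
    + burst("2024-03-11T13:00:00", "bob", "read", [f"/hr/passports/{i}.pdf" for i in range(12)], 50)
    + burst("2024-03-11T15:30:00", "erin", "acl_change", ["/hr/passports"], 0, lambda p: "Everyone")
    + burst("2024-03-11T17:00:00", "carol", "delete", [f"/fin/old/{i}.xlsx" for i in range(25)], 7)
    + burst("2024-03-11T22:10:00", "dave", "rename", [f"/projects/{i}.docx" for i in range(30)], 2,
            lambda p: p + ".locked")
)
HISTORY = {  # constructed daily operation counts over the previous ten working days
    "alice": [40, 35, 52, 38, 44, 41, 39, 47, 36, 43],
    "dave": [12, 15, 9, 14, 11, 13, 10, 12, 16, 11],
}

if __name__ == "__main__":
    for a in run_rules(EVENTS):
        print(f"{a['rule']}: {a['key']} x{a['count']} {a['start']:%H:%M}-{a['end']:%H:%M}")
    print("anomalies:", anomalous_users(EVENTS, HISTORY))
```

The two mechanisms are complementary: the rules fire on a single burst regardless of who the user is, while the baseline flags dave's 30 operations only because his history averages about 12 a day, and stays silent for users with no history at all, which is exactly where a fixed rule is needed.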

Reports

The system contains a number of predefined reports:

The reports are useful not only to management but also for IT optimisation in general. For example, you can build a report on duplicate files and free up disk space.
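An added example of how such a report can be produced, not Spectrum's report code: a duplicate-file finder that groups by size before hashing (so only candidate files are read in full) together with a stale-file listing by modification time, run over a small tree constructed in a temporary directory.

```python
"""Duplicate-file and stale-file report over a directory tree.
Added example: files are constructed in a temporary directory; this is not
Spectrum's report code.
"""
import hashlib
import os
import tempfile
import time
from collections import defaultdict


def sha256_of(path, chunk=1 << 20):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def find_duplicates(root):
    """Group by size first (cheap stat), hash only sizes seen more than once."""
    by_size = defaultdict(list)
    for dirpath, _, names in os.walk(root):
        for name in names:
            p = os.path.join(dirpath, name)
            by_size[os.path.getsize(p)].append(p)
    by_hash = defaultdict(list)
    for paths in by_size.values():
        if len(paths) > 1:
            for p in paths:
                by_hash[sha256_of(p)].append(p)
    return sorted(sorted(ps) for ps in by_hash.values() if len(ps) > 1)


def find_stale(root, max_age_days, now=None):
    """Files not modified for more than max_age_days (candidates for archiving)."""
    cutoff = (now if now is not None else time.time()) - max_age_days * 86400
    return sorted(os.path.join(d, n) for d, _, names in os.walk(root) for n in names
                  if os.path.getmtime(os.path.join(d, n)) < cutoff)


def build_sample_tree():
    """Constructed tree: one true duplicate, one same-size decoy, one old file."""
    root = tempfile.mkdtemp(prefix="dag-report-")
    files = {
        "a/report.docx": b"Q1 report " * 100,
        "b/report-copy.docx": b"Q1 report " * 100,
        "c/other.docx": b"Q1 report " * 99 + b"x" * 10,   # same size, different bytes
        "old/2019.xlsx": b"legacy",
    }
    for rel, data in files.items():
        p = os.path.join(root, rel)
        os.makedirs(os.path.dirname(p), exist_ok=True)
        with open(p, "wb") as f:
            f.write(data)
    old = time.time() - 400 * 86400
    os.utime(os.path.join(root, "old", "2019.xlsx"), (old, old))
    return root


if __name__ == "__main__":
    root = build_sample_tree()
    print("duplicates:", find_duplicates(root))
    print("stale:", find_stale(root, 365))
```

The size pre-filter matters on a real file server: hashing every file means reading the whole share, whereas only size collisions need to be read, and the decoy in the sample shows why the hash is still required afterwards.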

The most interesting reports for IT department:

Integration with third party solutions

The Spectrum system can integrate with almost all third-party solutions:

As a rule, DAG class systems are integrated with SIEM, IdM and DLP systems.

Conclusion

Data Access Governance class systems are designed not only to ensure security, but also to optimize the organization’s IT infrastructure. “Spectrum” demonstrates this functionality to the fullest.

In April 2023 the solution passed certification tests for compliance with information security requirements (trust level 4 requirements and technical specifications).


Author of the article: Dmitry Lebedev, information security engineer
