DULUTH, GA—August 15, 2012—Connectivity Wireless Solutions, a nationwide leader in in-building wireless solutions, today announced the deployment of additional distributed antenna system (DAS) networks to expand in-building wireless capacity and coverage to 6.5 million square feet of hotel, convention and public venue space in Tampa, Florida and Charlotte, North Carolina markets in preparation for the 2012 Republican National Convention (RNC) and the 2012 Democratic National Convention (DNC).

During August 27-30, 2012, the RNC is expecting nearly 50,000 visitors to the Tampa Bay area to help support the nomination of the republican candidate for the next president of the United States. Likewise, 35,000 visitors are expected at the DNC in Charlotte, North Carolina during September 4-6, 2012.

In Tampa, Connectivity Wireless has deployed indoor DAS networks extending wireless capacity and coverage into three million square feet of space inside convention centers, hotels and public venues. Moreover, in Charlotte, 3.5 million square feet of space inside of hotels, meeting centers and other public venues will be able to handle higher traffic loading of wireless voice and data services.

“As one would expect, the wireless voice and data demands of both parties and their supporters drives the need for in-building wireless capacity and coverage solutions in these cities,” said Greg Jacobs, chief executive officer of Connectivity Wireless. “Convention delegates and visitors expect their wireless phones and smart devices to work inside of buildings. Our indoor DAS networks in convention centers, hotels and public venues were deployed to do just that—enable wireless voice and data services inside of buildings.”

“As a part of our turnkey design and implementation process, we work closely with third-party operators to deploy DAS and all of the major wireless carriers to ensure that our in-building DAS networks are integrated and optimized with their macro networks,” said David Hartin, vice president of radio frequency (RF) solutions at Connectivity Wireless.

STEALTHbits Introduces Enhancements To Real-Time Behavioral Analytics Platform

HAWTHORNE, NJ–August 28, 2018 – STEALTHbits Technologies Inc., a cybersecurity software company focused on protecting an organization’s sensitive data and the credentials attackers

use to steal that data, today announced the latest version of their real-time threat analytics and alerting platform, StealthDEFEND.

As a stand-alone solution or an integrated component of STEALTHbits’ Data Access Governance suite, StealthDEFEND approaches data security through the mindset of an adversary, focusing on attack methods used in enterprise breaches to protect customers against a variety of

sophisticated attacks, insider threats, account compromise, and malware. Using unsupervised machine learning, StealthDEFEND 1.2’s intelligent indicators produces contextualized data so security professionals not only get the highly advanced analysis of data activity provided natively in the product but the ability to automatically contain and respond to threats with the use of the built-in Incident Response Playbooks.

Insider threats rely heavily, almost exclusively, on remaining undetected. This allows them to progress through the Kill Chain and discover sensitive systems, accounts, and data to be used throughout their attack. The introduction of StealthDEFEND 1.2 marks significant improvements in our ability to reduce insider dwell time with built-in Incident Response Playbooks that automate multi-stage actions ranging from basic alerting to triggering step-up authentication –reducing what threat actors need the most to progress through the Kill Chain,” said Gabriel Gumbs, STEALTHbits VP of Product Strategy.

Built on more than a decade of Data Access Governance experience and expertise, StealthDEFEND analyzes millions of access events daily in real-time, without reliance on lagging indicators such as native logs, to quickly identify abnormal user behavior and activity, especially around sensitive data. StealthDEFEND then presents this information through interactive dashboards as it happens, with contextual visualizations like heat maps and the ability to feed this enriched data into SIEM solutions for further analysis.

The full original press release is here.

DULUTH, GA—October 9, 2012—Connectivity Wireless Solutions, a nationwide leader in in-building wireless solutions, today announced the achievement of a major milestone by deploying distributed antenna systems (DAS) to expand in-building wireless coverage and capacity to 15 facilities, covering more than 20 million square feet of space in hospitals and healthcare settings in year to date 2012.

“According to Manhattan Research, 81 percent of physicians own a smartphone and 62 percent own a tablet computer,” said Bryce Bregen, vice president of sales and marketing of Connectivity Wireless Solutions. “Increased wireless data usage is continuing to drive demand for capacity and coverage solutions in the healthcare setting, and as a result, demand for in-building wireless solutions such as distributed antenna systems.”

According to HIMSS, mHealth is the rapidly growing practice of medicine and public health supported by mobile devices. Hospitals and healthcare facilities are adopting mobile health strategies such as:

• Point of care delivery and workflow enhancements
• Access to patient records and delivery of test results
• Smartphones and augmentation of VoIP communications
• Telemetry and wireless IV pumps
• Connectivity to health information exchanges (HIE) and other care providers
• Mobile medication management and prescription information
• Remote monitoring and diagnostics
• Engagement between consumers and care providers
• Access to health disparate populations via telemedicine

David Hartin, vice president of RF solutions at Connectivity Wireless Solutions adds, “We see the government mandates for adoption of electronic health records (EHR) as a precursor driving adoption of mobile health applications to care providers and patients alike. The more electronic and mobile we become, the higher the capacity and coverage demands on our cellular wireless networks. The wireless carriers are already mobilizing for 4G/LTE in preparation for the continued rise in wireless data usage. It’s just a matter of time and many healthcare facilities are prudent to be taking steps now to prepare for their wireless data needs.”

San Francisco, CA—April 16, 2013—Connectivity Wireless Solutions, a nationwide leader in providing in-building wireless solutions, today announced the achievement of a major milestone by deploying distributed antenna systems (DAS) to expand higher education campus wireless coverage, enveloping more than 26 million square feet of higher education campus space since 2011.

“According Nielson’s research, 54 percent of 18-24 year olds own a smartphone and 37 percent plan to upgrade to 4G within the next year,” said Bryce Bregen, VP of Sales and Marketing at Connectivity Wireless Solutions. “Increased wireless data consumption, and the continuous shift toward an online classroom via mobile devices on higher education campuses are a driving factor for the need to increase wireless coverage.”

According to In Stat, new DAS deployments in universities and campuses are experiencing an average of 20% growth since 2009. This growth has been stimulated by:

• The reduction of landline based phones in dormitory rooms
• Increased delivery of classroom sessions online including access to lectures in both live streaming and video archive format
• The heightened need to ensure campus safety alert notifications while students are mobile
• The volume of people on campus simultaneously during major campus events such as sporting events, exam weeks, etc.

Bregen adds, “It’s evident that there will be continuous wireless network usage as more and more mobile devices infiltrate the market. The colleges and universities have to start working on a budget to accommodate the shift in data and voice usage dynamics. This is why we do educational speaking engagements and attend shows like ACUTA, so we can educate the IT administrators for colleges and universities on their options to fund their DAS projects, and how it will improve communication on campuses for staff, students, visitors, and parents.”

Full original press release found here.

HAWTHORNE, N.J., June 05, 2018 (GLOBE NEWSWIRE) – STEALTHbits Technologies Inc., a cybersecurity software company focused on protecting an organization’s sensitive data and the credentials attackers use to steal that data, today announced the release of STEALTHbits Activity Monitor 3.0.

The sheer volume of unstructured data created by most enterprises presents significant monitoring challenges. Understanding who is accessing data and how it is being accessed is one of the largest gaps in data security protection programs. Activity monitoring provides the robust compliance and security coverage necessary for protecting your data, without the drawbacks associated with native auditing. To control the critical information stored in Windows file shares, SharePoint and Network-Attached Storage (NAS) devices such as NetApp, Dell EMC, Hitachi and Nasuni, it is necessary to be able to track the access and change events that are constantly occurring.

STEALTHbits Activity Monitor 3.0 provides operational efficiencies and visibility into a wide spectrum of human and machine data interactions with a standardized format. With the introduction of SharePoint into STEALTHbits Activity Monitor, customers are able to meet a new level of operational and security intelligence that is not available natively within SharePoint.

“Providing our customers with increased visibility into human and machine activities has been a core goal of ours, so they can track the activity within large data stores, protect data from unauthorized access, and enrich their SIEMs with activity data,” said Gabriel Gumbs, STEALTHbits VP of Product Strategy.

In addition to STEALTHbits Activity Monitor, STEALTHbits is also excited to announce the release of StealthINTERCEPT 5.1, providing superior Active Directory protection from modern attacks such as DC SYNC and Forged Privileged Account Certificates (PACs), while also providing operational control of Active Directory. StealthINTERCEPT also incorporates policy driven controls to allow organizations to see threats, both malicious and accidental, as they happen – preventing accidental changes, blocking malicious activity and alerting in real-time.

Full original press release posted here.

School is back in session everywhere and every teacher knows to start the school year off on the right foot, you need to have your classroom organized. However you choose to manage your classroom, one thing is for certain, you should have all your classroom materials prepared and ready for the first weeks of school.

For most elementary teachers that means creating all the lists, charts, labels and bulletin boards you will need to establish order and repetition for your students. All of the labels and charts you make will set the tone for the school year. It’s what the kids will look to for guidance, how they track their progress, and it’s how you will reinforce your rules and planned activities. These are things like your transportation lists (bus riders vs walkers), behavior charts, desk labels, name strips, cubby labels, activity lists and more. Your classroom probably looks like this:

By now you probably have the basics all set up for the first few weeks of school, but holidays like Halloween and Thanksgiving are right around the corner. We know there will be many more activities that require names, pictures, and organization. Here are 3 things to help you get organized as you prepare your classroom for the year:

1. Make a list of all of the activities, charts, and places that require labels for rest the year. On your list consider all the things you’ll want to include like a picture, student’s full name, transportation, colors, table or group number, activity and more. Having all this information in one place will come in handy when you’re ready to start creating all your labels and charts.
2. Next, you can set up all your bulletin boards. If you’re looking for great bulletin board ideas, check out our Teacher Organization board on Pinterest for classroom organizational inspiration.
3. Last, you may want to use software to add your names to so you can save time by printing them onto labels and templates. For those of you who don’t want to have to search the internet for downloadable templates, we have an awesome time-saving tool called Class Management Tool (CMT). After loading student names once into CMT, you can easily manage student lists, organize student photos and print pre-loaded templates like Table Name Plates and Name Writing Practice.

So instead of using Microsoft Word or some other manual process to create basic classroom templates, CMT Templates provide hundreds of customizable ready-to-use templates that can be printed or downloaded. Once the class list is loaded, it takes seconds to print templates and lists that are as unique as your students.  You save time and can discover a variety of new classroom themes to personalize.

Check out this video below. Our very own Rochelle Pokorny shows you just how easy it is to use CMT templates to organize your classroom.

Just remember, no matter how you choose to prep your classroom for each season and each school year, you are doing your best and that’s all anyone can ask for. The kids and parents will be happy with all the effort you made. If you are looking to save yourself time, click here to try CMT for free for 60 days.

Find the original post here.

We know as teachers, you dread hearing another assessment or test is required for your students. Let’s face it, you already have very limited time to teach, assess, analyze, and report the results of all your hard work without something new being thrown into the mix.

When we heard the state of Illinois now requires school districts and kindergarten teachers to do the Kindergarten Individual Development Survey (KIDS) within the first 40 days of school, we knew we had to do something to help. Obviously, it’s possible to do these assessments within that narrow window of time, but not so likely to get done without teachers wanting to pull their hair out from all the stress added onto an already busy time of the school year!

If you are a kindergarten teacher in Illinois then you know the evidence for KIDS should be collected in the first 40 days of student attendance, beginning with the first day of school, and entered into KIDStech during a two-week window (one week prior to and one week after the 40th day of student attendance).

However, here’s something you probably didn’t know, something that will save you time and headaches with this new requirement going forward…

ESGI has partnered with Adam Peterson to add ESGI/ILKIDS aligned assessments to offer you a faster way to observe, monitor, track, and record the data needed for the required ILKIDS Domains.  Adam Peterson is a kindergarten teacher and vlogger known for his social media channel Teachers Learn Too (@teacherslearn2).  He has taught kindergarten for the past 13 years in Illinois and has recently started traveling the country as a presenter of all things K!

We know what you’re thinking… “Hey ESGI, the 40 days are over, my tests are done, I survived!” Now, think back over the past few weeks and how much work it was to get your kindergarteners all settled into school, acclimated to your classroom, assessed and then you had to enter that data into the KIDSTech system. This probably involved lots of paper assessments and long hours outside of the school day to gather the data. Wouldn’t you like the process be much easier the next time around?

Well, our ESGI/ILKIDS aligned assessments have onscreen directions and images so you can breeze through your KIDS testing in no time! Plus, with our system, you can continue to assess your students the two or three additional times during the school year as the Illinois State Board of Education has recommended in their KIDS FAQ document here. ESGI is designed to inform instruction with real-time student data and show you progress over time as you continue to assess your students.

If you are a kindergarten teacher in Illinois and currently using ESGI, it’s very easy to add the IL KIDS aligned assessments to your ESGI instance. Our very own Rochelle walks you through the process of adding tests in the video below:

If you are not currently an ESGI user, you can try it for FREE for 60 days and save $40 off your first year’s subscription when you use the promo code TEACHERSLEARN2. Click here to start your free trial.

For more information on KIDS or to access the KIDSTech system to load your 14 State Readiness evidence for your classroom, visit the Illinois State Board of Education page here.

The original post is here.

Organizations are shifting their focus to a core set of principles around protecting their credentials and data, but they struggle with a starting point. In this 6-part ‘Checkbox Compliance to True Data Security’ blog series, we will provide a foundational blueprint. The series will cover an overview of Data Access Governance (DAG) and introduce the 5 phases that will help shape a true data security program.

In an interview with Dark Reading, Brian Christensen, head of global audit for Protiviti says, “Whether it is dealing with new cyber-attacks or changes in technology that makes things obsolete at a very fast pace, the ability to have conversations around that (risk) both from a business-process owner standpoint and from an auditor standpoint is a leading standard by which we would expect organizations to abide by.” Compliance should be the result of a well-executed data security program that balances the prioritization of protecting data with the needs of running the business.

With the abundance of data breaches and Equifax’s 2017 data breach being the largest to date, affecting approximately 147.9M people, there is an apparent need for true data security. Although this data breach was one of the most recent, it was certainly not the first and will not be the last.

Despite the prevalence of these data breaches, data security is an unaddressed to-do item for the Information Security community. Data Security is the last line of defense against theft of an organization’s data. Unfortunately, many organizations are treating data security as a checkbox exercise through the lens of compliance standards that are meant to simply provide a framework for the bare minimum. Compliance should fall under the jurisdiction of risk within your data governance program, rather than being the sole guideline that your data security program is built upon. Checkbox exercises quickly become outdated which results in inadequate data protection and fails to align to the spirit of the regulation.

Our CTO, Jonathan Sander, researched file system attacks where he uncovers the most common techniques adversaries use to steal your data. He also documented just how these fraudsters exploit your file system vulnerabilities to gain access to your company data. Every day those techniques evolve, which is why it is so dangerous to have a checkbox approach to data security derived from under-evolving regulations.

In this 6-part ‘Checkbox Compliance to True Data Security’ blog series, we’re going to help your organization chart a course to proper Data Access Governance (DAG). Here are the key areas of DAG the series will cover:

Discovery: Pinpoint where data lives to obtain a complete view of your data footprint

Sensitive data (PII, PHI, etc.) is a primary target in virtually every breach scenario so organizations are shifting their focus to truly understand their data footprint. Companies can’t begin to tackle the issues around data security until they know exactly where data resides across their entire organization. Starting the data discovery process for structured and unstructured data in file shares, servers and systems will help better prioritize DAG initiatives over time.

Collect and Analyze: Review relevant data points to answer critical questions (e.g. sensitivity, access, ownership, age, etc.)

Assess your structured and unstructured data you found during discovery to collect information and analyze it to see what is actually at risk and the conditions that make it risky. Understanding the access model your organization wants to move to is a big step in the direction of true and effective data security. The goal is to assess relevant data points to answer critical questions like what’s the sensitivity of the data, who has access to it, who owns it, and what’s the age of that data.

Monitor: Observe activity to understand user interactions with sensitive data

Once organizations have pinpointed where their greatest risks exist during the collect and analyze phase, they’ll need to monitor the activity to understand how users interact with that sensitive data. In DAG organizations will need to identify data stakeholders (e.g. HR, cross-functional teams, finance), owners and stewards, who mostly use the data. With their support companies will be able to determine why the data exists as well as who has access to it, who created it, what’s in there, and how it is being used. They will be the future data custodians that will assist organizations with their data governance efforts.

Restructure: Adjust permissions to achieve Least Privilege Access and position for effective governance

Restructuring permissions will help organizations achieve a Least Privilege Access model and will enable them to effectively govern their most valuable assets like intellectual property, financial information and customer data. Organizations can then begin to mitigate risk by removing high-risk conditions like Open Access and refining a better process for permissions. Implementing a least privilege access model enables employees outside of security to have controlled access to File Shares and other data repositories. This model will have them well positioned to perform the key tasks associated with any effective Data Access Governance program.

Govern: Control access to ensure security, compliance and operational standards are met

Once data custodians have been established in the monitor phase, and the access model has been restructured to allow for secure provisioning and de-provisioning of data access rights, true governance can begin. Periodic entitlement reviews, self-service access requests, and other workflows like sensitive data reviews and stale data clean-up can be instantiated to keep data and the places data lives clean, secure, and compliant with internal and external standards.

Doing all the above will lead to data specific compliance with virtually any regulation so that operational standards are being met. Each phase is crucial and should be followed prior to moving on to the next. The next blog post of the series will help you get a true understanding of your organization’s data footprint.

Original post found here.

Despite the prevalence of data breaches, Data Access Governance (DAG) is still security’s big unaddressed to-do item. In the first blog post of this 6-part Checkbox Compliance to True Data Security blog series, we discussed how DAG is a crucial aspect of security for companies because it is the last line of defense against theft of an organization’s data. Organizations are starting to shift their focus to establish a core set of principles around protecting their data, and they need a blueprint to help them get started. This series serves as the blueprint that will help your organization chart a course to proper data security. The first step in establishing a Data Access Governance program is Discovery.

In order to govern access to data, you must first understand where all of your data resides. The discovery process can help an organization begin to fully understand the depth and breadth of their data footprint. Then you can begin to understand the full scope of your DAG initiative and focus on the most sensitive data, which is where you’ll want to begin.  Discovery isn’t something you can do only once, it is a process you will need to continue to perform periodically to catch the inevitable changes made by stakeholders.

Find Your Structured Data First

Start by identifying and locating your structured data first. According to Datamation, structured data is “comprised of clearly defined data types whose pattern makes them easily searchable.” The location of structured data repositories are likely well-known within most organizations, as they’re backend-ing critical systems like ERP, HR, and CRM. However, more portable database solutions like Microsoft SQL Express can exist virtually anywhere, requiring organizations to scan desktop and server infrastructure for database instances of which they are otherwise unaware. Databases are really important, for obvious reasons, since what’s really at stake is sensitive data, like social security numbers and financial information for example, that are often stored in structured format. A lot of the older data breaches occurred because an attacker got access to sensitive information that is typically stored within your structured data.

At present, many companies have gotten better at protecting their structured data, so hackers had to find a new avenue to get the data they want. That’s why protecting your unstructured data is more important than ever before, because it is now the easiest target for external and insider threats.

The Real Challenge is Finding Unstructured Data

Locating your unstructured data may be a bit of a challenge. Organizations simply may not know where their unstructured data assets are. Most have an idea that the data lives in file shares and NAS devices, but may not be able to say exactly how many shares they have or how the NAS devices are organized from the end user’s perspective. There are also huge piles of data outside of standard file systems, in collaboration portals like SharePoint and cloud storage repositories like Dropbox and Box, for instance.  According to Deloitte, although it has long been said that 80% of an organization’s data is unstructured, that number is now estimated to be upwards of 90%. This will likely be the data most of your organization’s employees will be accessing and creating regularly, such as emails, Word documents, spreadsheets and images. The difficulty of tackling and locating unstructured data is also covered in our whitepaper which aims to help data security professionals control their unstructured data.

Think about how hard it is to control the information your organization’s employees send through something as common as email. This article from Forbes reminds us of the time Colin Powell’s personal Gmail account was hacked and he had been sending proprietary information about Salesforce’s acquisition plans and M&A strategy because he was a board member with access to that information. Those emails were all leaked on Dclinks.com for the world to read.

That is one example of why it is important focus your attention on locating not only structured data, but also unstructured data. This discovery will become the foundation of your true data security program. In the next post of this 6-part series, we’ll show you how to collect and analyze the data you found to prioritize that which puts your organization at the most risk.

The original post can be found here.

As the amount of data managed by companies continues to grow both in volume and importance, so does the criticality of ensuring access to this data is controlled. In part 1 of this 6-part ‘Checkbox Compliance to True Data Security’ blog series, we took you through the Discovery process. Now that you know your organization’s data footprint, the next step to true data security is the Collect and Analyze phase.

The goal of the Collect and Analyze phase is to assess relevant data points to answer critical questions like what’s the sensitivity of the data, who has access to it, who owns it, and what’s the age of that data.  When you begin to understand the answers to these questions, you can then begin prioritizing the resources that are at most risk and limiting access to them as you work towards achieving a Least Privilege Access model.

The Principle of Least Privilege is THE Goal

The Principle of Least Privilege is essentially the idea that access to data and resources should be provisioned to the bare minimum permissions necessary to perform a job function. Think about it this way, you wouldn’t want to give a marketing manager access to the salaries of everyone in the company, right? Most organizations would want to limit that particular access to only HR representatives and the CEO/CFO, for example. Often, most administrators cannot easily answer the basic question of what an existing user currently has access to, let alone if that user needs that access in the first place.

The risk of ignoring the access issue is more critical today due to the increased scrutiny of auditors and compliance legislation. The EU GDPR regulation, for example, is probably top of mind for your security team. In order to be compliant with GDPR, you must know for certain where an EU citizen’s personal data is stored and who has access to it.

There’s also the ever-present risk of insider threat which has made the current lack of effective controls very apparent. To get to a proper access control system you need to collect and analyze relevant data points to figure out which data is considered sensitive. To help you think that through, here are a few questions to consider:

• Is your organization in a regulated industry (e.g. healthcare, finance, construction, oil)?
• Do you collect personally identifiable information (PII) like social security numbers, date of birth, or driver’s license numbers?
• Do you know if your organization has company-specific proprietary information?

Yes, Your Organization Has Sensitive Data

If you’ve answered yes to any or all of the above, then you have data that is considered sensitive. It’s also important to consider where you’re looking for this data.  When we went through the Discovery phase, we discussed structured data and unstructured data, and how it’s important to look for sensitive data across all of these repositories.  Unstructured data is especially challenging when you consider that sensitive data could be hiding in emails, spreadsheets, images, and hundreds of other file formats.

Another important set of data to collect about your data is file metadata.  Along with information about file authors and owners, last modified and last access dates, file names and types, you should also be collecting and analyzing existing classifications and tags.  All of this information helps to expedite the process of figuring out who owns this data (as will activity data collected during the “Monitor” phase of the process), how old it is, and what can or should eventually be done with it.

Stale Data Costs Just as Much Money as Active Data

Assessing and analyzing data usage is critical. Stale data can be very costly to your organization, as data storage is a major cost for most businesses. In fact, according to Business Insider, businesses around the world are spending an average of an estimated $62B on storage a year. In our research, we found that this high storage cost comes from the fact that most administrators aren’t reviewing and deleting stale data proactively, so it continues to take up space on an organization’s on-premises servers or cloud storage.

The ultimate goal in the Collect and Analyze phase is to understand what you need to do and in what order as you implement a true data security program. In the next blog post of the series, we’ll show you why it’s important to monitor file activity before you perform any remediation.

The original post can be found here.

In part 4 of this 6-part blog series, ‘Moving from Checkbox Compliance to True Data Security,’ we discussed why it’s important to monitor file share activity before you begin to take any action so you can get a full understanding of:

• Who is leveraging their access privileges
• What types of operations each user performs
• Who is creating or contributing the most amount of content

If you’ve completed that step and those in the Discover and Collect & Analyze phases then you should now be able to determine the most probable owners of your data, which files are active (or inactive), and which resources need to be secured first. With this information available it is now time to begin the Restructure phase of Data Access Governance (DAG).

The ultimate goal of the Restructure phase of DAG is to adjust user permissions to achieve Least Privilege Access.  This essentially means to adjust permissions to the exact levels needed for a user to do their job. Historically, the approach to securing file systems has been the responsibility of IT professionals. Unfortunately, there are usually far too many file shares for the IT team to control properly, and they have little to no understanding in many cases of who should have or really needs access to the data. An ideal access model enables employees outside of IT, like the data custodians you’ve identified, to control access to the shares that store the data they’re responsible for.

WHERE TO START THE RESTRUCTURING PROCESS

A good place to start your Restructure process is to remove open access. In our research, we’ve found open access to unstructured data is consistently identified by IT professionals as a critical challenge for their organizations that is often considered too overwhelming and complex to tackle head-on. The good thing is, once you complete the first 3 phases of DAG (Discovery, Collect and Analyze, and Monitor) you’ll be in a position to remove open access – safely – and establish a baseline of user entitlements to support ongoing audit and review requirements.

With your data custodians identified and assigned to each resource, they will be well positioned to perform the key tasks associated with any proper Data Access Governance program, including:

• Self-Service Access Requests – This process allows end-user access requests to data resources to be routed directly to data custodians for approval, rather than to IT resources – saving lots of time and bolstering proper decision-making with regards to data access.
• Entitlement Reviews – This process allows for periodic review and adjustment of access rights by data custodians to ensure access privileges and permissions remain at proper levels.

While it is extremely beneficial to have data custodians, the challenge has always been how to enable them to wield that power without needing a degree in Information Technology and an understanding of Active Directory groups and resource Access Control Lists (ACLs). Solving that problem requires proper standards be implemented when securing file shares and other similar resources.

IMPLEMENTING THE IDEAL MODEL

Implementing a security model that puts the control of access into the hands of data custodians can be done in a repeatable, systematic approach. The driving force behind this approach is to make sure the data custodian can control the access to their file share without impacting access anywhere else within the organization. Also, this approach is designed to be achievable with zero impact to end user access. There are 8 steps to securing your file shares, but you have all the information you need to determine who needs access and the level of permissions they need, as well as who can or should be responsible for keeping access clean moving forward at this point.

Restructuring permissions will help organizations achieve a Least Privilege Access model and will enable them to effectively govern their most valuable assets like intellectual property, financial information and customer data.

THE CURRENT STATE OF DATA ACCESS PRIVILEGES

In many organizations, user privileges are often structured based on their role, such as the business unit they’re in (e.g. Finance, Human Resources, or IT) or a variety of other parameters (e.g. project groups, physical location, executives and decision makers, etc.). One of the unintended byproducts of this methodology is an over-provisioning of access rights.  Just because two or more people serve similar roles does not necessarily mean they need access to the same exact things.

THERE’S A BETTER WAY TO RESTRUCTURE PERMISSIONS

Based on the activity observed during the Monitor phase, the data custodians can restructure permissions to the exact level each user needs to perform their job duties. This task isn’t meant to be a guessing game as the level of access is based on existing behavior. The approach to achieving and maintaining fine-grained control over your share is through the use of Resource-Based Groups.  We recommend organizations create at least three (3) Resource-Based Groups per share, using a consistent and understandable naming convention like:

• [Server Name]_[Resource Name]_Full Control – Only Administrators ever go in this group
• [Server Name]_[Resource Name]_ReadWrite – Only Users that have demonstrated a need for access beyond Read
• [Server Name]_[Resource Name]_Read-Only – Users that have demonstrated a need for Read access

Once Groups are defined, administrators can populate them with the appropriate users. For example, a user who accesses a file, but never makes any edits to it has no need for ReadWrite access and can safely be reduced to Read-Only access without it interrupting their day to day job responsibilities. Once the groups are populated, they can then be permissioned to the file share’s Access Control List (ACL).

The result is a clean, instantly understandable, maintainable access model for your file share/s that provides the right users with the right level of permission to your data.  As new users want or need access to the data, they can be safely placed inside of the appropriate group for the exact share they intend to use. In the next blog post of the series, we’ll show you how to keep your new access model clean, and how to establish ongoing entitlement reviews.

The original post can be found here.

If you’ve been following along in this 6-part Checkbox Compliance to True Data Securityseries, you should have a better understanding of how to locate your data, pinpoint which data is considered sensitive or risky to your organization, and compile a priority list of the sensitive data you’ll want to govern first. You may be thinking that once you’re done with the above it’s time to start making changes to security and locking down the risky data you found, however, we’re not quite there yet.  In part 3 of this 6-part of the series, we’re going to explain why it’s important to begin monitoring the activity surrounding that data. As an Administrator, you cannot possibly know offhand exactly which people within your organization need access to all your data or what they’re actually doing with the data they have access to.  An audit trail of file activity is the treasure trove of information you need to figure that out.

In this series, we’ve established that data is the target in most data breaches, so the risk of having too many people with excessive access rights is far too high. We’ve also talked about how unstructured data makes up 90% of an organization’s data, and it’s also what end-users create and interact with the most. When it comes to unstructured data, we’ve found that users have access and permission levels that are much too high. As a result, attackers (whether internal or external) can get immediate access to far more data than the accounts they’ve compromised need, making attacks much easier to perpetrate.

If users only had access to the data they needed to do their job, and at the lowest permission levels possible (least privilege access), then the risk posed by any standard user’s account being compromised would be relatively low in comparison to what it would be otherwise. This would force attackers to compromise larger numbers of accounts to find the data they’re looking for, thus increasing their likelihood of detection.

Role-Based Groups are Not Working

Most commonly, administrators grant access to unstructured data using Role-based Groups organized along business and geographical lines or other company dimensions. There oftentimes is little consideration for whether or not each individual user within the group actually needs access to the data or the level of access they should have to that data. So now 90% of an organization’s data access has been granted in a haphazard way, which opens that data up to common threats like ransomware.  Ransomware relies on the privileges of the accounts they compromise, so fewer privileges will lead to less risk.   

Consider, for example, if the group that grants a user access to a resource you want to remove them from also grants them permissions to other resources the user regularly accesses to do their job. In that situation you cannot remove them from the group, because they will not only lose access to the resource you intended, they’ll also lose access to the additional resources needed to do their job. We haven’t even touched on the additional complications that arise when organizations go through M&A, internal reorganizations, technology migrations, and other business-driven initiatives which directly impact the makeup of these groups.

Why We Need to Monitor File Activity Before Taking Action

One common complexity that stands in the way of creating your ideal access model, and the reason we monitor first, is the lack of insight in determining who needs access to your file shares in the first place, and how much access they need. We suggest administrators start by trying to determine the most probable owners for a file share (data custodians), so they can help determine access. That process can be time-consuming and inefficient if you don’t prioritize analyzing basic information about the share such as:

• Who is accessing the files and how often they do so
• Who is creating or contributing the most amount of content
• Who manages the users accessing the files

Armed with the results of that analysis you’ll be ready to approach a targeted list of people and survey them to find out who is actually responsible. With all the data an organization manages, administrators need data custodians who understand the data in the file shares to tell you who should actually be able to access it. This person will likely be the person who created the data in the first place. This data custodian will help you make sure the access to the data is best aligned with the business needs.

Deciding who needs access and the level of permission that user needs will become obvious during this monitoring phase. In order to properly secure your file share, you will need to observe not only how users are interacting with the data, but also the specific operations they’re performing. You will notice that while many users may have access to data, they don’t always leverage the access or permissions they have. By observing file activity over time and comparing that activity to the list of users with access, you will quickly be able to determine who needs access and at what permission level.

In the next blog post of the series, we’ll tell you how to approach your possible data custodians to get them on board to help manage the file shares and the best way to maintain fine-grained control over your resources.

The original post can be found here.