VARONIS WHITEPAPER Fixing the "Everyone" Problem
Contents
Introduction
How the Everyone Problem Happens
The Real Issue
Past Options
A New Option: The Varonis Solution
INTRODUCTION
Digital collaboration is at the heart of every business process: files are created, stored and shared at a rapid clip to keep pace with customers and competitors. IDC estimates that the volume of unstructured data (documents, spreadsheets, presentations, images and so on) is growing at 50% year over year. There is so much of this unstructured information, in fact, that it accounts for more than 80% of all enterprise data in most organizations. Even with regulations, industry best practices and the purest of intentions, it seems nearly impossible to keep track of who has and needs access to all of this information, and who does not. And, as news articles continue to remind us, employees, contractors and consultants do not always do the right thing with their access privileges. Regulations concerning personally identifiable information, credit card data, munitions and health information have raised the stakes: organizations face hefty fines (as well as damage to reputation) when files containing this type of content are exposed or stolen.

Even in the securities and financial industries, if you think your IT organization has data access permissions under control, you may want to dig a little deeper. Most IT organizations grant access readily, yet revoke it infrequently. So do not assume that only the human resources group can see the human resources data, or that an employee who left the company last week had all her permissions revoked. The permissions on the data on your file servers, SharePoint sites and mailboxes are very likely too permissive. This situation is not an oversight, nor the sign of a lax IT organization; the technology to solve it in a practical, manageable way did not exist until recently. While there are many ways this situation comes to pass, one contributing factor is built right into the operating system, and nearly every administrator knows about it. They did nothing to cause it, and they cannot fix it with conventional tools and techniques. We are talking about permissions granted to the Everyone group on Windows file systems, world-writable directories on UNIX/Linux, the Authenticated Users group on SharePoint, and anonymous access on Exchange.
HOW THE EVERYONE PROBLEM HAPPENS
With all of the expertise and technology safeguards in place, how is it possible that a major risk to unstructured data on shared file systems cannot be easily reversed? It goes something like this. As an administrator, you (or maybe your predecessor) set up a couple of file systems or shared drives. Some of the folders on those shares were left wide open, and you relied on data owners to define the access permissions. On other folders, you locked things down by assigning access permissions only to certain groups. Over time, though, even the locked-down folders opened up.

That is because Windows Server is designed to facilitate access. A new folder inherits the access control list of its parent, and on older Windows versions the root of a volume and a newly created share both granted the Everyone group access by default (Full Control on Windows 2000, reduced to Read on later versions), so a folder created anywhere beneath them is open to every user in the organization unless someone breaks the inheritance. That is not a problem as long as the folder creator goes back and reassigns the permissions, or if you, as an administrator, learn about the new folder in time and restrict access. But that is not a practical reality given the pace of information creation and the dynamic nature of projects and teams in most organizations. Chances are very good that you will not know about the new folder, and because they are not Windows experts, the users who create these folders know nothing about the Everyone group.

It is similar on SharePoint: end users often set SharePoint permissions on their own, under pressure to set them quickly, and push the tempting button that grants access to all authenticated users, which means everyone in the domain. Every UNIX administrator has at one time or another run chmod 777 on a directory to get something working, leaving it readable and writable by every account on the system.
Exchange administrators know (and worry) that the more senior the executive, the more accessible his or her mailbox is likely to be to supporting staff and other employees.

THE REAL ISSUE
What is the result of Everyone, world and Authenticated Users access? Over time, sensitive data, including intellectual property and client information, makes its way into folders open to far too many people. Not only is this data valuable, it is also critical to the business, so it is accessed a lot. As part of your quarterly file clean-up, or in preparation for a data entitlement audit, you would love to get rid of the Everyone problem. But you have spoken with everyone you know and there is no good way to do it.
PAST OPTIONS
Option 1: Remove the Everyone group from the folders and wait for the calls from angry users to pour in as they try to reach the data they need. At least that will tell you who within Everyone is accessing the data.

Option 2: Turn on Windows Server auditing (which Microsoft warns against because of the performance impact), SharePoint auditing, UNIX/Linux auditing (BSM, auditd and the like) and Exchange journaling, then comb through reams of logs to find out who is accessing the data, check whether each of them already has access to the folder some other way (for example through a different domain group), and if not, grant them access via a new group, or an existing one that (hopefully) does not also grant them something else they should not have.

Option 3: Most administrators (no, you are not alone) take this unspoken option: do nothing and hope that business proceeds without incident. After all, nothing has happened yet, right?

The first two options are just not realistic. Either would disrupt the business, not to mention weeks or months of work that no one has planned for, let alone asked you to do. But you know that this situation should not persist, especially in an environment where securities and financial data are potentially at risk. And, of course, when it comes to audit time, it will all be highlighted.

A NEW OPTION: THE VARONIS SOLUTION
There is a solution to the Everyone problem that has emerged and is gaining traction. It is a software solution based on metadata that can take care of the problem not in weeks or months, but in mouse clicks.
It is by Varonis, and it can quickly:
- List all of the folders and sites in your file systems, SharePoint and Exchange that are open to global access groups like Everyone.
- Prioritize the folders that need remediating based on the amount of sensitive data, activity and exposure.
- Show you the names of the users accessing those folders and sites who have no other way to access them.
- Let you simulate and fix the permissions on all platforms through a single interface.
The folders most at risk get fixed first, the rest get fixed in order of priority, and there is no disruption to the business and no panicked or angry phone calls. In addition to solving the historical problem, Varonis solutions also help keep your environment clean on an ongoing basis: if a new folder is created with the Everyone group assigned, it lets you know so you can deal with it swiftly. And fixing the Everyone problem is just one of the many features you get out of the box with Varonis.
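For comparison, here is what the same four steps (find the open folders, see who actually uses them, check for another access path, simulate and fix) look like when done the conventional way described under Past Options, using only tools that ship with Windows. This is an added example for this page, not code from Varonis or from the whitepaper. It assumes it runs elevated on the file server with the RSAT ActiveDirectory module installed, that "Audit File System" success auditing and a SACL on the share root are already in place so that Security event 4663 is being logged, and a single domain; the share root D:\Shares and the group CORP\FS-Finance-RW are hypothetical names.

```powershell
# Added example (not Varonis code): the conventional route through Option 2,
# scripted with Get-Acl, Get-WinEvent, the AD module and Set-Acl.
# Assumptions: run elevated on the file server; RSAT ActiveDirectory module
# present; "Audit File System" success auditing is on
# (auditpol /set /subcategory:"File System" /success:enable) and the share
# root carries a SACL, so event 4663 is written; one domain, so
# $env:USERDOMAIN prefixes group names; $Root and $ReplacementGroup are
# hypothetical.

$Root             = 'D:\Shares'           # assumption: share root to scan
$ReplacementGroup = 'CORP\FS-Finance-RW'  # assumption: scoped group to grant instead
$GlobalGroups     = @('Everyone', 'Authenticated Users', 'Users', 'Domain Users')

# "NT AUTHORITY\Authenticated Users", "BUILTIN\Users" and "CORP\Domain Users"
# all count as global: every domain account is a member of each of them.
function Test-GlobalPrincipal {
    param([string]$Identity)
    return $GlobalGroups -contains ($Identity -split '\\')[-1]
}

# 1. Folders with an explicit Allow ACE for a global group. Inherited ACEs are
#    skipped on purpose: fixing the folder they come from fixes them too.
function Find-OpenFolders {
    param([string]$Path)
    Get-ChildItem -LiteralPath $Path -Directory -Recurse -ErrorAction SilentlyContinue |
      ForEach-Object {
        $dir = $_
        $acl = Get-Acl -LiteralPath $dir.FullName
        foreach ($ace in $acl.Access) {
            if ($ace.AccessControlType -eq 'Allow' -and -not $ace.IsInherited -and
                (Test-GlobalPrincipal $ace.IdentityReference.Value)) {
                [pscustomobject]@{
                    Folder    = $dir.FullName
                    Principal = $ace.IdentityReference.Value
                    Rights    = $ace.FileSystemRights
                }
            }
        }
      }
}

# 2. Who actually used the folder? Security event 4663 ("An attempt was made to
#    access an object") carries the account and the object path. Returns the
#    distinct DOMAIN\user values seen in the last $Days days.
function Get-FolderUsers {
    param([string]$Folder, [int]$Days = 30)
    $events = Get-WinEvent -FilterHashtable @{
        LogName = 'Security'; Id = 4663; StartTime = (Get-Date).AddDays(-$Days)
    } -ErrorAction SilentlyContinue
    $users = foreach ($e in $events) {
        $data = @{}
        foreach ($item in ([xml]$e.ToXml()).Event.EventData.Data) {
            $data[$item.Name] = $item.'#text'
        }
        if ($data.ObjectName -like "$Folder\*") {
            "$($data.SubjectDomainName)\$($data.SubjectUserName)"
        }
    }
    $users | Where-Object { $_ -notlike '*$' } | Sort-Object -Unique   # drop machine accounts
}

# 3. Does the user reach the folder through an ACE other than a global one?
#    The 1.2.840.113556.1.4.1941 (in-chain) matching rule makes the DC expand
#    nested group membership, so a grant via a group inside a group is counted.
function Test-AlternatePath {
    param([string]$Folder, [string]$User)
    $sam  = ($User -split '\\')[-1]
    $acct = Get-ADUser -Identity $sam -ErrorAction SilentlyContinue
    if (-not $acct) { return $false }
    $groups = Get-ADGroup -LDAPFilter "(member:1.2.840.113556.1.4.1941:=$($acct.DistinguishedName))" |
              ForEach-Object { "$env:USERDOMAIN\$($_.SamAccountName)" }
    $mine = @($User) + @($groups)
    foreach ($ace in (Get-Acl -LiteralPath $Folder).Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        if (Test-GlobalPrincipal $ace.IdentityReference.Value) { continue }
        if ($mine -contains $ace.IdentityReference.Value) { return $true }
    }
    return $false
}

# 4. Grant the scoped group, then drop the global ACE. Without -Apply this is a
#    simulation: Set-Acl -WhatIf prints what it would change and touches nothing.
function Repair-OpenFolder {
    param([string]$Folder, [string]$GlobalPrincipal, [string]$NewGroup, [switch]$Apply)
    $acl  = Get-Acl -LiteralPath $Folder
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
        $NewGroup, 'Modify', 'ContainerInherit,ObjectInherit', 'None', 'Allow')
    $acl.AddAccessRule($rule)
    foreach ($ace in @($acl.Access | Where-Object {
                -not $_.IsInherited -and $_.IdentityReference.Value -eq $GlobalPrincipal })) {
        $acl.RemoveAccessRuleAll($ace)
    }
    Set-Acl -LiteralPath $Folder -AclObject $acl -WhatIf:(-not $Apply)
}

# Driver: report each open folder with the users who would lose access, then
# dry-run the fix. Re-run Repair-OpenFolder -Apply once the new group is populated.
foreach ($f in Find-OpenFolders -Path $Root) {
    $stranded = @(Get-FolderUsers -Folder $f.Folder |
                  Where-Object { -not (Test-AlternatePath -Folder $f.Folder -User $_) })
    "{0} is open to {1} ({2}); users with no other path: {3}" -f `
        $f.Folder, $f.Principal, $f.Rights, ($stranded -join ', ')
    Repair-OpenFolder -Folder $f.Folder -GlobalPrincipal $f.Principal -NewGroup $ReplacementGroup
}
```

Two caveats match the whitepaper's complaint about this route. Event 4663 is only generated for objects that carry a SACL, and reading a busy Security log with Get-WinEvent is slow, so on a large file server step 2 is the part that takes the weeks the text talks about. The script also only covers the file-system case; the SharePoint Authenticated Users and Exchange anonymous-access variants need their own tooling.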
About Varonis
Varonis is the leader in unstructured and semi-structured data governance software. Based on patented technology and a highly accurate analytics engine, Varonis solutions give organizations total visibility and control over their data, ensuring that only the right users have access to the right data at all times from all devices, that all use is monitored, and that abuse is flagged. Varonis makes digital collaboration secure, effortless and efficient so that people can create and share content easily with whom they must, and organizations can be confident their content is protected and managed efficiently.

Free 30-day assessment:
Within hours of installation, you can conduct a permissions audit: file and folder access permissions and how they map to specific users and groups. You can even generate reports.
Within a day of installation, Varonis DatAdvantage will begin to show you which users are accessing the data, and how.
Within three weeks of installation, Varonis DatAdvantage will make highly reliable recommendations about how to limit access to files and folders to just those users who need it for their jobs.

Worldwide Headquarters: 1250 Broadway, 31st Floor, New York, NY 10001. T 877-292-8767, E sales@varonis.com
United Kingdom and Ireland: Varonis UK Ltd., Warnford Court, 29 Throgmorton Street, London EC2N 2AT. T 020 3402 6044, E sales-uk@varonis.com
Western Europe: Varonis France SAS, 4, rue Villaret de Joyeuse, 75017 Paris, France. T +33 (0)1 82 88 90 96, E sales-france@varonis.com
Germany, Austria and Switzerland: Varonis Deutschland GmbH, Robert-Bosch-Strasse 7, 64293 Darmstadt. T +49 (0)6257 9639728, E sales-germany@varonis.com