Varonis: The Information Access Mafia
October 2011 by Varonis
Responding to an Information Week feature on the trials and tribulations of a fictitious chief information officer, data governance specialist Varonis Systems says that least privilege automation is clearly the way forward, and that controls on how data is handled are an essential part of the Governance, Risk and Compliance (GRC) jigsaw: specifying who can do what, where and when with an organisation’s information.
Mr. Laura is not alone: the employees in most organizations are over-entitled, and 90% is a pretty typical figure based on our experience. He is also not the only CIO whose business needs to collaborate digitally in order to survive (and thrive). Lastly, he points out that some data assets are so sensitive that they “will never allow to escalate. But there’s an enormous amount of data that is ‘gray’…”
If I’m interpreting Mr. Laura’s new approach correctly, his plan is to make it easier for individuals to get access to data that falls into the “gray” category, observe their use of that data, and then “come down very hard after the fact on those who abuse the privilege.”
This approach is not vastly different from the approach we have helped many organizations shape, but I would offer some hope to those that have been operating under the belief that least privilege access is possible and effective: it’s not that least access doesn’t work, it’s that least access doesn’t work without the right automation, and without the correct use of that automation.
Automation is required because the amount of existing and new data that needs protection is enormous, the access control and group relationships are numerous and complex, and the rate of change has increased in the context of team collaboration with digital assets. Too many complex decisions need to be made too frequently in order to maintain a least privilege model through traditional, manual means.
Least access has also been difficult because organizations have lost track of which data belongs to whom—no one knows who is supposed to even make the decision on correct access. Furthermore, monitoring actual data access activity has been, until fairly recently, unrealistic or impossible for most organizations. Without an audit trail, use cannot be monitored, abuse cannot be observed, and access control effectiveness cannot be validated.
Luckily, automation now exists that can audit all data access activity, spot abuse, identify data owners, provide automated recommendations on how to reduce access, and automate the access approval and review processes. With this kind of automation, secure collaboration, with least access, is not only possible, but will become standard.
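As an added illustration (not code from the original post or from any Varonis product), the core of the review such automation performs: compare an ACL snapshot against an audit trail to flag entitlements that were never exercised, measure how over-entitled the population is, and infer a probable data owner from write activity. The share names, users and log lines are constructed sample data.

```python
from collections import Counter

# Constructed ACL snapshot: share -> users currently entitled to read it.
ENTITLEMENTS = {
    "finance": {"alice", "bob", "carol", "dave", "erin", "frank"},
    "legal": {"alice", "grace", "heidi"},
}

# Constructed audit trail, one "timestamp,user,share,operation" per line.
AUDIT_LOG = """\
2011-09-01T09:02:11,alice,finance,read
2011-09-01T09:05:40,bob,finance,write
2011-09-02T14:11:03,bob,finance,write
2011-09-03T08:30:17,alice,finance,read
2011-09-03T10:12:55,grace,legal,write
2011-09-04T16:45:09,grace,legal,read
2011-09-05T11:20:31,heidi,legal,read
"""

def parse_audit_log(text):
    """Return (user, share, operation) tuples, skipping blank lines."""
    events = []
    for line in text.splitlines():
        if line.strip():
            _ts, user, share, op = line.split(",")
            events.append((user, share, op))
    return events

def stale_entitlements(entitlements, events):
    """Users entitled to a share who never touched it in the audit window:
    the candidates an access review would recommend removing."""
    active = {(u, s) for u, s, _ in events}
    return {share: sorted(u for u in users if (u, share) not in active)
            for share, users in entitlements.items()}

def over_entitlement_ratio(entitlements, events):
    """Fraction of all grants that saw no use in the window (0.0 if no grants)."""
    stale = stale_entitlements(entitlements, events)
    total = sum(len(users) for users in entitlements.values())
    return sum(len(v) for v in stale.values()) / total if total else 0.0

def likely_owner(events, share):
    """Heuristic data owner: the user with the most writes on the share,
    falling back to the most active reader; None if the share is silent."""
    writes = Counter(u for u, s, op in events if s == share and op == "write")
    if writes:
        return writes.most_common(1)[0][0]
    activity = Counter(u for u, s, _ in events if s == share)
    return activity.most_common(1)[0][0] if activity else None
```

On the sample data, five of the nine grants are never used, which is the kind of figure an access review would hand to the inferred owners (bob for finance, grace for legal) for confirmation before revoking.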