The role of file auditing in compliance
Learn how file auditing can help you meet compliance objectives, secure your data on Windows and cloud servers, and avoid costly penalties.
Updated June 12, 2024
At the core of any compliance mandate is a desire to keep protected data secure by allowing access only to those who need it to do their job. To both know and prove that you do this for your organization’s protected data, you need visibility into what is happening to that data: who has access, who is using that access, and what is being done with it.
File access auditing involves tracking who accessed what, when, and what they did with it. In a Windows environment, we usually talk about files, folders, and Windows file server auditing.
The main goal of file server auditing is to track all folder and file access events in one place.
Trying to meet compliance objectives is often a mind-bending process. It's frustrating. You have to try to understand the cryptically worded standard, then translate it to human speak, and then extrapolate how all that applies to your environment.
The problem is, standards are generally written to apply to any operating system, any network, and any infrastructure. And it makes sense — no one can write a nation- or industry-wide standard that applies specifically to the way your organization operates.
Authors have had to become more technically specific in recent years to home in on what is required of regulated businesses.
Most compliance standards revolve around a particular protected data set (health records, credit card details, personal information, and more), guiding both optional and mandatory controls used to ensure proper access to, and usage of, that data.
Some standards are “ancient” by IT standards even when they are only a few years old. With controls as unhelpful as “establish and maintain levels of security”, it’s no wonder IT organizations are left wondering whether they are meeting the requirement or not. The best examples of compliance mandates with easily applicable standards are the Payment Card Industry Data Security Standard (PCI DSS) v3.0 and the European Union’s forthcoming General Data Protection Regulation (GDPR).
But even with well-written standards, there’s still no way for the author to know exactly where each organization is storing its protected data. Thus, the standards, while written with technical specifications around the use of encryption, authentication methods, levels of access, and more, still require IT to determine the best way to ensure the intent of the standard is met.
To determine how to tactically best meet a given compliance standard, IT needs to look at what systems, applications, and platforms are used to store protected data.
Many Windows-based networks continue to host protected data on server-based file systems, making these servers a primary target for external attackers determined to exfiltrate data. And for those of you keeping protected data within a database, keep in mind that those databases, at the end of the day, are still files – files that can be stolen and accessed offsite.
And, that’s where file auditing comes into play.
Let’s first look at what capabilities should be a part of file auditing that can apply to both native Windows tools, as well as third-party Windows file access auditing software.
Logging: All access to, and changes to, files and folders, including both data and permissions, should be logged.
Visibility: All audit log data should be easily accessible so it can be reviewed, filtered, searched, etc.
Alerting: Notifications should be sent when actions match criteria deemed suspect.
Reporting: This gets a bit tricky, but even native tools can export log data. So, even if it’s not pretty, the ability to generate shareable “reports” should be a part of file auditing.
In many cases, compliance requirements establish the security objective and then provide detail on how to test that the objective is being met. File auditing is your testing method to ensure the security you think you have around your protected data is doing its job.
So, how can you use file auditing to help meet your compliance objectives?
The activity detail collected and monitored, as part of ongoing file auditing, is useful to meet several kinds of compliance objectives. Because this paper is not being written to demonstrate file auditing’s application to a specific mandate, let’s cover four generic use cases, discussing the role File Auditing plays in each.
Nearly every compliance mandate starts with putting protection in place around files containing protected data. Tactically this includes scrutinizing the establishment and assignment of least privilege permissions to users and groups. Are the permissions assigned correct for the job function/role? Is the right user or group being chosen during assignment? Is the user making the change approved to do so?
Note: At a time when external attackers seek to enjoy the maximum access possible within your network, one of the many possible steps taken is to create multiple users and assign them elevated permissions. This is done to ensure a level of persistent access within the network — should one account be discovered, there are 20 more accounts behind it the attacker can utilize.
File Auditing monitors changes — and attempted changes — to file or folder permissions, usually documenting what permissions have been changed, the object path, the user making the assignment, and other identifiable factors like machine name, IP address, etc. Alerting and reporting on changes made can provide both real-time and historical detail.
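To make the permission-change detail concrete, here is an added example (not code from the original article or from FileAudit) that takes one record shaped like Windows Event ID 4670, “Permissions on an object were changed”, which carries the old and new security descriptors in SDDL form, and works out which access control entries were added or removed and whether any of them widen access. The user name, folder path, domain SID and the two descriptors are constructed values for illustration; the SDDL field layout, the rights abbreviations and the well-known SID abbreviations are standard Windows notation.

```python
import re

# Constructed sample record carrying the fields Windows writes in Event ID 4670.
# The subject, path and domain SID are made up for this example.
SAMPLE_4670 = {
    "EventID": 4670,
    "SubjectUserName": "jdoe",
    "ObjectName": r"D:\Finance\Payroll",
    "OldSd": "D:PAI(A;OICI;FA;;;BA)(A;OICI;0x1200a9;;;S-1-5-21-1111-2222-3333-1105)",
    "NewSd": "D:PAI(A;OICI;FA;;;BA)(A;OICI;FA;;;S-1-5-21-1111-2222-3333-1105)(A;OICI;0x1200a9;;;WD)",
}

# SDDL rights abbreviations plus the two hex masks most often seen on files:
# 0x1200a9 is "Read & execute", 0x1301bf is "Modify".
RIGHTS_LABELS = {
    "FA": "Full control", "FR": "Read", "FW": "Write", "FX": "Execute",
    "GA": "Generic all", "GR": "Generic read", "GW": "Generic write", "GX": "Generic execute",
    "0x1200a9": "Read & execute", "0x1301bf": "Modify",
}
# Well-known SID abbreviations used in SDDL strings.
WELL_KNOWN_SIDS = {"BA": "BUILTIN\\Administrators", "BU": "BUILTIN\\Users",
                   "WD": "Everyone", "SY": "SYSTEM", "AU": "Authenticated Users"}
BROAD_TRUSTEES = {"WD", "AU", "BU"}   # a grant to these widens access beyond a named role
ADMIN_TRUSTEES = {"BA", "SY"}

ACE_RE = re.compile(r"\(([^)]*)\)")


def parse_dacl(sddl):
    """Return the set of (ace_type, rights, trustee) triples in the DACL of an SDDL string.
    Each ACE is type;flags;rights;object_guid;inherit_guid;sid. Inheritance flags are
    dropped on purpose so the diff reports who gained or lost which rights."""
    if "D:" not in sddl:
        return set()
    dacl = sddl.split("D:", 1)[1].split("S:", 1)[0]   # stop at a SACL if one follows
    aces = set()
    for ace in ACE_RE.findall(dacl):
        parts = ace.split(";")
        if len(parts) < 6:
            continue
        rights = parts[2]
        rights = rights.lower() if rights.lower().startswith("0x") else rights.upper()
        aces.add((parts[0].upper(), rights, parts[5]))
    return aces


def describe(ace):
    """Human-readable form of one ACE triple."""
    ace_type, rights, sid = ace
    kind = {"A": "ALLOW", "D": "DENY"}.get(ace_type, ace_type)
    return f"{kind} {RIGHTS_LABELS.get(rights, rights)} -> {WELL_KNOWN_SIDS.get(sid, sid)}"


def diff_permission_change(event):
    """Diff the old and new DACL of a 4670 record and flag grants an auditor would question."""
    old, new = parse_dacl(event["OldSd"]), parse_dacl(event["NewSd"])
    added, removed = new - old, old - new
    flags = set()
    for ace_type, rights, sid in added:
        if ace_type != "A":
            continue                      # new DENY entries narrow access; not flagged here
        if sid in BROAD_TRUSTEES:
            flags.add("broad_grant")
        if rights in ("FA", "GA") and sid not in ADMIN_TRUSTEES:
            flags.add("full_control_to_non_admin")
    return {
        "object": event["ObjectName"],
        "changed_by": event["SubjectUserName"],
        "added": sorted(describe(a) for a in added),
        "removed": sorted(describe(a) for a in removed),
        "flags": sorted(flags),
    }


if __name__ == "__main__":
    for key, value in diff_permission_change(SAMPLE_4670).items():
        print(f"{key}: {value}")
```

Run against the constructed record, the diff shows the domain user being promoted from Read & execute to Full control and Everyone being granted Read & execute on the payroll folder, and both conditions raise a flag. The same two functions work on the Old/New Security Descriptor fields of a real 4670 export; only the trustee lists would need tuning to your own admin groups.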
Compliance is not a destination; it’s a continual journey where each day IT must be certain its environment remains compliant. Therefore, IT needs to have constant visibility into what protected data is being accessed, by whom, when, from where, etc. This real-time information is necessary to remain vigilant against inappropriate access by malicious insiders and external attackers leveraging compromised credentials.
Additionally, some auditors like to follow the audit trail beginning with those that have access all the way down to being shown specifically what actions were taken with the access provided. To provide this information, a historical record of all activity is required to satisfy auditor requirements.
File auditing detail is used to demonstrate only approved access has occurred. Alerting and reporting can provide both real-time and historical detail — including identifiable factors like machine name, IP address, etc. Robust filtering capabilities help quickly answer the questions posed by auditors.
It’s not unusual for IT to allow Active Directory to evolve organically on its own. Group memberships are rarely attested to, permissions even less so, and nested group memberships are seldom checked — all of which results in 71% of users stating they are over-permissioned and have access to data they should not see.
So, when it comes to assigning access controls, it’s possible that users who aren’t intentionally supposed to have access, actually do. And, given the need for least privilege in an environment housing protected data, it makes sense to identify which users are attempting access.
File auditing can provide details of user accounts that have taken steps to access protected data, documenting the actions taken and the files and folders impacted. This can be cross-referenced with the intended security controls to ensure they are correct.
While no organization wants to experience a data breach (and, therefore, a breach of compliance in the case of protected data being stolen), it remains a definite possibility. Should protected data reside on a file server, obvious leading indicators of a breach will exist. Abnormalities in file activity will occur such as nonstandard access times or large amounts of data accessed.
By watching the access and usage of protected data on file servers, it’s possible to detect a data breach based on unusual activity. The ability to analyze audit log data allows suspicious actions to be spotted, notifying IT of a potential breach and ensuring a quick reaction when necessary.
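The two indicators named above, nonstandard access times and unusually large amounts of data accessed, can be checked mechanically once the access events are in hand. The following is an added example, not code from the article or from FileAudit, that runs both checks over constructed access records shaped like the time, subject and object fields of a 4663 event. The 07:00 to 19:00 business window, the three-times-median threshold and the user names are assumptions chosen for the illustration.

```python
from collections import defaultdict
from datetime import datetime, time
from statistics import median

# Assumption: the business day for this file server runs 07:00-19:00 local time.
BUSINESS_START, BUSINESS_END = time(7, 0), time(19, 0)


def build_sample_access():
    """Constructed records (time, subject, object path): three ordinary days for two
    users, then one night on which 'jdoe' reads 30 distinct payroll files."""
    recs = []
    for day in ("2024-06-10", "2024-06-11", "2024-06-12"):
        for i in range(3):
            recs.append((f"{day}T10:{i:02d}:00", "jdoe", rf"D:\Finance\Payroll\report_{i}.xlsx"))
        recs.append((f"{day}T11:00:00", "asmith", r"D:\HR\Handbook.docx"))
    for i in range(30):
        recs.append((f"2024-06-13T02:{i:02d}:00", "jdoe", rf"D:\Finance\Payroll\report_{i}.xlsx"))
    return recs


def off_hours_accesses(records, start=BUSINESS_START, end=BUSINESS_END):
    """Return the records whose local time of day falls outside [start, end)."""
    flagged = []
    for when, user, path in records:
        t = datetime.fromisoformat(when).time()
        if not (start <= t < end):
            flagged.append((when, user, path))
    return flagged


def volume_anomalies(records, factor=3.0, min_files=5):
    """Count distinct files each user touched per day and flag a day when the count is at
    least `factor` times that user's median over the other days. `min_files` stops a user
    with a baseline of one file from being flagged for opening three."""
    per_day = defaultdict(set)
    for when, user, path in records:
        per_day[(user, when[:10])].add(path.lower())   # when[:10] is the YYYY-MM-DD part
    counts = defaultdict(dict)
    for (user, day), files in per_day.items():
        counts[user][day] = len(files)
    anomalies = []
    for user, days in counts.items():
        for day, n in sorted(days.items()):
            others = [c for d, c in days.items() if d != day]
            baseline = median(others) if others else 0
            if n >= min_files and n >= factor * max(baseline, 1):
                anomalies.append({"user": user, "date": day, "files": n, "baseline": baseline})
    return anomalies


if __name__ == "__main__":
    records = build_sample_access()
    print(f"{len(off_hours_accesses(records))} accesses outside business hours")
    for a in volume_anomalies(records):
        print(f"{a['user']} touched {a['files']} files on {a['date']} (baseline {a['baseline']})")
```

On the constructed data, every one of the thirty night-time reads is reported as off-hours, and the volume check flags 2024-06-13 for jdoe against a baseline of three files per day while the ordinary days of both users stay quiet. Either function can be pointed at a list of real (time, user, path) tuples exported from the Security log; the thresholds are the part to tune to your own environment.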
Unless you’re new to IT, you already know the ability to audit Windows file systems has been an integrated component of the Windows Server operating system for the last 20 years.
The Event Viewer tool provides functionality to centralize, view, filter, and sort file audit data. It even has a rudimentary ability to set up notifications.
So, why use a third-party file auditing solution?
The answer lies in the gaps in functionality, performance, and detail available with native Windows tools.
The native log data provides all the detail needed. In fact, many third-party solutions simply leverage the very same detail you can find in Event Viewer. But Microsoft isn’t in the auditing business, and so the log data is nothing but raw information.
For example, moving a file from one partition to another generates between 6 and 10 event entries and is recorded as a copy and a delete – not as a “move.” Third-party solutions turn information into intelligence, working out that those 10 or so events are actually a single action, and display or alert on it as such.
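The copy-plus-delete problem described above can be illustrated with a small correlation routine. This is an added example and not code from the article or from FileAudit; it models what one cross-volume move by a single user looks like in the raw Security log (handle requested 4656, access 4663, handle closed 4658, object deleted 4660) and collapses that burst into one MOVE record. The paths, user names, handle IDs and timestamps are constructed; the event IDs, the fact that 4660 and 4658 carry no object name and must be tied back to the handle that 4656/4663 named, and the access-mask bits are how Windows actually logs file access.

```python
from datetime import datetime, timedelta
import ntpath

# Access-mask bits as Windows logs them for file objects in the "Accesses" field of 4663.
ACCESS_READ = 0x1        # ReadData / ListDirectory
ACCESS_WRITE = 0x2       # WriteData / AddFile
ACCESS_DELETE = 0x10000  # DELETE


def _ev(event_id, when, subject, process, handle, path=None, mask=0):
    """Build one constructed event record using the field names Windows uses."""
    return {"EventID": event_id, "Time": datetime.fromisoformat(when), "Subject": subject,
            "ProcessName": process, "HandleId": handle, "ObjectName": path, "AccessMask": mask}


EXPLORER = r"C:\Windows\explorer.exe"
SRC, DST = r"D:\Finance\Q2.xlsx", r"E:\Archive\Q2.xlsx"

# Constructed sample: one move of Q2.xlsx from D: to E: by "jdoe" (8 raw events over two
# handles), followed by an unrelated read by "asmith" that must not be swallowed.
SAMPLE_EVENTS = [
    _ev(4656, "2024-06-12T14:05:00.100", "jdoe", EXPLORER, "0x1a4", SRC, ACCESS_READ | ACCESS_DELETE),
    _ev(4663, "2024-06-12T14:05:00.150", "jdoe", EXPLORER, "0x1a4", SRC, ACCESS_READ),
    _ev(4656, "2024-06-12T14:05:00.200", "jdoe", EXPLORER, "0x1b0", DST, ACCESS_WRITE),
    _ev(4663, "2024-06-12T14:05:00.250", "jdoe", EXPLORER, "0x1b0", DST, ACCESS_WRITE),
    _ev(4658, "2024-06-12T14:05:00.300", "jdoe", EXPLORER, "0x1b0"),
    _ev(4663, "2024-06-12T14:05:00.350", "jdoe", EXPLORER, "0x1a4", SRC, ACCESS_DELETE),
    _ev(4660, "2024-06-12T14:05:00.400", "jdoe", EXPLORER, "0x1a4"),
    _ev(4658, "2024-06-12T14:05:00.450", "jdoe", EXPLORER, "0x1a4"),
    _ev(4663, "2024-06-12T14:07:00.000", "asmith", EXPLORER, "0x2c0", r"D:\HR\Handbook.docx", ACCESS_READ),
]


def handle_paths(events):
    """4660 and 4658 carry no ObjectName; recover it from the 4656/4663 that named the handle."""
    paths = {}
    for e in events:
        if e["ObjectName"] and e["EventID"] in (4656, 4663):
            paths.setdefault((e["Subject"], e["HandleId"]), e["ObjectName"])
    return paths


def correlate_moves(events, window=timedelta(seconds=2)):
    """Collapse copy-then-delete bursts into MOVE records. Rule: same subject and process,
    a 4663 WRITE to path X and a 4660 delete of path Y, same file name but different path,
    within `window`. Returns (moves, events that were not part of any move)."""
    events = sorted(events, key=lambda e: e["Time"])
    paths = handle_paths(events)
    writes = [e for e in events if e["EventID"] == 4663 and e["AccessMask"] & ACCESS_WRITE]
    moves, used_handles = [], set()
    for d in (e for e in events if e["EventID"] == 4660):
        src = paths.get((d["Subject"], d["HandleId"]))
        if not src:
            continue
        for w in writes:
            if (w["Subject"], w["HandleId"]) in used_handles:
                continue
            same_actor = (w["Subject"], w["ProcessName"]) == (d["Subject"], d["ProcessName"])
            same_name = ntpath.basename(w["ObjectName"]).lower() == ntpath.basename(src).lower()
            in_window = abs(w["Time"] - d["Time"]) <= window
            if same_actor and same_name and in_window and w["ObjectName"].lower() != src.lower():
                handles = {(d["Subject"], d["HandleId"]), (w["Subject"], w["HandleId"])}
                used_handles |= handles
                raw = [e for e in events if (e["Subject"], e["HandleId"]) in handles]
                moves.append({"Action": "MOVE", "Subject": d["Subject"], "From": src,
                              "To": w["ObjectName"], "Time": d["Time"], "RawEvents": len(raw)})
                break
    leftovers = [e for e in events if (e["Subject"], e["HandleId"]) not in used_handles]
    return moves, leftovers


if __name__ == "__main__":
    moves, leftovers = correlate_moves(SAMPLE_EVENTS)
    for m in moves:
        print(f"{m['Time']} {m['Subject']} MOVE {m['From']} -> {m['To']} ({m['RawEvents']} raw events)")
    print(f"{len(leftovers)} event(s) left uncorrelated")
```

On the sample, the eight raw entries for jdoe become a single MOVE from D:\Finance\Q2.xlsx to E:\Archive\Q2.xlsx, while asmith's read is left alone. The matching is deliberately conservative (same process, same file name, a two-second window), which is the trade-off any such correlation makes: a looser rule collapses more noise but risks merging two unrelated operations into one.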
Additionally, some solutions don’t just stop with intelligence; they analyze patterns of activity, looking for anything out of the ordinary, taking intelligence, and turning it into insight – empowering IT to make decisions around whether activity is appropriate or not, whether they are compliant or not, and what actions they need to take next.
We previously mentioned “Microsoft isn’t in the auditing business," and it’s true. They provide tools for those that only need the most basic of functionality. Third-party solutions focus on automating much of the auditing work, with augmented capabilities around collection, consolidation, presentation, searching, filtering, alerting, reporting, and even task automation.
All of these enhanced capabilities increase IT productivity, speeding up the auditing process, and assisting with improving the overall security of your protected data.
Unlike native tools, which simply address the task of consolidating and presenting event data, third-party solutions are purpose-built, improving the audit experience by focusing on the specific needs of compliance audits, on use by IT and auditors alike, and on the detail necessary to demonstrate compliance.
Because they are easy to use and intuitive, monitoring can even be delegated to non-IT colleagues who hold a better understanding of the data across their business line. This helps ensure a more effective auditing system.
While no compliance mandate is solely focused on auditing file systems or file server auditing, the fact that your organization hosts protected data on file servers forces you to be able to establish, maintain, and prove that compliance-specific access controls are in place.
Whether you choose to use native Windows file auditing solutions, or leverage a third-party solution, such as FileAudit, the need to have the provisioning, access to, and usage of protected data under close watch is critical to meeting relevant compliance objectives. By putting file auditing in place, you place your organization in a proactive stance where the security of your data is upheld, and adhering to compliance standards is simplified.