User delegation: The secret to improving file security
Why delegating auditing to company executives outside of IT makes for more accurate and secure results.
Published February 1, 2018Let’s just level set here — IT doesn’t have time to do it all. You’re already heads-down on more projects than you’d care to, making it impossible to take on frequent recurring audits of your file system security, nor even an annual external audit. You just don’t have time.
But file systems are the very basis for securing access to everything from Active Directory, to databases and applications, to the individual data files themselves — and everything in between.
If your audit of file-level security is wrong, not only should you fail a compliance audit with a data security standard attached to it, but, more importantly, you increase the risk of the organization becoming the victim of an attack.
Then reality sets in: who in IT really wants to perform audits of file system activity? Likely none of you? It’s not exciting, has no real “cool” technology edge to it, and feels a bit rudimentary, right?
Even so, it’s a necessary part of ensuring your organization’s security stance. As the business needs change, as employees come and go, and as applications, platforms, and systems change, the security of your file systems changes in turn, making it one of those foundational aspects of security that demands some level of attention.
So, what’s needed is a way to leverage those outside of IT to assist with auditing file system usage to determine the state of security.
Wait… what? Outside IT? Yes!!
Now, you’re not going to put the task of auditing the security of your environment into just anyone’s hands; we’re talking about tech-savvy, security-conscious, reasonably high-up-the-corporate-ladder users. Think department heads, line of business owners, application owners, and power users. All these users have a few advantages over you in ensuring file security.
IT may know that the “AP users” group should have access to the “AP” folder on a server, but you probably don’t even know the name of anyone in that department, making it really difficult to review the usage of the AP folder, looking for abnormal access, inappropriate users, or misuse of permissions. Delegating to users who work with the data daily, are a much better choice to determine if there’s an issue with who is using their data set.
In turn, these same delegated users know what “normal” access looks like. They can spot an anomaly far faster than you can.
As previously stated, you already don’t have the time. And while users close to a given data set are likely to have similarly infinitesimal amounts of free time, distributing the workload across multiple users makes each one’s workload small enough to be frequently addressable.
Then there’s the issue of annual or compliance audits.
In those cases, the auditors have some very specific questions they need answered and, it’s so much more efficient for you both if they have a way to do it themselves.
The reality is, those closest to the files have a much better sense of whether someone’s access — or use of permissions — is proper. IT are somewhat out of touch with which users need what access, and whether use of files is appropriate — and how all that changes over time.
So, by delegating the responsibility of auditing access to file systems to a set of users tasked with ensuring the security of their own department’s files, IT not only offloads the burden of the work to be done, but actually will end up with a more accurate and secure result.
You obviously can’t just start delegating responsibility to users — it’s a bit irresponsible, as this is about the security of your environment. And, by simply identifying users and delegating responsibility to them, you’ll never get those users to care enough to actually do the work delegated to them.
What’s necessary is to approach this from the business value perspective (and not the technical/security perspective). Delegation steps should include:
Get buy-in from the top: You’re essentially asking that IT not be entirely responsible for a system that, traditionally, IT has been the only one responsible. You’re going to need to explain the rationale, the methodology, and the benefit to the organization to your C-Suite and get their approval. That way, this becomes an organization-wide initiative, and not just some “IT’s trying to get out of doing their job” proposal.
Identify security-conscious users: Remember, you’re going to be asking whomever you choose to be responsible to be alerted to and review all file access to their respective part of the overall file storage. So, you want to be choosing users that understand the security ramifications if they don’t do their job, and that are tech-savvy enough to handle the task.
Establish ownership: This is more than just assigning a user to be in charge of reviewing audit logs every once in a while; this is truly about assigning the very security of a give subset of your file system to a given user. In essence, they will become the front lines of security for their portion of the file systems you use. And, we’re not talking about assigning them as owners in, say, NTFS; this is about slotting people into an IT process.
Establish a review frequency: There should be some regular audit reports sent to the respective owners, where they will review the activity within the frequency timeframe. And, depending on whether you use a third-party solution or not, it may be possible to simply have them log into a console periodically and review activity there as well.
Establish alerts: Since you have the attention of the file set owners, you might as well leverage them to review suspect activity. But be careful here; you don’t want to inundate them with a storm of false positives. Make this more about anything truly out of the norm.
Setup a feedback process: This applies to both the periodic reviews and the alerts. Users should have an established means by which to hand things back to IT saying “this activity over here is inappropriate” and allow IT to follow up.
Now you might ask, “Why only delegate auditing?” It’s a valid question — the simplest reason is it balances the accuracy gains through leveraging users that know whether access to files looks right, with the maintaining of security by only allowing IT to make changes to permission assignments.
It’s time for IT to leverage their user base to create a more secure environment. By utilizing users closest to a set of files (any resource, really) and providing them a way to quickly review and identify inappropriate activity, IT improves its own productivity which enhancing overall organizations security.
For a Windows System domain, company executives outside of IT or external auditors can take advantage of FileAudit features and ease-of-use to perform audits and controls autonomously without breaching security protocols.
Watch how to delegate file and folder auditing to external auditors or non-IT users.
Specific accounts can be created for people without administrative rights. Simply define the features you want to make available to them. They can also connect remotely to the auditing system to avoid having to give direct access to the system where FileAudit is installed.