IT Ownership & Data Protection: A Security Roadmap
Earlier this week, our friends at Varonis Systems joined us for a webinar on information technology ownership and hedge fund data protection. IT threats from external hackers and internal security breaches are on the rise, so firms are encouraged to protect and audit file data in order to answer two simple questions:
Who has access to my data?
Who has accessed my data?
Let’s take a closer look at how Varonis helps investment firms accomplish this.
Context is king
Firms can hasten data protection by achieving a greater amount of context awareness. Some contextual questions to ask are:
Who owns the data?
Who uses the data?
Who should have access?
Who should not have access?
Who granted access?
Who moved my data?
Firms have complex ecosystems: many different people interact with data (business users, IT and data owners), data is presented in many formats (PDFs, media, video), and several IT infrastructures manage it (Exchange, Windows, SharePoint). A firm must answer the above questions to understand how it can efficiently protect its valuable and sensitive data. Companies should use metadata capabilities to answer these questions and protect data through accessibility, collaboration, self-service, analytics and modeling, retention and storage, metadata collection, access monitoring, and content classification.
Protecting data in the real world
In order to protect sensitive information, firms should employ a metadata framework that has the ability to expand when necessary. This framework, which must not interrupt daily office activities, should be used to gather and evaluate metadata, systemize workflows to be efficient, and auto-generate reports. There should also be a clear and dependable operational plan in place to guarantee that data is always assigned to a unique owner.
How does Varonis leverage metadata to raise context awareness?
Varonis uses metadata to identify risks, and in turn prevent the occurrence of data leaks. There are four types of metadata to be collected in a non-intrusive way:
File system and permissions information – Allows the company to understand who has access to which data
User and group information – Permits the company to understand the groups and users that have access to certain data
Access activity – Tells a company who is interacting with/accessing its data, and what they are doing with it
Sensitive content indicators – Help a company identify where its sensitive data is, where it is overexposed, and how it can be protected
All of the above can be used to gather actionable data governance information that can assist data owners in the generation of automatic entitlement reviews and allow them to play a role in the authorization of workflows.
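As an added illustration (not Varonis code, and not part of the webinar), the sketch below joins the four metadata types to answer "who has access" and "who has accessed" for each sensitive folder. Every user, group, path and log entry is constructed sample data, and treating "Everyone" as the broad group is an assumption.

```python
# Constructed sample metadata; all names and paths are hypothetical.
GROUPS = {  # user and group information (groups may nest)
    "Everyone": {"alice", "bob", "carol", "dave"},
    "Finance": {"alice", "bob"},
    "FinanceAdmins": {"Finance", "carol"},
}
ACLS = {  # file system and permissions information
    "/funds/investor-ledger": {"FinanceAdmins"},
    "/funds/wire-instructions": {"Finance", "Everyone"},
    "/shared/lunch-menu": {"Everyone"},
}
ACCESS_LOG = [  # access activity: (user, folder, operation)
    ("alice", "/funds/investor-ledger", "read"),
    ("alice", "/funds/wire-instructions", "modify"),
    ("dave", "/funds/wire-instructions", "read"),
    ("bob", "/shared/lunch-menu", "read"),
]
SENSITIVE = {"/funds/investor-ledger", "/funds/wire-instructions"}  # content indicators
BROAD_GROUPS = {"Everyone"}  # assumption: groups considered too wide for sensitive data


def expand(principal, seen=None):
    """Resolve a user or (possibly nested) group to a set of users."""
    seen = set() if seen is None else seen
    if principal not in GROUPS:
        return {principal}
    if principal in seen:  # guard against circular group nesting
        return set()
    seen.add(principal)
    users = set()
    for member in GROUPS[principal]:
        users |= expand(member, seen)
    return users


def entitlement_review():
    """Per sensitive folder: who can access, who did, and what looks excessive."""
    report = {}
    for folder in sorted(SENSITIVE):
        entitled = set().union(*(expand(p) for p in ACLS.get(folder, ())))
        active = {u for u, f, _ in ACCESS_LOG if f == folder}
        report[folder] = {
            "has_access": sorted(entitled),
            "has_accessed": sorted(active),
            "unused_access": sorted(entitled - active),  # candidates for revocation
            "overexposed": bool(ACLS.get(folder, set()) & BROAD_GROUPS),
        }
    return report
```

The `unused_access` and `overexposed` fields are the kind of input a data owner would need for an entitlement review: access that exists but is never exercised, and sensitive folders reachable through a broad group.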
The following five-step process is used by Varonis to reduce the risk of data leaks:
We recommend our clients use Varonis to protect and audit their data as a means to thwart impending security attacks (whether internal or external). Varonis bases its model on these three pillars:
Governance – Firms must monitor employee data access to constantly guarantee that the correct people have access to the right data. This allows firms to see clearly when data privileges are being exploited.
Access/collaboration – Firms should use shared drives on existing servers to allow for file synchronization and management, mobile access, and a way to securely share information with a third party.
Retention – Firms must use information technology to optimize data disposition, archiving, and migration processes, utilizing metadata.
Photo credit: Varonis