Preventing Data Breaches

Securing Sensitive Unstructured Data

Executive Summary

Companies of all kind and size are now faced with the responsibility of
securing access to sensitive data to prevent data breaches. With the
continued explosion of unstructured data, organizations are now forced to
secure access to files in multiple locations, user-controlled shares, and on
distributed devices. Failure to lock down sensitive information can lead to:

• Millions of dollars spent just to investigate a data breach

• Fines when found guilty of exposing private data
• Loss of corporate secrets
• Business disruption
• Tarnished reputation

With up to 80% of data residing on file servers, this whitepaper will focus on
the largest percentage of sensitive files (unstructured data). This whitepaper
will explore the risk, consequences, best practices and suggestions on how to
secure unstructured data.

A recent Aprigo study* found that:

• Over 85% of organizations have

!"#$%% medium to high data vulnerabilities
&'(")*%% • Over 63% of organization have high
+,-'% data vulnerabilities
• Only 13% of organizations have
none...
n=890

Companies that are subject to IT

Auditing, Compliance Laws, Consumer
Data Privacy Laws, SOX and HIPPA can
be hit with massive fines for failing to
properly secure sensitive data and
huge operational costs to remediate.
Preventing Data Breaches | aprigo.com 1
 Business Risk of Data Breaches
Companies that are subject to IT Auditing, Compliance Regulations (SOX,
HIPPA) and Consumer Data Privacy Laws can be hit with massive fines for
failing to properly secure sensitive data. Sensitive data leakage can cause:

• Litigation when employee or customer information is shared in

the public domain
• Compromised integrity when salary or HR files are leaked
• Competitive advantage loss when trade secrets are accessible to
competitors
• Degraded reputation when sensitive company information is made public

In a 2009 Ponemon Institute study entitled “Fifth Annual U.S. Cost of Data
Breach Study”citing breaches with about 5,000 to about 101,000 lost or stolen
customer records, the most expensive data breach cost nearly $31 million to
resolve, and the least expensive cost $750,000.

A Forrester Consulting Thought Leadership Paper in March 2010 entitled

“The Value of Corporate Secrets” calculated the cost related to data breaches
including:

Type of Incident Cost of Cost per

incidents, incident
last 2 years

A rogue employee stole sensitive company $380,701 $362,572

documents

A supply chain or business partner abused their $289,815 $362,269

privileges and obtained data they should hot have
had access to

A terminated employee stole information because $265,759 $160,096

they had not been adequately de-provisioned

A rogue employee used their privileges to access $246,641 $82,214

sensitive documents they had no business reason to
view/use

A customer service representative inappropriately $195,548 $54,929

accessed customer records

Preventing Data Breaches | aprigo.com 2

 Five Challenges Of Securing Unstructured Data

1. Multiple single-points of failure - With 80% of data being unstructured

and with the average TB having millions of files in it, the average customer
is faced with the epic challenge of protecting tens, hundreds and even
billions of data objects (files). Every one of these data objects - if not
protected appropriately - is a potential for a data breach event.

2. Effective access rights are not managed in one system - The file
system with the ACLs (Access control lists) and directory services (e.g
Active Directory) with objects and ACLs are two distinct, hierarchical
structures. The file server calculates effective access rights, but the end-
user has no visibility into this behind the scenes process.

3. Every user is a cook in the kitchen - Unlike structured DB environments,

where only the DBA has access to the actual data records, with
unstructured data every user in the organization can manipulate the data
and the permissions for accessing that data. For example, a user from the
finance group can potentially add an ACE for another user from a different
department, or even expose the folder or data all together by adding the
“Everyone” group ACE.

4. Distributed environment - Mid-size to large organizations have multiple

points of management - multiple file servers both physical and virtual as
well as multiple locations

5. Lack of auditing capability - Being able to understand the effective

permissions at present is one thing, but being able to audit how
permissions change in different points of time is an impossibility with
today’s systems. For the same reasons one wants to have multiple point-
in-time backups of their data, one should have the ability to have multiple
point-in-time snapshots of their access rights; at least those set for folders
and files containing sensitive data.

Preventing Data Breaches | aprigo.com 3

Business & Technical Consequences
Most organizations operate with a key asset - unstructured data - being
unprotected from unauthorized access. What’s worse is that most IT executives
and business owners operate under the assumption that their data is well
protected by the IT operations team.

The reality is that in most organizations:

• IT has no visibility into ‘Who has access to what’
• IT has no visibility into “What is accessible to whom”
• IT has no way of producing an audit trail of access rights in different
points in time
• IT has no way of validating that their data governance policy is effective

In a recent survey that included 890 companies of various sizes, when asked
about their level of data security, over 90% of organizations reported having a
formal data governance policy and operate under the belief that it is being
enforced.

Most organizations surveyed

%#$ &'()*+$,$ operate under the assumption that
!"#$ -*+./*01/$ their data is well protected because
&'()*+$ they have a formal policy or
because theyʼre able to validate it
%!#$ 2/34'5$

However, a recent study* found that:

• Over 85% of organizations have medium

to high data vulnerabilities !"#$%%

• Over 63% of organization have High data &'(")*%%

vulnerabilities +,-'%

• Only 13% of organizations have none...

Preventing Data Breaches | aprigo.com 4

3 Methods for securing sensitive data
Generally speaking, an organization can take three steps towards protecting sensitive
unstructured data:

1. Physical Access Controls

2. Network Data Access Controls
3. Data Encryption

Physical Access Controls

This is the basic, ʻmust-haveʼ first level of defense. Making sure that your file servers
are kept in a location with limited physical access to only the appropriate IT staff.

Network Access controls

At this level, File System ACLs are being used along side directory services to ensure a
ʻleast privilegedʼ access policy - only the right people should have access to the relevant
data based on their role. This is equivalent to making sure that not only do your front
doors and windows have a lock, but also making sure that internal offices are only
accessible to the appropriate staff.

Data Encryption
The 3rd method is to actually encrypt the data at rest. The problem with this approach is
that itʼs invasive to the environment and complicates IT operations such as backup,
recovery and business continuity. Furthermore, data encryption works best on end-point
devices, however when it comes to encrypting data at-rest residing on centralized file
servers and NAS devices, todayʼs solutions are expensive, fragmented and complex to
manage, and as such have seen very low rates of adoption in the industry.

It remains that - for most organizations - the most cost effective data protection can be
realized by employing the first two methods, namely Physical Access Controls and
Network Data Access Controls.

Preventing Data Breaches | aprigo.com 5

The Practice of protecting sensitive data

Discover > Fix > Control

Any initiative focused on securing access to unstructured data should take a three step closed
feedback loop approach:

Discover Data Vulnerabilities

In order to get started, the IT Organization must understand what sensitive data they have,
what’s exposed, and which users and groups have access to it.

Having an aggregated, comprehensive dashboard showing an overview of all unstructured

data in the IT environment has eluded IT Professionals until now. But with new unstructured
data intelligence tools like Aprigo NINJA, it’s easy to have the equivalent of a NOC for your
data. All your organizational file servers and NAS devices can be managed from a central
location.

Data Vulnerabilities can manifest itself in multiple ways:

1. Public-Explicit Exposure- Data that’s exposed to the ‘Everyone’ group

2. Public-Implicit Exposure- Data that’s exposed to all the users in the domain via the
‘Domain Users’ group
3. Implicit Exposure - By not following best practices for managing file system
permissions - heavy use of explicit access rights granted to users vs using groups in
ACLs

Preventing Data Breaches | aprigo.com 6

 FIX

Email alert sent

from Aprigo NINJA
when problematic
changes are
detected.

Armed with the information provided in the dashboard which highlights:

1. What data vulnerabilities exist in the environment
2. What each vulnerability means to the organization

The 2nd step is to remediate the access rights policy violations.

Aprigo NINJA provides detailed analytics on the folders & files affected by these
vulnerabilities so that they can be remediated and IT can employ a “least-privileged”
access policy.

Preventing Data Breaches | aprigo.com 7

Monitor & Control Via Change Reporting
Once the access rights have been properly set on sensitive folders, it is important to
monitor access rights changes over time. This can be accomplished by:

1. Tagging sensitive folders

2. Getting alerts whenever a policy violation is taking place
3. Keeping an audit trail of those changes for future forensics

Email alert sent

from Aprigo NINJA
when problematic
changes are
detected.

A close feedback loop is critical to the practice of securing access to sensitive data.
since access rights to files & folders are continuously being created and modified,
new data files and folders are created, copied and changed, A change report
monitoring changes over time is critical in ensuring the proper security of
unstructured data.

Preventing Data Breaches | aprigo.com 8

About Aprigo
95% of the file servers in the world go unprotected from unauthorized access, both on
site as well as in the cloud.

Aprigo has developed a first of its kind suite of unified data governance applications
delivered in an easy-to-use SaaS model. The benefits provided are:

1. Gaining visibility into violations of user access policies

2. Remediation of those data vulnerabilities
3. Continuous monitoring and alerting to any changes in those access policies

***Sign up for a free trial of Aprigo NINJA Pro today

at http://www.aprigo.com

Preventing Data Breaches | aprigo.com 9

References Cited
“Data breach costs top $200 per customer record”,Ellen Messmer, Network World,
January 25, 2010 12:01 AM ET:
http://www.networkworld.com/news/2010/012510-data-breach-costs.html

“The Value Of Corporate Secrets”, Forrester Consulting, March 2010

“Internal Aprigo Data Security Survey”, Aprigo, April 2010

Preventing Data Breaches | aprigo.com 10