A quick triage of your emails tells you that today is not going to be a good day. There has been a data leak. Your company has lost control of its PII, PHI, CUI – take your pick.
Data is up for sale on the internet and you need to figure out why.
Depending on the business goals and any compliance standards that your company has, there is always a need to protect high value information. Whether that information be the specification of a Navy drone, employee payroll files, or customer credit card information, maintaining its confidentiality is of utmost importance to you.
This is not unusual. Confidentiality is the first of the three pieces within the CIA triad.
Confidentiality — Integrity — Availability
You may have several questions around preserving the confidentiality of data, including:
- How do I protect high business impact data?
- How do I lock it down, making it available to only those with a need to know?
- How do I know if and when it has been accessed and by whom?
Although it's beyond the scope of this article to answer these questions comprehensively for every type of IT infrastructure, I will provide some suggestions; particularly focusing on directory and file level security within a Microsoft environment.
Step One – Scope of Confidential Information
It all begins with data classification. Public data that is available to all via your websites, proprietary data that is for employee consumption only, and confidential data restricted to a group of users for a specific purpose.
The importance of this step cannot be over emphasized. All data is not created equal, and securing it all in the exact same way will impact your ability to do business and increase your costs.
Identify the data within your company that must be secured and where it is located. Then, reduce the number of these locations.
Identify the people that need access to the information. There should be a business need for every one of them. For example, system administrators typically have no need to access payroll information on the HR server.
Step Two – Secure the Confidential Information
All of Microsoft's supported operating systems now use the NTFS file system and so should you. FAT16 and FAT32 were great in the 90's, but have no place in a modern enterprise. NTFS allows for the granular access control and monitoring that is needed.
Now that you have identified the directories that are in scope and the users that need access, assign them the minimum necessary permissions they require.
- Assign users to a security group.
- Within the Discretionary Access Control List (DACL), grant each security group access permissions to the relevant directory or files.
- Remove all other users and security groups from the DACL.
- If necessary, in the future, a local or domain administrator can add themselves back or take ownership (auditable event).
Step Three – Monitor and Audit
While there are more complex security models out there, I often like to fall back on the simple model:
Protect — Detect — Respond
In step two you have protected your data. Now, just as importantly, you need to detect.
By monitoring and auditing, detection will lead to and facilitate any necessary response. Auditing within Microsoft Windows is controlled using System Access Control Lists (SACL) that are assigned to objects, such as directories and files.
The assignment of what to monitor within a SACL is often difficult. While it is great to monitor all types of access to a directory and its files (list/read/write/delete/create), there is a cost for that effort, the cost being the number of logs that are created.
Hence, we have circled back to the importance of scope.
If you are monitoring all access for all files you will quickly use up your disk space budget. In addition, any later attempt to find something within this flood of logs will be much more difficult.
Back to step one, if only for a moment.
Follow these steps:
- Identify data that needs to be protected. (What is required by HIPAA, NIST, or PCI?)
- Protect and audit it at the highest level.
- If data is "out of scope," scale down what you are auditing. Monitor only modifications or deletions.
Leveraging a SIEM Solution
Another tool that can be useful to protect data is a SIEM solution (security information and event management). A SIEM solution can provide advanced searching, filtering, and alerting capabilities. It will enable you to make sense of the many logs that will be gathered and provide early indicators if something is amiss.
Best of all, a managed SIEM as a service solution can give you enterprise level cybersecurity at a fixed monthly cost, with expert monitoring 24x7x365.
The remediation aspect of a managed SIEM solution can provide the third piece of the security model (Protect, Detect, Respond).
Getting Closer to a Secure Environment
By implementing the strategies in this article, you are one step closer to a secure environment.
Good luck as you continue to lock down your company's data. May all your days be good days.