Category Archives: Data Access Governance

SharePoint Access a Key Factor in Bradley Manning Leaks

According to the Army’s digital forensic expert, accused WikiLeaker Bradley Manning obtained classified Guantanamo Bay detainee assessments from a SharePoint site and subsequently leaked them to WikiLeaks. Wired magazine reports that the forensic analyst discovered “scripts on Manning’s computer that pointed to a Microsoft SharePoint server holding the Gitmo documents. He ran the scripts to download the documents, then downloaded the ones that WikiLeaks had published and found they were the same” [1].

Unauthorized SharePoint access is a common security gap in many organizations. We’ve seen numerous customers struggling with this, unable to get their arms around who has access to which SharePoint site, and what types of data (by classification, risk level, and content) are therefore exposed.

While most organizations don’t need to worry about employee access to classified information, rogue access to confidential corporate information can nonetheless be damaging and expensive, as the RSA and Sony incidents this year clearly demonstrated.

I’m sure there will be additional Information Security-related aspects of the ongoing Manning hearing, and we’ll continue to cover them here.

“Dark Reading” on SQL Injection Attacks

Interesting overview of SQL injection attacks in the current issue of Dark Reading (http://www.darkreading.com/ – look for it in the Supplement portion of the Current Issue; registration required).

I found this to be an easy read, and a good (and modestly technical) overview of the kinds of weaknesses that often exist in websites that run SQL behind a form. While most of the recommendations are aimed at the application developer (such as #1: Input Validation, or #3: Parameterized Queries), the one that is different, and should be embraced by a broader audience, is #5: Least Privilege Principle: “Give users only the access and privileges that they absolutely need to perform their jobs”.

And in order to do so, you clearly need visibility of who has access to what, and control of the process for evaluating, granting, and revoking that access. In short, you need access governance.
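As an added illustration (example code written for this page, not from the Dark Reading article or from Aveksa), the following Python script puts recommendations #1, #3 and #5 side by side against a constructed SQLite users table: a login query built by string concatenation that the classic `' OR '1'='1` tautology payload bypasses, the same query with bound parameters, an allowlist check on the username, and the application’s connection opened read-only so that even a successful injection cannot modify data. The table name, sample users and payload are all made up for the demo; SQLite’s `mode=ro` stands in for a database role that has been granted SELECT only.

```python
import re
import sqlite3
import tempfile
from pathlib import Path

# Constructed sample data for the demo; not from the article.
SAMPLE_USERS = [(1, "alice", "s3cret"), (2, "bob", "hunter2")]
INJECTION_PAYLOAD = "' OR '1'='1"   # classic tautology payload


def make_db(path):
    """Create a throwaway users table (plain-text passwords only to keep the demo short)."""
    conn = sqlite3.connect(path)
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)", SAMPLE_USERS)
    conn.commit()
    conn.close()


def validate_username(name):
    """Recommendation #1 (input validation): an allowlist, not a blocklist of quote characters."""
    return re.fullmatch(r"[A-Za-z0-9_]{1,32}", name) is not None


def login_vulnerable(conn, name, password):
    """Untrusted input concatenated into the statement: the injection target."""
    sql = f"SELECT id FROM users WHERE name = '{name}' AND password = '{password}'"
    return [row[0] for row in conn.execute(sql)]


def login_parameterized(conn, name, password):
    """Recommendation #3: values travel as bound parameters, never as SQL text."""
    sql = "SELECT id FROM users WHERE name = ? AND password = ?"
    return [row[0] for row in conn.execute(sql, (name, password))]


def can_write(conn):
    """Probe whether this connection may modify the users table."""
    try:
        conn.execute("UPDATE users SET password = 'pwned' WHERE id = 1")
        conn.rollback()           # undo the probe on a read/write connection
        return True
    except sqlite3.OperationalError:
        return False              # a read-only connection refuses the write


def demo():
    db_path = Path(tempfile.mkdtemp()) / "app.db"
    make_db(str(db_path))

    # Full-privilege connection: the vulnerable query returns every user,
    # the parameterized one treats the payload as a literal and returns nothing.
    rw = sqlite3.connect(str(db_path))
    vulnerable = login_vulnerable(rw, "nobody", INJECTION_PAYLOAD)
    parameterized = login_parameterized(rw, "nobody", INJECTION_PAYLOAD)
    rw_can_write = can_write(rw)
    rw.close()

    # Recommendation #5: give the application's connection only the privilege
    # it needs. SQLite's mode=ro stands in for a SELECT-only database role.
    ro = sqlite3.connect(db_path.as_uri() + "?mode=ro", uri=True)
    ro_can_write = can_write(ro)
    ro.close()

    return {
        "vulnerable": vulnerable,          # [1, 2]: every account, no password known
        "parameterized": parameterized,    # []: payload matched literally, no rows
        "rw_can_write": rw_can_write,      # True
        "ro_can_write": ro_can_write,      # False
        "payload_passes_validation": validate_username(INJECTION_PAYLOAD),  # False
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The point of the last two results is the one the article makes for a broader audience: validation and parameterization stop the injection, but least privilege limits the damage when one of them is missing, because the compromised query still runs as an account that cannot write.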


Introducing Data Access Governance

Today, Aveksa announced our newest module, extending Access Governance to unstructured data (read the press release here).  This new Data Access Governance module gives organizations the same level of access visibility and control over data resources that they currently have over applications and platforms.

We’re very pleased to be able to offer this to the market, especially given the many recent, well-publicized security breaches. These very clearly show the need for organizations to put in place well-structured and sustainable security programs, and visibility and control of access to sensitive data is absolutely a key part of this. Ensuring that only authorized users have the appropriate access to data can significantly reduce the likelihood that data will be lost, in contrast to what is often the case today, where any user can reach the data.

With the new module, customers can collect fine-grained entitlement information about SharePoint sites and Windows file shares, as well as Windows servers and SQL Server databases. These resources typically house a large portion of an organization’s data, especially the unstructured files that audit and compliance teams are justifiably concerned about. Now the InfoSec team can add these resources to their certification processes, include access to them in their Roles, and have users request access through a self-service Access Request portal.

Take a look, and tell us what you think!

NetworkWorld Highlights SharePoint Data as a Source of Risk

According to a recent survey summarized in Network World, 48% of respondents indicate that they share privileged company information via SharePoint, while 64% indicate that they do not maintain an audit log around their SharePoint installations. These numbers, while not terribly surprising, should at least raise some eyebrows, and prompt some analysis and thinking about the widespread use of SharePoint.

It comes down to some simple questions: do you know who has access to what data on your SharePoint sites? Is this something that’s going to be of interest to your auditors? Would you be better off with a clear view of this, so that the business people (who publish the shared documents and manage the users who access them) can make informed decisions about who has access to what?

WikiFallout: The OMB Gets Serious about Security

Catching up on some reading, I see that in response to the recent WikiLeaks publication of classified US State Department cables, the US Office of Management and Budget has issued a memo reiterating the instruction that agencies perform a self-assessment of how well they handle and protect classified information. Clearly, the WikiLeaks incident has significantly elevated security concerns for government agencies (and should also raise concerns for corporations).
The good news is that the OMB guidelines (published here by MSNBC) provide 11 pages of clearly worded questions, which should serve as a good starting point for agencies as they begin to better secure their systems. While the questions cover a broad set of topics (including “Safeguarding” and “Counterintelligence”), the first section (“Management & Oversight”) contains the following key questions, right up front:

  • Does your agency have sufficient measures in place to determine appropriate access for employees to classified information in automated systems:
      • During initial account activation/setup?
      • Periodically to determine if access is adequate to perform the assigned tasks or exceeds those necessary to perform assigned tasks, and adjust them accordingly?

These are great questions, which get to the heart of the matter: obtaining visibility and control of user access. I’m glad to see the increasing recognition that establishing and operationalizing access governance policies and processes is key to achieving a healthy balance between security control and user productivity.

While the OMB does not regulate private enterprises, we should nonetheless learn from their recommendations, and embrace their approach to access governance.

Access governance control failure leads to data loss & lawsuit

Interesting to see what may be the beginnings of a consumer legal groundswell around data breaches that lead to identity theft. While many organizations haven’t felt the wrath of customers taking action against them for the loss of personally identifiable information, that may now be changing, as evidenced by this recent Dark Reading coverage of the class action lawsuit against Countrywide Financial. Implementing good access governance controls should be of paramount importance, especially for business-to-consumer organizations. This case clearly demonstrates that organizations need to think about how they manage the business risks of providing access to sensitive information resources: what’s at stake is more than the loss of consumer data, customer trust and reputation, since the legal risks and operational costs are going to be substantially higher moving forward.

http://www.darkreading.com/database_security/security/privacy/showArticle.jhtml?articleID=224201969&cid=nl_DR_DAILY_2010-04-08_h