SPHERE Insights is an ongoing column written by various members of the SPHERE team, highlighting unique viewpoints and expertise. This article comes to us from our favorite techie and SPHERE MVP of the year, Jeremy Chung.
This is the last one. Open access…removed…and…done!!
What a triumph!! After 2 years of after-hours changes, weekend changes, and tens of thousands of reports, phone calls and e-mails, we finally did it. All the open access on the file shares are gone! We had to make changes to nearly half of the folders in the environment but after remediating the permissions on a half billion folders, the security risk is now gone, along with my social life.
“Now that we have completed the open access cleanup, we are now following the least privilege model. We’d like to hand-off those shares to our Identity and Access Management team so they can manage the business as usual process of granting and removing access to users.”
Wait…what?!! That wasn’t the goal or a part of the project charter. We wanted to remove the audit finding of open access, not some half-baked approach to accomplishing least privilege access, let alone hand all of our hard work off to the IAM team...
Does this scenario sound familiar? Concentrated focus on a particular issue like open access can help simplify goals but can also come at the cost of losing sight of the bigger picture.
Today, we will review how simply remediating open access does not mean you are following a least privilege access model or even that you can even manage the data effectively after the cleanup.
What is Open Access?
Open access or global access is where everyone or nearly everyone within the company has access to a set of unstructured data such as a file share, folder or files. This type of access is most often granted through 3 different security groups on the folder’s access control list (ACL). These groups are:
- Authenticated Users
- Domain Users *
*Pro Tip: the Domain Users group can be nested inside other groups including local groups leading to a much larger list of open access groups to watch out for. Remember, due to heavy or complex nesting structures inside AD and local groups, these “other” open groups can be very hard to find.
How to Remediate Open Access Correctly
Remediating open access across unstructured data is a time-consuming, complex, and error-prone process that can remove a major audit headache when done correctly.
Proven steps to accomplish this task follow the following cadence:
- An extensive discovery exercise to identify exactly where the issue exists
- Running a few thousand access reports including:
- Identify who has access to the data including all access deviations on sub-folders
- Identify who has been using their access
- Identify who has been using access through the open access group
- Identify all changes that need to be made to maintain current permission deviations
- A method to permission users who have been accessing through the open access group
- A method to remove the open access group on all offending folders
Although every environment is different, following this approach will reduce the scope of cleanup to only folders with the issue, limit business involvement, and even provide opportunities for automation to potentially resolve the open access quickly.
However, this process does not accomplish the necessary steps to hand-off the data to an IAM team and usually complicates the hand-off process even further.
Why You Can’t Hand-Off
Open Access Remediations focus on the issue of open access, not the issue of business-friendly on-going access management. Because of this, an open access remediation process that focuses only on that issue can:
- Complicate the remediation process by cleaning up millions of individual folders
- Cause inheritance complexities that were not there before
- Create additional entry points to gain access to a set of folders
- Complicate the permission structure beyond what an IAM platform can handle
- Cause confusion about what AD groups provide access to what set of folders
- Hide access from access governance platforms that look at only AD group memberships
- Legitimize access from bad actors
- Create excessive access, breaking the least privilege model
- Overall, cause more work to make the data BAU-ready than before the open access project
Fixing a problem to create a new problem is taking one step forward and two steps back. This back and forth needs to be eliminated.
How to Holistically Remediate
To ensure remediations are done in a way that prepares them for a data governance or IAM platform, consider adding the following steps to your remediation exercise:
- Identify where to manage data based on business need, not technical properties
- Identify who can make decisions about the data to approve BAU access requests
- Confirm who should have access to that data instead of guessing
- Standardize the permissions, not just remove open access
By adding these steps into your remediation process, you will be able to easily add the data into your on-going data governance and IAM processes without any additional headache.
Please check back on this series to see details of each of the holistic remediation steps.
Be on the look out for my presentation on May 15th where I will be addressing the topic of Broken ACL's.