Administrators Have Limited Access

Identify and Re-Permission Folders Where Administrators Have Limited Access

EXECUTIVE SUMMARY

Administrative groups such as Technology Services, Information Security, Records Management, and Internal Audit require continuous access to files, folders, libraries, etc. If these groups are incorrectly locked out of parts of the file system, then they are unable to fulfill their responsibilities. This exposes the organization to unnecessary risks and costs.

Northern’s software solution (NSS) can be quickly configured to identify folders that administrative groups cannot access, and guide the re-permissioning of these objects. Very large data footprints can be parsed, across geographical regions, and including multiple platforms (traditional on-premise file storage, SharePoint, SharePoint Online, O365, other cloud platforms, etc.).

By identifying and re-permissioning folders where administrative groups do not have the expected level of access, the organization will:

  • Enable administrative groups to migrate, manage, protect, audit, etc. all data as expected
  • Simplify data migration processes; they will not be suddenly derailed by an inability to move files
  • Improve compliance as audit processes are confirmed to encompass all data
  • Map sensitive data throughout the organization and protect it accordingly
  • Be able to identify users who are changing permissions configurations, and investigate
  • Reveal and act on unwanted activities, previously hidden behind permissions configurations
  • Be able to plan administrative tasks knowing that permissions issues will not disrupt activities

Northern is currently providing some of the world’s leading organizations with this type of solution, and enabling them to realize these values. Contact your Account Manager or the Professional Services team to schedule configuration in your environment.

SITUATION

Users may have sufficient file system privileges to change permissions on files, folders, sites, etc. They may, for innocent or malicious reasons, remove default permissions configurations and lock administrative groups out of parts of the file system.

CONSEQUENCES

The organization can be exposed to unnecessary and unmanaged costs and risks:

  • Without access to all data, functional groups are unable to fulfill their responsibilities
  • Compliance risk is increased as data is excluded from audit processes
  • Records may be overlooked and exposed to illegal handling
  • Sensitive data may be put at risk; left outside of secure areas as its sensitivity cannot be established
  • Users can carry-out clandestine activities such as staging sensitive data for theft or exposure
  • A lack of sufficient privileges can de-rail migration projects through interruptions and failed file operations
  • Task time-lines are unpredictable as permissions problems may require additional, unexpected, effort

COMMON CHALLENGES

This situation continues to exist in most organizations due to specific challenges:

  • Finding libraries, files, and folders that administrative groups cannot access is time-consuming and complex
  • Implementing processes, ensuring periodical review and mitigation, can be resource intensive

Northern offers a way to overcome these challenges.

SOLUTION

The diagram and explanation below shows the workflow implemented in the organization, using NSS, to identify and guide the re-permissioning of folders that administrative groups cannot access:

  1. NSS Scans the file system to identify folders where administrative groups do not have the ‘Full Control’ permission, and stores the results in the SQL database.
  2. Administrators are notified when the scan is complete.
  3. Administrators, Security Staff, can view analyses results in NSS’ self-service web interface
  4. Analyses results are used to guide re-permissioning

Key Risk Indicator Established

The number of folders where administrative groups do not have the expected level of access is established as a Key Risk Indicator (KRI). This KRI can be used to establish a control; requiring action when set thresholds are reached. It is also tracked over-time to allow comparison and measure levels of success.

IMPLEMENTATION

The table below shows the tasks involved in implementing this Northern solution, the time required, and who is responsible to perform each task:

Action Time Owner
1 Import configuration settings 0.5 hours Northern
2 Run analyses in environment and verify results Varies* Automated
3 Determine which folders should have their permissions corrected 1-4 hours Customer and Northern
4 Change permissions where necessary Varies† Customer
5 Measure success by evaluating how many folders had their permissions corrected 1 hour Northern
* Approximately 200 folders are scanned per second. A file system with 10 million folders will take approximately 14 hours to scan.
† If there are many folders to be updated, it is recommended to script the required changes.

ANTICIPATED VALUE

The implementation of this solution requires minimal investment by the organization and, by identifying and re-permissioning folders that are incorrectly hidden from administrative groups, the organization will achieve real value.

  • Administrative groups are able to protect, manage, audit, etc. all data as expected
  • Data migration processes are simplified as all relevant data can be migrated
  • Improved compliance as audit processes are confirmed to encompass all data
  • Sensitive data is mapped throughout the organization and protected accordingly
  • Malicious activities, previously hidden behind permissions configurations, is revealed
  • Administrative tasks can be planned knowing that permissions issues will not disrupt activities

REQUIREMENTS

Requirement Details
NSS Deployed Version 9.91 or later
SQL Database SQL Server 2012 or later
NSS Solution Area(s) Centralized File Service Management (CFSM)
Information Governance and Compliance (IGC)

GET STARTED

If you wish to start using NSS to identify and re-permission folders where administrative groups have limited access, please contact your Account Manager, or the Professional Services team, to schedule the first action: import configuration settings.