The problem in detail
The value of data use auditing
Tracking exactly how users access unstructured data has many business benefits. For example, high level statistics provide an overview of data use patterns, making it possible to better manage storage and access control. A data access activity trail for a file makes troubleshooting problems – such as who last accessed or deleted the file, and when – much simpler. This trail also reveals information about which data is being used, and which is not, making it possible to identify data that should be archived. And, by understanding what data users are accessing, it is also possible to develop a business context for the data –- e.g., data the CFO regularly uses may very well be sensitive. There is also a whole class of data security and forensics information that is available from an activity trail as well. This is the kind of information that regulatory auditors or legal investigators want, or need, to do their work properly.
Windows Server auditing: not the answer
Windows Server auditing is turned off in most environments because of its performance impact. As a result, companies often postpone audits until an event (e.g., breach or data loss) warrants it. Of course, this after-the-fact approach does not catch the original activity, only new actions. So, unless someone is repeating the same behaviors, this approach provides “too little, too late”.
Unfortunately, organizations quickly learn that existing data access logging tools are lacking. The Windows Event Viewer is insufficient to provide the level of detail needed. Windows file server audit logs provide too much data, get large quickly and dramatically impede server operation. There are some products that can track access over limited data sets, but you still end up spending hours trying to answer simple questions about permission settings and activity. In general, these tools just give you a better way to search for the answers, but not the answers themselves. In the end, you need lots of time to use these tools, as well as a pair of expert eyes.
Status quo no more: automation now exists
Many companies will spend millions of dollars this year trying to get a handle on their unstructured data. This is data that takes the form of important documents and spreadsheets, blueprints and multi-media files. The challenge for IT administrators is that they know access to this data is poorly controlled because its rate of growth outpaces efforts to limit access. And, equally as challenging, is distinguishing what is important from information that is rarely used or outdated. This is where auditing data access is invaluable intelligence. But in the absence of available technology, companies have been trying to audit access by throwing people at the problem. The result is a very costly and lengthy effort. What this also brings is audit results that are not reliable and accurate.
This is not the case any longer. Technology is now available that gives enterprises intelligence into how critical business data is used. This is done on demand, without business impact and for a fraction of what it costs to conduct an audit today.
The discussion below gives detail on the ROI of automating data use auditing, highlighting the prudence of implementing it before undertaking any efforts to clean up file share data whether it is to archive, protect or control access to it.
How to fix the problem: comparative approaches
A company like the one profiled here can spend more than $143,229 annually for help desk file access analysis and restoration, and $5,000 for forensic analysis of data usage. There is a huge opportunity for cost savings through automation -- more than half a million dollars over five years. More importantly, if these critical activities are conducted in a timely fashion, the accuracy and speed of completion are greatly increased.
Procedure – help desk file retrieval
When looking for lost, deleted or altered data, various IT staff members will help users by attempting to find files by performing a search for missing files. In the event that they could not find these files on the local file server, they would retrieve the files from back-up media. The process typically will proceed as follows, for each file in question:
- Search for the file by looking for files with matching names or for files modified around the same date/time, etc. Assumption: This is successful 10 percent of the time.
- Search in adjacent folders and folders that the end-user accesses frequently
- If the file has not been found, restore the file from backup media. Assumption: The help desk will need to restore the file from backup media 90 percent of the time.
- More time will need to be allocated to provide this file back to the end-user.
- Initial query for missing/altered file. Assumption: This is successful 90 percent of the time.
- If the file has not been found, restore the file from backup media. Assumption: The help desk will need to restore the file from backup media 10 percent of the time
When auditing data access, companies must use Windows Auditing for short periods of time over a subset of data. Most companies will not turn on Windows Auditing due to the performance impact on the file server. Therefore, in most cases, companies cannot do forensics on file access events. In addition, gathering this log data is viable only if it is known in advance that a specific data set or user is under surveillance. Investigating events that have already occurred is not possible.
If the Windows administrator allows Windows auditing to be enabled, the following would be the procedure used for forensic analysis of data usage. Research has indicated that this process will take a minimum of 8 hours per investigation with a moderate degree of reliability.
Turn on Windows auditing for a particular file server or data set
- Copy and consolidate all of the relevant Windows audit logs to a separate analysis server (GB's of data)
- Use Active Directory to find the security identifier (SID) of each user of interest
- Using SID(s) from step 3, parse audit log and extract all relevant entries to a separate file
- Analyze the file produced in step 4 to interpret the relevant events
- Develop a report on the relevant events
When auditing data access with automated tools an administrator can simply select an end-user or dataset and produce a report. The entire process to do this takes approximately five minutes. In a given year, an organization faces 10 forensic incidents per every 1,000 users. With automation, the process of auditing data access can be dramatically reduced from 80 hours or more, to less than one hour.
Enterprises can now take advantage of automated continuous data access auditing and reporting to eliminate the time consuming and manual approaches associated with conducting IT operational activities such as forensic investigations and help desk file search/recovery. In most cases this will provide substantial costs savings and a dramatic increase in accuracy over methods that are employed today.