Successful securities organizations excel at adapting to change, and Information Technology typically plays an important role in this agility. Data drives much of the securities business, and it has to be created, stored and shared at a rapid clip to keep pace with customers and competitors. Gartner, Inc. estimates that the volume of “unstructured” data (e.g., documents, spreadsheets, presentations, images, etc.) in an organization doubles every three months or so. There’s so much of this unstructured information, in fact, that it accounts for more than 80% of all enterprise data in most organizations.

Even with regulations, industry best practices and the purest of intentions, it seems nearly impossible to keep track of who has – and needs – access to all of this information, and who doesn’t. And, as news articles continue to remind us, the unfortunate truth is that employees, contractors and consultants don’t always do the right thing with their access privileges.

Even in the securities and financial industries, if you think your IT organization has data access permissions under control, you may want to dig a little deeper. Most IT organizations grant access readily, yet revoke it infrequently. So, don’t assume that only the human resources group can see the human resources data, or that an employee who left the company last week had all her permissions revoked. The permissions to access the data on your file servers are very likely too permissive.

This situation is not an oversight, nor the sign of a lax IT organization. It is just that the technology to solve this in a practical, manageable way did not exist until recently. While there are many ways this situation comes to pass, one contributing factor is built right into the operating system, and nearly every Windows Server administrator knows about it. And although they know about it and did nothing to cause it, they cannot fix it with conventional tools and techniques.
We’re talking about folder permissions for the “Everyone” group on Windows file systems.

How the “Everyone” Problem Happens

With all of the expertise and technology safeguards in place, how is it possible that a major risk to unstructured data on shared file systems cannot be easily reversed? Well, it goes something like this. As an administrator, you—or maybe your predecessor—set up a couple of file systems or shared drives. Some of the folders on those file shares were left wide open, and you relied on data owners to define the access permissions. On other folders, you locked things down by assigning access permissions only to certain groups. Over time, though, even the locked-down folders opened up. That’s because Windows Server is designed to facilitate access.

Enter “Everyone”

When a new folder is created, the Microsoft Windows default is to assign the “Everyone” group access permission to this folder, meaning that the folder is wide open to all users in the organization. That is not a problem as long as the folder creator goes back and reassigns the permissions, or if you, as an administrator, become aware of the new folder in time and restrict access permissions. But that’s not a practical reality given the pace of information creation and the dynamic nature of projects and teams in most organizations. So, chances are very good that you won’t know about this new folder. And, because they are not Windows experts, the users who create these folders know nothing about the “Everyone” group.

The real issue

What’s the result of “Everyone” access? Over time, sensitive data—including intellectual property, client information or other sensitive data—makes its way into folders just like this one. Not only is this valuable data, it is also critical to the business, so it is accessed…a lot. As part of your quarterly file clean-up, or in preparation for a data entitlement audit review, you’d love to get rid of the “Everyone” problem. But you’ve spoken with everyone you know and there is no good way to do it.
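The first step in any clean-up is finding out where “Everyone” actually holds access. The PowerShell script below is an added example, not part of the original article or any vendor product: it walks a share and reports every folder whose NTFS ACL grants the “Everyone” group (well-known SID S-1-1-0) an Allow entry, distinguishing explicit grants from inherited ones so an administrator can see where the permission was introduced. The share path and the `Find-EveryoneAccess` function name are assumptions for illustration.

```powershell
# Added example: report folders where the "Everyone" group is granted NTFS access.
# Assumes the account running this can read ACLs on every folder under $Root.
# Share-level permissions (Get-SmbShareAccess) are a separate layer and are not checked here.
function Find-EveryoneAccess {
    param(
        [Parameter(Mandatory)] [string] $Root,
        [switch] $IncludeInherited   # default: report only explicit grants to "Everyone"
    )

    # Resolve the well-known SID so the comparison works on localized systems
    # (the account name Get-Acl returns is localized; the SID is not).
    $everyoneSid = New-Object System.Security.Principal.SecurityIdentifier 'S-1-1-0'
    $everyone    = $everyoneSid.Translate([System.Security.Principal.NTAccount]).Value

    Get-ChildItem -LiteralPath $Root -Directory -Recurse -ErrorAction SilentlyContinue |
        ForEach-Object {
            $folder = $_
            # Skip folders whose ACL cannot be read with the current account
            try { $acl = Get-Acl -LiteralPath $folder.FullName } catch { return }

            foreach ($ace in $acl.Access) {
                if ($ace.AccessControlType -ne 'Allow')           { continue }
                if ($ace.IdentityReference.Value -ne $everyone)   { continue }
                if ($ace.IsInherited -and -not $IncludeInherited) { continue }

                [pscustomobject]@{
                    Path      = $folder.FullName
                    Rights    = $ace.FileSystemRights   # e.g. FullControl, Modify, ReadAndExecute
                    Inherited = $ace.IsInherited        # $false = granted directly on this folder
                    Owner     = $acl.Owner              # who to ask about the data
                }
            }
        }
}

# Example usage (constructed share path): list explicit "Everyone" grants and
# save the result for the entitlement review.
Find-EveryoneAccess -Root '\\fileserver\projects' |
    Sort-Object Path |
    Tee-Object -Variable report |
    Format-Table -AutoSize

$report | Export-Csv -NoTypeInformation -Path '.\everyone-access-report.csv'
```

Run it with `-IncludeInherited` to see the full blast radius of each explicit grant; the folders reported without that switch are the ones where removing the entry actually closes the hole.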