The State of Data Protection: Research Report


Contents

- Executive Summary ... 2
- Methodology ... 2
- Findings ... 3
- Data Protection Confidence ... 4
- Data Protection Activities ... 6
- How Confidence Correlates with Action ... 8
- Contrast: The Very Confident and the Not Confident at All ... 9
- IT Security Responses ... 11
- Conclusions and Recommendations
- Appendix 1: Scoring Methodology
- Appendix 2: Responses regardless of confidence level ... 15

Executive Summary

Over the past year we have witnessed continuing accelerated growth of data, numerous data breaches and the introduction of legislation that mandates new data protection measures. Varonis Systems set out to explore organizational adoption of current data protection practices and confidence levels, and whether variance in protection practices correlated with variance in the confidence levels reported by IT professionals.

The results of our survey show that while 80% of organizations store data that belongs to their customers, clients, vendors, or business partners (third party data), only 30% of those organizations describe themselves as very confident that the data stored in their organization is protected. Those that do not store third party data fare even worse: only 15% say they are very confident that data held by their organization is protected.

Furthermore, there is a clear correlation between basic data protection activities and controls and data protection confidence levels: those organizations that describe themselves as confident also report that they know where their 3rd party data resides, they audit data use, they have defined owners for their data, and they conduct regular reviews of access. Those that describe themselves as not confident at all are conspicuously the opposite: they are unsure where 3rd party data resides, do not audit data use, do not have defined owners, and do not regularly review access.

Methodology

In March of 2012, Varonis introduced an online survey consisting of 13 questions. The survey was distributed to the IT community through online channels (social media, blog, etc.), and over 200 individuals participated in the survey from over 200 organizations.

The survey's questions were constructed to:

- Determine the percentage of companies that knowingly store data that belongs to their customers, business partners, and other third parties
- Measure IT staff confidence in how well their organization protects data
- Assess what percentage of organizations sampled perform various data protection tasks
- Survey whether organizations have implemented specific technical controls

The pages that follow contain findings and analysis by Varonis staff.

Findings

According to the respondents, the sizes of their respective organizations (by number of employees) fell into the following distribution:

[Chart: distribution of respondents' organizations by number of employees]

Of all the organizations surveyed, 80% answered yes to the question, "Do you store data from customers, clients, vendors, or business partners?"

[Chart: Do you store data from customers, clients, vendors, or business partners?]

Data Protection Confidence

When asked, "How confident are you that the data stored within your organization is protected?" and provided a choice of very confident, somewhat confident, not confident at all, or unsure, the answers fell into a distribution where most organizations felt fairly confident, 26% were very confident, and 18% were not confident at all:

[Chart: How confident are you that the data stored within your organization is protected?]

In order to more easily compare one segment of the respondents with another, here are the same results in a bar graph:

[Bar graph: the same confidence results]

Confidence levels varied somewhat between those that reported storing third party data and those that didn't, with those that store third party data reporting somewhat higher confidence levels than those that do not:

[Charts: confidence levels of those that store 3rd party data and of those that do not store 3rd party data]

The confidence level also varied depending on company size, as follows:

[Chart: confidence level by company size]

Twenty-seven respondents reported that their organizations employ 5,000-10,000 people. Seven of these (35%) respondents claimed to be not confident at all about their organizations' data protection, noticeably worse than organizations on either side of the size spectrum.

Data Protection Activities

The following data protection questions asked the respondents to score their organizations' knowledge of where third party data is stored, how completely they audit their use of data, whether they have designated someone to be responsible for data (data owners), whether data owners review access, and whether the organization regularly revokes access to data.

1. How confident are you that you know where all data containing information about customers, vendors, and other business partners resides?
2. Do you monitor actual access activity on file shares and SharePoint? (File opens, creates, moves, modifies, deletes)
3. Do you have owners assigned to folders/directories, and SharePoint sites?
4. Do data and/or group owners review permissions to their folders, and SharePoint sites, or members of their groups?
   a. If yes, how often do they review access?
5. How often do you revoke access to data, aside from when employees leave the organization?

Each response was then assigned a point value from 0 to 12, with those reporting to excel at an activity scoring 12 and those not doing the activity at all scoring 0. The highest possible score was 60 points. (To see the scoring methodology in detail, please refer to Appendix 1.) For a respondent to get 60 points, they needed to be very confident their organization knows where third party data resides, monitor all access activity, have owners that review access to data more than twice a year, and revoke access regularly. The average score was 25, the median 24.

[Chart: Score Distribution]

The averages for each data protection activity are in the radar plot below. Respondents averaged highest in identifying data owners and revoking access regularly, and worst in monitoring access activity and having the data/group owners review access.

[Radar plot: Average Score per Activity]

Most of those that described themselves as not confident at all also scored on the lower end of the distribution for data protection tasks, the fairly confident clustered in the middle, and the very confident gravitated toward the higher end of the spectrum. None of those that rated themselves as not confident at all scored in the point range.

[Chart: Score Distribution and Confidence Level]

How Confidence Correlates with Action

Those organizations that were not confident at all rated themselves much lower on all data protection activities relative to their very confident and fairly confident peers, with very wide gaps for knowing where 3rd party data resides, having owners for data, and monitoring access activity.

Contrast: The Very Confident and the Not Confident at All

Overall, those that described themselves as Very Confident in response to the question, "How confident are you that the data stored within your organization is protected?" differed from those that described themselves as Not Confident at all on specific data protection and governance questions. Here are their responses side by side:

[Charts, side by side: The Very Confident | The Not Confident at all]
- How confident are you that you know where all data containing information about customers, vendors, and other business partners resides?
- Do you monitor actual access activity on file shares and SharePoint? (File opens, creates, moves, modifies, deletes)
- Do you have owners assigned to folders/directories, and SharePoint sites?

[Charts, side by side (continued): The Very Confident | The Not Confident at all]
- Do data and/or group owners review permissions to their folders, and SharePoint sites, or members of their groups?
- If yes, how often do they review access?
- How often do you revoke access to data, aside from when employees leave the organization?
- Do you use automation to identify sensitive data?

IT Security Responses

One interesting statistic was the confidence level of IT security personnel: their responses fell more into either extreme, with a higher percentage saying they are either very confident (33%) or not confident at all (26%). 27 respondents described themselves as performing an IT security function.

[Chart: How confident are IT Security personnel?]

Interestingly, the gaps between the very confident and the other confidence levels were wider than for non-security personnel, especially in access activity monitoring and knowing where 3rd party data resides. The gaps between the fairly confident and the not confident at all were narrower for security personnel than for non-security personnel.

[Chart: IT Security Scores Per Activity]

Conclusions and Recommendations

If an auditor determined that your organization didn't know where its money was stored, no one reviewed (or even had) monthly statements, and no one was responsible for reviewing and deciding who should be able to withdraw funds, then neither you nor the auditor would have much reason to be confident that your organization's money is well managed or protected. The survey results show the same holds true for data: if you don't have a good handle on where your data resides, you're not monitoring who accesses it, and you don't have someone who is responsible for it and regularly reviews and revokes access, you don't have much reason to be confident that your data is well protected.

Organizations that want to improve their data protection posture should:

- Make efforts to map where their third party and other sensitive data resides, either manually or with automation
- Audit all data use
- Assign people to be responsible for data (owners or stewards)
- Have owners review access to data regularly
- Revoke access when it is no longer required

The good news is that most respondents report that their organizations have at least partially implemented fundamental processes and controls for data protection, and there is a clear blueprint for how organizations can increase their data protection maturity. The fairly confident report having all of the fundamental processes and controls in place for at least some of their data; they now need to expand their practice and use to move into the realm of the very confident. Those organizations that describe themselves as not confident at all have reason to worry, especially those that store data belonging to customers, clients, and business partners. The threat of data theft has been anything but decreasing, and new regulations that mandate better consumer data protection are imminent, along with severe punitive measures for those that fail to keep data secure.

Even those that don't report storing third party data should think twice: every organization stores personal information about its employees that deserves protection, and almost every organization is now data driven, meaning that data is too valuable an asset not to protect carefully.

Appendix 1: Scoring Methodology

The following questions contributed to the data protection scores for the respondents. Each response and point value is listed. Best efforts were made to assign higher scores to those whose responses demonstrated higher levels of control.

How confident are you that you know where all data containing information about customers, vendors, and other business partners resides?
- Very Confident: score 12
- Somewhat Confident: score 6
- Not Confident: score 0
- Unsure: score 0

Do you monitor actual access activity on file shares and SharePoint? (file opens, creates, moves, modifies, deletes)
- All access activity is monitored: score 12
- Most access activity is monitored: score 8
- Some access activity is monitored: score 4
- No access activity is monitored: score 0

Do you have owners assigned to folders/directories, and SharePoint sites?
- All: score 12
- Most: score 8
- Some: score 4
- None: score 0
- Have owners for groups: score dependent on responses to the group owner questions, below

Do data and/or group owners review permissions to their folders, and SharePoint sites, or members of their groups?
- Yes: score depends on next question
- No: score 0

If yes, how often do they review access?
- More often than twice a year: score 12
- Twice a year: score 9
- Once a year: score 6
- Less than once a year: score 3

If no, does someone other than data/group owners review access?
- Yes: score depends on previous question
- No: score 0

How often do you revoke access to data, aside from when employees leave the organization?
- Regularly: score 12
- Sometimes: score 6
- Never: score 0
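The point values above make the score reproducible, so here is an added Python example (not Varonis's own scoring code) that applies them to one survey response and summarizes a batch. The `Response` class, the function names and the four sample responses are constructed for illustration. For the "have owners for groups" path, the example takes the judged 0-4 score from the group owner questions (listed on the next page) as an input field, which is an assumption about how that dependency was handled; the report says only that the score depends on those responses.

```python
"""Data-protection score for a survey response, using the point values
listed in Appendix 1 (five activities, 12 points each, 60 maximum).
Added illustration; not Varonis's own scoring code."""
from dataclasses import dataclass
from statistics import mean, median
from typing import Optional

# Point values exactly as listed in Appendix 1.
LOCATION_CONFIDENCE = {
    "very confident": 12, "somewhat confident": 6, "not confident": 0, "unsure": 0,
}
MONITORING = {"all": 12, "most": 8, "some": 4, "none": 0}
OWNERS = {"all": 12, "most": 8, "some": 4, "none": 0}
REVIEW_FREQUENCY = {
    "more than twice a year": 12, "twice a year": 9,
    "once a year": 6, "less than once a year": 3,
}
REVOCATION = {"regularly": 12, "sometimes": 6, "never": 0}
MAX_SCORE = 60


@dataclass
class Response:
    location_confidence: str         # Q1: very/somewhat/not confident, unsure
    monitoring: str                  # Q2: all/most/some/none
    owners: str                      # Q3: all/most/some/none/groups
    owners_review: bool              # Q4: do owners review permissions?
    review_frequency: Optional[str]  # Q4a: frequency when someone reviews
    other_reviewer: bool             # "someone other than owners reviews access"
    revocation: str                  # Q5: regularly/sometimes/never
    group_owner_score: int = 0       # judged 0-4 score from the group owner
                                     # questions; used only when owners == "groups"
                                     # (assumed plumbing, see lead-in)


def score_owners(r: Response) -> int:
    """Q3. 'Have owners for groups' takes the judged group-owner score."""
    if r.owners == "groups":
        return max(0, min(4, r.group_owner_score))
    return OWNERS[r.owners]


def score_review(r: Response) -> int:
    """Q4/Q4a. Points come from the review frequency whether owners or
    someone else reviews access; no reviewer at all scores 0."""
    if not (r.owners_review or r.other_reviewer) or r.review_frequency is None:
        return 0
    return REVIEW_FREQUENCY[r.review_frequency]


def score_response(r: Response) -> dict:
    """Per-activity breakdown plus the total (0..MAX_SCORE)."""
    parts = {
        "knows where data resides": LOCATION_CONFIDENCE[r.location_confidence],
        "monitors access activity": MONITORING[r.monitoring],
        "has data owners": score_owners(r),
        "owners review access": score_review(r),
        "revokes access": REVOCATION[r.revocation],
    }
    parts["total"] = sum(parts.values())
    return parts


def summarize(responses) -> dict:
    """Average and median total, the two figures the report quotes."""
    totals = [score_response(r)["total"] for r in responses]
    return {"average": mean(totals), "median": median(totals), "max_possible": MAX_SCORE}


# Constructed sample responses (not survey data).
PERFECT = Response("very confident", "all", "all", True, "more than twice a year", False, "regularly")
NOTHING = Response("unsure", "none", "none", False, None, False, "never")
MIDDLE = Response("very confident", "most", "some", True, "once a year", False, "sometimes")
GROUP_OWNERS = Response("somewhat confident", "some", "groups", False, "twice a year", True,
                        "regularly", group_owner_score=2)

if __name__ == "__main__":
    for name, r in [("perfect", PERFECT), ("nothing", NOTHING),
                    ("middle", MIDDLE), ("group owners", GROUP_OWNERS)]:
        print(f"{name:13s} {score_response(r)}")
    print(summarize([PERFECT, NOTHING, MIDDLE, GROUP_OWNERS]))
```

The breakdown dictionary is what makes the radar plot and the per-confidence-level comparisons in the body of the report possible: each activity keeps its own 0-12 score rather than collapsing into the total.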

(Group Owner Questions)

If you have owners for groups instead of data, can you reliably determine what data the groups have access to?
- Yes: score depends on next question
- No: score 0

If you answered yes, then how are you able to determine which groups have access to which data? (free-text responses, each scored individually)
- "All data is hidden and only visible by permissions granted": score 2
- "Only three people in a group": score 2
- "We control the Access to the data": score 2
- "It's one click away in any document library in SharePoint": score 0
- "Specific groups own specific sites, admin of Site can add users": score 4
- "AD group assignment": score 2
- "Through recertification": score 4
- "Via Ad directory control and through DLP data sharing control": score 2
- "AD": score 2
- "By looking at the security tab to see who has been assigned ownership and what permission level they have. slow and cumbersome process!": score 2

The most subjective scoring was for the 10 respondents who reported that they had owners for groups instead of data, and could determine which groups have access to which data. Scoring was performed by judging each individual response. None of the responses seemed to indicate that the organization could easily answer the question, "What data does this group provide access to?" Many responses, in fact, indicated a probable misunderstanding of the capabilities of Active Directory and SharePoint. Active Directory, for example, includes no indication of which specific folders and sites a group is assigned to (via ACL), unless the organization updates and maintains a description field for each group, manually or otherwise. SharePoint may be able to list which groups have access to a site, but there is no way within SharePoint (to our knowledge) to easily report on every site or library that a given group has access to, either through direct ACL assignment or inheritance.
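As an added illustration of the point just made (this is not Varonis's code, and not an Active Directory or SharePoint API), the following Python builds the reverse index that neither AD nor SharePoint provides natively. Given a set of ACLs, a resource tree with inheritance, and group membership as it would come from AD, it answers "which resources does this group reach, directly or by inheritance?", expands nested groups for a user, and flattens a resource's effective ACEs to the individual users a data owner would look at in the access review recommended in the conclusions. All resource paths, group names and ACEs are constructed sample data.

```python
"""Reverse-mapping ACLs to answer 'what data does this group provide access
to?' across file shares and SharePoint. Added illustration with constructed
data; not Varonis's code and not an Active Directory or SharePoint API."""
from collections import defaultdict

# Constructed resource tree (child -> parent). None marks a root (share or site).
RESOURCE_PARENT = {
    r"\\fs1\finance": None,
    r"\\fs1\finance\payroll": r"\\fs1\finance",
    r"\\fs1\finance\payroll\2012": r"\\fs1\finance\payroll",
    "https://sp/sites/hr": None,
    "https://sp/sites/hr/Shared Documents": "https://sp/sites/hr",
}
# Resources with unique permissions (inheritance from the parent is broken).
INHERITANCE_BROKEN = {r"\\fs1\finance\payroll"}
# Explicit ACEs as (principal, permission); constructed sample values.
DIRECT_ACES = {
    r"\\fs1\finance": [("Finance-RO", "Read"), ("Finance-Admins", "Modify")],
    r"\\fs1\finance\payroll": [("Payroll", "Modify")],
    "https://sp/sites/hr": [("HR-Staff", "Contribute")],
    "https://sp/sites/hr/Shared Documents": [("Everyone", "Read")],
}
# Group membership as exported from AD; groups may be nested.
GROUP_MEMBERS = {
    "Finance-Admins": ["alice", "Payroll"],   # Payroll is a nested group
    "Finance-RO": ["bob"],
    "Payroll": ["carol"],
    "HR-Staff": ["dave"],
    "Everyone": ["alice", "bob", "carol", "dave"],
}


def effective_aces(resource):
    """ACEs that apply to a resource: its own, plus its ancestors' until a
    resource with unique (non-inherited) permissions is reached."""
    aces, node = [], resource
    while node is not None:
        for principal, perm in DIRECT_ACES.get(node, []):
            how = "direct" if node == resource else "inherited from " + node
            aces.append((principal, perm, how))
        if node in INHERITANCE_BROKEN:
            break
        node = RESOURCE_PARENT[node]
    return aces


def resources_for_group(group):
    """Reverse index: every resource the group reaches, with permission and
    whether the ACE is direct or inherited (AD itself cannot answer this)."""
    return {res: (perm, how)
            for res in RESOURCE_PARENT
            for principal, perm, how in effective_aces(res)
            if principal == group}


def groups_of(principal):
    """All groups containing the principal, following nesting upwards."""
    found, frontier = set(), [principal]
    while frontier:
        p = frontier.pop()
        for group, members in GROUP_MEMBERS.items():
            if p in members and group not in found:
                found.add(group)
                frontier.append(group)
    return found


def resources_for_user(user):
    """Everything a user can reach through direct ACEs or any nested group."""
    principals = groups_of(user) | {user}
    access = defaultdict(set)
    for res in RESOURCE_PARENT:
        for principal, perm, _ in effective_aces(res):
            if principal in principals:
                access[res].add(perm)
    return dict(access)


def users_with_access(resource):
    """Flatten a resource's effective ACEs to individual users: the view a
    data owner needs when reviewing and revoking access."""
    def members(p, seen):
        if p not in GROUP_MEMBERS:
            return {p}
        if p in seen:
            return set()          # guard against membership cycles
        seen.add(p)
        return set().union(*(members(m, seen) for m in GROUP_MEMBERS[p]))
    users = set()
    for principal, _, _ in effective_aces(resource):
        users |= members(principal, set())
    return users


if __name__ == "__main__":
    print("Finance-Admins reaches:", resources_for_group("Finance-Admins"))
    print("Payroll reaches:", resources_for_group("Payroll"))
    print("carol reaches:", resources_for_user("carol"))
    print(r"review list for \\fs1\finance:", sorted(users_with_access(r"\\fs1\finance")))
```

Two details carry the lesson. `Finance-Admins` has Modify on the finance share but does not reach the payroll folder, because payroll has unique permissions; a reviewer who reads only the top-level ACL would get that wrong. And `carol` reaches the finance share through a nested group, which is exactly the kind of path that the "security tab" inspection described by one respondent does not surface without expanding every group by hand.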

Appendix 2: Responses regardless of confidence level

The following graphs illustrate the distribution of responses regardless of the overall confidence level reported.

- [Chart: How confident are you that you know where all data containing information about customers, vendors, and other business partners resides?]
- [Chart: Do you monitor actual access activity on file shares and SharePoint? (File opens, creates, moves, modifies, deletes)]
- [Chart: Do you have owners assigned to folders/directories, and SharePoint sites?]

- [Chart: Do data and/or group owners review permissions to their folders, and SharePoint sites, or members of their groups?]
- [Chart: If yes, how often do they review access?]
- [Chart: How often do you revoke access to data, aside from when employees leave the organization?]
- [Chart: Do you use automation to identify sensitive data?]

ABOUT VARONIS SYSTEMS

Varonis is the leader in unstructured and semi-structured data governance for file systems, SharePoint and NAS devices, and Exchange servers. The company was named "Cool Vendor" in Risk Management and Compliance by Gartner, and voted one of the "Fast 50 Reader Favorites" on FastCompany.com. Varonis has over 3,000 installations worldwide. Based on patented technology and a highly accurate analytics engine, Varonis solutions give organizations total visibility and control over their data, ensuring that only the right users have access to the right data at all times. Varonis is headquartered in New York, with regional offices in Europe, Asia and Latin America.

WORLDWIDE HEADQUARTERS
1250 Broadway, 31st Floor
New York, NY
Phone:
sales@varonis.com

EUROPE, MIDDLE EAST AND AFRICA
55 Old Broad Street
London, United Kingdom EC2M 1RX
Phone: +44(0)
sales-europe@varonis.com