Organizations Fail to Maintain Principle of Least Privilege

Security requires that confidential commercial data is protected; compliance requires the same for personal information. The difficulty for business is that the sheer volume of data generated makes it hard to know where all the data resides and who has access to it. A new report shows that 47% of analyzed organizations in 2016 had at least 1,000 sensitive files open to every employee, and 22% had 12,000 or more.

These figures come from the Varonis 2016 Data Risk Assessments report. Each year Varonis conducts more than 1,000 risk assessments for both existing and potential customers. For its latest analysis of data risk, it has selected, at random, 80 of these assessments. They cover 33 industries in 12 different countries. Forty-two of the organizations have fewer than 1000 employees, and 38 have 1001 or more employees.

One of the problems highlighted by Varonis is that organizations fail to maintain the principle of least privilege in their access control. It found a total of 48 million folders, or an average of 20% of all folders, accessible to global groups. "Many data breaches are opportunistic or rudimentary in nature, and many originate from an insider, or an insider whose credentials or system has been hijacked," warns Varonis. "Excessive user access through global groups is a key failure point for many security and compliance audits."

That's not to say that all organizations fail. At one end of the scale, a government entity had only 29 of 290,000 folders open to everyone (with none containing sensitive files); while at the other end, an insurance firm had 35% of 86.4 million folders open to all employees.

Focusing more specifically on 'sensitive' files (potentially containing PII, PHI, card details, SSNs and intellectual property), Varonis found a similar range of access. One company in the construction trade had only 0.01% of almost 1000 sensitive files open to the everyone group. Conversely, a banking institution had 80% of more than 245,000 sensitive files accessible to every employee.

Apart from audit and compliance issues, Varonis points to the Panama Papers as an illustration of the dangers. In April 2016, 11.5 million confidential files belonging to the Panama law firm Mossack Fonseca were leaked to a German newspaper, revealing how its clients hid billions of dollars in tax havens.

Stale data is another risk highlighted in the report. Varonis defines stale data as any data that hasn't been touched in six months or more. "Stale data represents little value to the business while it's not being used, but still carries with it risk and potential financial liability if used inappropriately." It also adds a management and cost burden, especially if it is maintained on high-performance storage.

The amount of stale data found by Varonis ranged from just 0.03% (still 21 gigabytes of data) in an investment management firm, to 527 terabytes in more than 35,000 folders at an environment firm.

Varonis also found numerous problems with both permissions and passwords. Issues with permissions include protected folders found in deeper levels of the file system, which "may contain users and permissions which are not visible at the higher levels, leading an administrator to mistakenly assume that permissions to a folder are configured correctly."

Unresolved security identifiers are also a problem. These occur when a user on an ACL is deleted from Active Directory. "They can potentially give unauthorized users (like hackers) access to data," warns Varonis. 

One of the problems with passwords is the tendency to allow non-expiring passwords, which, warns Varonis, "allow unlimited time to brute force crack them and indefinite access to data via the account." An insurance firm had 58% of its 246,865 users using non-expiring passwords. But an education organization had 100% of 257,000 users using such passwords -- and 90% of these were stale enabled users.
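The three findings above (global-group access hidden on deeper folders, unresolved SIDs on ACLs, and enabled accounts with non-expiring passwords) can all be checked with built-in Windows tooling. The following read-only audit script is an added example written for this page; it is not from the article, from Varonis, or from any Varonis product. It assumes a domain-joined Windows host with the ActiveDirectory RSAT module installed, a hypothetical share path `\\fileserver\share` passed as `$ShareRoot`, and treats an account as stale when it has not logged on for 180 days (the report's six-month definition of stale data, applied here to accounts as an assumption).

```powershell
# Added example (not from the article or from Varonis). Read-only audit for:
#   1. folder ACLs that grant access to "global" groups (Everyone, Authenticated
#      Users, BUILTIN\Users, Domain Users), including explicit ACEs deep in the tree
#   2. unresolved SIDs on ACLs (principals that no longer exist in Active Directory)
#   3. enabled AD accounts whose password never expires, flagged stale after $StaleDays
# Assumptions: ActiveDirectory module present, $ShareRoot is a hypothetical path.
param(
    [string]$ShareRoot = '\\fileserver\share',   # hypothetical share to audit
    [int]$StaleDays = 180                        # assumed "stale" threshold
)

# Well-known SIDs: S-1-1-0 Everyone, S-1-5-11 Authenticated Users, S-1-5-32-545 Users.
# Domain Users is domain-relative (RID 513), so it is matched by suffix below.
$GlobalSids = @('S-1-1-0', 'S-1-5-11', 'S-1-5-32-545')

function Test-GlobalSid {
    param([System.Security.Principal.SecurityIdentifier]$Sid)
    return ($GlobalSids -contains $Sid.Value) -or ($Sid.Value -like 'S-1-5-21-*-513')
}

function Get-FolderAclFindings {
    param([string]$Path)
    $findings = @()
    # Walk every folder: explicit (non-inherited) ACEs on deep folders are exactly the
    # permissions an administrator cannot see when looking only at the top level.
    $folders = @(Get-Item -LiteralPath $Path) +
               @(Get-ChildItem -LiteralPath $Path -Directory -Recurse -ErrorAction SilentlyContinue)
    foreach ($folder in $folders) {
        try { $acl = Get-Acl -LiteralPath $folder.FullName } catch { continue }
        # Request raw SIDs so that a failed name translation is detected explicitly
        $rules = $acl.GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier])
        foreach ($rule in $rules) {
            if ($rule.AccessControlType -ne 'Allow') { continue }
            $sid  = [System.Security.Principal.SecurityIdentifier]$rule.IdentityReference
            $name = $null
            # Translate() throws IdentityNotMappedException for a deleted principal
            try { $name = $sid.Translate([System.Security.Principal.NTAccount]).Value } catch { $name = $null }
            if (-not $name) {
                $findings += [pscustomobject]@{
                    Path = $folder.FullName; Issue = 'UnresolvedSid'; Principal = $sid.Value
                    Rights = $rule.FileSystemRights; Inherited = $rule.IsInherited
                }
            } elseif (Test-GlobalSid $sid) {
                $findings += [pscustomobject]@{
                    Path = $folder.FullName; Issue = 'GlobalGroupAccess'; Principal = $name
                    Rights = $rule.FileSystemRights; Inherited = $rule.IsInherited
                }
            }
        }
    }
    return $findings
}

function Get-NonExpiringPasswordAccounts {
    param([int]$StaleDays)
    Import-Module ActiveDirectory
    $cutoff = (Get-Date).AddDays(-$StaleDays)
    # LastLogonDate is derived from lastLogonTimestamp, which replicates with a lag of
    # up to 14 days, so it is suitable for "months stale" but not for recent activity.
    Get-ADUser -Filter 'Enabled -eq $true -and PasswordNeverExpires -eq $true' `
               -Properties PasswordNeverExpires, LastLogonDate, PasswordLastSet |
        ForEach-Object {
            [pscustomobject]@{
                SamAccountName  = $_.SamAccountName
                LastLogonDate   = $_.LastLogonDate
                PasswordLastSet = $_.PasswordLastSet
                Stale           = (-not $_.LastLogonDate) -or ($_.LastLogonDate -lt $cutoff)
            }
        }
}

$aclFindings = Get-FolderAclFindings -Path $ShareRoot
$pwFindings  = Get-NonExpiringPasswordAccounts -StaleDays $StaleDays

"== ACL findings by type =="
$aclFindings | Group-Object Issue | Select-Object Name, Count | Format-Table -AutoSize
"== Global-group access granted by explicit ACEs below the share root =="
$aclFindings | Where-Object { $_.Issue -eq 'GlobalGroupAccess' -and -not $_.Inherited } |
    Format-Table Path, Principal, Rights -AutoSize
"== Unresolved SIDs =="
$aclFindings | Where-Object { $_.Issue -eq 'UnresolvedSid' } | Format-Table Path, Principal, Rights -AutoSize
"== Enabled accounts with non-expiring passwords (stale first) =="
$pwFindings | Sort-Object Stale -Descending | Format-Table SamAccountName, Stale, LastLogonDate, PasswordLastSet -AutoSize
```

The script only reads ACLs and directory attributes, so it can be run against a share as a reporting step before any cleanup; the explicit (non-inherited) global-group entries are the ones worth reviewing first, since those are the permissions that the top-level view described by Varonis does not reveal.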

Varonis believes that organizations spend too much time and money defending against specific threats to keep attackers off the network, rather than protecting the data itself from both opportunistic insiders and hackers who breach the 'perimeter'. In January of this year, a separate report (PDF) from Forrester (commissioned by Varonis) concluded that "an overwhelming majority of companies face technical and organizational challenges with data security, are focused on threats rather than their data, and do not have a good handle on understanding and controlling sensitive data."

"Many point products are designed to mitigate specific threats," said David Gibson, VP of strategy and market development with Varonis. "If they're used tactically, instead of supporting a strategy that improves the overall security of data, they can not only cost a lot of money, but also provide a false sense of security. Ransomware, for example, exploits the same internal deficiencies that a rogue or compromised insider might -- insufficient detective capabilities and over-subscribed access. Too many organizations look for tools that specifically address ransomware, but neglect to buttress core defenses that would mitigate more than just this specific threat."

Kevin Townsend is a Senior Contributor at SecurityWeek. He has been writing about high tech issues since before the birth of Microsoft. For the last 15 years he has specialized in information security; and has had many thousands of articles published in dozens of different magazines – from The Times and the Financial Times to current and long-gone computer magazines.