The Challenge of Safeguarding Sensitive Data
Today’s organizations are facing expansive requirements for safeguarding sensitive and confidential information. Whether it’s intellectual property, financial information, or PII (Personally Identifiable Information), there are data access risks that, if not addressed properly, can be devastating to an organization.
With the risk of having to pay huge fines for noncompliance, most organizations pay particular attention to privacy regulations such as HIPAA, FERPA, and GDPR by restricting access and certifying that only authorized users can access records containing PII. But these same organizations oftentimes don’t give the same diligence to restricting and certifying that only authorized users have access to other sensitive and confidential information such as legal or financial documents.
Sensitive Information in Stored Data
For most organizations, sensitive and confidential information can be found in data stored both in databases and on the network file system. Data stored in databases is known as structured data, and data stored on the network file system is known as unstructured data.
While conducting access reviews of applications and databases storing structured data is easily accomplished with an identity management or access governance system, these systems generally lack the ability to do so on the network file system.
The Risk of Unauthorized Access to Unstructured Data
As the repository of more than 80 percent of an organization’s data, the network file system is oftentimes the most vulnerable location for unauthorized access to sensitive and confidential files. Today, headline-grabbing data breaches of sensitive and confidential information accessed from network file systems at large corporations are the new norm.
A New Micro Focus Solution for Access Review of Unstructured Data
With the objective of better safeguarding sensitive and confidential information located in unstructured data, the development teams of Micro Focus File Reporter and Micro Focus Identity Governance began integration work together in 2018 to provide the means of conducting access reviews on network-stored unstructured data. In other words, the integration enables Identity Governance to perform the same certification and attestation of authorized access to unstructured data as it does to structured data.
The recent releases of Identity Governance 3.5 and File Reporter 3.6 were the fruition of this integration work. Alternatively, there is a version of File Reporter focused almost solely on this integration. An offering named Data Access Governance (DAG) was introduced to include Identity Governance integration and most of the security reporting features of File Reporter without all of the file system reporting or custom-query reporting capabilities. Both File Reporter 3.6 and DAG integrate with Identity Governance 3.5 and provide the means of enabling access reviews for unstructured data. Another way to think about it is that File Reporter 3.6 includes all capabilities of DAG.
How it Works
After File Reporter or DAG conducts a Permissions Scan and performs a permissions abstraction, the results can be imported into Identity Governance for access review. You will first have to do some configuration work to get the two applications to communicate (it’s all in the documentation) and you’ll need to do a little bit of initial setup, but after that, integration between the two products is pretty straightforward.
The integrated solution between Identity Governance and File Reporter/DAG is almost exclusive in the market today because it uses Active Directory identities as the means of access review and management. For customers using an identity management system such as Micro Focus Identity Manager, this solution is a logical addition engineered to provide certification and attestation of compliance with security regulations and policies.
Part of a Comprehensive Data Access Governance Solution
The ability to conduct access reviews on unstructured data is just part of an overall data access governance solution from Micro Focus. Micro Focus File Dynamics recently introduced Security Notify policies that let you monitor network folders for any changes in access permissions and then notify designated data owners immediately about these changes. Security Notify policies are just the first in a family of soon-to-be-released security-related policies.
These new policies will protect high-risk targets by enacting automated permissions remediation, protecting network folders from having access permissions changed, and much more.