Torsion – Who has access to what and should they? – Get control & be ready for anything
Defining the problem
It only takes one file containing sensitive information getting into the wrong hands: the resulting security breach or regulatory non-compliance can be catastrophic.
Over time, in information management and collaboration systems, knowing who has access to what tends to slip out of control and become impossible to manage. Serious security and compliance challenges arise when staff have inappropriate access to information, which is typically the root cause of catastrophic security breaches.
This problem falls to IT to solve and is usually addressed manually, often by individuals who do not understand the business processes and, by extension, who should own or have access to specific information. Add to this SharePoint's inherent “ease of sharing”, and it becomes almost impossible to determine who should be sharing what.
We call this the “unlimited sharing problem”.
In order to solve this problem, responsibility needs to be given back to the business in an intelligent and empowering manner. Enter Torsion Information Security.
Does the above resonate with you? Ask yourself the following questions:
- Have you had a recent audit around file access and governance? (ISO27001 etc.)
- Do you have millions of files, multiple systems, and many staff?
- Can you confidently say, “Permissions to our company’s files and SharePoint sites are up to date”?
- Do you know who has access to your files? Will they still need access a month from now? Will you remember to take away access? Do you know how?
- Do users constantly share information with each other? (Unlimited sharing).
- Is it common for users in the business to change roles but retain access to information from their old role (John moves from finance to development, but for weeks after the move still has access to the financial information)?
- Are you managing file governance manually, or relying on Active Directory security groups to solve the problem?
- Have you recently completed a SharePoint or Teams rollout only to discover, 6 months later, that file access and governance are a mess?
- Can you identify vulnerable data?
Tame the Beast
Imagine a world where you, as a business unit owner or head of department, with all the knowledge of how your business runs and the best understanding of who should have access to relevant data, can quickly and easily see who has access.
Where you can confirm or revoke access based on rules you build. For example: “Torsion, show me all people in department “Finance” who have the role of “Credit control””, and be provided with a list confirming who meets the criteria and has access to the data. For those who have access but do not meet your criteria, you can then revoke access immediately or let it decay over time with warnings.
By combining machine learning and data classification rules, the Torsion data governance platform can see all movement in the Microsoft 365 tenant and look for access anomalies: a user with inappropriate access to critical or sensitive data. Further, Torsion solves common problems found in SharePoint and collaboration platforms such as stale access: a user whose role has changed, or who has moved departments, yet still has access to data in their previous SharePoint location.
How does Torsion do it?
Business or data owners can assess who should be the owner (based on frequency of access, interaction and behaviour) and then assign ownership. Business owners can then see:
- Who has access and, more importantly, why? (this is one of the biggest focus areas of an information governance audit)
- Their name, role, when they got access
- Who granted access, and "reason for access"
For users needing to share, the “share with a user or group” action is replaced with the “Share with the reason for access” button. Based on logic from roles and similar attributes, and the resulting business rule, Torsion then determines who should have access and/or be granted access (based on security rules).
How does this approach reduce the “unlimited sharing problem”? When sharing with an individual, a check is performed to confirm that the user should have access and that no governance policy would be breached. If the check fails, an alert states the reason why the user cannot have access. Conversely, if you want to approve access, you can:
- Provide access for a limited period, and select the reason for access
- Choose reasons for access based on their current role and attributes
How can we revoke access without impacting productivity? When access needs to be revoked, Torsion can decay it over time, with notifications sent incrementally, to gradually remove access without impacting productivity.
Why do other solutions fail to solve the problem? Most other tools empower IT and NOT the business. IT cannot keep up with changes in the business and is rarely in a position to know who should access what. Torsion empowers data owners in the business, learning behaviours and access patterns to determine who should be the rightful custodian of the information.
What is wrong with the current "share" capability in SharePoint? Anybody can share anything at any time, and the sharing process does not capture the reason why something is being shared. Without a business reason there is no way to audit why people have access, so it is impossible to justify whether they should have access. Basic sharing has no mechanism to loop back and revisit permissions already in place: should this person still have access?
Torsion replaces the sharing and permissions management buttons with the TorsionIS panel, embedded in the application or portal, which shows how many people the site is shared with and its security status (OK, etc.), and looks for anomalies (people with access to data they should not have) and outliers (people who still have access but should not). When a problem is found, the business owner is alerted that an access rule, DLP label or classification rule has been breached.
Does Torsion disrupt or displace my current DLP or Information Protection platform, or my classifications? Torsion does not compete with existing solutions; integration with existing classifications is achieved by simply attaching a "governance" policy to the existing classification.
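The rule-based review ("show me everyone in Finance with the Credit control role who has access"), the share-time check with a mandatory reason for access, and the time-limited grant that decays with notifications are all small pieces of logic that can be shown concretely. The example below is added here for illustration and is not Torsion's code or API; the policy, users, grants and the 14/7/1-day notice schedule are constructed sample data, and the "stale access" case is John, who moved from Finance to Development while his old share was never revoked.

```python
"""Rule-based access review, share-with-reason checks and decaying access.

Added illustration only: this is not Torsion's code or API. Users, grants,
policy and the notice schedule are all constructed sample data.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class User:
    name: str
    department: str
    role: str


@dataclass(frozen=True)
class Grant:
    user: str
    resource: str
    reason: str                         # the "reason for access" captured at share time
    granted_by: str
    granted_on: date
    expires_on: Optional[date] = None   # None means open-ended (a legacy share)


@dataclass(frozen=True)
class Policy:
    """Who should have access, e.g. department "Finance" with role "Credit control"."""
    resource: str
    department: str
    role: str
    max_days: int                       # longest period a single share may grant


def meets_criteria(policy: Policy, user: User) -> bool:
    return user.department == policy.department and user.role == policy.role


def review_access(policy: Policy, users: List[User],
                  grants: List[Grant]) -> Tuple[List[str], List[str]]:
    """Split current grants on the policy's resource into people who meet the
    criteria and outliers who have access but should not (stale or mis-shared)."""
    directory = {u.name: u for u in users}
    conforming, outliers = [], []
    for g in grants:
        if g.resource != policy.resource:
            continue
        user = directory.get(g.user)
        if user is not None and meets_criteria(policy, user):
            conforming.append(g.user)
        else:
            outliers.append(g.user)     # changed role, moved department or never matched
    return conforming, outliers


def request_share(policy: Policy, requester: User, target: User, reason: str,
                  days: int, today: date) -> Tuple[Optional[Grant], str]:
    """The share-time check: refuse without a reason, refuse if the target does
    not meet the policy, cap the duration; otherwise issue a time-limited grant."""
    if not reason.strip():
        return None, "denied: a reason for access is required"
    if not meets_criteria(policy, target):
        return None, (f"denied: {target.name} is {target.department}/{target.role}, "
                      f"policy requires {policy.department}/{policy.role}")
    if days > policy.max_days:
        return None, f"denied: {days} days exceeds the policy maximum of {policy.max_days}"
    grant = Grant(target.name, policy.resource, reason, requester.name,
                  today, today + timedelta(days=days))
    return grant, "granted"


# Days before expiry at which a decay notice goes to the user and owner (assumed schedule).
DECAY_NOTICE_DAYS = (14, 7, 1)


def decay_status(grant: Grant, today: date) -> str:
    """'active', 'notify' (a warning is due today) or 'expired' (access removed)."""
    if grant.expires_on is None:
        return "active"
    remaining = (grant.expires_on - today).days
    if remaining <= 0:
        return "expired"
    return "notify" if remaining in DECAY_NOTICE_DAYS else "active"


# --- constructed sample data ---------------------------------------------------
CREDIT_POLICY = Policy("Finance/CreditControl", "Finance", "Credit control", max_days=90)
USERS = [
    User("Alice", "Finance", "Credit control"),
    User("Bob", "Finance", "Accounts payable"),
    User("John", "Development", "Engineer"),      # moved from Finance; share never revoked
    User("Carol", "Finance", "Head of Finance"),  # business owner of the site
    User("Dana", "Finance", "Credit control"),
]
GRANTS = [
    Grant("Alice", "Finance/CreditControl", "month-end reconciliation", "Carol", date(2023, 11, 1)),
    Grant("Bob", "Finance/CreditControl", "", "legacy share", date(2022, 5, 3)),
    Grant("John", "Finance/CreditControl", "credit desk cover", "Carol", date(2023, 2, 9)),
]

if __name__ == "__main__":
    ok, bad = review_access(CREDIT_POLICY, USERS, GRANTS)
    print("meets criteria:", ok, "| outliers to revoke or decay:", bad)
    today, carol, dana, bob = date(2024, 3, 1), USERS[3], USERS[4], USERS[1]
    for target, reason in ((dana, ""), (bob, "covering credit desk"), (dana, "covering credit desk")):
        grant, msg = request_share(CREDIT_POLICY, carol, target, reason, 30, today)
        print(target.name, "->", msg)
    grant, _ = request_share(CREDIT_POLICY, carol, dana, "covering credit desk", 30, today)
    for d in (date(2024, 3, 10), date(2024, 3, 17), date(2024, 3, 24), date(2024, 4, 1)):
        print(d, decay_status(grant, d))
```

Running the script lists Alice as conforming and Bob and John as outliers (Bob never held the role; John's access went stale when he changed department), refuses the share without a reason and the share to a user outside the policy, and walks Dana's 30-day grant through its notice days to expiry. The point a reviewer should take from it is that every grant carries a reason, a grantor and an expiry, so "why does this person have access?" is answerable from the record rather than from memory.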
So, to Summarise
To solve the “unlimited sharing” problem, Torsion dynamically adjusts itself to any changes in organisational structure so that ‘who has access to what’ files and folders remains updated and maintained automatically. If there are changes, such as a change in responsibility, position or role, data governance, access and security are updated automatically.
Compliance is also made extremely simple, as ownership of the information is given back to the business, where access can be certified or revoked, making validation of access and overall data governance much easier.
Periodic reviews are also implemented, so data owners have to regularly update certifications and access, making this an extremely intelligent approach to combating the data governance drawbacks of collaboration suites like Microsoft Teams and SharePoint.
This solves the “unlimited sharing” problem.
Interested? Book your Torsion demo today.