Both IT and the government share similar views on protecting confidential data. For example, state and federal courts expect companies to take “reasonable” measures to protect their trade secrets; otherwise they’ll assume the information can’t be that top secret in the first place. These measures include letting employees know they’ll be handling proprietary information, explicitly marking documents as confidential, and having overall technical and physical controls in place. It’s the kind of best-practices advice you’d expect coming from your CIO.

The FBI also has great tips on how to prevent IP theft. Here’s a list of characteristics that they’ve found common in trade secret theft by insiders:

• The insider has too much access
• Proprietary and confidential information isn’t labeled as such (and therefore doesn’t get the protection it needs)
• It’s too easy to walk out the door (or network) with proprietary information
• Lack of policy defining where proprietary materials can be stored (e.g., on personal devices)

The FBI’s tips effectively make the point that good data protection policies are good deterrents to IP thievery—without even bringing in the 007-factor of foreign agents. Of course, there’s a lot of company IP outside of what’s considered a trade secret that’s still worth protecting and keeping confidential. This can include customer lists, sales intelligence, company procedures, and, say, product roadmaps. But the same rules for protecting secret, non-public information still apply, including, for example, limiting authorization on a need-to-know basis, and monitoring access to this critical content.

If access to confidential information is too restrictive, employees won’t be able to get their jobs done—some people will ultimately need access. This is where auditing and monitoring data use, and confidentiality agreements, which most of us have had to sign over the years, come into play. The legalese in confidentiality agreements places an obligation on employees to not reveal certain information they’ll come across—usually specified in the agreement—to third-parties.

No one, of course, is naïve enough to believe that the threat of legal action in a corporate NDA will stop hacker-spies and corporate double-agents from stealing secrets.  True enough. However, if you implement standard data protection and privacy best practices, you’ll go a long way towards keeping your IP out of the hands of data thieves—both foreign and domestic.

The post What IT Departments Can Learn From the FBI appeared first on The Metadata Era | Varonis.

I’ve been using DatAnywhere every day since the early alpha version was handed to us a few months ago.  Along with an amazing group of beta customers, we were able to provide engineering with the feedback they needed to iterate fast and furiously and, ultimately, create a product we love to use.

Some reasons why I love DatAnywhere:

DatAnywhere stays out of the way.

I’ve used Box and Dropbox for personal data and both products are a pleasure to use.  I have a folder, I put stuff in it, and it syncs.  That’s it.  DatAnywhere is exactly the same experience.  From a user’s perspective, it could be a cloud app.  Or a hybrid app.  I wouldn’t know the difference.  But my IT department and CEO can rest assured that our company IP won’t leave our corporate infrastructure.

It’s mobile.

I can get to my files from iOS, Android, Mac or PC.

I can easily share files with third parties.

I can right-click and instantly generate a pin-coded URL where parties and customers can download or upload files from a web UI.

It’s secure and auditable.

Everything is encrypted over the wire, I don’t need to connect to a VPN to sync, all data is stored in our data center—not in a third-party cloud—and IT can monitor user activity and shared links.

It doesn’t change our existing infrastructure.

We got up and running fast because we didn’t have to move our data to a dedicated server.  As Terri McClure, Senior Analyst at Enterprise Strategy Group puts it:

“With Varonis DatAnywhere, organizations don’t have to modify their processes, infrastructure or permissions in order to give end users the functionalities they crave.  Access controls stay the same, data classification continues to function, and data doesn’t need to be moved to a new server.”

We left everything on the NAS with its existing NTFS permissions in-tact.  We use Active Directory authentication, so there was no need to create additional users and groups.

If this sounds good to you, sign-up to try DatAnywhere for free today.

The post Varonis Launches DatAnywhere: Secure File Sharing for Enterprises appeared first on The Metadata Era | Varonis.

Over the past couple of years we’ve gathered a rich set of data from both IT and non-IT people, and through research and analysis, we’ve come to some eye-opening conclusions about the state of organizational data protection.

The video below shows how organizations self-report the protection levels of sensitive data such as credit card numbers, health information, legal records, and financials.  Take a look.

Varonis is committed to helping organizations manage and protect their critical data with a new breed of automated data governance solutions. To see more videos like this one, visit our video gallery.

The post [VIDEO] The Data Maturity Model appeared first on The Metadata Era | Varonis.

Over the past few months, I’ve mentioned that the EU’s Data Protection Directive is in the process of a major revision. The most controversial change to the DPD is the “Right to be Forgotten”, which has been making headlines recently. Last week, the European Parliament committee in charge of approving the proposed data protection regulations decided to delay their vote. Those who have been looking for an Internet delete button will have to wait longer.

Member state Ireland, which currently holds the EU Presidency, has been very public about wanting to see all EU countries vote by the end of its term in July 2013. That is looking more unlikely with the decision of the Civil Liberties, Justice, and Home Affairs Committee to delay its vote.

There is still more voting that needs to take place. Think of the EU Parliament as the US Congress, and member nations as US states. So even after the committee votes, the EU Parliament as a body would have to approve “DPD 2.0”, and then the new regulations would still have to be voted on by each EU country.

So we shouldn’t expect a GA date anytime soon if all goes to plan.

But it’s no secret that the “Right to be Forgotten”, as well as new rules on data retention, have been controversial for US and EU companies—both groups are heavily involved in lobbying to make changes to the regulations.

There also have been stirrings from one EU country in particular, the United Kingdom, about the burdensome nature of the new rules. The UK’s Information Commissioner’s Office (ICO)— the agency responsible for fulfilling the DPD requirements—just released a report noting that businesses are having difficulty estimating the cost of the new data protection rules.

In fact, the UK Government is seeking to opt-out of, if it’s ultimately approved, the Right to be Forgotten. The Government feels it gives consumers “unrealistic expectations” about the ability to control their personal data.

Meanwhile, back in the US, the Executive Chairman of Google, Eric Schmidt, raised eyebrows when he called for an Internet delete button at a conference held at New York University earlier this month.

He was clearly referring to the EU’s Right to be Forgotten, which Google has been actively lobbying against.

Will there be an EU-style Internet delete button? I don’t know the answer, but it’s clear that everything is still very unclear.

The post The Internet Delete Button appeared first on The Metadata Era | Varonis.

Today, I am happy to announce a new integration between Varonis DatAdvantage and Hitachi to provide unparalleled solutions for human generated big data.

We are grateful and proud that Varonis is increasingly seen as the de facto standard for monitoring large data stores. Historically, we’ve been approached by organizations considering the Hitachi platform that very much wanted to marry it with the full capability of DatAdvantage.

The truth is that, if you cannot monitor, then you cannot manage, and organizations are no longer willing to let their investments in unstructured data go unprotected.  That’s why they want Varonis there to collect metadata, provide information governance, and extract maximum value from their data. We’ve worked closely with Hitachi to make this a reality.

Download our datasheet for more information.

The post Varonis DatAdvantage Now Supports Hitachi NAS appeared first on The Metadata Era | Varonis.

Yes, hackers can be spies. Stay calm, all the same rules still apply.

Along with the rest of America, I read the headlines last week about the Chinese military hacking into US defense contractors’ computer systems. Though the words “cyber attack” take on a more ominous meaning when a government is involved, most of the press has correctly framed the news as a technology story, with the espionage part as an interesting footnote. It’s really just another example of cyber thieves, albeit working for a government, stealing data from corporate file servers.

My first instinct was to pore through the reporting to learn how this particular den of data thieves did their work—the threat actions or attack vectors used. There was very little to go on. The Pentagon’s Annual Report to Congress, which was the source of the headlines, was also silent on that aspect of the story. To shed some light, I went back to one of this blog’s favorite resources, Verizon’s Data Breach Investigations Report.

In analyzing breach data for 2012, the DBIR team points out that activity of state-affiliated actors—code words for spies and government intelligence agencies—was sharply up from previous years. Their analysis shows that foreign governments were involved in 121 of the DBIR’s tally of 621 validated breaches—their evaluation methodology, by the way, is quite strict. It is significant that 22% of all DBIR breaches were motivated by intelligence gathering of corporate IP and other sensitive data. But no need to panic.

As the report notes, the difference between government-sponsored intelligence gathering and ordinary hacking is that their exploits are multi-pronged, relying on a combination of email phishing, malware, and garden variety credential hacking.

By doing my own slicing of the raw data that DBIR generously provides, I got a little more insight into these government orchestrated attacks.  In the table above are listed the top six attack mechanisms used by state hackers. As the DBIR notes, these 121 breaches are based on well-rehearsed exploits in which certain actions almost always appear.

The breach incidents most likely go something like this: a user sitting at a desk somewhere—Fortune 500 company, defense contractor, research university—falls for an email phishing attack in which a backdoor is loaded onto the user’s computer. This bit of malware then contacts the foreign government’s command and control (C2) server. The C2 servers instruct the backdoor to perform some simple commands, which can include walking a file system and then exporting data that is considered interesting. Often the foreign government is also searching for the file of password hashes—password dumping—so that it can do a reverse lookup and then hack into these accounts remotely.

Of course, this is not an unusual scenario for a more sophisticated type of non-government hacker. The key point here is that traditional preventive methods and Plan B-type mitigation would still apply.

For example, the current DBIR yet again reminds readers—they’ve been saying this for years—that two-phase authentication would block 80% of attacks involving passwords. What works for ordinary cyber thieves does just as well for cyber spies logging in from mainland China. And auditing and monitoring of file activity would spot Jane military worker accessing documents and system files she doesn’t normally touch.

I’ve little doubt that the US military contractors who were compromised were victims of the scenario I sketched out. A more detailed account of an actual attack by the Chinese military can be found here. It roughly follows my scenario based on the DBIR data but has some interesting variations.

My advice to companies dealing with these types of attacks? Stay calm, carry on, and focus on the breach prevention and mitigation techniques—check out the 2013 DBIR for more ideas—you had always intended for using against standard cyber thieves.

The post The Top 6 Exploits Used by Government Hackers appeared first on The Metadata Era | Varonis.

• Gold Winner for Best Access Product – DatAnywhere
• Gold Winner for Best Compliance Product – DatAdvantage
• Bronze Winner for Best White Paper – Children of the Digital Revolution

As the demand for secure digital collaboration increases across all markets, data accessibility, protection and management continue to be three key issues for organization.  We’re very pleased that our technology solutions, as well as our thought leadership in this area, have been recognized with Network Products Guide Awards.

Thanks to Network Products Guide!

Want to read the winning whitepaper?

Children of the Digital Revolution discusses how, in a single generation, digital collaboration has completely changed the way we communicate and work.  Read it here.

The post Varonis Comes Up Big at 2013 Network Products Guide Awards appeared first on The Metadata Era | Varonis.

The Path settlement is just another lesson for those who think that the compliance laws on the books are just for show. Not only did the government nail Path for their deceptive advertising, but also for ignoring one of the few US online consumer data privacy laws: the Children’s Online Privacy Protection Act or COPPA.

Passed in 1998 (and recently updated), COPPA requires web site operators—in practice, child-oriented web services —to gain “verifiable parental consent” from their under-13-year-old users. This law also gives parents the right, at any time, to opt out of disclosures of their child’s personal information—PIIs and other sensitive data—to third-parties. The operators are then free, of course, to terminate the service.

For those parents who give approval, the web site is required by COPPA “to protect the confidentiality, security, and integrity” of the online data. With  most US  data privacy  laws focused on financial or medical information, this is a rare obligation to protect general consumer data.

Promoting itself as a “private messaging and sharing service”, Path failed to gain parental consent from their young subscribers. It was a blatant violation of COPPA.

For web site operators , COPAA is not necessarily an issue. Many services—most significantly Facebook—get around COPPA by not accepting minors. Of course, kids being kids will lie about their age when they register, but then the operators are not held responsible —though this leads to other privacy issues involving data mining of children’s online identities.

Where is privacy on social web sites heading?

One of the advantages of working in the NYC area with its active startup scene is the opportunity to attend hi-tech gatherings and mingle with the startup elite. Earlier this week I caught up with Mark Weinstein, a privacy expert and entrepreneur, at TechCrunch Disrupt, a showcase for new tech offerings. Weinstein has been on a mission to put some real teeth into privacy agreements. With his own private message and document sharing service, he’s testing the theory that consumers will pay more for true online privacy.

The key idea is that subscribers should  own the data through easy-to-use functions to explicitly control access, make corrections, and delete data—“right to be forgotten”—as needed. In chatting with Weinstein and his CTO, it seemed that his service comes very close to meeting the ultimate privacy standard—the EU’s stricter Data Protection Directive. He’s also a believer in a consumer privacy bill of rights—though he feels this will come from a free market solution rather than government rules.

In any case, while I may differ with him on that last point we both agreed that true ownership of data is important and worth paying some extra money.

Image Credit: GeographBot

The post Path’s Debacle Sheds Light on Children’s Privacy Online appeared first on The Metadata Era | Varonis.

The complete list of HIPAA’s PIIs is enumerated in the law’s Safe Harbor guidelines. In plain-speak, these guidelines tell health IT administrators what information is considered private, requiring special authorization to view or process. It includes the aforementioned identifiers, as well as medical record numbers, health insurance IDs, and some others. By the way, we’ve conveniently put this PII list in our omnibus data protection compliance whitepaper.

An unstated assumption made by many is that PII only lives in structured formats—in other words, fields in a database. Readers of this blog of course know that PIIs are often likely to be harvested from the massive amounts of human generated dark data found on corporate files servers.

The HIPAA regulators have understood this as well. In clarifying the rules for removing PII —“de-identifying”—data for publication and general usage, they explicitly cover the possibility that PII can also reside in free-form text. I’ve excerpted the key paragraph from their de-identification best practices below :

PHI [protected health information] may exist in different types of data in a multitude of forms and formats in a covered entity.  This data may reside in highly structured database tables, such as billing records. Yet, it may also be stored in a wide range of documents with less structure and written in natural language, such as discharge summaries, progress notes, and laboratory test interpretations … The de-identification standard makes no distinction between data entered into standardized fields and information entered as free text (i.e., structured and unstructured text)— an identifier listed in the Safe Harbor standard must be removed regardless of its location.

Got that? PHI, which is essentially PII along with other sensitive medical information, embedded in spreadsheets, docs, and presentations is just as worthy of HIPAA privacy protections as fields in databases.

So if we follow these ideas—PIIs can be anything that reasonably links to an individual, and this data can exist in text—to their logical conclusion, then we need to consider a new possibility. Suppose this sentence from a doctor’s notes were uploaded to a file server:

The patient, a technical content specialist at Varonis, a software company, has been complaining about tennis elbow.

The natural question to ask is whether “technical content specialist at Varonis” is a PII?

It’s not a PII in the sense of a uniquely coded key such as social security number or health insurance ID that links back to a person. But in another sense, it acts very much like PII. Don’t believe me? Try typing that phrase into Google and see what comes up.

We’re really talking more about the meaning of the text—or as experts would say, the semantic value—rather than actual letters, numbers, and other syntax. But HIPAA’s Safe Harbor rule even takes this into account: it specifically notes that the “knowledge” in free text can also be used to point back to a person.

As a practical matter, the HIPAA rules mean that any reference to a patient’s job title and company is a violation of the law’s privacy protections.

This leads to a broader discussion on what’s called the “semantic web”. In brief, Google and a few others are already doing leading edge work on extracting meaning and knowledge from web content. You can see for yourself how well Google does this by entering the keywords “height of the empire state building” in a search. You’ll get back an actual answer, 1454’, in addition to all the docs with that exact phrase.

The larger point is that along with stealing PIIs, hackers and cyber thieves are also getting better at mining and interpreting human generated text for personal details, and then building more convincing fake identities to be used in social attacks, such as phishing and pretexting.

Bottom line: these bits and pieces of personal information that are scattered across file servers in clear-text documents can be used to identify an individual with very high likelihood.

That’s important to keep in mind when someone in your company asks, “do we know what’s in our files and the risks involved if our servers are breached?”

The post Personally Identifiable Information Hides in Dark Data appeared first on The Metadata Era | Varonis.

As in past DBIRs, hacking and malware again make it into the top threat categories, and the difficulty level of the hack-craft employed is still very primitive. This is a polite way of saying that vanilla password cracking—guessing or re-using credentials—is by far the most popular way to pass through the security gate. According to Verizon, this particular type of attack accounted for four out of five breaches involving  hacked data.

The solution is, in Verizon’s words, “to overthrow single-factor passwords” with a new king, two-factor authentication. Varonis is also hoping that TFA will gain the throne.

There are some encouraging signs, however. In our just-published Privacy Survey, over 47% told us they use multi-factor authentication for their personal email accounts. If this trend can carry over to corporate email and intranet access, then we may finally see a dip in these low-skill, but still very effective, password-based hacks.  It’s a stat will check again next year.

Another critical point made by Verizon is that companies must think beyond prevention, and come up with a second line of defense involving rapid discovery and response. Prevention is still important, but no security barrier is hack-proof.

They note that for most breaches the lag between the initial hack and the first action is far too long: 67% of incidents take several months to be discovered.  And perhaps even more dispiriting is that companies more often than not—about 70% of the time—find out about breaches through their customers and third parties (law enforcement, government agencies) instead of their own IT departments.

The obvious (and depressing) brick-and-mortar analogy?  A jewelry store owner puts a toy lock on the door, fails to install an alarm system, and then waits for a customer to say that the diamond ring she was interested in is not in its case anymore.

I’ll end this post with a link to the SANS Institute’s security controls, which were mentioned in the DBIR and which we also recommend as well. The Account Monitoring Control is a good starting point in any breach mitigation program.

The principle in account tracking and auditing is simple to state, but practically impossible to implement efficiently with standard techniques: monitor who is accessing file data and alert administrators as soon as unusual patterns of behavior are detected, likely indicating a breach-in-progress.

And by the way, I just happen to know of software that efficiently handles this problem.

Image credit: Paligari

The post The State of the Breach appeared first on The Metadata Era | Varonis.

In a new study conducted by Varonis, 91% of respondents say they trust businesses to keep their data safe despite a rise in breaches that now affects nine out of ten companies. In addition to expecting absolute security from service providers, the survey shows that 53% of consumers would be willing to pay a premium for organizations that reliably protect their data.

At the same time, consumer online habits have room for improvement. Though almost three out of four password protect their mobile phones, an alarmingly high 67% say they send unencrypted personal information in their emails.

Download the full report to learn how consumers deal with security and privacy challenges in their digital lives.

Enjoy, share, embed our infographic:

Embed this infographic on your own site

Copy and paste the code below into your blog post or web page:

The post Varonis Privacy and Trust Report appeared first on The Metadata Era | Varonis.

Fate has finally intervened.

With the EU Commission’s complaint against Google’s privacy policies reaching a conclusion, I now have a teachable moment to convince the naysayers that this stuff is serious business.

When Google changed its privacy terms in early 2012, the fine print was also being looked at by EU regulators. Google may have thought it was making it easier for consumers with a single policy covering all its web services, but others felt a bit differently. The Article 29 Working Party is in charge of advising the EU Commission on their data security and privacy rules, which are contained in the Data Protection Directive or DPD. In late 2012, they filed a complaint against Google, and addressed a letter to Mr. Page.

In so many words, the Article 29 folks said the search engine company had not done enough to follow DPD rules on consumer privacy.

Security experts, compliance gurus, CIOs, and other interested players would normally have to get the real story about this intersection of legal and tech in niche publications or in the back pages of certain business sections, or perhaps in a blog of a major data governance player. Since this is Google, and it appears that the EU is willing to go to the mat on this one—in other words, there will be fines—the story is now moving up in importance and appearing more prominently in business sections of main-stream publications.

You can read from the regulator’s report to learn about the long list of Google’s privacy shortcomings, which are conveniently bold-faced. I offer a few of their choice phrases: “no valid consent”, “incomplete or approximate information”, and “retention periods must be appropriate in regards to the purpose.”

Whoa! The EU—technically the individual national data protection authorities led by France’s CNIL— will fine a major American online service provider over their …  data retention policy?

Of course, having data retention policies and procedures —what to keep, what to archive—in place is just IT common sense. But you’re probably thinking that just because an organization doesn’t have explicit data retention or migration plans doesn’t mean it has broken the law.

Actually, it’s not only the EU that takes this IT procedure seriously. Data retention limits also show up in the US’s HIPAA rules for personal health data and in some financial data security regulations. But usually the limits—measured in years—are the amount of time an electronic document must be kept.

The EU, though, views data collection and retention with a goal of “data minimization” in mind: companies should store the minimum amount of personal data and limit the duration to what “must be appropriate in regards to the purpose”. That’s essentially the language of the DPD law. In other words, you just can’t keep personal consumer data unless there’s a legitimate business reason, you have to say what that reason is, and you have to say how long you’re going to keep it.

According to France’s CNIL, Google has to this date refused to provide any information about its data retention policies after being requested to do so.

And the EU Commission has been very clear that there will be consequences for not following its rules. How bad could the fines be for violating, either willfully or negligently, the DPD? The head of the Commission is suggesting they could run as high as 2% of global sales.

Last year Google earned revenues of over $45 billion. You do the math on what it means for not taking data compliance regulations seriously.

Image credit: Dschwen

The post EU to Google: We Really Mean it About Data Retention Limits appeared first on The Metadata Era | Varonis.

In an excellent blog post, Gartner research director Anton Chuvakin poses the question: is an Excel spreadsheet full of credit card numbers on a poorly permissioned internal file share considered a data breach?

Many information security pros and even some DLP vendors would answer “no” because the risk of data loss is implied, not actual.  But I think that is an overly optimistic stance.  To me, this is equivalent to saying, “I know there’s a hole in my roof, but it hasn’t rained in a month, so it’s only an implied risk.”

Anton astutely points out that, in every large organization, you can bet your mortgage on there being unauthorized access to your environment, facilitated by any number of factors including, but not limited to: subpar authentication, BYOD, infected endpoints, or an Active Directory that looks like a rats nest.

Chuvakin says:

 ”The phenomenon of “internally lost data” is way more pervasive than most people think. I’d bet if you think that it is pretty pervasive, then it is EVEN MORE pervasive. Confidential, regulated and “merely” sensitive data on “all access” internal file shares, SharePoint boxes, team web servers, internal blogs, etc is literally all over the place.”

We can confirm this phenomenon as it’s one of the main reasons organizations evaluate Varonis.  We’ve written extensively on the Everyone Problem.  Trust us, this is actual risk.  So what do we do about it?

The Sniff → Scan Approach

Dr. Chuvakin talks about how well the Sniff → Scan approach has worked for some organizations: sniff the network to see what’s leaking and then scan your storage environment to figure out where that data lives:

“[Organizations] first saw *it* on the wire, got mad – and then got curious: just where exactly is it stored internally? “Oh, in 537 different places!”  Next they fought the battle for reducing the internal exposure and then – surprise! – the occurrences of that piece of data being seen on the wire decreased as well…”

The trouble with most DLP solutions that help with data discovery is that, once the data of interest is found, you’re on your own.  There’s no operator’s manual for reducing the exposure in a safe, methodical way without doing collateral damage to the business.  Once you’ve pinpointed where leaky data lives, wouldn’t you love to know: Who can access it? Who’s using it? Who is responsible/is the data owner? How to reduce access down to a least privilege model without cutting off people who need the data to do their jobs?

The only way to answer these questions is to combine other metadata streams with the classification information.  If you’re in the information security space, you’ll start to hear the term Context-Aware Data Loss Prevention, if you haven’t already.  Analysts have begun putting a lot of weight on the ability to determine the context of data and its usage in order to make intelligent decisions about protecting it.

Anton concludes:

“So, if you got [sic] a DLP tool, plan for using its discovery capabilities. Hit those shares, SharePoints, team servers, intranet web sites, etc, etc.  And, yes, you need a process, not just a tool!”

For an in-depth look at the Varonis process for preventing internal data loss, check out our operational plan blog series (which starts with data classification).  And if you’re interested to see how the Varonis Data Governance Suite brings context to DLP, let us show you!

Also, have a look at Anton Chuvakin’s blogs here and here.  He’s one of the most entertaining and prolific writers on data protection.

The post Internal Data Loss is Riskier Than You Think appeared first on The Metadata Era | Varonis.

With recent shifts in consumer data protection regulations and policies, both in the US and the EU, the stakes for not illuminating dark data have become even higher. For those new to the regulatory side of the fence, you can read about enhanced requirements for safeguarding patient medical data, and overall higher standards for personal data protections being asked of companies.

What risks and potential data sea monsters can one expect to find in a file system’s terra incognita? There are the known unknowns. This is essentially the personally identifiable  information (PII) and other sensitive data that hackers are looking to take. You can get a sense of the extent of this type of personal information hidden in file folders by examining one of this blog’s favorite resources: Verizon’s Data Breach Investigations Report (DBIR).

In their latest research based on data for 2011, the DBIR notes that credit card numbers were involved in 48% of all breaches, passwords and user names in 42%, social security numbers in 4%, and bank account numbers in 2%. These numbers shouldn’t come as too much of a surprise to anyone who follows the security scene, and if they do, you should start seriously exploring  your dark data.

I’ve also written about another type of threat in dark data, a kind of quasi personal-identifier, which doesn’t fit the standard definition of PII. The best known of this species is the combination of full birth date, zip code, and gender, which can be used to re-identify the consumer victim with very high likelihood.

Are there unknown unknowns in dark data?

Actually, there are. As hackers become cleverer in their ability to mine and correlate pieces of seemingly unrelated data, they’ll find new and exotic ways to link information back to individuals.

Recently, The New York Times profiled Carnegie Mellon University economist and privacy expert, Alessandro Acquisti. The article mentions one of Acquisti’s research projects, which proved it was possible to derive likely social security numbers from a photograph.

Long pause.

His technique involves two steps. In the first, he uses facial imaging software to connect a photo with a Facebook profile. This a re-identification hack that’s better understood, and even regulators have recently recognized the privacy issues involved with photo data.

The second step, though, is new to me and is based on work Acquisti has done in analyzing patterns in social security numbers. At a Black Hat conference back in 2009, he presented a paper that showed it was possible to predict these numbers based on just hometown and birth date.

So the photo image was used to find a Facebook or Linkedin account that had a face picture, and then using public information on the account profiles or from other on-line sources, he pulled out birth date and address information. Acquisti’s algorithms then generated likely social security numbers.

Acquisti has come up with a more technical name for these unknown unknowns, calling them personally predictable information or PPI. The larger point is that there are likely more PPIs out there than the ones Acquisti discovered.

As a general rule of thumb, though, files containing any information with location and dates, even without standard PII embedded, should be restricted.

By the way, do you know your file system’s data well enough to say that dates and addresses in customer records are protected from unauthorized users and are only viewed by those on an absolute need-to-know basis?  Just wondering.

The post Unknown Unknowns of the Dark Data Menace appeared first on The Metadata Era | Varonis.

 

BYOD, cloud computing and social media have a common thread – they all create data repositories that have been geared towards the non-IT consumer, where governance, management and retention have taken a backseat to ease of use.  With the introduction of these technologies into the enterprise, companies are obligated to develop backup, archiving, and classification strategies to ensure that relevant data is available in the event of litigation and a discovery request.

The Federal Rules of Civil Procedure state that the moment a company receives a legal hold request they must not dispose of data without having a clearly defined and demonstrable retention and disposal policy. These policies cannot be developed and implemented in the midst of litigation as an opposing  litigant could claim that destruction of data was intentional, resulting in damages and penalties awarded to the opposition.

In the article, eDiscovery Rules Applied to Social Media: What This Means in Practical Terms for Businesses, statistics show that the FRCP rules are being enforced— sanctions were ordered in 50% of the cases where sanctions were sought, with a few resulting in large monetary penalties. Needless to say, companies are compelled to comply.

While many companies have chosen the pack-rat approach – save and archive all of the data they manage, including customer data, personal data, etc., this approach is not practical due to ever increasing volumes of data, especially when considering the information generated by mobile devices and social media.

In the event that a company does need to develop a defined retention policy that takes these initiatives into account, their requirements should be part of a larger blueprint for securing their data, linking their retention strategies with governance and accessibility.  These 6 steps provide some basic guidelines:

1.  Determine the age at which each type of data that has not been accessed would be considered stale – 1 year?  2 years? 5 years?
2. Implement a solution that can identify where stale data is located based on actual usage (not just file timestamps)
3. Automate the classification of data based on content, activity, accessibility, data sensitivity and data owner involvement
4. Automatically archive or delete data that is meets your retention guidelines
5. Automatically migrate data that is stale but contains sensitive information to a secure folder or archive with access limited to only those people who need to have access (e.g. the General Counsel)
6. Make sure your solution can provide evidence (e.g. reports) of your defensible data retention and disposal policy

Image Credit: File Upload Bot (Magnus Manske)

The post Data Retention in the Social Media Era appeared first on The Metadata Era | Varonis.

What were the 3 key features PMI was looking for in a data protection solution?

Jan Billiet, Dir IS Security & Risk Management at Philip Morris International

The post 3 Key Features Philip Morris International was Looking for in a Data Protection Solution appeared first on The Metadata Era | Varonis.

Step 1: Take inventory of your data and confirm ownership

One of the first things data owners should do is review the data for which they are responsible; IT should provide them a report listing all the folders, SharePoint sites, etc. that they own. Owners should carefully review this report and confirm with IT that they are, in fact, the correct owners of this data. It is also important that they understand which, if any, of these folders contain sensitive data, which folders are open to other groups in the organization, and which teams they expect to collaborating with.

Once they have reviewed their data assets, they will be able to start governing and protecting their data effectively. In addition, they should determine if other users will need to be involved in the authorization process (delegated “authorizers” for specific folders), and coordinate with them on how access requests will be processed.

Step 2: Review permissions/users with access

Once they’ve confirmed ownership and they understand the types of data contained in these folders, the next step would be to perform an initial Entitlement Review.  These can either be done manually with IT provided lists of people to review, or with automated solutions, like Varonis DatAdvantage and DataPrivilege.

During an initial entitlement review, data owners will review which users have access to which data and make decisions about which users should be removed or added. Solutions that provide automated entitlement reviews, like DataPrivilege, automate this task end to end, providing actionable information to data owners, (e.g. recommendations based on access activity and cluster analysis) and effect changes to the appropriate ACL’s and groups without IT intervention.

It is important that this step be carefully performed, whether manual or automated, as this will be the first step in cleaning up excess access and ensuring that only the right people have access to data.

Step 3: Ensure all requests are processed for the appropriate reasons

Once owners have performed their initial review, they should now be in “maintenance mode” and ongoing data ownership activities shouldn’t take much time– they’ll mostly need to approve/decline access requests as they come up, either with an automated solution (like DataPrivilege) or through a manual process. As a best practice, every access request should ask the requestor to enter a reason for requesting access, either selected from a menu of legitimate reasons, or manually entered.

Data owners should consider access requests carefully, especially when the data they’re managing is sensitive:

• What data are they requesting access to?
• If I grant access, is there anything in that folder that they should treat as confidential?
• Should access be granted permanently, or temporarily?
• If access should be granted temporarily, how will we remember to revoke it? (Manual process or with automation like DataPrivilege)

Step 4: Do periodic entitlement reviews

On a regular basis—once a quarter, every 6 months, etc.—IT should require owners to complete an attestation, or entitlement review. This will ensure data owners review any changes or new recommendations made since their last review and ensure that organizational changes have not granted unwarranted access. Owners should have the option to specify where access should be restricted or stay the same, and a record of their decisions should be kept. Entitlement reviews help organizations efficiently maintain a least privilege model.

Step 5: Review access statistics on your data

If available, data owners should have the ability to access a dashboard which includes permissions and access activity relevant to their data, as with DataPrivilege’s Self-Service Portal. Data owners can make better decisions if they are able to see who is accessing their data, which folders are most accessed, least accessed, or stale, and who is accessing folders that hold sensitive data.

Conclusion

While there are a lot more details on data ownership, we hope this list provides a starting point for Data Owners on how to govern their data effectively. For more information you can visit our collection of blogs on data ownership or download our whitepapers from our resource center.

Image credit: Electron

The post 5 Steps to Get Data Owners Started appeared first on The Metadata Era | Varonis.

Why? Because we know you’re busy putting out fires and answering 2am phone calls about downed servers and lost emails. You probably don’t have time to wade through 500 pages of HITECH rules trying to figure out what, if anything, applies to you. So, we put together a thoroughly crafted whitepaper covering the essentials of data protection legislation.

Grab it today…it’s free!

The post The Essential Guide to US Data Protection Compliance and Regulations appeared first on The Metadata Era | Varonis.

We’re extremely honored to have been named for Best Big Data Solution in this year’s CODiE Awards alongside great companies like Metamarkets and Tableau.

We consider the Varonis analytics and recommendations engine to be one of the most actionable, value-producing solutions for human generated big data available.  Without the need for Hadoop clusters or data scientists, the Varonis Metadata Framework monitors unstructured data activity, content, and permissions and uses sophisticated analytics to generate actionable intelligence—where data is at risk, how excess permissions can be safely eliminated via recommendations and simulation, and where statistically aberrant user activity should be examined.

A major contributing factor to Varonis’ success, especially within large enterprises, is the ability to horizontally scale out our deployments on commodity hardware.

This nomination is a testament to the hard work of our engineering and product development teams.  Their relentless pursuit to innovate is unmatched.

To learn more about the Metadata Framework, watch this quick video:

The post Varonis Named 2013 CODiE Finalist for Big Data appeared first on The Metadata Era | Varonis.

I started to think that we hadn’t really considered file syncing from space as a requirement for DatAnywhere ,and that astronauts need to collaborate, too, but then I realized this was a well-crafted April fool’s day prank by Google.

Check it out:

The post Astronauts Passing Time Browsing the Web appeared first on The Metadata Era | Varonis.