
In this age of heightened security awareness, most companies take care to protect their databases, Web sites, data transmissions, financial applications and so forth. The one area of their IT infrastructure they tend to forget, however, is the oldest data repository of all, the file server.
"Year-on-year, an increasing amount of sensitive enterprise data gets written to unsecured and unmonitored file servers," says Hedley Hurwitz, MD of Magix Security. "These unstructured file stores largely comprise shared folders on Windows and Linux file servers and other network attached storage devices that are unwatched and poorly managed, if at all."
File servers are usually populated by anyone, and people store anything on them, from sensitive spreadsheets, salary and tax calculations and strategy plans to jokes, personal pictures and the like. More importantly, these documents are usually forgotten and left idle for years, available to any sufficiently curious snooper and taking up lots of unnecessary space.
"There are tools available to manage file servers, to control who puts what, where and when, as well as who has access to it," notes Hurwitz. "While many people think this is overkill, the tendency to store important information on file servers, where it can be backed up and is easily accessible, will always be attractive to people worried about losing important documents, and even those looking for freely available storage. As such, it should be treated equally to other information stores, such as databases, in protecting information from unauthorised eyes."
Exchanging convenience for security
A similar situation exists with Exchange. "Microsoft Exchange is a business-critical application and has become the primary communication tool in many organisations," says Hurwitz. "Users can add almost any content to their e-mails, from simple, non-sensitive documents through to files that contain sensitive information."
Regular auditing and security assessments in the Exchange environment are necessary to ensure it remains healthy, secure and compliant. Constant monitoring will alert administrators when an employee tries to send sensitive information out of the company. It is equally imperative to monitor administrative changes to the environment, such as when someone temporarily grants themselves rights to another person's e-mail.
Securing corporate data does not have to be a dramatic process, but can be automated to ensure sensitive information is protected and access is only granted to authorised users. Leaving gaps in your security profile, such as through file or mail servers, is a careless oversight that could put information and the directors responsible for governance and compliance at risk.