A Practical Guide to Effective Data Governance

WHITE PAPER A Practical Guide to Effective Data Governance


© 2011 Quest Software, Inc.

ALL RIGHTS RESERVED.

This document contains proprietary information protected by copyright. No part of this document may be reproduced or transmitted in any form or by any means, electronic or mechanical, including photocopying and recording, for any purpose without the written permission of Quest Software, Inc. (“Quest”).

The information in this document is provided in connection with Quest products. No license, express or implied, by estoppel or otherwise, to any intellectual property right is granted by this document or in connection with the sale of Quest products. EXCEPT AS SET FORTH IN QUEST'S TERMS AND CONDITIONS AS SPECIFIED IN THE LICENSE AGREEMENT FOR THIS PRODUCT, QUEST ASSUMES NO LIABILITY WHATSOEVER AND DISCLAIMS ANY EXPRESS, IMPLIED OR STATUTORY WARRANTY RELATING TO ITS PRODUCTS INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTY OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, OR NON-INFRINGEMENT. IN NO EVENT SHALL QUEST BE LIABLE FOR ANY DIRECT, INDIRECT, CONSEQUENTIAL, PUNITIVE, SPECIAL OR INCIDENTAL DAMAGES (INCLUDING, WITHOUT LIMITATION, DAMAGES FOR LOSS OF PROFITS, BUSINESS INTERRUPTION OR LOSS OF INFORMATION) ARISING OUT OF THE USE OR INABILITY TO USE THIS DOCUMENT, EVEN IF QUEST HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. Quest makes no representations or warranties with respect to the accuracy or completeness of the contents of this document and reserves the right to make changes to specifications and product descriptions at any time without notice. Quest does not make any commitment to update the information contained in this document.

If you have any questions regarding your potential use of this material, contact:

Quest Software, Inc.

Attn: Legal Department

5 Polaris Way

Aliso Viejo, CA 92656

www.quest.com

email: [email protected]

Refer to our Web site for regional and international office information.

Trademarks

Quest, Quest Software, the Quest Software logo, AccessManager, ActiveRoles, Aelita, Akonix, AppAssure, Benchmark Factory, Big Brother, BridgeAccess, BridgeAutoEscalate, BridgeSearch, BridgeTrak, BusinessInsight, ChangeAuditor, ChangeManager, Defender, DeployDirector, Desktop Authority, DirectoryAnalyzer, DirectoryTroubleshooter, DS Analyzer, DS Expert, Foglight, GPOADmin, Help Desk Authority, Imceda, IntelliProfile, InTrust, Invirtus, iToken, I/Watch, JClass, Jint, JProbe, LeccoTech, LiteSpeed, LiveReorg, LogADmin, MessageStats, Monosphere, MultSess, NBSpool, NetBase, NetControl, Npulse, NetPro, PassGo, PerformaSure, Point,Click,Done!, PowerGUI, Quest Central, Quest vToolkit, Quest vWorkSpace, ReportADmin, RestoreADmin, ScriptLogic, Security Lifecycle Map, SelfServiceADmin, SharePlex, Sitraka, SmartAlarm, Spotlight, SQL Navigator, SQL Watch, SQLab, Stat, StealthCollect, Storage Horizon, Tag and Follow, Toad, T.O.A.D., Toad World, vAutomator, vControl, vConverter, vFoglight, vOptimizer, vRanger, Vintela, Virtual DBA, VizionCore, Vizioncore vAutomation Suite, Vizioncore vBackup, Vizioncore vEssentials, Vizioncore vMigrator, Vizioncore vReplicator, WebDefender, Webthority, Xaffire, and XRT are trademarks and registered trademarks of Quest Software, Inc in the United States of America and other countries. Other trademarks and registered trademarks used in this guide are property of their respective owners.


Contents

Abstract
Introduction
Business Goals for Data Governance
Challenges in Implementing Better Data Governance
  Keeping Track of Permissions
  Deciding Who Should Have Access to What
  Getting from Where You Are to Where You Need to Be
Techniques for Achieving Better Data Governance
  Find Out What You Have
  Identify Data Owners
  Group Servers for Consistency
  Summary
Access Manager 2.0: Data Governance for the Real World
  Get from Where You Are to Where You Need to Be
  Document Current Permissions
  Simplify Your Groups
  Identify Resource Owners
  Group File Servers
  Track Resource Activity, Automate Access Management Tasks and More
  For More Information
Conclusion


Abstract

This white paper details the key challenges that keep organizations from properly managing the access rights to resources, discusses the techniques required to implement and maintain effective data governance and explains how Quest Access Manager can help you get from your current, chaotic environment to an efficient, centralized model of access management.


Introduction

Data governance—that is, properly managing the access rights on resources throughout your organization—is something that IT consultants and analysts love to talk about. After all, who wouldn't want an environment that offers better access controls with less overhead?

Actually achieving better governance is another story. Given the relatively unmanaged state offered by native file server security controls, inventorying your permissions, figuring out who owns them and implementing better controls can seem like an uphill battle. But there's no need for that to be the case: New tools and techniques are emerging that offer the exact capabilities you need. Learning what they offer and how to use them can put you on the path to actually practicing better data governance, instead of just reading about it.


Business Goals for Data Governance

When we speak of data governance, what exactly do we mean? Generally speaking, the idea is to gain better control over who owns and uses the various resources in the enterprise. For this discussion, we’ll focus on unstructured data on file servers. While there’s absolutely a need to manage data stored in databases, mail servers, and so on, each of those represents a unique set of techniques and challenges. Unstructured data on file servers, being so generally accessible by an entire organization, presents a special set of challenges.

The main business goals for better data governance tend to break down into three major areas:

• Finding out what’s in place. Organizations have historically had a rather laid-back approach to data governance, in large part because the (relatively primitive) native security controls haven’t offered any other option. Moving forward, a critical first step is to find out exactly what’s in place to begin with.
• Minimizing IT’s role as gatekeeper. Because the IT team has historically been the only group of people who could modify resource access permissions, they’ve been thrust into the role of deciding who permissions are given to. That’s inappropriate, since IT rarely has the information needed to properly govern access to resources. While IT may continue to be responsible for implementing access controls, moving forward we need to remove them from the role of actually governing, and instead put that burden on the people within the organization who actually own the data.
• Improving consistency. Inconsistent application of permissions and inconsistent configuration of file servers are leading contributors to downtime, lost productivity, security breaches and more. Organizations seek to create a single, consistently configured and consistently governed environment that provides users with access to exactly the resources they need—no more and no less. An example would be a merger that brings in another directory and permission system very similar to the existing one.

While these business goals are straightforward, their implementation and realization can be anything but. Decades of limited manageability and weak native operating system tools have brought organizations to a difficult place in terms of moving forward and improving their data governance. In fact, some organizations look at what they’ve got, throw up their hands and assume nothing can be done.


Challenges in Implementing Better Data Governance

Keeping Track of Permissions

A key challenge in improving data governance is that, quite simply, we don’t know what we’ve got. Windows makes it very difficult to manage file and folder permissions, and most organizations end up with a hodge-podge of permission strategies, creating an inconsistent and impossible-to-manage environment that seems beyond the point of recovery.

A key part of the problem is the fact that Windows stores permissions on a per-resource basis, meaning that each file and folder can have its own unique permission set. While it’s true that permissions can be inherited from parent folders, that inheritance combines with, but does not replace, individually-assigned permissions on a given file. Discovering what permissions are in place requires an administrator to look at every single file, typically through a manual, dialog-based interface that is incredibly inefficient. Discovering what access a given user has is completely impractical, since doing so would involve manually examining every file and every folder on every file server.

Most organizations start out with the right idea, following Microsoft guidelines that permissions be assigned only to user groups. Users can then be placed into groups to give them access to resources. As the organization continues, new groups are constantly created to accommodate new security needs. Because it’s impractical to actually see what permissions a given group has or to constantly maintain encyclopedic documentation of those permissions, administrators invariably end up creating groups that have significant, if not complete, overlap in their permissions needs. Given the ability to nest groups within groups, it’s even impractical to figure out what groups a given user belongs to.

Then things get even worse. A user calls with an urgent need to access some particular folder, and a less-skilled IT team member solves the problem by simply granting direct access to the user’s account. Now, in addition to too many groups, you’re starting to get directly assigned permissions that are even more difficult to document and maintain.

Deciding Who Should Have Access to What

Throughout this process, IT tends to be the main gatekeeper of permissions. The IT team realizes that some resources are sensitive, and they try to maintain some idea of who should be approving each access request, but that process is generally dependent upon them knowing (and remembering) who to call for each resource. Start thinking about how many files your organization keeps, and how many people might need to be contacted to see if an access request should be approved. Asking IT to keep that information in their heads is like asking them all to compete on Jeopardy—and to all win big money doing so. It’s an incredible amount of information, and it’s not surprising that few IT teams manage to do so with zero mistakes.

Of course, it only takes one mistake, on the right resource, for the organization to be exposed, leading to a data breach with potential losses. That’s why there has to be a better way.


Getting from Where You Are to Where You Need to Be

The problem is this: while there are certainly better ways of managing access to resources, getting from where you are today to that better way is incredibly difficult. You have to figure out what you’ve got, take IT a bit out of the loop from the governance angle, and somehow improve consistency. Vendors love to pitch solutions that offer a better way of managing access, but most are quiet when it comes to actually getting you there from your current state of affairs.


Techniques for Achieving Better Data Governance

Just as there are three broad business goals for better data governance, there are three broad techniques that we can adopt to overcome the historical challenges. These techniques are focused not just on better data governance, but on actually helping you to achieve better data governance, given your existing state of affairs.

Find Out What You Have

Begin by discovering what permissions you already have in place. This requires using tools, not manual effort. You’ll need tools that can do all of the following:

• Automatically scan all existing files and folders for permissions.
• Resolve nested group memberships to determine each user’s actual access permissions.
• Centralize the collected information into a centralized database.
• Compare group memberships to locate overlapping and redundant groups.
• Generate reports showing effective permissions on critical resources and total resources accessible by specific users and groups.
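
As an added illustration of the steps listed above (not code from Quest or Access Manager), the following Python example resolves nested groups, including circular nesting, merges direct and group grants into per-user effective access, and flags groups whose expanded memberships overlap. The group names, paths and allow-only rights model are constructed assumptions; real NTFS ACLs also carry deny entries and inheritance flags.

```python
from itertools import combinations

# Constructed sample data (not from any real directory).
# group -> direct members; a member may be a user or another group.
GROUPS = {
    "Finance-RW": {"alice", "bob", "Finance-Managers"},
    "Finance-Managers": {"carol", "Finance-Leads"},
    "Finance-Leads": {"carol", "Finance-Managers"},   # circular nesting
    "FinDept": {"alice", "bob", "carol"},             # same people as Finance-RW
    "HR-Read": {"dave"},
}
# (resource, principal, rights) rows as an ACL scan might record them.
# Assumption: allow-only entries, no deny ACEs or inheritance flags.
ACES = [
    (r"\\fs01\finance", "Finance-RW", {"read", "write"}),
    (r"\\fs01\finance\payroll", "Finance-Managers", {"read", "write"}),
    (r"\\fs01\finance\payroll", "dave", {"read"}),    # direct user grant
    (r"\\fs01\hr", "HR-Read", {"read"}),
]


def expand_members(group, groups, _seen=None):
    """Return every user reachable from `group` through nested groups."""
    seen = _seen if _seen is not None else set()
    if group in seen:              # already visited: breaks nesting loops
        return set()
    seen.add(group)
    users = set()
    for member in groups.get(group, ()):
        if member in groups:
            users |= expand_members(member, groups, seen)
        else:
            users.add(member)
    return users


def effective_access(aces, groups):
    """Map user -> {resource: rights}, merging direct and group grants."""
    access = {}
    for resource, principal, rights in aces:
        if principal in groups:
            users = expand_members(principal, groups)
        else:
            users = {principal}
        for user in users:
            access.setdefault(user, {}).setdefault(resource, set()).update(rights)
    return access


def direct_user_grants(aces, groups):
    """ACEs that name a user account instead of a group."""
    return [(res, who) for res, who, _ in aces if who not in groups]


def overlapping_groups(groups, threshold=0.8):
    """Group pairs whose expanded memberships have Jaccard overlap >= threshold."""
    expanded = {g: expand_members(g, groups) for g in groups}
    pairs = []
    for a, b in combinations(sorted(groups), 2):
        union = expanded[a] | expanded[b]
        if union:
            score = len(expanded[a] & expanded[b]) / len(union)
            if score >= threshold:
                pairs.append((a, b, round(score, 2)))
    return pairs
```
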

Identify Data Owners

Use statistical analysis to create a “best guess” at each resource’s owners or custodians:

• Analyze actual file usage as well as permissions. “Write” activity is a greater indicator of ownership than “read” activity, and so is frequency of use.
• Have “best guess” owners verify their data ownership or custodianship; if they aren’t the right person, they will probably know who is.
• Once resource ownership is established, have IT begin consulting with data owners before granting other users access to their data. IT is thereby removed from the “gatekeeper” role and takes over an implementation role.
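
An added example of the “best guess” ownership scoring described above (not Access Manager's algorithm): writes are weighted above reads, event counts capture frequency, and resources without a clear leader are marked ambiguous so that more than one person is asked. The weights, threshold, excluded service account and audit events are all assumptions constructed for illustration.

```python
from collections import defaultdict

# Assumed weights: the text only says writes indicate ownership more than reads.
WEIGHTS = {"write": 3.0, "read": 1.0}
# Hypothetical account whose bulk access says nothing about ownership.
EXCLUDED = {"svc-backup"}

# Constructed audit events: (resource, user, operation).
EVENTS = (
    [(r"\\fs01\finance\payroll", "carol", "write")] * 12
    + [(r"\\fs01\finance\payroll", "carol", "read")] * 20
    + [(r"\\fs01\finance\payroll", "alice", "read")] * 40
    + [(r"\\fs01\finance\payroll", "svc-backup", "read")] * 500
    + [(r"\\fs01\shared", "alice", "write")] * 5
    + [(r"\\fs01\shared", "bob", "write")] * 4
    + [(r"\\fs01\shared", "bob", "read")] * 3
)


def score_resources(events, weights=WEIGHTS, excluded=EXCLUDED):
    """Sum weighted activity per resource and user, skipping excluded accounts."""
    scores = defaultdict(lambda: defaultdict(float))
    for resource, user, op in events:
        if user in excluded or op not in weights:
            continue
        scores[resource][user] += weights[op]
    return scores


def best_guess_owners(events, min_share=0.55):
    """Return {resource: (candidate, share_of_weighted_activity, status)}.

    "ask-to-confirm": one user clearly dominates; ask that user to verify.
    "ambiguous": no clear leader; ask the top users who the owner is.
    Either way a person confirms the result, as the text requires.
    """
    result = {}
    for resource, by_user in score_resources(events).items():
        total = sum(by_user.values())
        # Highest score first; ties broken by name for a stable report.
        ranked = sorted(by_user.items(), key=lambda kv: (-kv[1], kv[0]))
        user, score = ranked[0]
        share = round(score / total, 2)
        status = "ask-to-confirm" if share >= min_share else "ambiguous"
        result[resource] = (user, share, status)
    return result
```

In the sample data alice generates more events on the payroll folder than carol, but carol's writes put her ahead; the shared folder ends in a tie and is reported as ambiguous.
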

Group Servers for Consistency

Establish a way to manage servers in groups:

• Create centralized configuration policies that are automatically pushed out to servers.
• Configure servers by group, rather than individually.
• Reduce overhead while increasing consistency and reducing human error.


Summary

The goal is to move to a system where access permissions are not managed directly on files and folders, but where governance actually takes place in a centralized location. Software automation then translates the centrally-defined permissions into the file and folder permissions that Windows needs, essentially creating an abstraction layer between the business level of governance and the underlying technical implementation.

Tools that implement and enable these techniques exist today, and they’re your best bet for moving from an inconsistently-managed, chaotic access control environment to a better-managed form of data governance that meets your evolving business needs.


Access Manager 2.0: Data Governance for the Real World

Get from Where You Are to Where You Need to Be

Quest Access Manager 2.0 is designed to not only provide centralized resource access management, but to help you move to that centralized model from your current, chaotic environment.

Document Current Permissions

Access Manager starts with a comprehensive scan of your existing resources, simply documenting what you have and pulling that information into a centralized database. Then you can use numerous pre-defined reports (or create your own custom reports) to clearly document your existing environment and provide direction for improvement. For example, being able to clearly compare group memberships, including indirect (nested) membership, as shown in Figure 1, can help identify overlapping groups, users who have excessive or insufficient permissions and so forth.

Figure 1. Access Manager report showing direct and indirect group membership of users


Simplify Your Groups

With these reports, your IT team can begin using centralized management tools to reduce the number of groups in the environment, combining and pruning as necessary to ease management and to authoritatively document who has access to what.

Identify Resource Owners

Statistical analysis of not only permissions, but also actual access patterns, can help identify data owners and custodians. By identifying these individuals and groups, you can begin removing IT from the “gatekeeper” role and letting actual business data owners decide who should have access to their data.

Figure 2. Access Manager report showing likely owners of resources

Group File Servers

Finally, Access Manager 2.0 provides the ability to group file servers for management purposes. Access Manager itself can then be used to initiate top-level configuration changes, automatically pushing those changes out to specified server groups for a more consistent, secure and error-free environment.

Track Resource Activity, Automate Access Management Tasks and More

Access Manager 2.0 provides many other capabilities, including the ability to track and report on all resource activity. This opens the door for improved access auditing, forensic investigation in the event of a data breach, and so forth. Access Manager also provides Windows PowerShell integration, enabling administrators to more easily automate key access management tasks.

For More Information

For more information about Quest Access Manager, visit www.quest.com/access-manager.


Conclusion

Achieving the goals of data governance—knowing who has access to what, ensuring that resource owners control the granting of access permissions and ensuring consistent application of permissions and server configuration—can seem impossible. But with the right tools, you can have the consistently configured and consistently governed environment you need and want. Quest Access Manager helps you understand your current access permissions, simplify your groups, identify resource owners, group file servers for better management and more.


About Quest Software, Inc.

Quest Software (Nasdaq: QSFT) simplifies and reduces the cost of managing IT for more than 100,000 customers worldwide. Our innovative solutions make solving the toughest IT management problems easier, enabling customers to save time and money across physical, virtual and cloud environments. For more information about Quest solutions for application management, database management, Windows management, virtualization management and IT management, go to www.quest.com.

Contacting Quest Software

PHONE 800.306.9329 (United States and Canada)

If you are located outside North America, you can find your local office information on our Web site.

EMAIL [email protected]

MAIL Quest Software, Inc.

World Headquarters

5 Polaris Way

Aliso Viejo, CA 92656

USA

Contacting Quest Support

Quest Support is available to customers who have a trial version of a Quest product or who have purchased a commercial version and have a valid maintenance contract.

Quest Support provides around-the-clock coverage with SupportLink, our Web self-service. Visit SupportLink at https://support.quest.com.

SupportLink gives users of Quest Software products the ability to:

• Search Quest’s online Knowledgebase

• Download the latest releases, documentation and patches for Quest products

• Log support cases

• Manage existing support cases

View the Global Support Guide for a detailed explanation of support programs, online services, contact information and policies and procedures.

© 2011 Quest Software, Inc. ALL RIGHTS RESERVED.

Quest, Quest Software, the Quest Software logo are registered trademarks of Quest Software, Inc. in the U.S.A. and/or other countries. All other trademarks and registered trademarks are property of their respective owners. WPW_PracticalGuideEffectiveDataGov_US_EC_20110520