Managing data access controls and permissions with Commvault® File Storage Optimization

By Matt Tyrer

So, what is entitlement management?

Sometimes simple changes can have a significant impact, especially when it comes to changes in Active Directory groups, permissions and even file ownership and access. Having the ability to filter and review who has access to what ensures that files containing sensitive, private, or business-critical data are only visible to those who need them. Entitlement management is a tool within Commvault File Storage Optimization that enables system and/or security administrators not only to audit user access permissions across on-premises and cloud data sources, but also to change those permissions when needed. This helps you proactively avoid accidental data leaks caused by incorrect access rights or controls, or simply swap ownership of a directory after a change in the organizational structure.


68% of organizations feel moderately to extremely vulnerable to insider attacks. (1)
–2020 Insider Threat Report, Cybersecurity Insiders

Why would you need it?

Quite simply, Entitlement Manager helps you to verify that the right people have access to the right files.  Or conversely, it provides a means of access control to prevent unwanted users from seeing or touching data they shouldn’t – whether unintentionally or maliciously.  Often these permission anomalies are the result of human error, but the growing risks to your data from insider threats require a more proactive approach to securing sensitive data.

As an IT or security administrator within your organization, part of your role is to validate that data files have the correct privileges associated with them. You often hear the example of the company payroll spreadsheet discovered with full control rights to “EVERYONE” (or 777 permissions for us UNIX/Linux folks), but I’m sure you can think of other private or sensitive data that doesn’t need to be seen by everyone. This is even more relevant to businesses with the continued evolution of global data privacy regulations and data governance policies. Having the wrong data exposed to the world can not only make headlines, but can also bring hefty fines and lawsuits and damage the company’s reputation.

What can Commvault Entitlement Manager do for you?

With Entitlement Manager, a part of Commvault File Storage Optimization, you can make sure that access to groups, distribution lists and sensitive business data is consistently reviewed by the right individuals. Following the Principle of Least Privilege (POLP), administrators can review and manage access controls and make (or reverse) changes through a fully auditable workflow and review process. This not only reduces the risks to the data but also supports company compliance and data governance initiatives.

With Entitlement Manager you can perform the following tasks:

  • Review Permissions: You can review permissions to determine who can access your data. You can also review the permissions that a user has inherited from the AD user groups.
  • Remediate Permissions: To protect sensitive data from loss, tampering and exposure, permissions must be assigned correctly. If access rights are incorrect, or more permissive than necessary without a good business reason, administrators can remediate them quickly.
    • Administrators can allow or deny:
      • Full control
      • Modify
      • Read & Execute
      • Read
      • Write
  • Audit Trail: Using the audit trail, you can see who is being granted access to, or removed from access to, files and folders. Review and remediation of the permissions are done by data owners or administrators. All permission changes made using the Entitlement dashboard are logged in the Entitlement audit trail, without the need for Windows operating system-level auditing. You can also use the audit trail to demonstrate adherence to governance policies.
  • Add Users: You can search for and add new users whose permissions you want to allow or deny.
  • Change Owners: You can change the owner of a specific set of files to another user.

Summary

With more scrutiny being placed on the security and privacy of our data, the need for managing and controlling who has access to that data is becoming more apparent. The Entitlement Manager tools within Commvault File Storage Optimization offer Commvault users the ability to quickly review, remediate and audit user permissions across data sets both on-premises and within multi-cloud environments.

Reference

1 https://www.cybersecurity-insiders.com/portfolio/2020-insider-threat-report-gurucul