Tracking Data Use
Print Issue: December 2011
A LITTLE OVER A YEAR AGO, those in charge of the IT network for Allen County, Ohio, faced a challenge. As the number of people accessing the network steadily increased, IT began to fear lapses in data control. For example, IT could not tell which users had accessed or changed specific documents. IT became concerned that, in a county government, this lack of transparency could lead to information leaks or internal sabotage.
To address the security of the county’s data networks, IT professionals in two different departments worked together to bolster the internal control process. They developed an access rights program by establishing a baseline of appropriate employee access to information and deploying technology to track that access on a daily basis.
Isaac Dunifon, head of the communication technology department for the IT staff in the Allen County Sheriff’s Office, explains that the county wanted to both control access rights and to track any changes in the system. These two features would help the county address a number of data security concerns.
“Privacy issues and government regulations are both concerns, but the biggest issue is liability,” says Dunifon.
With that in mind, the first step was to address administrative rights, which would help create controls and establish audit trails.
A primary part of the new program was being able to determine who released specific information and why. For example, Dunifon notes that the county auditor’s office stores financial data. Most of this data is a matter of public record and is accessible upon request. However, to obtain that information, someone must file a public records request. This request allows IT to track how and when that data gets released to the public. But if someone within the organization accessed that information without a public records request, that person could print it or put it on the Internet, and the county would have no way of knowing who did it.
Another concern was adjusting employee access rights when staff moved among departments. For example, it would be important to immediately terminate access to financial records if someone transferred out of a position where those rights were appropriate. To ensure that rights were altered under the old system, the heads of each department would have to submit the change to IT, which would then change that individual’s access rights. If either department head neglected to do this, the employee would maintain rights to data in both departments. IT needed a way to easily tell whether one employee had rights to multiple departments and to change those rights.
Yet another concern was that IT could not track administrative rights that were granted temporarily. For example, a newly hired 911 dispatcher might find that he or she did not have access to the documents needed to do the job. The dispatcher would contact IT, which would give the dispatcher administrative access rights temporarily. “The plan would be to go back, rescind those rights, and correct the original access rights to give that employee the necessary tools,” explains Dunifon. “However, sometimes those changes would not be made…. We wanted a way to quickly access and determine who has administrative rights at any given moment and why.”
With these goals in mind, IT set out to find a product that could help the organization manage access to its network. IT needed a Windows-based product that could help it control access to files and data on the network. It needed to be able to control permissions and change them on the network at any time.
Because data and personnel are in constant flux, IT needed a product that could give it access information in real time. This would allow IT to monitor the network and determine which employees were accessing data and whether they had the right to do so. By tracking such information, IT would greatly improve the auditing process as well.
With these criteria in mind, IT started looking for products in the fall of 2009. There were several options to choose from, but IT found two that met all of the county’s requirements. Ultimately, says Dunifon, the county went with a software product from NetVision of American Fork, Utah.
Though cost is always an issue, it was not the deciding factor, says Dunifon. “During the demo stage and when I was going over the features, I was struck by the knowledge level of NetVision,” he says.
NetVision also could preconfigure the system so that it would meet the county’s needs. That alleviated Dunifon’s concern that the system would need configuration on-site before it could be deployed.
The company was able to remotely enter the county’s system, get the information needed to configure the software, and show IT how to operate the system—all before deployment. “So, before NetVision shipped the product, they already had it tweaked for us, as it would actually work on our system.”
The county purchased the system in late 2009, and it was installed and operational by early 2010.
Once the software was installed, IT used it to establish an appropriate baseline for employee access rights. NetVision created a report of all county employees and a list of the information that each one was allowed to access.
IT also obtained lists according to a variety of criteria, including access rights based on directory accounts, status, group memberships, object types, and file access control lists. This allowed the team to cross reference the rights and ensure that they knew every type of data each employee had access to.
IT obtained these reports once a week for several weeks in a row. Then, IT contacted the head of each department and obtained written confirmation of the types of data to which each employee should have access. The team also reviewed county rules on data access issued by the county’s Data Processing Board. (The board consists of nine elected officials and makes recommendations to the various departments about security and data access rights.) The team wanted to make sure that the board’s intentions matched what departments were doing. “Our goal was to maintain a uniform policy across the entire county network,” says Dunifon.
All members of the IT department then sat down with this information and compared the access rights to the rules and regulations. According to Dunifon, the team spent weeks going through the reports with a highlighter determining whether the rights were assigned appropriately.
With this baseline in hand, the team modified each employee’s rights where necessary. They then programmed the software to notify IT automatically when those rights were changed or when attempts were made to access information without authorization.
The next step was for the IT team to implement real-time monitoring to track changes. NetVision installed client software on each of the county’s servers, and it set that software to monitor the servers in real time to see what rights were being changed and who changed them. Specifically, the system watches for activity such as new account creations, new document creation, account changes, file system changes, and file property changes.
Through the monitoring, IT can stay in compliance between audits. The team can also generate alerts or initiate remediation tasks when an event is flagged by the software.
The live monitoring of files is critical to controlling risk exposure, according to Dunifon. But file access need not necessarily be employee wrongdoing, he notes. “There may be a glitch in the system, making some files available that should not be.” Regardless, the important factor is that “when any files are compromised, we can be notified,” he says.
To establish a system of checks and balances, the IT administrator gets an e-mail every time the software detects a change. However, the whole IT team gets regular e-mail updates as well. “With this system, IT personnel can monitor the administrator,” says Dunifon.
The live monitoring feature has already proved its worth. Within months of deploying the NetVision software, the network was hit by malware for the first time in the county’s history. The virus was recreating files at a rate of 2,000 a day and was spreading rapidly through the network. Because the software was set to send an alert when a certain number of new files were created during a specific time period, the IT team all received warning e-mails.
The team then used the NetVision software to see where the files were being created so the damage could be mitigated. “Before NetVision, it may have taken us days to discover this, instead we knew in hours,” says Dunifon.
IT set up a 50-inch television screen and projected the NetVision reports onto it. IT then watched the reports live, tracked the movement of the virus, and tried to save the data. “We didn’t lose anything,” says Dunifon. “That is the return on the investment. How do you pin a value to that?”