Why is File Access Management important?

SailPoint’s Chief Product Officer, Paul Trulove, shares his insights on the importance of file access management. 

Visit Identity for Data to learn more about why your storage and identity teams need to work together.

Video Transcript

Hannah Giles: Hello to our viewers at home. We are joined today by Paul Truelove our Chief Product Officer and today we’re going to be talking about File Access Management. I have a few questions for you Paul so thanks for joining us and sharing your knowledge. Yeah. So for my first question to you is, why is governing access to data stored in files so important for enterprise security and compliance programs.

Paul Trulove: This is a hot topic for a lot of organizations, particularly as the amount of data stored and files continues to increase exponentially. And in a lot of ways the super sensitive data that we use on a day to day basis ultimately ends up stored in files, not necessarily in a more structured system like a database. And the reality is if you don’t put good controls around who has access to that information, you’re really leaving the organization open to a lot of not only regulatory compliance issues, but more generally just bad security hygiene and so if you don’t include you know that that type of system, your file storage systems and your overall identity governance program you’re really leaving the organization wide open to, to major issues.

Hannah Giles: Okay. And so, in your opinion, would you say that most organizations are doing a good job with this or do you think that they still kind of have work to do.

Paul Trulove: I unfortunately, I think most organizations still have work to do. There are definitely some that have attacked this problem, you know, front and center. I think one of the, the reality is, though is most organizations tend to bifurcate the responsibility of governing access to file storage often to a storage team, not the identity team. And I think what we’ve seen you know, be very successful is when those two teams come together and really you know the storage team is there to inform identity about how the storage platforms work and the identity team is there to really collaborate and provide you know controls and security best practices for how people should be granted access how that access you know, should evolve over time as as people, you know, go through their normal lifecycle with the organization and can help put in the audit and compliance controls to really prove that the organization has control over the, the access to file storage systems and the files themselves.

Hannah Giles: Okay, so it sounds like many could use some work. So if they wanted to start this process, what would your recommendation be on how they govern access in this area? How would they get started?

Paul Trulove: So generally, we recommend a couple of things. Number one, really understand where you’re storing your, your critical sensitive data on your file storage platforms. And that’s not necessarily easy thing to do. You can’t just go interview the business and necessarily get all the right answers. So there’s, there’s some great tools that allow you to actually go out, scan, figure out where you’ve got sensitive data stored across the organization. You know, could be on a Windows file share, it could be something like box or Dropbox, but you really need to nail down, you know, what systems ultimately need to come into the purview of your identity management organization, you know, not, not organization but program. And then once you’ve done that you can begin to establish controls.

What one of the biggest challenges that we see with governing access to these kinds of environments is the fact that a lot of them are protected by Active Directory and you can get into some very complex effective access modeling challenges and so one of the things that you’re also likely going to be doing when you’re starting to really dig in and try to protect your file shares is untangling the, the mess that a lot of organizations have gotten themselves into, you know, as it relates to kind of a bad hygiene in their Active Directory environment. So you know, find the data, understand, you know how you are ultimately granting access to it and then go through your regular identity governance processes of, you know regular certifications of who has access to what, good preventive controls around people requesting access and the approval cycles.

And ultimately, you know, you’ll find that you can very easily integrate that into your broader identity program and apply, you know, basically the same paradigm, just to the the file storage environments that most people have been, been ignoring for, you know, really probably ever since they existed.

Hannah Giles: Wow, well you’ve given our viewers, something to think about then, a little action item there. That’s great information. And thank you for sharing it, and we look forward to hearing from you soon.

Paul Trulove: Absolutely. Thanks. Bye.