There is a fun little question-asking technique called the 5 Whys. It was developed by Sakichi Toyoda at Toyota to determine the root cause — and the fix — of any given problem in the manufacturing process. The technique has since been borrowed by coders, sysadmins and executives alike. Let’s say a CIO just learned that a data breach occurred in which 50,000 sensitive files were stolen from the company. Below is the 5 Whys exercise that this exec worked out:
Problem: 50,000 files were stolen.
Why? The files were accessible to everyone in the company, even guests.
Why? The folder’s access control list was configured incorrectly.
Why? Chuck the intern configured that file server in 2007 and it hasn’t been reviewed since.
Why? We don’t have a process to review file system permissions.
Why? Because manually reviewing every folder’s ACL for problems is like searching for a needle in a haystack . . . and THERE’S ONLY THREE OF US AND A THOUSAND FILE SERVERS! SHEESH!
See, behind every technical problem is usually a human problem!
On the surface, the fictional incident above looks purely technical: an ACL was configured incorrectly. The value of the 5 Whys technique is that it pushes us past that symptom to the underlying cause: there was no entitlement review policy at all.
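The fifth Why above is the practical obstacle: nobody reviews folder ACLs because doing it by hand across many servers is a haystack search. The script below is an added example (not from the original post or any Varonis product) of the kind of scripted sweep that turns that review into a routine report: it walks the folders under each share root and records every Allow entry granted to a broad, well-known principal such as Everyone or Guests. The UNC path in $Roots, the report file name and the $BroadPrincipals list are assumptions to adapt to your environment.

```powershell
# Added example: report folders whose ACLs grant access to broad, well-known
# principals. $Roots, $Report and $BroadPrincipals are placeholders/assumptions.
param(
    [string[]]$Roots  = @('\\FILESERVER01\Shares'),   # placeholder UNC share root(s)
    [string]$Report   = '.\broad-acl-report.csv'
)

# Groups whose presence in an Allow ACE usually means "anyone on the network can read this".
$BroadPrincipals = @(
    'Everyone',
    'BUILTIN\Guests',
    'NT AUTHORITY\Authenticated Users',
    'BUILTIN\Users'
)

$findings = foreach ($root in $Roots) {
    # -Directory restricts the walk to folders; access errors on individual
    # folders are skipped so one locked-down path does not abort the sweep.
    Get-ChildItem -Path $root -Directory -Recurse -ErrorAction SilentlyContinue | ForEach-Object {
        $folder = $_
        try { $acl = Get-Acl -LiteralPath $folder.FullName } catch { return }
        foreach ($ace in $acl.Access) {
            $id = $ace.IdentityReference.Value
            # Only Allow entries for broad principals are findings. Inherited entries
            # are included but marked, so the reviewer can fix the parent folder once.
            if ($ace.AccessControlType -eq 'Allow' -and $BroadPrincipals -contains $id) {
                [pscustomobject]@{
                    Folder      = $folder.FullName
                    Principal   = $id
                    Rights      = $ace.FileSystemRights.ToString()
                    Inherited   = $ace.IsInherited
                    Owner       = $acl.Owner
                    LastWritten = $folder.LastWriteTime
                }
            }
        }
    }
}

$findings | Sort-Object Folder | Export-Csv -Path $Report -NoTypeInformation
"{0} broad-access entries written to {1}" -f @($findings).Count, $Report
```

Run it on a schedule from an account with read access to the shares, and the CSV becomes the input to a recurring entitlement review rather than a one-off hunt.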
We hope this post has started you thinking about your entitlement procedures.
Varonis DatAdvantage and DataPrivilege improve your company’s breach mitigation solutions by automating the entitlement review and permissions audit process.