For many organizations, IT operations are driven by regulatory compliance requirements. Systems containing sensitive data must be secured and maintained in a way that adheres to the regulatory requirements. Industry-specific applications, such as Electronic Health Records systems, are commonly designed with regulatory compliance in mind. After all, the application vendor knows which industry will use the application and what the regulatory requirements are for that industry, and can therefore design the application to meet those requirements. However, maintaining regulatory compliance for general purpose IT systems tends to be far more challenging.
The problem with general purpose IT systems, such as file servers, is that they are not purpose built for a specific industry. As such, regulatory compliance probably wasn’t at the forefront of the design process. In fact, some of the most commonly used file servers were originally designed decades ago, and although they have evolved over time, the basic architecture predates any applicable regulations.
This can be a problem for IT pros working in regulated industries. Almost every organization uses file servers, so IT pros must work to ensure that file servers are configured, audited, and used in a way that will be acceptable to regulators.
Although each set of regulations has its own nuances, regulations generally require that IT resources such as file servers be secured, and that activities such as creating, modifying, reading, or deleting files be audited. Essentially, the IT department needs to be able to show regulators who has accessed the file server, when the access occurred, and what the user did.
Although file servers are typically equipped with basic security and logging capabilities, the native access control and auditing features may be inadequate from a regulatory standpoint. Organizations in regulated industries should consider a third-party solution such as the Lepide Auditor Suite.
As previously mentioned, regulatory requirements vary by industry. However, there are three main things that IT pros should look for in a file server auditing solution.
First, the solution should be able to examine and report on effective permissions for files and folders. It is important to be able to prove to auditors that only authorized users have access to sensitive data. An effective permissions report can track both assigned and inherited permissions for files and folders.
A second capability that is important to have in a file server auditing solution is the ability to track permissions changes over time. Regulations such as HIPAA require covered entities to be able to detect and correct security violations. In the case of a file server, this means (among other things) maintaining a historical report of changes to the assignment of permissions.
Finally, a file server auditing solution needs to provide a historical activity record. In other words, the software should report on file access, modification, creation, and deletion. It is also important for such a solution to report on file copy operations.
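To make the first two capabilities concrete, here is an added PowerShell example (not code from the article or from Lepide) that produces a basic effective-permissions report for a Windows file share, separating assigned from inherited entries, and then diffs it against the previous run to show permission changes over time. It assumes a Windows file server; the share path and snapshot folder are placeholders.

```powershell
# Added example: report explicit vs. inherited ACEs under a share and diff against
# the last snapshot. Assumes a Windows file server and read access to the paths.
param(
    [string]$Root = 'D:\Shares\Finance',      # assumed share root (placeholder)
    [string]$SnapshotDir = 'C:\AclSnapshots'  # assumed snapshot folder (placeholder)
)

function Get-AclReport {
    param([string]$Path)
    # Flatten every ACE on the root and each subfolder into one record per entry.
    $dirs = @(Get-Item -Path $Path) +
            @(Get-ChildItem -Path $Path -Recurse -Directory -ErrorAction SilentlyContinue)
    foreach ($dir in $dirs) {
        $acl = Get-Acl -Path $dir.FullName
        foreach ($ace in $acl.Access) {
            [pscustomobject]@{
                Path      = $dir.FullName
                Identity  = $ace.IdentityReference.Value
                Rights    = $ace.FileSystemRights.ToString()
                Type      = $ace.AccessControlType.ToString()  # Allow or Deny
                Inherited = $ace.IsInherited                    # assigned vs. inherited
            }
        }
    }
}

$report = @(Get-AclReport -Path $Root)

# Effective-permissions view: assigned (explicit) entries first, then inherited ones.
$report | Sort-Object Inherited, Path | Format-Table -AutoSize

# Flag broad Allow grants that an auditor would ask about.
$broad = $report | Where-Object {
    $_.Type -eq 'Allow' -and $_.Identity -match 'Everyone|Authenticated Users|Domain Users'
}
if ($broad) { Write-Warning 'Broad grants found:'; $broad | Format-Table -AutoSize }

# Change history: compare today's ACEs with the most recent snapshot, then save today's.
New-Item -ItemType Directory -Path $SnapshotDir -Force | Out-Null
$key = { "$($_.Path)|$($_.Identity)|$($_.Rights)|$($_.Type)" }
$previous = Get-ChildItem $SnapshotDir -Filter '*.json' | Sort-Object LastWriteTime | Select-Object -Last 1
if ($previous) {
    $old = @(Get-Content $previous.FullName -Raw | ConvertFrom-Json)
    Compare-Object -ReferenceObject @($old | ForEach-Object $key) -DifferenceObject @($report | ForEach-Object $key) |
        Select-Object @{n='Change'; e={ if ($_.SideIndicator -eq '=>') { 'Added' } else { 'Removed' } }}, InputObject
}
$stamp = Get-Date -Format 'yyyyMMdd-HHmmss'
$report | ConvertTo-Json -Depth 3 | Set-Content (Join-Path $SnapshotDir "acl-$stamp.json")
```

Run it on a schedule and the accumulated JSON snapshots become a simple historical record of permission assignments; a full auditing product adds the who and when for each change, which this report cannot recover from ACLs alone.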
File servers have always presented a challenge to those organizations that are subject to regulatory requirements. Although most file servers include basic security and auditing capabilities, these native capabilities are often inadequate from a regulatory standpoint, and a third-party solution may be necessary.
About the Author – Brien Posey is a freelance author, technical speaker and Microsoft MVP.