Real SMB IT – File Services

April 3, 2008

Every organization has one or more servers that are your electronic filing cabinets. All of those sales documents, spreadsheets, contracts, accounting files and other data are sitting on these servers.(hopefully getting properly backed up)

As an SMB manager, why should the following be of any interest to you? Plain and simple, the amount of time (therefor money) that is wasted in tracking down permissions errors, or setting up correct access for a new employee in a position as simple as a new receptionist is absolutely staggering.

Created correctly, this file server data is easy to maintain, simple to administer and will provide the correct security permissions to keep your data secure. Done incorrectly, the opposite is true, mistakes can leave a part time staffer with access to financial data, and adding a new employee and setting permissions to the data that they are permitted to access can take huge amounts of time.

The reason that many organizations have difficulty with this is our tendency to set up file servers using a business “functional” approach. For example, we create a storage area for FINANCE and another one for SALES, then LEGAL and on through the functional parts of the business. Then we put all documents related to these functional silos in their respective places. Finally we set security permissions so that only the accounting team has access to the FINANCE area, only the Executive team has access to contracts in the LEGAL area etc.

Here is where the problem will start, your Sales Manager needs access to one portion of the FINANCE area for sales forecasting information, so all of a sudden the FINANCE storage area has permissions to the accounting team, with one certain area with security permissions to the Sales Manager.Then a Human Resources Manager needs access to employment contracts in the LEGAL storage area, again another exception to the rules. Over time these types of exceptions leave the security and manageability of your documents and data very fragile. Fragile meaning easy to make mistakes in setting up the security permissions, and difficult to figure out why an individual cannot access something they should be able to access.

Rather than setting up these file servers using purely business functional breakdowns, I recommend reviewing your current data for common “security” breakdowns.

It can seem counter intuitive, but determining the security requirements of the data allows you to group data together that requires the same security configuration, and then use the security tools of your network to provide that security.

For example, one security category could be “Executive Only”. And in that Executive Only storage area could be the portions of FINANCE, LEGAL or SALES that are truly for members of the executive team.

A second security category could include both the Executive and Senior Management. Again, in this security area the portions of FINANCE, LEGAL or SALES that are for the Executive team plus the pieces that those Sales Managers or HR Managers need to see.

This continues right down to the bottom of the chain were you have permissions for all employees to access the least sensitive documents.

Because Microsoft is the 800 pound gorilla, I will assume that your network is based on Microsoft Active Directory. So we finish off this file system security configuration by ensuring that Windows Active Directory Security groups corresponding to the identified security groupings are made. an Active Directory Security Group of Executive exists; this security group is then granted permissions to the “Executive Only” file server root, automatically updating all required permissions, and so on through all of your security categories.

The benefits of this structure are;

1) As security is maintained at the shared Root directory, and corresponding Security Group, there is less risk of mistakes in applying security permissions to required data

2) As security groups are used rather than individual permissions, a new human resource requires that only the addition of the resource be added to the applicable security groups to automatically be granted all required permissions. This greatly reduces configuration and management time.

You can subscribe to this blog by clicking the RSS icon on the Home Page!

Advertisements

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s