From a business perspective, distribution lists (DLs) for email communications are a powerful and well-understood concept in IT. And they are popular: Exchange admins have voted with their right-clicks, creating lots of these Active Directory objects in their corporate domains. DLs speed up overall collaboration and leverage the power of groups to answer questions, share and inspire ideas, and announce news. For a number of years, the Linux operating system was developed and maintained by submitting patches via a mailing list.

I’ve received quite a few questions from both new and experienced sysadmins about networked filesystems and file sharing protocols. One question that comes up frequently is “What is the difference between CIFS and SMB ?”

Cindy and I had the good fortune of attending part of the Real World Cryptography Workshop held last week in New York City. We went primarily to listen to Bruce Schneier discuss the implications of the Snowden documents. But we quickly learned from others sessions that there was an underlying context to this conference. Over the last year, cryptography and data security have been completely shaken by malware, and specifically advanced persistent threats or APTs, leading some to say or at least imply that cryptography is dead.

In our “Tips from the Pros” series, we’ll be the presenting interviews we’ve conducted with working IT professionals. These are the admins and managers responsible for security, access, and control of human-generated data—the fast growing digital element in organizations today. In this inaugural post, we spoke recently with one of our customers about managing large file shares and permissions.

One of the important points we make in our recently published Information Entry

Any seasoned IT pro will tell you: auditing file and email activity is hard. You’ve got a production Exchange or SharePoint server being pounded on relentlessly by users all day long and now you want to turn on auditing to capture crucial metadata, but you’re worried about taxing the box and running out of disk space storing all the audit data. Dilemma.

Unlike business application data, like a billing database or CRM system, or machine-generated data, such as the log files that servers generate, human-generated data is comprised of the emails, Word documents, spreadsheets, presentations, images, audio, and video files that we create and share with other people every day.

To my mind, HIPAA has the most sophisticated view of PII of all the US laws on the books. Their working definition encompasses vanilla identifiers: social security and credit card numbers, and all the other usual suspects. With the additional words “reasonable basis to believe that the information can be used to identify the individual”, HIPAA’s definition takes in digital handles such as emails, IP addresses and even facial imagery. But there’s a little more to HIPAA’s PII definition, and it applies specifically to free form text (commonly found in word processing documents, spreadsheets, presentations, etc.)

Personally identifiable information or PII is pretty intuitive. If you know someone’s phone, social security, or credit card number, you have a direct link to their identity. Hackers use these identifiers, along with a few more personal details, as keys to unlock data, steal identities, and ultimately take your money. In some of my recent blogging, I’ve referred to the blurring of lines between PII and non-PII data. Case in point: it’s been known for at least 10 years that there are specific pieces of data, which in isolation may appear anonymous, but when taken together they’re just as effective at identifying a person as traditional PII.

Biometric data is at the limits of what current personal data privacy laws consider worthy of protection. This type of identifier covers fingerprints, voiceprints, and facial images. While the risk factors are not nearly as threatening to consumers as more traditional PII, they do exist. Until recently, the dangers of biometric identification using DNA were more theoretical than real. That has suddenly changed. An article in The New York Times last month put a spotlight on research that proved the feasibility of identifying a person—getting a specific name and address—all from a DNA sequence posted online.

(This one entry in a series of posts about the Varonis Operational Plan – a clear path to data governance. You can find the whole series here.)