We have a security/compliance audit that we are preparing for and since we deal with financial institutions, one of the potential flags mentioned was how we track/monitor files that are transferred between our Production and Non-Production environments.
We run a Windows shop. Our IT dept. (the Domain Admins) have access to both our PROD and Non-Prod (Corporate) domains. When builds or files need to be pushed to production, IT is required to perform any file transfers.
To satisfy this requirement we were asked to look at a number of DLP solutions which are turning out to be relatively costly.
We have also explored potentially requiring the IT team to use some sort of FTP or Managed File Transfer system in order to move files between the environments, but that just seems cumbersome.
Are there any other potential solutions we can explore here? The main requirement is that we have some sort of TRACKING or LOGGING of any files copied between the environments. Aside from doing a giant "DIFF" of the environments at the end of each day, not sure what we can do.
There are many ways to track file movement between systems and environments. However, this is not really a technology product situation. This is a business process and information security situation. Even if you buy a really expensive DLP, you need the policies, processes, and audits to make it meaningful. (See my closing note.)
Rather than waste a bunch of time and money researching shiny things to spend money on, I suggest you check out the Information Security Stack Exchange site to get more guidance on this topic.
Once you have a good grasp on the goals of a good segregation of dev, test, and ops environments and "separation of duties" you will likely recognize that the technical problems are not that hard. They sure don't sound hard for what you have described.
I would recommend:
Then you can go buy the shiny if it makes number 3 easier/faster/more cost effective.
< rant > An initial response of "let's buy something to satisfy an audit requirement" is almost always a long term business or security FAIL. It drives the compliance part of the IT industry, but it won't help you much with actual security and will probably cost you more in the long run.
You wouldn't be able to track a file from one server to another, but with Windows auditing you can see the access action on the source server and the creation action on the destination server.
Enable 'Object Access' auditing in the server's 'Advanced Security Audit Policy Settings', then apply Full Auditing on the folder structure you're monitoring. This will log to the Windows Security Event log.
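As an added example (not part of the answer above), the following PowerShell enables the File System subcategory of Object Access auditing, applies a full-audit SACL to a monitored folder, and reduces the resulting 4663 events to who touched which file, how, and from which process. The folder path is a placeholder; it assumes an elevated session on each server (run it on both the source and the destination so the read on one side can be matched to the write on the other).

```powershell
# Added example (not from the original answer). Run elevated on BOTH the
# source and the destination server; $Folder is a placeholder path.
$Folder = 'D:\Releases'   # placeholder: the folder structure being monitored

# 1. Enable the Object Access -> File System subcategory (success and failure).
auditpol.exe /set /subcategory:"File System" /success:enable /failure:enable

# 2. Add a SACL entry so every access by any principal is audited and
#    inherited by all subfolders and files.
$acl  = Get-Acl -Path $Folder -Audit
$rule = New-Object System.Security.AccessControl.FileSystemAuditRule(
    'Everyone',
    [System.Security.AccessControl.FileSystemRights]::FullControl,
    [System.Security.AccessControl.InheritanceFlags]'ContainerInherit,ObjectInherit',
    [System.Security.AccessControl.PropagationFlags]::None,
    [System.Security.AccessControl.AuditFlags]'Success,Failure')
$acl.AddAuditRule($rule)
Set-Acl -Path $Folder -AclObject $acl

# 3. Pull the resulting 4663 ("An attempt was made to access an object")
#    events for the last 24 hours and reduce them to who/what/how.
$since  = (Get-Date).AddDays(-1)
$events = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4663; StartTime = $since } `
                       -ErrorAction SilentlyContinue

$events | ForEach-Object {
    $x = [xml]$_.ToXml()
    $d = @{}
    foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
    [pscustomobject]@{
        Time    = $_.TimeCreated
        User    = "$($d.SubjectDomainName)\$($d.SubjectUserName)"
        Object  = $d.ObjectName
        Access  = $d.AccessMask     # 0x1 = ReadData (source side), 0x2 = WriteData (destination side)
        Process = $d.ProcessName
    }
} | Where-Object { $_.Object -like "$Folder*" } |
  Sort-Object Time | Format-Table -AutoSize
```

Matching a ReadData entry on the PROD-side source with a WriteData entry for the same user and file name on the destination a few seconds later is what gives you the per-file transfer record the audit is asking for, without a DLP product.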