Using Varonis: Involving Data Owners – Part II

February 13, 2013

(This is one entry in a series of posts about the Varonis Operational Plan – a clear path to data governance.  You can find the whole series here.)

If your doctor said “Your blood pressure is 120/95” would that mean anything to you?  Even if you could interpret that data as symptomatic of stage 1 high blood pressure, would it be actionable?  A helpful doctor would not only help you understand your vital stats, she’d also empower you to make informed decisions about your health.

Likewise, not only should we deliver targeted reports to data owners, we should ensure that the information is actionable and provokes intelligent, data-driven decisions.

The next step in the Operational Plan is to help owners make informed decisions about who should have access to their data, and make sure they’re decisions can be executed without bogging anyone down in paperwork. With DataPrivilege we can do exactly that.

Entitlement Reviews

One of the first actions data owners can take is to re-certify access to their data through an attestation, or entitlement review. At a high level, the owner will review the list of users who have access, and users who probably shouldn’t have access to their data, make any appropriate changes, and then commit those changes to file systems or directory services. What has typically been a very manual and time-intensive (for IT) task can be completely automated with DataPrivilege, the internal web-based interface into the Varonis Metadata Framework.

Once configured, DataPrivilege Entitlement Reviews offer automatic, web-based forms delivered on a regular basis that show data owners exactly who has access to their data, highlighting any users that DatAdvantage recommends for removal based on its automated analysis. These recommendations show owners those users who have likely moved on to other roles, left the company, or were added by mistake.  Varonis’ recommendation engine is like the doctor withextremely trustworthy advice on how to immediately improve your health.

These entitlement reviews can be set up for data sets—reviewing the users with access to a specific folder or share—and/or for security groups or mail-enabled distribution lists. This means an organization is able to effectively shift the burden for access reviews for all data to its rightful owner, as well as leverage the same system for application and other group reviews.

Authorization Workflow

While entitlement reviews are key to correcting and maintaining access controls, it’s also important to involve owners at the “point of sale,” when access is initially requested by a user. Traditionally, access control approval has often come from the manager of the requesting user, a group owner that may or may not be aware of what data that group grants access to, or IT rather than the actual Data Owner. This is a problem, since that’s not usually the person who has the best context to make good access control decisions.  To continue our metaphor—it’s like allowing the pharmacy decide which medicine we should take.

DataPrivilege changes this model by offering an authorization workflow that puts decisions into the hands of owners and their designated delegates. A big part of operationalizing DataPrivilege is transitioning this approval process from IT to the end users and owners themselves. It can mean significant operational resource gains for IT as well as a higher level of service and data protection.

Self-Service Portal

The last thing I want to mention about DataPrivilege is the Self-Service Portal, which allows Data Owners to get information and make decisions on-demand. The DataPrivilege portal lets owners see—at any time—information about their data, including permissions, log information and statistics.

We’ve found that many of our customers have seen impressive results once they deploy the portal to their users. If you give owners information about their assets and the ability to make decisions, they tend to use it. The Self-Service Portal is another way IT can shift the management burden to owners themselves.

Empowering owners to implement policy is a great first step, but Data Privilege also offers the ability to automate a lot of this work. The next step in the Varonis Operational Plan involves setting up and deploying automatic rules. Stay tuned!

Related articles

Leave a Comment » | Application Hosting, Marketing, Retail IT Solutions | Tagged: , , , , , , , | Permalink
Posted by david ricketts

Using Varonis: Involving Data Owners (Part I)

January 2, 2013

(This one entry in a series of posts about the Varonis Operational Plan – a clear path to data governance.  You can find the whole series here.)

Almost every organization is now data driven. With all the talk about data growth and big data analytics over the past couple of years, people have started to ask: “How do we maximize the value of our data? How can we make sure we’re deriving real business benefit?”

The keys to maximizing the value of our data are to gather the right intelligence about it, and then give the right people the ability to take action using the intelligence you’ve gathered.

Now that we know who our Data Owners are, it’s time to start getting them involved. Remember that it’s the owners—not IT—that have adequate context to make decisions about who should and shouldn’t have access to their assets.

The next step in operationalizing Varonis is to provide owners intelligence about their data assets.  DatAdvantage can deliver data-driven reports that shed light on what is happening with their data: who can access it, what they’re doing with it, which data is stale, etc. These reports greatly simplify and optimize reporting by delivering reports to all owners which contain information aboutonly the data they own.

An Example

Say you’ve spent a few weeks identifying and confirming business owners for all of the top-level folders on a large NAS (or two, or three…). Depending on the size of the company, this might be a few dozen or a few thousand people. One of the most common next steps is to provide permissions reports on all of these data sets to the relevant owners. So the HR owner gets a report on all of the users who have access to the HR folder, for instance. It’s the same with Finance, Marketing, R&D, etc. In the past, you would have to create and deliver a separate report for each owner, which depending on the complexity of your reporting process might be an onerous undertaking all by itself. DatAdvantage gives you a far better alternative.

In DatAdvantage, to accomplish the same thing, you’d only need to create a single report, and all owners would get permissions reports once a quarter (or however often you like). Create the report, include the proper filters and formatting, and then set up a data-driven subscription to be delivered on the first day of the first month of the quarter. That’s it you’re done.

Every quarter, every data owner is going to get that report in their inbox, and the report will contain information about only the data that they own—they won’t see anything that doesn’t belong to them. As you add and change owners over time, the subscription will continue to work without intervention. If my job role changes and suddenly I’m the owner of additional folders, my permissions report will show those as well. If I’m no longer an owner, my report won’t contain information about what I no longer own.

Permissions reporting is a great use case for data driven reports, and it’s not the only one. Reports that show actual access can be useful, too.  What if every data owner could see exactly who on their team was accessing data most? What about those people who weren’t accessing any? Or people from outside their team bumbling around?  Who creates content? Showing owners what data is stale or which folders are growing the fastest can help give them understanding of how their using resources. Providing owners intelligence about where their sensitive data is, where it’s exposed, and who has been accessing it lead to informed decisions about how they can reduce risk.

Once you’ve started putting intelligence into the hands of your owners, the next step is to give them the power to take action without bugging IT. We’ll cover that next.

Related articles

2 Comments | Application Hosting, Managed Service Hosting, Marketing | Tagged: , , , , , , , , , , , , , | Permalink
Posted by david ricketts

Using Varonis: Who Owns What?

December 13, 2012

(This one entry in a series of posts about the Varonis Operational Plan – a clear path to data governance.  You can find the whole series here.)

All organizational data needs an owner. It’s that simple, right? I think most of us would be hard pressed to argue against that as a principle—the data itself is an organizational asset, so of course it’s not the Help Desk or AD Admin folks who own it, it’s the users or business units that should own it. Of course, that’s great in theory, but with 1, 5, 10, or even 20 years’ worth of shared, unstructured data, figuring out who owns data is far from simple, let alone involving those owners in any meaningful way.

Before we get into using Varonis to locate owners, I want to talk about why finding a single data owner can be such a problem. IT probably knows who owns the Finance folder.  It’s the CFO or a delegated steward. Same with HR, Marketing or Legal—these tend to be clearly-delineated departmental shares and it’s not hard to figure out whom to go to if we need an informed decision. (Regularly involving those owners in data governance is a different problem, and one I will cover in future posts.)  The identification for these folders is relatively straightforward.

But what happens if you need to find the owner of a folder that has a less obvious name? What if the folder’s name is a project ID, or an acronym of some kind? In my experience, a majority of unstructured data resides in folders that aren’t obviously owned by anyone.

What IT tends to do then is a few different things:

  • Check the ACL and see which groups have access. If it’s a single group with an obvious owner, that’s a likely candidate. If the ACL contains many different groups or a global access group like Domain Users, though, this tactic tends to fail.
  • Check the Windows owner under Special Permissions. This metadata can be helpful, but can also be a red herring since it’s often just set to the local Administrator of the server. Even if there’s actually a human user there (who likely created the folder), that value may be outdated or inaccurate.
Special Permissions Dialog
  • Check the owner of files within the folder. Same problems as above.
File Properties Dialog
  • Enable operating system auditing to identify the most active user. Anyone out there excited about turning on file level auditing in Windows? I have yet to talk to anyone who answers yes to this question because of the performance hit on the server as well as the storage required and expertise to parse the logs effectively.
  • Turn off access and see who complains. Not an optimal strategy when it comes to critical data.
  • Email the world and hope for a response. In general, people don’t want to take ownership of something without good reason, since it may mean more work. How confident are you that the proper owners (who may be at a management or director level) are going to know exactly which data sets their teams are using regularly? If they’re not sure, are they going to jump to take responsibility?

So finding owners is hard, let alone finding owners at scale. If you’ve got thousands of unique ACLs and you want owners for all of them (or at least the ones that make sense) you’re going to have to go through some version of this process for each one. It’s no wonder we haven’t done a good job of this over time. Thankfully, there’s a better way.

Step 4: Identify Data Owners

The key difference between attempting to solve this problem manually and attacking it intelligently with Varonis is the DatAdvantage audit trail. A normalized, continuous, non-intrusive audit record of all data access is a key piece of DatAdvantage, and it allows us to actually identify data owners at scale without having to hunt and peck. Once you start gathering usage data and rolling it up into high level stats you can start to see the likely owners of any data set, not just the obvious ones.

DatAdvantage gives you two straightforward ways to get this information: First, we can quickly take a look at a high-level view of a single folder within the Statistics pane of the DatAdvantage GUI. This will show us the most active users of a particular folder. We like to say that at most, you’re one phone call away, since if the most active user isn’t the data owner, they almost certainly know who is.

You can operationalize this process even further by creating a statistics report, which can be run on an entire tree or even a server. A single report can show the top users of every unique ACL, and it’s possible to set up advanced filters to make this even more useful—showing only users outside of IT or in a specific OU, for example. You can even add additional properties from AD to the report, showing each user’s department or line manager, if available. None of this is possible without constantly gathering access activity and providing an interface to combine it with other available metadata.

Identifying owners is useful, but actually involving them is where IT can really start to make headway when it comes to ongoing governance. We’ll tackle that next.

Leave a Comment » | Application Hosting, Managed Service Hosting, Retail IT Solutions | Tagged: , , , , , , , , , | Permalink
Posted by david ricketts

Oops, we lost a few terabytes! NBD!

December 11, 2012

Earlier this week, Swiss intelligence agency (NBD) warned US and UK counterparts that they might have lost terabytes of top secret data due to insider theft by a disgruntled IT admin.  Reminds me of this xckd:

Chain of Command

We emphasize insider threats and the importance of zero trust all the time at Varonis.  Yes, it’s extremely important to secure the perimeter walls and use data loss prevention to protect endpoints.  But perimeter defense is far more straightforward, if nothing else, than defending against those who appear to be on your team – Kingslayers.

Inside jobs happen over and over again because they’re so hard to stop. According to a Forrester survey in 2010 [1], 43% of data breaches were caused by “trusted” insiders.  Just a few months ago, I wrote about the Zynga employee who, upon leaving the company, felt compelled to take 763 documents—including business plans and other IP—along with him.

So what do we do about it?  The answer is actually in Varonis’ mission statement: we ensure that that only the right users have access to the right data at all times from any device, all use is monitored, abuse is flagged.

Where do you stand in the battle against insider threats?

Are you alerted when statistical deviations in file system and email activity occur?

We jokingly call this our early resignation detection system since, sometimes, when someone is about to resign, they copy everything they’ve ever worked on.  But the alerting system in DatAdvantage was primarily designed to detect suspicious and potentially harmful behavior.

Are you alerted any time someone is granted admin-level access?

One of the top use cases for DatAdvantage for Directory Services is to always know exactly when someone is given super user rights, who granted it, when, and why.  And perhaps even more importantly, we can see what they’re doing with that access.

Do you know when IT administrators can, and do, access business data?

There’s likely no good reason for an IT admin to be rifling through customer records, changing the contents of business data, or deleting files without justification.  If you can say for certain that this isn’t even possible, you’ll be able to prevent a situation like NBD’s.  Incidentally, one of the core reasons businesses cite for not wanting to move corporate data to the cloud is that they lack visibility into what the cloud provider’s IT admin are doing with their sensitive business data at any point in time.

If you’d like a free data protection assessment to find out if your environment is at risk, sign up here.

[1] Source:Forrester, Forrsights Security Survey, Q3 2010

Related articles

Leave a Comment » | Application Hosting, Managed Service Hosting, Marketing | Tagged: , , , , , , , , | Permalink
Posted by david ricketts

Using Varonis: Which Data Needs Owners?

December 6, 2012

(This one entry in a series of posts about the Varonis Operational Plan – a clear path to data governance.  You can find the whole series here.)

Which Data Needs Owners?

In a single terabyte of data there are typically around 50,000 folders or containers, about 5% of which have unique permissions. If IT were to set a goal of assigning an owner for every unique ACL, they’d need to locate owners for 2,500 folders. That’s quite daunting. And most organizations aren’t dealing with a single terabyte of data; in fact, many enterprise installations we encounter are dealing with multiple petabytes of unstructured data. Clearly we need a more surgical approach to assign owners.

Varonis tackled this problem with a longtime customer who needed to identify and assign owners for more than 200 terabytes of CIFS data on their fleet of NetApp filers. There were about 40,000 users in the company, approximately 3,000 of which (as it turned out) needed to be as designated owners for some data.

When we started taking a close look at specific folders, we discovered that many of them (especially at the top of the hierarchy) simply didn’t need an owner; the only users who could read or write data, according to the ACL, were either services accounts or administrative/IT.

What we needed was a methodology for locating the folders where business users had access and a way to identify the likely owner for just those folders. So that’s what we built.

The logic went like this:

  • Identify the topmost unique ACL in a tree where business users have access.
  • If that ACL’s permissions allow write access to users outside of IT, it’s considered a “demarcation point.”
  • For what’s left, identify higher-level demarcation points where non-IT users can only read data.
  • For each demarcation point, identify the most active users
  • Correlate active users with other metadata, such as department name, payroll code, managed by, etc.

The end result of this process is that each demarcation point has a likely ownership candidate. For this particular customer, the next step was to go through a survey process to confirm ownership of each demarcation point with the likely owners (as determined by Varonis’ reports). Any data without a confirmed owner was locked down to remove non-IT access and underwent a separate disposition process.

Other customers have since added content classification and other risk factors in order to better prioritize the data ownership assignment process. With a good classification scheme in place, IT is able to start assigning owners to the most critical data first.

The key takeaway from this process is we can use DatAdvantage to quickly identify the folders that need owners as well as likely owners, so IT doesn’t need to make decisions about 2500 folders per terabyte of data.

While this report was a originally a customization for one customer, we’ve now baked it right into DatAdvantage as report 12M – Recommended Base Folders.

Now that we know who our owners are, the next step is to start getting them involved. My next few posts will cover exactly how we do this using both DatAdvantage and DataPrivilege.

Stay tuned!

2 Comments | Managed Service Hosting, Marketing, Retail IT Solutions | Tagged: , , , , , , , , , , | Permalink
Posted by david ricketts

Using Varonis: Fixing the Biggest Problems

November 26, 2012

Now that we have a pretty good idea where the highest-risk data is, the question naturally turns to reducing that risk. Fixing permissions problems on Windows, SharePoint or Exchange has always been a significant operational challenge. I’ve been in plenty of situations as an admin where I know something is broken—a SharePoint site open to Authenticated Users for instance—but I’ve felt powerless to actually address the problem since any permissions change carries the risk of denying access to a user (or process) who needs it. Mistakes can have significant business impact depending on whose access you broke and on what data. Since we’re defining “at-risk” as being valuable data that’s over-exposed, that means that any accessibility problems we create will impact valuable data, and that can create more problems than we started with.

Step 3: Remediate High-Risk Data

The goal is to reduce risk by reducing permissions for those users or processes that don’t require access to the data in question.

The next step in the Varonis Operational Plan is fixing those high-risk access control issues that we’ve identified: data open to global access groups as well as concentrations of sensitive information open to either global groups or groups with many users. Since simply reducing access without any context can cause problems, we need to leverage metadata and automation through DatAdvantage.

Let’s tackle global access first. When everyone can access data, it’s very difficult to know who among the large set of potential users actually needs that access. If we know exactly who’s touching the data, we can be surgical about reducing access without causing any headaches.

DatAdvantage analyzes the data’s audit record over time in conjunction with access controls, showing folders, SharePoint sites, and other repositories that are accessible by global access groups, and those users who have been accessing that data who wouldn’t have had access without a global access group. In effect, it’s doing an environment-wide simulation to answer the question, “What if I removed every global access group off every ACL tomorrow. Who would be affected?” This report gives you some key information:

  • Which data is open to global access groups
  • Which part of that data is being accessed by users who wouldn’t otherwise be able to access

And it’s not just global groups that DatAdvantage lets you do this with. Because every data touch by every user on every monitored server is logged, Varonis lets you do this kind of analysis for any user, in any group, on any file or folder. That means you can safely remediate access to all of the high-risk data without risking productivity. You can actually fix the problem without getting in anyone’s way.

The next step is to start shifting decision making from your IT staff to the people who actually should be making choices about who gets access to data: data owners.

Related articles

2 Comments | Application Hosting, Managed Service Hosting, Marketing | Tagged: , , , , , , , , , , | Permalink
Posted by david ricketts

Varonis Data Governance Suite 5.8: Faster, Leaner, Lower Cost

October 5, 2012

We’re extremely excited to announce the release of version 5.8 of the Varonis Data Governance Suite!

This release is packed with major architectural changes that not only increase performance, but also reduce your total cost of ownership and make managing your Varonis infrastructure faster and easier than ever.

What’s new?

Here are some of the key features in 5.8:

  • Collectors: New      component introduced for metadata collection that no longer requires      Microsoft SQL, resulting in better performance, easier deployment, and a      lower Total Cost of Ownership (TCO).
  • Management      Console and Scheduler: Single point to manage and control the      entire Varonis infrastructure, simplifying installation and monitoring.
  • Incremental      File Walk: Ability to incrementally scan/walk only the changed      permissions on the file system rather than the entire file system,      reducing system and network overhead and boosting overall efficiency.
  • Database      Separation: Support for SQL farms external to Varonis components,      increasing architecture flexibility and reducing total cost of ownership.
  • Auditing      Actions: full audit of activities within DatAdvantage increases      organizational security posture by providing immediate accountability for      administrators.
  • User      and Group Creation: Users and groups can be created and edited      from the DatAdvantage interface, increasing administrative functionality      and flexibility.

Our CEO and co-founder, Yaki Faitelson:

“We have changed the architecture of the product so that the people who already rely heavily on DatAdvantage to improve management and security for their unstructured data platforms can integrate it into their workflow even more seamlessly, while those new to the technology will benefit from the experience and input from those who have come before them.”

Related articles

1 Comment | Application Hosting, Managed Service Hosting, Marketing, Retail IT Solutions | Tagged: , , , , , , , | Permalink
Posted by david ricketts

Follow

Get every new post delivered to your Inbox.

Join 746 other followers