Using Varonis: Who Owns What?

December 13, 2012

(This is one entry in a series of posts about the Varonis Operational Plan, a clear path to data governance. You can find the whole series here.)

All organizational data needs an owner. It’s that simple, right? I think most of us would be hard pressed to argue against that as a principle—the data itself is an organizational asset, so of course it’s not the Help Desk or AD Admin folks who own it, it’s the users or business units that should own it. Of course, that’s great in theory, but with 1, 5, 10, or even 20 years’ worth of shared, unstructured data, figuring out who owns data is far from simple, let alone involving those owners in any meaningful way.

Before we get into using Varonis to locate owners, I want to talk about why finding a single data owner can be such a problem. IT probably knows who owns the Finance folder.  It’s the CFO or a delegated steward. Same with HR, Marketing or Legal—these tend to be clearly-delineated departmental shares and it’s not hard to figure out whom to go to if we need an informed decision. (Regularly involving those owners in data governance is a different problem, and one I will cover in future posts.)  The identification for these folders is relatively straightforward.

But what happens if you need to find the owner of a folder that has a less obvious name? What if the folder’s name is a project ID, or an acronym of some kind? In my experience, a majority of unstructured data resides in folders that aren’t obviously owned by anyone.

What IT tends to do then is some combination of the following:

  • Check the ACL and see which groups have access. If it’s a single group with an obvious owner, that’s a likely candidate. If the ACL contains many different groups or a global access group like Domain Users, Authenticated Users or Everyone, though, this tactic tends to fail.
  • Check the Windows (NTFS) owner under Properties → Security → Advanced. This metadata can be helpful, but can also be a red herring since it’s often just the server’s local Administrators group, which is what Windows records whenever an admin created the folder. Even if there’s actually a human user there (who likely created the folder), that value may be outdated or inaccurate.
(Screenshot: Special Permissions dialog)
  • Check the owner of files within the folder. Same problems as above.
(Screenshot: File Properties dialog)
  • Enable operating-system auditing (Object Access auditing, with SACLs on the folders in question) to identify the most active user. Anyone out there excited about turning on file-level auditing in Windows? I have yet to talk to anyone who answers yes to this question, because of the performance hit on the server, the storage the Security log requires and the expertise needed to parse the events effectively.
  • Turn off access and see who complains. Not an optimal strategy when it comes to critical data.
  • Email the world and hope for a response. In general, people don’t want to take ownership of something without good reason, since it may mean more work. How confident are you that the proper owners (who may be at a management or director level) are going to know exactly which data sets their teams are using regularly? If they’re not sure, are they going to jump to take responsibility?
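The first three signals above (ACL grantees, NTFS owner, owners of the files inside) can at least be collected in one pass rather than folder by folder. The script below is an added example, not code from the original post or from Varonis: it walks a tree, keeps only folders that have their own explicit ACL entries (the "unique ACLs" the post talks about), and reports each signal while discarding the global groups and Administrators/SYSTEM owners that make those signals worthless. The list of global groups, the admin-owner list and the scratch folder it creates under %TEMP% are assumptions for illustration.

```powershell
# Added example, not code from the original post: collect the "manual" ownership signals
# (ACL grantees, NTFS owner, owners of the files inside) for every folder under a root that
# has its own explicit ACL. Group names and the scratch tree below are assumptions.

# Identities that say nothing about ownership: global access groups, and the principals that
# end up as NTFS owner whenever an administrator creates a folder.
$GlobalGroups = @('Everyone', 'NT AUTHORITY\Authenticated Users', 'BUILTIN\Users',
                  "$env:USERDOMAIN\Domain Users")
$AdminOwners  = @('BUILTIN\Administrators', 'NT AUTHORITY\SYSTEM')

function Get-OwnerCandidates {
    param([Parameter(Mandatory)][string]$Root)

    Get-ChildItem -LiteralPath $Root -Directory -Recurse -ErrorAction SilentlyContinue |
      ForEach-Object {
        $dir = $_
        $acl = Get-Acl -LiteralPath $dir.FullName
        # Only folders with explicit (non-inherited) entries are "unique ACLs" that need an owner.
        $explicit = @($acl.Access | Where-Object { -not $_.IsInherited })
        if ($explicit.Count -eq 0) { return }

        # Signal 1: who is granted access? One non-global grantee is a likely owner; many is noise.
        $grantees  = @($explicit | Where-Object { $_.AccessControlType -eq 'Allow' } |
                       ForEach-Object { $_.IdentityReference.Value } | Sort-Object -Unique)
        $nonGlobal = @($grantees | Where-Object { $GlobalGroups -notcontains $_ })

        # Signal 3: owners of the files inside, ignoring the Administrators/SYSTEM red herrings.
        $fileOwners = @(Get-ChildItem -LiteralPath $dir.FullName -File -Recurse -ErrorAction SilentlyContinue |
                        ForEach-Object { (Get-Acl -LiteralPath $_.FullName).Owner } |
                        Where-Object { $AdminOwners -notcontains $_ } |
                        Group-Object | Sort-Object Count -Descending)

        [pscustomobject]@{
            Folder         = $dir.FullName
            Grantees       = $grantees -join '; '
            HasGlobalGroup = [bool]($grantees | Where-Object { $GlobalGroups -contains $_ })
            AclCandidate   = if ($nonGlobal.Count -eq 1) { $nonGlobal[0] } else { $null }
            # Signal 2: the NTFS owner, unless it is the usual Administrators/SYSTEM placeholder.
            NtfsOwner      = if ($AdminOwners -contains $acl.Owner) { $null } else { $acl.Owner }
            TopFileOwner   = if ($fileOwners.Count -gt 0) { "$($fileOwners[0].Name) ($($fileOwners[0].Count) files)" } else { $null }
        }
      }
}

# Scratch tree so this runs stand-alone (assumes %TEMP% is writable; run as a normal user).
$scratch = Join-Path $env:TEMP 'owner-demo'
$project = Join-Path $scratch 'PRJ-4471'          # the kind of opaque folder name the post describes
New-Item -ItemType Directory -Force -Path "$project\drafts" | Out-Null
'placeholder' | Set-Content -LiteralPath "$project\drafts\spec.txt"

# Break inheritance on PRJ-4471 and grant exactly one human plus one global group.
$me  = "$env:USERDOMAIN\$env:USERNAME"
$acl = Get-Acl -LiteralPath $project
$acl.SetAccessRuleProtection($true, $false)         # explicit ACL only, drop inherited entries
foreach ($id in $me, 'BUILTIN\Users') {
    $acl.AddAccessRule((New-Object System.Security.AccessControl.FileSystemAccessRule(
        $id, 'Modify', 'ContainerInherit,ObjectInherit', 'None', 'Allow')))
}
Set-Acl -LiteralPath $project -AclObject $acl

# PRJ-4471 reports you as the single non-global grantee and (when not elevated) as NTFS and
# file owner; the drafts subfolder inherits everything and is skipped.
Get-OwnerCandidates -Root $scratch | Format-List
```

The point of the output is what it does not tell you: a folder whose only non-global grantee is absent, whose NTFS owner is Administrators and whose files are owned by a service account gets three nulls, which is exactly the case where the manual approach stalls and you are left with auditing or "email the world".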

So finding owners is hard, let alone finding owners at scale. If you’ve got thousands of unique ACLs and you want owners for all of them (or at least the ones that make sense) you’re going to have to go through some version of this process for each one. It’s no wonder we haven’t done a good job of this over time. Thankfully, there’s a better way.

Step 4: Identify Data Owners

The key difference between attempting to solve this problem manually and attacking it intelligently with Varonis is the DatAdvantage audit trail. A normalized, continuous, non-intrusive audit record of all data access is a key piece of DatAdvantage, and it allows us to actually identify data owners at scale without having to hunt and peck. Once you start gathering usage data and rolling it up into high level stats you can start to see the likely owners of any data set, not just the obvious ones.

DatAdvantage gives you two straightforward ways to get this information: First, we can quickly take a look at a high-level view of a single folder within the Statistics pane of the DatAdvantage GUI. This will show us the most active users of a particular folder. We like to say that at most, you’re one phone call away, since if the most active user isn’t the data owner, they almost certainly know who is.

You can operationalize this process even further by creating a statistics report, which can be run on an entire tree or even a server. A single report can show the top users of every unique ACL, and it’s possible to set up advanced filters to make this even more useful—showing only users outside of IT or in a specific OU, for example. You can even add additional properties from AD to the report, showing each user’s department or line manager, if available. None of this is possible without constantly gathering access activity and providing an interface to combine it with other available metadata.

Identifying owners is useful, but actually involving them is where IT can really start to make headway when it comes to ongoing governance. We’ll tackle that next.


Using Varonis: Fixing the Biggest Problems

November 26, 2012

Now that we have a pretty good idea where the highest-risk data is, the question naturally turns to reducing that risk. Fixing permissions problems on Windows, SharePoint or Exchange has always been a significant operational challenge. I’ve been in plenty of situations as an admin where I know something is broken—a SharePoint site open to Authenticated Users for instance—but I’ve felt powerless to actually address the problem since any permissions change carries the risk of denying access to a user (or process) who needs it. Mistakes can have significant business impact depending on whose access you broke and on what data. Since we’re defining “at-risk” as being valuable data that’s over-exposed, that means that any accessibility problems we create will impact valuable data, and that can create more problems than we started with.

Step 3: Remediate High-Risk Data

The goal is to reduce risk by reducing permissions for those users or processes that don’t require access to the data in question.

The next step in the Varonis Operational Plan is fixing those high-risk access control issues that we’ve identified: data open to global access groups as well as concentrations of sensitive information open to either global groups or groups with many users. Since simply reducing access without any context can cause problems, we need to leverage metadata and automation through DatAdvantage.

Let’s tackle global access first. When everyone can access data, it’s very difficult to know who among the large set of potential users actually needs that access. If we know exactly who’s touching the data, we can be surgical about reducing access without causing any headaches.

DatAdvantage analyzes the data’s audit record over time in conjunction with access controls, showing folders, SharePoint sites and other repositories that are accessible through global access groups, and the users who have been accessing that data but would have had no access without one of those groups. In effect, it runs an environment-wide simulation to answer the question, “What if I removed every global access group from every ACL tomorrow? Who would be affected?” The report gives you two key pieces of information:

  • Which data is open to global access groups
  • Which part of that data is actually being accessed by users who wouldn’t otherwise be able to reach it

And it’s not just global groups that DatAdvantage lets you do this with. Because every data touch by every user on every monitored server is logged, Varonis lets you do this kind of analysis for any user, in any group, on any file or folder. That means you can safely remediate access to all of the high-risk data without risking productivity. You can actually fix the problem without getting in anyone’s way.
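The simulation itself is simple once you have the two inputs: the effective ACL (expanded through group membership) and a record of who actually touched each folder. The following is an added example and not DatAdvantage code. It works from a constructed ACL table, constructed group memberships and a constructed access log, and for every folder that carries a global group it reports the users who used the folder but would lose access the moment that group is removed. The group names, paths, users and events are all made up for illustration; in practice the memberships come from AD and the events from the audit trail.

```powershell
# Added example, not DatAdvantage code: answer "what if every global access group came off
# every ACL tomorrow, who would be affected?" from an ACL table plus an access log. The
# group memberships, folders, users and events are constructed for illustration.

$GlobalGroups = @('Everyone', 'Authenticated Users', 'Domain Users')

# Constructed group membership. Global groups are never expanded: by definition everyone is in them.
$Members = @{
    'Finance-RW' = @('alice', 'bob')
    'HR-RO'      = @('carol')
}

# Constructed ACLs: folder -> groups with an Allow entry.
$Acls = @{
    '\\fs1\finance\budgets' = @('Finance-RW', 'Domain Users')
    '\\fs1\hr\reviews'      = @('HR-RO', 'Everyone')
    '\\fs1\it\tools'        = @('Domain Users')
    '\\fs1\legal\contracts' = @('HR-RO')   # no global group: nothing to simulate
}

# Constructed access events standing in for the audit record.
$Events = @(
    @{ User = 'alice'; Folder = '\\fs1\finance\budgets'; When = '2012-11-01' }
    @{ User = 'dave';  Folder = '\\fs1\finance\budgets'; When = '2012-11-03' }
    @{ User = 'dave';  Folder = '\\fs1\finance\budgets'; When = '2012-11-20' }
    @{ User = 'carol'; Folder = '\\fs1\hr\reviews';      When = '2012-11-05' }
    @{ User = 'eve';   Folder = '\\fs1\hr\reviews';      When = '2012-11-06' }
    @{ User = 'bob';   Folder = '\\fs1\it\tools';        When = '2012-11-07' }
) | ForEach-Object { [pscustomobject]$_ }

function Test-GlobalGroupRemoval {
    param($Acls, $Members, $Events, $GlobalGroups)

    foreach ($folder in ($Acls.Keys | Sort-Object)) {
        $groups  = $Acls[$folder]
        $globals = @($groups | Where-Object { $GlobalGroups -contains $_ })
        if ($globals.Count -eq 0) { continue }

        # Users who keep access through some non-global group on the same ACL.
        $retained = @($groups | Where-Object { $GlobalGroups -notcontains $_ } |
                      ForEach-Object { $Members[$_] } | Sort-Object -Unique)

        # Users who actually touched the folder and have no path to it except a global group.
        $affected = @($Events | Where-Object { $_.Folder -eq $folder -and $retained -notcontains $_.User } |
                      Group-Object User | Sort-Object Count -Descending |
                      ForEach-Object { "$($_.Name) ($($_.Count) events)" })

        [pscustomobject]@{
            Folder        = $folder
            GlobalGroups  = $globals -join ', '
            SafeToRemove  = ($affected.Count -eq 0)
            # These users need a purpose-built group (or an explicit entry) before the global group goes.
            AffectedUsers = $affected -join '; '
        }
    }
}

Test-GlobalGroupRemoval -Acls $Acls -Members $Members -Events $Events -GlobalGroups $GlobalGroups |
  Format-Table -AutoSize
```

With this data, budgets flags dave, reviews flags eve and tools flags bob, and contracts never appears because it has no global group. The remediation order follows directly: put the affected users in a group that reflects their real need, add it to the ACL, and only then remove the global group. The longer the audit window, the fewer surprises; a user who reads a folder once a quarter will not show up in two weeks of events.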

The next step is to start shifting decision making from your IT staff to the people who actually should be making choices about who gets access to data: data owners.


At-Risk Exchange Data

November 12, 2012

One of the more interesting benefits of last year’s launch of DatAdvantage for Exchange was the opportunities it presented to talk with different sets of people in our customers’ organizations. Where traditionally we’d worked mostly with security, storage, Windows or Active Directory teams, DatAdvantage for Exchange spurred meetings with messaging, e-Discovery and legal folks as well.

E-mail is a business-critical system, period. From an IT perspective, it may be the most critical system—most companies would rather lose their phones for a day than their e-mail. What that has meant for the Messaging folks in charge of Exchange is that simply keeping the lights on—making sure that emails are being delivered promptly and that the repository of stored data is available—has been far and away more important than access control. However, the consequence of focusing on availability rather than confidentiality or integrity has meant that a lot of the controls and auditing that should be in place are sorely lacking.

Data Governance and Exchange

Exchange is an interesting repository from a data governance perspective. The last time I wrote about using Varonis, I talked about how we can combine data classification with permissions exposure to identify the data that’s most at risk on a file system or SharePoint site. Unlike a file share, the Exchange hierarchy is flat: everyone’s got their own mailbox, and it’s very easy to share out access rights to it. You can, for instance, give someone access to your inbox or calendar. With IT’s help, you can give them the ability to send email on your behalf, or even “as” you. Exchange is exactly like file shares in that mailbox access is rarely reviewed: mailboxes stay shared, and users keep send-as or send-on-behalf-of privileges for a long, long time.

What’s at Risk?

One of the first things we do when we spin up DatAdvantage for Exchange for a customer is to run a report that shows them everywhere someone in the organization has access to a mailbox that isn’t their own.

Everyone has access to their own mailbox by default. It takes some sort of permissions change, though, either on the client (Outlook) side or by the admin on the Exchange server, to grant someone access to another mailbox. One of the things we’re seeing when we do this, by the way, is that the mailboxes that are without question most likely to have been shared are those that are probably considered the most valuable: those of the CEO and other high-level management. While native tools might let you manually (and somewhat painfully) check permissions on a mailbox-by-mailbox basis, Varonis gives you the ability to see where anyone has access to an object that’s not part of their own mailbox.

We take that risk assessment a step further, too, with another report that will show you where people are actually accessing data in mailboxes that don’t belong to them. For good or ill, these are probably the permissions you want to take a look at first from a governance perspective.
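The "native tools" version of the first report is worth seeing, if only to understand why it is painful: three different permission types live in three different places (mailbox ACLs, the Send-As extended right on the AD object, and the mailbox’s GrantSendOnBehalfTo attribute), and the raw output is dominated by the owner’s own entry and by Exchange system principals. The script below is an added example, not a Varonis report. It takes the three collections and reduces them to one list of "who has which right over whose mailbox". The permission objects it runs on are constructed to look like Exchange 2010 cmdlet output so that it runs offline; the commented lines show the cmdlets you would use to collect the real thing, and the set of system principals to skip is an assumption you should tune to your environment.

```powershell
# Added example, not a Varonis report: list every right over a mailbox held by someone other
# than its owner. The permission objects below are constructed to look like Exchange 2010
# cmdlet output; the commented collection lines are what you would run in the Exchange
# Management Shell, and the noise principals to skip are an assumption.

# Live collection (Exchange Management Shell):
#   $MailboxPermissions = Get-Mailbox -ResultSize Unlimited | Get-MailboxPermission
#   $SendAs   = Get-Mailbox -ResultSize Unlimited | Get-ADPermission |
#               Where-Object { $_.ExtendedRights -like '*Send-As*' -and -not $_.IsInherited -and -not $_.Deny }
#   $OnBehalf = Get-Mailbox -ResultSize Unlimited | Where-Object { $_.GrantSendOnBehalfTo }

$MailboxPermissions = @(
    @{ Identity = 'CEO';     User = 'NT AUTHORITY\SELF';     AccessRights = @('FullAccess');     IsInherited = $false; Deny = $false }
    @{ Identity = 'CEO';     User = 'CORP\exec-assistant';   AccessRights = @('FullAccess');     IsInherited = $false; Deny = $false }
    @{ Identity = 'CEO';     User = 'CORP\former-assistant'; AccessRights = @('FullAccess');     IsInherited = $false; Deny = $false }
    @{ Identity = 'CEO';     User = 'CORP\Exchange Servers'; AccessRights = @('FullAccess');     IsInherited = $true;  Deny = $false }
    @{ Identity = 'Finance'; User = 'CORP\auditor';          AccessRights = @('ReadPermission'); IsInherited = $false; Deny = $false }
    @{ Identity = 'Finance'; User = 'CORP\contractor';       AccessRights = @('FullAccess');     IsInherited = $false; Deny = $true }
) | ForEach-Object { [pscustomobject]$_ }
$SendAs   = @( @{ Identity = 'CEO'; User = 'CORP\exec-assistant' } ) | ForEach-Object { [pscustomobject]$_ }
$OnBehalf = @( @{ Identity = 'CFO'; GrantSendOnBehalfTo = @('CORP\bob', 'CORP\carol') } ) | ForEach-Object { [pscustomobject]$_ }

function Find-ForeignMailboxAccess {
    param($MailboxPermissions, $SendAs, $OnBehalf)
    # The owner's own entry and the system principals that appear on every mailbox.
    $noise = @('NT AUTHORITY\SELF', 'NT AUTHORITY\SYSTEM')

    $MailboxPermissions | ForEach-Object {
        $user = "$($_.User)"      # live objects carry a SecurityPrincipalIdParameter, so stringify
        if ($_.IsInherited -or $_.Deny) { return }                        # inherited noise, explicit denies
        if ($noise -contains $user -or $user -like '*\Exchange*') { return }
        [pscustomobject]@{ Mailbox = $_.Identity; Grantee = $user; Right = ($_.AccessRights -join ','); Source = 'MailboxPermission' }
    }
    $SendAs | ForEach-Object {
        [pscustomobject]@{ Mailbox = $_.Identity; Grantee = "$($_.User)"; Right = 'Send-As'; Source = 'ADPermission' }
    }
    $OnBehalf | ForEach-Object {
        $mailbox = $_.Identity
        foreach ($delegate in $_.GrantSendOnBehalfTo) {
            [pscustomobject]@{ Mailbox = $mailbox; Grantee = "$delegate"; Right = 'SendOnBehalf'; Source = 'Mailbox' }
        }
    }
}

Find-ForeignMailboxAccess $MailboxPermissions $SendAs $OnBehalf |
  Sort-Object Mailbox, Grantee | Format-Table -AutoSize
```

On this sample the CEO mailbox comes out with two FullAccess grantees plus a Send-As, which is the pattern the post describes: the assistant who needs it and the former assistant nobody removed. What the native cmdlets cannot tell you is which of those grantees has opened the mailbox in the last year, and that is the second report, the one you would want to read first.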


Here’s what early reviews of Microsoft’s new Surface tablet are saying

October 24, 2012

Early reviews for Microsoft’s new Surface tablet have been released this evening, giving us a look at the company’s supposed “saving grace.” According to the pundits who got their hands on it early, things aren’t looking too good for Microsoft. Many are complaining about a lack of apps, the awkwardness of the Windows RT operating system, and a buggy platform. It sounds like the iPad will remain unchallenged by Microsoft…for now.


Scale Up Your Performance Density with HP IO Accelerators and ioTurbine Software

August 8, 2012

As an update to a previous posting, HP has just published a whitepaper highlighting dramatic transactions-per-second (TPS) performance and VM density gains using HP IO Accelerators and Fusion’s ioTurbine caching software with virtualized HP DL980 servers.

Benchmark testing demonstrated a 2.8x increase in performance achieved by adding just two 1.28TB IO Accelerators and ioTurbine software to a pair of HP ProLiant DL980 servers running Microsoft Windows 2008 and VMware ESX 4.1, connecting with HP P4800 storage. The configuration supports an aggregated 7120 transactions-per-second (TPS) across 16 VMs running SQL workloads, in parallel. This result compares to 2521 TPS for the same baseline but uncached configuration.

The testing illustrates that this solution not only adds scale to the HP DL980 server but also dramatically increases VM density to support almost any application, regardless of workload, in a virtual server environment. Having more and larger VMs makes more efficient use of infrastructure, lowers costs and makes it practical to run databases in a virtualized environment, something that was previously not possible or cost-prohibitive. The solution is an ideal VMware consolidation platform and preserves VMware vMotion and high-availability capabilities, both important customer requirements.

Of course, this same solution approach can also be attractive for customers interested in using HP IO Accelerators and ioTurbine with other HP servers such as the HP DL580, HP DL380 and the BL460 for bladed environments.

Note also that testing was accomplished with HP’s Gen1 IO Accelerators, so performance results would be expected to be even better using HP’s recently announced ioDrive2 IO Accelerators.


TechValidated: Fusion-io Enhances Server Virtualization

June 26, 2012

More than ever, companies all over the world are virtualizing their servers to battle server sprawl, improve productivity and maximize system resources. In doing so, many of these companies have discovered that implementing Fusion ioMemory boosts the efficiency of virtualized systems with astounding results. Below are TechValidate survey results displaying just how much improvement companies have experienced with Fusion Powered server virtualization solutions.

Performance Improvement: In this survey, 95 percent of IT organizations using server virtualization achieved three to five times or more performance improvement in application throughput when using ioMemory.

Latency: In addition, 77 percent of companies using server virtualization reported that they decreased average latency by 50 to 74 percent or more by deploying one Fusion ioDrive.

More Virtualized Servers Per Card: One customer at a small business computer software company reported achieving 10 virtualized servers per card. “Fusion offered exactly what we needed — appearance as a block level device to the host OS while providing dramatically faster I/O calls, allowing us to fully virtualize 10 servers per card.”



Everything is a Remix…worth viewing

June 25, 2012

A few days ago, Microsoft presented its “Surface” product, a tablet running Windows 8 to fight Apple’s hegemony. A day later, I started reading that Microsoft had copied Apple’s iPad without remorse. If you go back in time, you find that Microsoft created the “Tablet PC” concept in 2001 (although no one cared about it).

Via @grantcroker I bring you this video about copying and the history of stealing creations or ideas…

It’s worth viewing…


A hands on look at the new Microsoft Surface : video

June 22, 2012

The Microsoft Surface tablet has finally made its debut. Not discussed in the presentation were the capacitive touch button, the really solid-feeling build quality and the details all the way down to the Windows logo on the front. October can’t come soon enough for us to get some more hands-on time with this device.


Video: Wednesday’s unveiling of Windows Phone 8

June 21, 2012


FORTUNE — The full keynote in which Microsoft (MSFT) gave its developers “the details they need to know” lasts nearly two hours. But the executive briefing is Joe Belfiore’s 60-minute presentation that starts at the 6-minute mark.

Most press reports highlight the key hardware features — support for multi-core processors, microSD cards, near field communications, higher-resolution screens, etc.

But Belfiore leads with the news that might give Apple (AAPL) and Google (GOOG) pause: Microsoft has abandoned the Windows CE kernel. From now on its smartphones will share a “common core” with Windows 8. That means its three platforms — PC, phone and tablet — will have common networking, security, media and web browser technology, device drivers and file systems.

This is Microsoft playing to its strength: the 1.3 billion people around the world wedded for one reason or another to the Windows desktop operating system.

It’s a smart move. It’s too early to tell if it’s coming too late.

thanks to http://www.fortune.com


Windows Surface – iPad’s biggest rival

June 19, 2012

Microsoft announced the release of its new tablet, and it will be called Surface. Surface will come in two versions: the Windows RT version and the Windows 8 Pro version. The tablet has a keyboard cover (Touch Cover or Type Cover) and will come in colors such as blue, pink, red, black and white.

SPECS (RT):
• Windows RT
• 10.6″ ClearType HD Display
• microSD / USB 3.0 / HD Video / 2×2 MIMO antennae
• Office Home & Student 2013 RT / Touch Cover / Type Cover
• VaporMg Case & Stand
• 32/64 GB Storage

SPECS (PRO):
• Windows 8 Pro
• 10.6″ ClearType HD Display
• microSDXC / USB 3.0 / Mini DisplayPort Video / 2×2 MIMO antennae
• Touch Cover / Type Cover / Pen with Palm Block
• VaporMg Case & Stand
• 64/128 GB Storage

