Varonis Privacy and Trust Report

Even in an age of social media and voracious over-sharing, there are still times we need privacy online. When we engage in old-fashioned point-to-point communication, we expect the person or business at the other end to ensure that our interactions remain private. But it’s complicated.

In a new study conducted by Varonis, 91% of respondents say they trust businesses to keep their data safe despite a rise in breaches that now affects nine out of ten companies. In addition to expecting absolute security from service providers, the survey shows that 53% of consumers would be willing to pay a premium for organizations that reliably protect their data.

At the same time, consumer online habits have room for improvement. Though almost three out of four password-protect their mobile phones, an alarmingly high 67% say they send unencrypted personal information in their emails.

Download the full report to learn how consumers deal with security and privacy challenges in their digital lives.


EU to Google: We Really Mean it About Data Retention Limits

“Are these data and privacy protection regulations serious or are they just for show?”  I’ve been hearing that question lately from the tech reporters and journalists who’ve been contacting me. Even after pointing out extensive case files and other documented incidents on government and legal sites, I’m still left with the feeling that it’s just not proof enough.

Fate has finally intervened.

With the EU Commission’s complaint against Google’s privacy policies reaching a conclusion, I now have a teachable moment to convince the naysayers that this stuff is serious business.

When Google changed its privacy terms in early 2012, the fine print was also being looked at by EU regulators. Google may have thought it was making it easier for consumers with a single policy covering all its web services, but others felt a bit differently. The Article 29 Working Party is in charge of advising the EU Commission on its data security and privacy rules, which are contained in the Data Protection Directive or DPD. In late 2012, it filed a complaint against Google and addressed a letter to Google’s CEO, Larry Page.

In so many words, the Article 29 folks said the search engine company had not done enough to follow DPD rules on consumer privacy.

Security experts, compliance gurus, CIOs, and other interested players would normally have to get the real story about this intersection of legal and tech in niche publications or in the back pages of certain business sections, or perhaps in a blog of a major data governance player. Since this is Google, and it appears that the EU is willing to go to the mat on this one—in other words, there will be fines—the story is now moving up in importance and appearing more prominently in business sections of main-stream publications.

You can read from the regulator’s report to learn about the long list of Google’s privacy shortcomings, which are conveniently bold-faced. I offer a few of their choice phrases: “no valid consent”, “incomplete or approximate information”, and “retention periods must be appropriate in regards to the purpose.”

Whoa! The EU—technically the individual national data protection authorities led by France’s CNIL— will fine a major American online service provider over their …  data retention policy?

Of course, having data retention policies and procedures —what to keep, what to archive—in place is just IT common sense. But you’re probably thinking that just because an organization doesn’t have explicit data retention or migration plans doesn’t mean it has broken the law.

Actually, it’s not only the EU that takes this IT procedure seriously. Retention limits also show up in the US’s HIPAA rules for personal health data and in some financial data security regulations. But those limits, measured in years, are usually minimums: how long an electronic record must be kept, not how long it may be kept.

The EU, though, views data collection and retention with a goal of “data minimization” in mind: companies should store the minimum amount of personal data and limit the duration to what “must be appropriate in regards to the purpose”. That’s essentially the language of the DPD law. In other words, you just can’t keep personal consumer data unless there’s a legitimate business reason, you have to say what that reason is, and you have to say how long you’re going to keep it.

According to France’s CNIL, Google has to this date refused to provide any information about its data retention policies after being requested to do so.

And the EU Commission has been very clear that there will be consequences for not following its rules. How bad could the fines be for violating, either willfully or negligently, the DPD? Today the ceilings are set by each member state’s own law, but the Commission’s proposed regulation to replace the DPD would allow fines as high as 2% of a company’s annual worldwide turnover.

Last year Google earned revenues of over $45 billion. You do the math on what it means for not taking data compliance regulations seriously.


Internal Data Loss is Riskier Than You Think


In an excellent blog post, Gartner research director Anton Chuvakin poses the question: is an Excel spreadsheet full of credit card numbers on a poorly permissioned internal file share considered a data breach?

Many information security pros and even some DLP vendors would answer “no” because the risk of data loss is implied, not actual.  But I think that is an overly optimistic stance.  To me, this is equivalent to saying, “I know there’s a hole in my roof, but it hasn’t rained in a month, so it’s only an implied risk.”

Anton astutely points out that, in every large organization, you can bet your mortgage on there being unauthorized access to your environment, facilitated by any number of factors including, but not limited to: subpar authentication, BYOD, infected endpoints, or an Active Directory that looks like a rat’s nest.

Chuvakin says:

“The phenomenon of ‘internally lost data’ is way more pervasive than most people think. I’d bet if you think that it is pretty pervasive, then it is EVEN MORE pervasive. Confidential, regulated and ‘merely’ sensitive data on ‘all access’ internal file shares, SharePoint boxes, team web servers, internal blogs, etc is literally all over the place.”

We can confirm this phenomenon as it’s one of the main reasons organizations evaluate Varonis.  We’ve written extensively on the Everyone Problem.  Trust us, this is actual risk.  So what do we do about it?

The Sniff → Scan Approach

Dr. Chuvakin talks about how well the Sniff → Scan approach has worked for some organizations: sniff the network to see what’s leaking and then scan your storage environment to figure out where that data lives:

“[Organizations] first saw *it* on the wire, got mad – and then got curious: just where exactly is it stored internally? “Oh, in 537 different places!”  Next they fought the battle for reducing the internal exposure and then – surprise! – the occurrences of that piece of data being seen on the wire decreased as well…”

The trouble with most DLP solutions that help with data discovery is that, once the data of interest is found, you’re on your own.  There’s no operator’s manual for reducing the exposure in a safe, methodical way without doing collateral damage to the business.  Once you’ve pinpointed where leaky data lives, wouldn’t you love to know: Who can access it? Who’s using it? Who is responsible/is the data owner? How to reduce access down to a least privilege model without cutting off people who need the data to do their jobs?

The only way to answer these questions is to combine other metadata streams with the classification information.  If you’re in the information security space, you’ll start to hear the term Context-Aware Data Loss Prevention, if you haven’t already.  Analysts have begun putting a lot of weight on the ability to determine the context of data and its usage in order to make intelligent decisions about protecting it.

Anton concludes:

“So, if you got [sic] a DLP tool, plan for using its discovery capabilities. Hit those shares, SharePoints, team servers, intranet web sites, etc, etc.  And, yes, you need a process, not just a tool!”

For an in-depth look at the Varonis process for preventing internal data loss, check out our operational plan blog series (which starts with data classification).  And if you’re interested to see how the Varonis Data Governance Suite brings context to DLP, let us show you!

Also, have a look at Anton Chuvakin’s blogs here and here.  He’s one of the most entertaining and prolific writers on data protection.

Unknown Unknowns of the Dark Data Menace

It’s nice for us to see we’re not the only ones pointing out the challenges of unstructured data for organizations and IT departments. Analysts and other industry observers use a different name, dark data, but the issues on their agenda are the same as ours. The core problem is that large amounts of uncategorized and poorly permissioned text and image data in file systems are a huge security risk, leading to real bottom line financial and legal liabilities.

With recent shifts in consumer data protection regulations and policies, both in the US and the EU, the stakes for not illuminating dark data have become even higher. For those new to the regulatory side of the fence, you can read about enhanced requirements for safeguarding patient medical data, and overall higher standards for personal data protections being asked of companies.

What risks and potential data sea monsters can one expect to find in a file system’s terra incognita? There are the known unknowns. This is essentially the personally identifiable information (PII) and other sensitive data that hackers are looking to take. You can get a sense of the extent of this type of personal information hidden in file folders by examining one of this blog’s favorite resources: Verizon’s Data Breach Investigations Report (DBIR).

In its latest report, based on 2011 data, the DBIR notes that payment card numbers were involved in 48% of all breaches, passwords and user names in 42%, Social Security numbers in 4%, and bank account numbers in 2%. These numbers shouldn’t come as too much of a surprise to anyone who follows the security scene, and if they do, you should start seriously exploring your dark data.

I’ve also written about another type of threat in dark data, a kind of quasi-identifier, which doesn’t fit the standard definition of PII. The best known of this species is the combination of full birth date, ZIP code, and gender, which can be used to re-identify the consumer victim with very high likelihood.

Are there unknown unknowns in dark data?

Actually, there are. As hackers become cleverer in their ability to mine and correlate pieces of seemingly unrelated data, they’ll find new and exotic ways to link information back to individuals.

Recently, The New York Times profiled Carnegie Mellon University economist and privacy expert, Alessandro Acquisti. The article mentions one of Acquisti’s research projects, which proved it was possible to derive likely social security numbers from a photograph.

Long pause.

His technique involves two steps. In the first, he uses facial imaging software to connect a photo with a Facebook profile. This is a re-identification hack that’s better understood, and even regulators have recently recognized the privacy issues involved with photo data.

The second step, though, is new to me and is based on work Acquisti has done in analyzing patterns in social security numbers. At a Black Hat conference back in 2009, he presented a paper that showed it was possible to predict these numbers based on just hometown and birth date.

So the photo image was used to find a Facebook or LinkedIn account that had a face picture, and then, using public information on the account profiles or from other online sources, he pulled out birth date and address information. Acquisti’s algorithms then generated likely Social Security numbers.

Acquisti has come up with a more technical name for these unknown unknowns, calling them personally predictable information or PPI. The larger point is that there are likely more PPIs out there than the ones Acquisti discovered.

As a general rule of thumb, though, files containing any information with location and dates, even without standard PII embedded, should be restricted.

By the way, do you know your file system’s data well enough to say that dates and addresses in customer records are protected from unauthorized users and are only viewed by those on an absolute need-to-know basis?  Just wondering.
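The discovery step that both the internal-data-loss post (a spreadsheet of card numbers on an open share) and this post (dates plus locations in a file, with no classic PII) call for is the same: scan file contents, classify what is found, and pair the finding with the file’s exposure. The script below is an added example of that classifier, not Varonis code; the file contents, paths and the set of files open to Everyone are constructed for illustration. Card numbers are only counted when they pass the Luhn checksum, so a random run of digits is not reported.

```python
"""Added example: content classifier for the sniff-then-scan discovery step.
Not Varonis code; all file contents and paths below are constructed.

Findings reported per file:
  * payment card numbers (PANs) that pass the Luhn checksum;
  * US Social Security numbers in the 3-2-4 dashed form;
  * quasi-identifiers: a full date and a five-digit ZIP code in the same file,
    which the dark-data post argues should be restricted on their own.
Each finding is paired with whether the file is open to everyone.
"""
import re

# 13-19 digits in the usual 4-4-4-n grouping, optionally separated by a
# space or dash. Amex-style 4-6-5 grouping is deliberately not covered.
PAN_RE = re.compile(r"\b\d{4}(?:[ -]?\d{4}){2}[ -]?\d{1,7}\b")
SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")
DATE_RE = re.compile(r"\b(?:\d{4}-\d{2}-\d{2}|\d{1,2}/\d{1,2}/\d{4})\b")
ZIP_RE = re.compile(r"\b\d{5}(?:-\d{4})?\b")


def luhn_ok(digits):
    """Luhn checksum: double every second digit from the right, fold >9 to one digit."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def find_pans(text):
    """Return the digit strings of every PAN-shaped token that passes Luhn."""
    pans = []
    for m in PAN_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if luhn_ok(digits):
            pans.append(digits)
    return pans


def classify(text):
    """Classify one file's text; a date and a ZIP together count as a quasi-identifier."""
    return {
        "pans": len(find_pans(text)),
        "ssns": len(SSN_RE.findall(text)),
        "quasi_identifier": bool(DATE_RE.search(text)) and bool(ZIP_RE.search(text)),
    }


def risk_report(files, open_to_everyone):
    """files: path -> text. Returns one entry per file with at least one finding,
    flagged 'exposed' when the path is on the open-to-everyone list."""
    report = []
    for path, text in sorted(files.items()):
        c = classify(text)
        reasons = []
        if c["pans"]:
            reasons.append(f"{c['pans']} card number(s)")
        if c["ssns"]:
            reasons.append(f"{c['ssns']} SSN(s)")
        if c["quasi_identifier"]:
            reasons.append("date + ZIP quasi-identifier")
        if reasons:
            report.append({"path": path, "reasons": reasons,
                           "exposed": path in open_to_everyone})
    return report


# Constructed sample share contents (not real data).
SAMPLE_FILES = {
    "finance/cards.csv": "name,card\nAlice,4111 1111 1111 1111\n"
                         "Bob,5500-0000-0000-0004\nCarol,1234 5678 9012 3456\n",
    "hr/birthdays.txt": "Dana Smith, born 1985-03-14, ZIP 10001\n"
                        "Evan Lee, born 07/04/1990, ZIP 94105\n",
    "hr/payroll.txt": "Frank Moore SSN 123-45-6789\n",
    "public/lunch.txt": "Pizza on Friday at 12:30 in room 4\n",
}
OPEN_TO_EVERYONE = {"finance/cards.csv", "public/lunch.txt"}

if __name__ == "__main__":
    for entry in risk_report(SAMPLE_FILES, OPEN_TO_EVERYONE):
        flag = "EXPOSED" if entry["exposed"] else "restricted"
        print(f"{entry['path']}: {', '.join(entry['reasons'])} [{flag}]")
```

The third card number in the constructed spreadsheet fails Luhn and is not counted, and the lunch memo produces no finding at all, so the report lists only the three files an owner needs to act on, with the card spreadsheet marked as open to everyone.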

Data Retention in the Social Media Era

A variety of industry research analysts have indicated that 3 of the top 10 priorities for IT in 2013 will be initiatives focusing on BYOD, cloud computing and business analytics obtained via social media. While these initiatives provide clear business benefits, they will challenge data retention and records management policies for most organizations.

BYOD, cloud computing and social media have a common thread – they all create data repositories that have been geared towards the non-IT consumer, where governance, management and retention have taken a backseat to ease of use.  With the introduction of these technologies into the enterprise, companies are obligated to develop backup, archiving, and classification strategies to ensure that relevant data is available in the event of litigation and a discovery request.

Under the Federal Rules of Civil Procedure, the moment a company receives a legal hold request it must stop disposing of the relevant data, and routine deletion before that point is defensible only under a clearly defined and demonstrable retention and disposal policy. These policies cannot be developed and implemented in the midst of litigation, as an opposing litigant could claim that destruction of data was intentional, resulting in damages and penalties awarded to the opposition.

In the article, eDiscovery Rules Applied to Social Media: What This Means in Practical Terms for Businesses, statistics show that the FRCP rules are being enforced— sanctions were ordered in 50% of the cases where sanctions were sought, with a few resulting in large monetary penalties. Needless to say, companies are compelled to comply.

While many companies have chosen the pack-rat approach – save and archive all of the data they manage, including customer data, personal data, etc., this approach is not practical due to ever increasing volumes of data, especially when considering the information generated by mobile devices and social media.

When a company develops a defined retention policy that takes these initiatives into account, the requirements should be part of a larger blueprint for securing its data, linking retention strategies with governance and accessibility. These six steps provide some basic guidelines:

  1. Determine the age at which each type of data that has not been accessed would be considered stale: 1 year? 2 years? 5 years?
  2. Implement a solution that can identify where stale data is located based on actual usage (not just file timestamps)
  3. Automate the classification of data based on content, activity, accessibility, data sensitivity and data owner involvement
  4. Automatically archive or delete data that meets your retention guidelines
  5. Automatically migrate data that is stale but contains sensitive information to a secure folder or archive with access limited to only those people who need to have access (e.g. the General Counsel)
  6. Make sure your solution can provide evidence (e.g. reports) of your defensible data retention and disposal policy
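The six steps above are one procedure, and the planner below carries them through end to end as an added example (not Varonis code). Staleness is judged from an access log of who actually opened each file rather than from the file-system mtime, which backup and antivirus jobs touch; stale data is archived or deleted per category, except that files under legal hold are never disposed of and stale-but-sensitive files are moved to a folder restricted to a named group. The policy numbers, the restricted group name `SG-GeneralCounsel`, the file records, log events and hold list are all constructed for illustration.

```python
"""Added example: usage-based retention planner for the six-step procedure above.
Not Varonis code; policy values, the group name and all records are constructed.
"""
from dataclasses import dataclass
from datetime import datetime

# Hypothetical policy: days without a real access before data is stale (step 1),
# and what to do with stale, non-sensitive data of each category (step 4).
STALE_AFTER_DAYS = {"project": 365, "customer": 730, "shared": 90}
DISPOSAL = {"project": "archive", "customer": "delete", "shared": "delete"}
RESTRICTED_GROUP = "SG-GeneralCounsel"  # hypothetical group for quarantined data (step 5)


@dataclass
class FileRecord:
    path: str
    category: str
    mtime: datetime      # recorded for the report, deliberately NOT used for staleness
    sensitive: bool      # result of content classification (step 3)


def last_real_access(path, events):
    """events: (user, path, timestamp). Latest time a user opened the file, or None."""
    times = [t for _, p, t in events if p == path]
    return max(times) if times else None


def plan_retention(files, events, legal_holds, now):
    """Decide keep / hold / quarantine / archive / delete for each file (steps 2-5)."""
    plan = []
    for f in files:
        last = last_real_access(f.path, events)
        age = (now - last).days if last else None
        limit = STALE_AFTER_DAYS[f.category]
        if last is not None and age < limit:
            action, reason = "keep", f"accessed {age}d ago, limit {limit}d"
        elif any(f.path.startswith(h) for h in legal_holds):
            action, reason = "hold", "stale but under legal hold; disposal suspended"
        elif f.sensitive:
            action = f"quarantine:{RESTRICTED_GROUP}"
            reason = "stale and sensitive; move to restricted folder"
        else:
            action = DISPOSAL[f.category]
            reason = "never accessed" if last is None else f"stale, last access {age}d ago"
        plan.append({"path": f.path, "action": action, "reason": reason,
                     "last_access": last, "mtime": f.mtime})
    return plan


def evidence_report(plan, now):
    """Human-readable evidence that the policy was applied (step 6)."""
    lines = [f"Retention run {now:%Y-%m-%d}: {len(plan)} files evaluated"]
    for p in plan:
        last = f"{p['last_access']:%Y-%m-%d}" if p["last_access"] else "never"
        lines.append(f"  {p['path']}: {p['action']} ({p['reason']}; "
                     f"last access {last}; mtime {p['mtime']:%Y-%m-%d})")
    return "\n".join(lines)


# Constructed sample data.
NOW = datetime(2013, 4, 1)
FILES = [
    # mtime was touched yesterday by a backup job, but nobody has opened it in years
    FileRecord("proj/plan.docx", "project", datetime(2013, 3, 31), sensitive=False),
    FileRecord("cust/export.csv", "customer", datetime(2010, 5, 1), sensitive=True),
    FileRecord("cust/contract.pdf", "customer", datetime(2010, 5, 1), sensitive=False),
    FileRecord("shared/notes.txt", "shared", datetime(2013, 3, 20), sensitive=False),
    FileRecord("shared/old.txt", "shared", datetime(2012, 1, 1), sensitive=False),
]
EVENTS = [
    ("alice", "proj/plan.docx", datetime(2011, 1, 10)),
    ("bob", "cust/export.csv", datetime(2010, 6, 1)),
    ("bob", "cust/contract.pdf", datetime(2010, 5, 2)),
    ("carol", "shared/notes.txt", datetime(2013, 3, 20)),
]
LEGAL_HOLDS = {"cust/contract"}  # path prefixes currently under hold

if __name__ == "__main__":
    print(evidence_report(plan_retention(FILES, EVENTS, LEGAL_HOLDS, NOW), NOW))
```

Note the first record: its mtime is one day old, so a timestamp-based sweep would call it fresh, yet the log shows no user has opened it since 2011 and it is correctly archived. The held contract is stale by policy but is left alone, which is the behaviour the FRCP paragraph above requires.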


3 Key Features Philip Morris International was Looking for in a Data Protection Solution

Recently, one of our largest customers, Philip Morris International (PMI), agreed to sit down with us and answer a few key questions about why they chose Varonis to manage and protect their critical unstructured and semi-structured data. You can watch the entire interview in our newly launched video gallery.

What were the 3 key features PMI was looking for in a data protection solution? The answers come from Jan Billiet, Director of IS Security & Risk Management at Philip Morris International, in the interview video.

5 Steps to Get Data Owners Started

During a recent conversation a customer asked if we had a Getting Started Guide for Data Owners. After using Varonis to identify and assign owners, one of the new data owners asked, “What am I supposed to do now? What do data owners do?”  In order to help him—and anyone else in this situation—I created 5 high-level steps business users can follow to get started as a data owner.

Step 1: Take inventory of your data and confirm ownership

One of the first things data owners should do is review the data for which they are responsible; IT should provide them a report listing all the folders, SharePoint sites, etc. that they own. Owners should carefully review this report and confirm with IT that they are, in fact, the correct owners of this data. It is also important that they understand which, if any, of these folders contain sensitive data, which folders are open to other groups in the organization, and which teams they expect to collaborate with.

Once they have reviewed their data assets, they will be able to start governing and protecting their data effectively. In addition, they should determine if other users will need to be involved in the authorization process (delegated “authorizers” for specific folders), and coordinate with them on how access requests will be processed.

Step 2: Review permissions/users with access

Once they’ve confirmed ownership and they understand the types of data contained in these folders, the next step would be to perform an initial Entitlement Review.  These can either be done manually with IT provided lists of people to review, or with automated solutions, like Varonis DatAdvantage and DataPrivilege.

During an initial entitlement review, data owners will review which users have access to which data and make decisions about which users should be removed or added. Solutions that provide automated entitlement reviews, like DataPrivilege, automate this task end to end, providing actionable information to data owners (e.g. recommendations based on access activity and cluster analysis) and effecting changes to the appropriate ACLs and groups without IT intervention.

It is important that this step be carefully performed, whether manual or automated, as this will be the first step in cleaning up excess access and ensuring that only the right people have access to data.

Step 3: Ensure all requests are processed for the appropriate reasons

Once owners have performed their initial review, they should now be in “maintenance mode” and ongoing data ownership activities shouldn’t take much time: they’ll mostly need to approve/decline access requests as they come up, either with an automated solution (like DataPrivilege) or through a manual process. As a best practice, every access request should ask the requestor to enter a reason for requesting access, either selected from a menu of legitimate reasons, or manually entered.

Data owners should consider access requests carefully, especially when the data they’re managing is sensitive:

  • What data are they requesting access to?
  • If I grant access, is there anything in that folder that they should treat as confidential?
  • Should access be granted permanently, or temporarily?
  • If access should be granted temporarily, how will we remember to revoke it? (Manual process or with automation like DataPrivilege)

Step 4: Do periodic entitlement reviews

On a regular basis—once a quarter, every 6 months, etc.—IT should require owners to complete an attestation, or entitlement review. This will ensure data owners review any changes or new recommendations made since their last review and ensure that organizational changes have not granted unwarranted access. Owners should have the option to specify where access should be restricted or stay the same, and a record of their decisions should be kept. Entitlement reviews help organizations efficiently maintain a least privilege model.

Step 5: Review access statistics on your data

If available, data owners should have the ability to access a dashboard which includes permissions and access activity relevant to their data, as with DataPrivilege’s Self-Service Portal. Data owners can make better decisions if they are able to see who is accessing their data, which folders are most accessed, least accessed, or stale, and who is accessing folders that hold sensitive data.
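Steps 2 through 5 above describe one review loop: expand who effectively has access, compare that against who actually uses the data, and act on the difference. The script below is an added example of that loop for a single folder, not Varonis or DataPrivilege code. It expands group entries in the ACL to individual users, flags open-access principals such as Everyone, recommends removing users with no activity inside the review window, keeps the rest, and lists temporary grants whose expiry has passed (the revocation reminder from step 3). The folder name, ACL, group membership, access log and grant list are constructed; the log is assumed to cover at least the whole review window.

```python
"""Added example: access-activity-driven entitlement review for one folder.
Not Varonis code; the ACL, groups, events and grants below are constructed.
"""
from datetime import datetime

# Principals that make a folder effectively open to the whole organization.
OPEN_PRINCIPALS = {"Everyone", "Authenticated Users", "Domain Users"}


def effective_users(folder, acl, groups):
    """acl: (folder, principal) entries; groups: group name -> member list.
    Returns user -> set of ACL principals through which that user has access."""
    users = {}
    for f, principal in acl:
        if f != folder:
            continue
        for u in groups.get(principal, [principal]):
            users.setdefault(u, set()).add(principal)
    return users


def review_folder(folder, acl, groups, events, grants, now, window_days=90):
    """Return (action, subject, detail) recommendations for the data owner.
    events: (user, path, timestamp); grants: (user, folder, expires)."""
    recs = []
    # Open-access ACEs are flagged first; they are the 'Everyone problem'.
    for f, principal in acl:
        if f == folder and principal in OPEN_PRINCIPALS:
            recs.append(("remove_ace", principal, "open-access principal on folder"))
    # Per-user decision based on real activity under the folder within the window.
    for user, via in sorted(effective_users(folder, acl, groups).items()):
        if user in OPEN_PRINCIPALS:
            continue
        times = [t for u, p, t in events if u == user and p.startswith(folder)]
        last = max(times) if times else None
        granted_by = ", ".join(sorted(via))
        if last is None:
            recs.append(("remove", user, f"no recorded access (via {granted_by})"))
        elif (now - last).days > window_days:
            recs.append(("remove", user,
                         f"last access {(now - last).days}d ago (via {granted_by})"))
        else:
            recs.append(("keep", user,
                         f"active {(now - last).days}d ago (via {granted_by})"))
    # Temporary grants that have outlived their approved period.
    for user, f, expires in grants:
        if f == folder and expires <= now:
            recs.append(("revoke_expired", user,
                         f"temporary grant expired {expires:%Y-%m-%d}"))
    return recs


# Constructed sample data.
NOW = datetime(2013, 4, 1)
ACL = [("Finance", "SG-Finance"), ("Finance", "Everyone"), ("Finance", "dave")]
GROUPS = {"SG-Finance": ["alice", "bob", "carol"]}
EVENTS = [
    ("alice", "Finance/budget.xlsx", datetime(2013, 3, 28)),
    ("bob", "Finance/q4.xlsx", datetime(2012, 11, 1)),
    ("carol", "HR/list.xlsx", datetime(2013, 3, 30)),   # active, but not on Finance
    ("dave", "Finance/budget.xlsx", datetime(2013, 3, 1)),
]
GRANTS = [("dave", "Finance", datetime(2013, 3, 15)),
          ("alice", "Finance", datetime(2013, 6, 30))]

if __name__ == "__main__":
    for action, subject, detail in review_folder("Finance", ACL, GROUPS, EVENTS, GRANTS, NOW):
        print(f"{action:15} {subject:10} {detail}")
```

Carol is busy elsewhere but has never touched Finance, so she is recommended for removal just as inactive Bob is; Dave is still active, yet his temporary grant lapsed two weeks ago, so the review surfaces it for revocation rather than relying on someone remembering.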

Conclusion

While there are a lot more details on data ownership, we hope this list provides a starting point for Data Owners on how to govern their data effectively. For more information you can visit our collection of blogs on data ownership or download our whitepapers from our resource center.


The Essential Guide to US Data Protection Compliance and Regulations

We’ve written a lot about compliance and consumer privacy over the past few months. One of our chief bloggers, Andy Green, has been neck-deep in compliance documents, keeping track of what’s changing and who’s being impacted. He’s been reviewing case files and boiling down dense regulatory tomes to must-know facts for IT.

Why? Because we know you’re busy putting out fires and answering 2am phone calls about downed servers and lost emails. You probably don’t have time to wade through 500 pages of HITECH rules trying to figure out what, if anything, applies to you. So, we put together a thoroughly crafted whitepaper covering the essentials of data protection legislation.

Grab it today…it’s free!



Varonis Named 2013 CODiE Finalist for Big Data


We’re extremely honored to have been named for Best Big Data Solution in this year’s CODiE Awards alongside great companies like Metamarkets and Tableau.

We consider the Varonis analytics and recommendations engine to be one of the most actionable, value-producing solutions for human-generated big data available. Without the need for Hadoop clusters or data scientists, the Varonis Metadata Framework monitors unstructured data activity, content, and permissions and uses sophisticated analytics to generate actionable intelligence: where data is at risk, how excess permissions can be safely eliminated via recommendations and simulation, and where statistically aberrant user activity should be examined.

A major contributing factor to Varonis’ success, especially within large enterprises, is the ability to horizontally scale out our deployments on commodity hardware.

This nomination is a testament to the hard work of our engineering and product development teams.  Their relentless pursuit to innovate is unmatched.


Astronauts Passing Time Browsing the Web

If you monitor who is visiting your website with Google Analytics Real-Time, you too may notice 41 visitors from the International Space Station browsing your content.

I started to think that we hadn’t really considered file syncing from space as a requirement for DatAnywhere, and that astronauts need to collaborate, too, but then I realized this was a well-crafted April Fools’ Day prank by Google.
