Archive for: September, 2011

Levels of Data Protection

Wednesday, I spoke at ISSA’s monthly chapter meeting in Colorado Springs. Speaking at ISSA chapter events is great, because it’s always an intelligent crowd that quickly grasps issues around data governance.

At this particular event I gave a presentation on how we can reduce organizational risk by leveraging metadata and automation—coincidentally enough, two things that Varonis excels at. The basic argument was that data protection centers around three control areas:

  • Authentication
  • Authorization
  • Access Auditing and Analysis

Authentication is the mechanism by which we identify that the person who’s trying to access a system—in this case our unstructured and semi-structured data—is who he says he is. This is something we have a lot of good options for. With strong passwords, one-time password tokens, biometrics and other authentication factors, an organization can have reasonable confidence about who’s actually accessing the data.

The next control area is authorization, which is making sure that the user is actually allowed to access the data. Unlike authentication, this is usually much harder. If a SharePoint site is open to Authenticated Users, for example, we’re not making any attempt at authorization, since we’re assuming everyone who’s authenticated is also authorized, which isn’t always the case. Much of what we do with data governance is helping to increase the accuracy and effectiveness of our authorization. Making sure only the right people have access to the right data means making sure that only the right people are authorized.

The final control area is access auditing, which is about ensuring that the controls we’ve put in place for authentication and authorization are working as designed. With unstructured data, a complete audit trail of file activity traditionally hasn’t been available, which has meant it’s been difficult to audit the access to that data, difficult to check potential access against actual access, and difficult to spot possibly abusive behavior.
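The check of potential access against actual access described above can be sketched as follows. This is an added example, not code from the original post or from Varonis; the users, groups, paths and audit events are constructed sample data, and the function names are hypothetical.

```python
from collections import defaultdict

# Constructed sample data (not from the original post).
BROAD_GROUPS = {"Authenticated Users", "Everyone"}

GROUP_MEMBERS = {
    "Finance": {"alice", "bob"},
    "Authenticated Users": {"alice", "bob", "carol", "dave"},
}

# resource -> principals (users or groups) granted access
ACLS = {
    "/shares/finance/payroll.xlsx": {"Finance", "carol"},
    "/sites/hr/reviews": {"Authenticated Users"},
}

# (user, resource) events from a file-activity audit trail
AUDIT_LOG = [
    ("alice", "/shares/finance/payroll.xlsx"),
    ("carol", "/sites/hr/reviews"),
    ("dave", "/sites/hr/reviews"),
    ("dave", "/shares/finance/payroll.xlsx"),  # dave is not on this ACL
]


def potential_access(acls, groups):
    """Expand each ACL into the set of users who could access the resource."""
    result = {}
    for resource, principals in acls.items():
        users = set()
        for principal in principals:
            # A principal that is not a known group is treated as a user.
            users |= groups.get(principal, {principal})
        result[resource] = users
    return result


def review(acls, groups, audit_log):
    """Compare potential access (ACLs) with actual access (audit trail)."""
    actual = defaultdict(set)
    for user, resource in audit_log:
        actual[resource].add(user)
    findings = {}
    for resource, allowed in potential_access(acls, groups).items():
        findings[resource] = {
            # Authorization skipped: everyone authenticated is let in.
            "broad_groups": sorted(acls[resource] & BROAD_GROUPS),
            # Permission held but never exercised in the audit window.
            "unused_access": sorted(allowed - actual[resource]),
            # Access seen in the audit trail that the ACL does not explain.
            "unexpected_access": sorted(actual[resource] - allowed),
        }
    return findings
```

Calling `review(ACLS, GROUP_MEMBERS, AUDIT_LOG)` returns one finding set per resource; unused access is a candidate for revocation, and unexpected access indicates a control that is not working as designed.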

The presentation we gave at ISSA showed how an automated data governance solution can be used to address these data protection levels. We’ll share some of the specifics in future posts.

Automating Data Governance on Virtualized Servers

We had a great opportunity last month to exhibit at VMworld in Las Vegas. It was a fantastic event, and we were able to talk to a lot of current and prospective Varonis customers about both Varonis and data governance issues in general. One of the questions we tended to get frequently was, “Why are you guys here?” More specifically, since Varonis wasn’t a virtual or cloud solution, folks were curious as to how we aligned with the rest of the exhibitors and attendees at a show like VMworld.

It’s a great question, and it allowed me to ask one in return: “Are any of the VMs you have file servers? What about SharePoint or Exchange servers?” While plenty of our customers rely on NAS for unstructured data, more and more are spinning up VMs to run Windows or Linux file servers or for SharePoint or Exchange. While all those servers benefit from being virtual, they still have many of the same data governance challenges: Who has access to the data? What are people doing with that access? And who doesn’t need access anymore? In addition, because virtual machines are relatively cheap and easy to create when needed, some of these problems tend to be exacerbated. When you can deploy VMs quickly, it can sometimes mean that governance controls are more difficult to verify, so an automated data governance solution can be even more critical in a highly virtualized environment.

It was great to meet everyone who stopped by the booth, and I’m already looking forward to next year.

New Video: Managing Data Like Money

In our new video, Managing Data Like Money, Jim O’Boyle, Senior Vice President of Worldwide Sales at Varonis, discusses how data assets need the same kind of governance as financial assets. Organizations must approach managing and protecting data with the same attention to detail and processes that they use to manage and protect their money.

“Access to data is not an IT decision, it’s a business decision.” –Jim O’Boyle

 

Automation: Getting the Most Out of Your Metadata … by David Gibson

One comment I received based on our recent post, Data Governance and Metadata, was, “Having metadata is critical, but it’s the automated analysis that I really use to figure things out. If I was just looking at hundreds of permissions reports or parsing an audit log on my own, I’d be lucky just to be able to find lost files and stray instances of the everyone group – there’s no way I could prioritize risk, spot unusual patterns, or identify data owners.”

Permissions, user & group information, access activity, and classification metadata all grow very quickly when gathered from busy file, Exchange, and SharePoint servers, so it’s easy to understand how automated analysis of metadata quickly becomes a must for good data governance. In honor of our reader, we’ve created a new web page, Solutions for Actionable Data Intelligence through Automation, which highlights some of the benefits that automated analysis provides, including:

  • Identifying which users have too much access
  • Spotting possible data abuse
  • Understanding access trends
  • How to revoke access control without lighting up the helpdesk phone lines