Archive for: June, 2012

Case Study: NBC Holdings

NBC Holdings (Pty) Ltd (NBC) is the first black-owned and managed employee benefits company in South Africa. Today NBC is a leading force in the South African employee benefits arena, providing a comprehensive range of employee benefits products and services to 120 registered pension and provident funds, representing the retirement fund savings of more than 350,000 members.

As a financial institution, NBC Holdings needs to closely monitor access to data. When data was moved or deleted it was difficult and time-consuming for the IT department to figure out who moved it, and where. In addition, there were some instances in which it was necessary to provide a record of email messages that were read, sent, or deleted and the IT department required an efficient way to produce this information. (Native Windows and Exchange auditing tools could not provide the granularity NBC required and on their own provided no actionable intelligence or activity analysis).

Further, they wanted to relieve the IT helpdesk of some manual access provisioning tasks, as these were very time-consuming, and the helpdesk often lacked context about the data to make accurate decisions about who should have access.  Even identifying who had access to a particular data-set had been inefficient and resource-intensive. NBC is now able to identify data owners and involve them in the authorization processes through automation.

Find out how Varonis® DatAdvantage® for Windows, Varonis® DatAdvantage® for Exchange and DataPrivilege® helped NBC with their auditing, permissions and data ownership challenges.

Click here to read the complete case study.


Varonis 2012 User Forums – Thank You!

To our user group attendees,

We’d like to thank our customers for joining us at our spring 2012 User Forums. Varonis held events in New York, Boston, London, Paris, Luxembourg, and Geneva to share product updates, roadmap plans, and most importantly, to hear from you. It was a real treat for us to get to spend time with you outside of the office at wonderful venues like the Tate Modern in London, Hôtel La Réserve in Geneva, and aboard the ship Excellence in Paris. So thank you.


The feedback we receive about our products and services is invaluable. Nothing teaches us more about what’s working and what’s not, and how we can better accomplish our mission: to make digital collaboration as effortless and secure as possible, so that people are free to work – to easily create and share content with others, and so that organizations can be confident that their human generated content is well protected and efficiently managed.

As always, we are grateful that you have chosen to do business with us. Thank you.

Yaki Faitelson,
CEO and Co-Founder

For more User Forums images, visit our Facebook page.

Data Classification Tips – Finding Legal Data

In our previous post, we introduced 4 regular expressions that help us locate credit card numbers.  Today, we’ve got a few more handy RegExes for your data classification library. This time we’re targeting legal data.

Find “All Rights Reserved” NOT near your company name

Regular expression:

\b(?!all rights reserved\W+(?:\w+\W+){1,10}?acme)all rights reserved\b

Use case: you want to find files within your organization that you do not own the rights to, and verify that they are being used in accordance with their license.

Find “attorney” near “client” near “privilege”

Regular expressions:


Use case: you want to find files that contain confidential information that should only be shared between an attorney and their client.

This should get you started, but remember, finding sensitive data is only the first step.  In the “All Rights Reserved” example, once you find these files you need to interview the people who are using them in order to figure out whether you’re compliant.  This can be quite a project if you don’t have an audit trail that can help you find the data owner.  In the attorney-client privilege example, the next step would be to ensure that only the right people had access to the data. How do you know who the right people are? Your best bet is to ask the data owner.

Hmm, I’m sensing a pattern here.


Dropbox Alternative: Are You Searching for One?

So were we. We wanted to sync with our existing file shares and NAS devices as easily as we could with storage in the cloud, but no one seemed to provide a solution that was just right— where we could use only our existing storage, authenticate with Active Directory, and keep our permissions intact. We decided that we’d build it ourselves.

New Case Study: Western Precooling

Western Precooling was founded in 1942. For nearly 70 years it has been the partner of choice for growers and shippers to get fresh, healthy produce from the field to their customers.

Western Precooling wanted to eliminate possible security concerns due to folders open to global access groups like “Everyone” and “Domain Users.”  These folders would be accessible to the entire organization, and since some of them might contain sensitive information, it was imperative to restrict access only to users who needed it. In addition, Western Precooling wanted to have a more detailed record of access activity.

Brian Paine, Director of IT, began looking for a solution that could clean-up excessive permissions and provide granular auditing capabilities. He considered bringing in a team of consultants, but was concerned that this approach wouldn’t allow him to maintain a secure environment after the clean-up process, and a team could not provide the auditing he needed. One of Brian’s concerns was the impact the clean-up process might have on business activity; he needed solution that could allow him to clean up permissions without affecting the daily operations of the company.

Since Western Precooling is preparing to move several applications and services to the cloud, it was necessary to have permissions in order prior to the migration; it would become a much more difficult problem to fix later on. It was also important to identify stale data so it could be archived instead of migrated. Finally, Brian needed a solution that could support their newly acquired NetApp NAS device.

Varonis DatAdvantage was the long term solution that Brian was looking for.  Varonis gives his team the ability to clean up permissions, audit access activity, identify stale data, and provide support for NetApp. Download the case study to read the complete story.


SharePoint Permissions Cheat Sheet

Complexity is dangerous in the security world.  The harder something is to understand, the harder it is to protect.  SharePoint falls squarely into this category.  Configuring permissions in SharePoint can be daunting, especially if you don’t understand the core concepts and terminology.  Unfortunately, managing access controls in SharePoint is often left end-users, not IT administrators, and that can spell disaster.

Learn more about permissions management with our free guide. 

This mini cheat sheet is designed to point out the various gotchas with SharePoint permissions so you don’t make the typical mistakes (now you’ll only make atypical mistakes).

  • SharePoint has “local” groups that can contain Active Directory Groups
    • For example, you can have a SharePoint permissions group called “Sales” which can contain Active Directory groups “Sales” and “Sales Engineering” and “Chess Team”
    • Unlike file shares where local groups are generally avoided, SharePoint specific groups are very common – this is makes it much harder to answer the question “Which human beings can access my data?”
  • There are more default permissions types than you can keep in your head at one time (33 in all):
    • 12 permissions types for Lists
    • 3 permissions types for Personal actions (e.g., views)
    • 18 permissions types for Sites
    • Each permissions type can be grouped into Permissions Levels.
      • For example, the default “Contribute” site permission level contains 8 of the 12 site permission types.
  • In addition to the built-in permissions types, admins can create custom levels
    • For a given site or list, a custom level might be applied, making it really hard to determine who can do what
    • A malicious admin could create a custom level called “Extremely Limited” (sounds innocent, no?) but grant that level permission to do everything
  • If you’re running a version of SharePoint prior to 2010, watch out for the “Authenticated Users” button
    • Before 2010, there was a button that let admins grant access to everyone who authenticated to the domain
    • The button was a common cure-all for frustrated admins trying to grant access to frustrated users

OK, now that I’ve primed you for the worst, I’m going to give you a link that should be your best friend.  Bookmark it, study it, and hope for the best:

Did you really think I’d leave you hanging here?

Varonis DatAdvantage for SharePoint abstracts away the complexity of SharePoint permissions.  You’re only ever a double click away from figuring out who has access to SharePoint document libraries, lists, sites, sub-sites, etc.

Don’t just take my word for it – try DatAdvantage free for 30 days.  At the very least, you can point Varonis at your existing sites and immediately lockdown data that is wide open.

Image credit: keenanpepper

Learn more about permissions management with our free guide.