A different sort of governance

Written By: Philip Howard
Published: 19th October, 2009
Content Copyright © 2009 Bloor. All Rights Reserved.

Varonis describes itself as providing data governance for unstructured and semi-structured data, by which it means controlling, monitoring and auditing access to spreadsheets, multimedia files, documents and so on. Now, I am not sure that I would describe that as governance. A part of governance certainly, but the role of governance is also about ensuring the quality of your data, which Varonis does not do. You can, of course, use spreadsheet management or content governance software for that purpose and it would be nice to see Varonis forming some partnerships in these areas.

However, all of that is putting the cart before the horse. The key point is what Varonis does do, rather than what it doesn’t—and what you call it doesn’t really matter either.

Briefly, what Varonis does is to collect metadata (on a continuous basis) about permissions, activity (every access by every user) and users and groups. From this it is able to identify not only who accesses the data but who owns it. This last point is currently a very hot topic in the blogosphere but if you think about it, at least for unstructured data, you can tell who actually owns the data (as opposed to who ought to own it) by looking at access patterns. In addition, you can discover whose access should probably be revoked, what data is stale (it is estimated that 70% of unstructured data is out-of-date within 3 months), which users are inactive and so on.

The key advantages of Varonis are that it increases productivity, since you don’t need to spend so much time managing permissions and access; it reduces risk, because by identifying who actually uses the data you can limit access to those people that really need it (most access lists are far too lax); it identifies non-accessed data that can be deleted or archived; and, by establishing data ownership, it can put more control into the hands of that owner. That these messages resonate with users is demonstrated by Varonis having more than 550 customers, even though many people will not have heard of the company.

So far, so good. But Varonis has just announced a new release, which adds a data classification option to its offering. Now, data classification means different things to different people. The definition in Wikipedia, for example, has nothing to do with what we are talking about. However, The Information Security Glossary has a more useful definition, as follows: “Data Classification is the conscious decision to assign a level of sensitivity to data as it is being created, amended, enhanced, stored, or transmitted. The classification of the data should then determine the extent to which the data needs to be controlled / secured and is also indicative of its value in terms of Business Assets.”

There are a number of data classification products on the market. However, it takes a long time to do the classification and that’s all they tend to do. Varonis, because it already understands the metadata, can classify data very much more quickly and you can prioritise based on how often the data is accessed, for example, or how critical it is. Furthermore, because you have the context of who owns the data, who accesses it, and so on, you are in a position to act immediately on any issues that may arise: something that you can’t do in a pure-play classification tool because you don’t know about users. Note that Varonis will work in conjunction with third-party classification products.

I said at the beginning of this article that I wouldn’t call Varonis a data governance solution per se, but it is certainly the best product I have seen for managing the security aspect of governance for unstructured data.
