Varonis Data Governance Suite

The core component of the Varonis Data Governance Suite (currently in version 5.9) consists of various DatAdvantage products for Windows, SharePoint, UNIX/Linux, Exchange, Directory Services (such as LDAP), and NAS. In addition, there are three further elements of the suite known as DataPrivilege, DatAlert and the IDU Classification Framework.

The key point about the Data Governance Suite is that it is about who can do what with the data. In most organisations, there is a lack of clarity about what data is sensitive or confidential and who has access to that information. It is often the case that many people have access rights to information that they don’t need or should not have, and it is also the case that, as people get promoted or change roles in the organisation, then their access rights follow them even though they no longer need access to the data that they previously did. According to research, approximately 70% of people have access to data that they don’t need. This poses a risk to the organisation from, for example, disgruntled employees or staff leaving to join competitors. Also, there is a compliance element to this issue if, for instance, credit card or social security numbers are embedded in textual data.

The Varonis Data Governance Suite allows you to identify sensitive and confidential information, to set and govern permissions and to monitor (and subsequently audit) access activity in real-time with, if necessary, the ability to raise alerts if abnormal activity is detected.

Varonis has a somewhat different approach from many other companies. Although the company has a large salesforce of its own, nearly all of its sales are through channel partners. In other words, the salesforce is there to support the company’s partners. Somewhat surprisingly, none of the company’s partners is listed on Varonis’ website so if you are interested in the company’s offerings you will either have to go Varonis directly—who will, no doubt, forward you to a relevant partner—or you will have to serendipitously run into one of these partners.

As of December 31, 2013, the company had approximately 2,400 customers. Its customer base spreads across a variety of industry sectors including financial services, public, healthcare, energy and utilities and many more. Notable accounts include Philip Morris International, Juniper Networks and many more.

To begin with, the Varonis Data Governance Suite allows you to see all the data that any particular individual or user group has access to. It also allows you to discover and define what information might be sensitive or confidential and for which you want to control access. It is, in effect, the marriage of these two sets of capabilities that provide the heart of the governance offered by Varonis, allowing you to explore not just what can be seen by whom but also who can see what. In other words, you can explore from the data to the people or vice versa. Moreover, this is not just about who has permission rights but also about who has been using those rights and how frequently. Thus, on the one hand, you can produce audit trails of usage, and, on the other, you can identify individuals who are not using their access rights.

Having visibility is one thing but you also want to be able control permissions, removing them where appropriate, and the Varonis suite allows you to do this also. The suite includes workflow capabilities so that appropriate procedures can be established and followed with regard to the revocation of access rights. This in itself is a formal part of the governance process.

All the relevant data about what is sensitive, who has permission rights and who is accessing what is captured and stored, in real-time, in the Varonis repository. Over time, this builds up a profile of each person’s activity with respect to the data that they are accessing, and Varonis software can monitor individual activity against these profiles with the result that alerts can be raised if unusual activity is detected.

Two additional particular points are noteworthy. The first is with respect to the IDU Classification Framework. The point here is that, going in cold, organisations will typically not know what sensitive data they have or where it is. Varonis software can you help you find out. However, it is more than that, because such data is likely to be all over the place and the IDU Classification Framework is designed to help you prioritise your remediation efforts on the places where risk is highest. The second point is that Varonis software offers a sandbox capability. When you are thinking about changing permissions on any sort of wide scale basis, this allows you to test what would happen before you actually commit to any changes: there can be unintended consequences when access rights are changed and it is wise to check for this in advance.

Varonis provides conventional training, consulting and support services. Some of Varonis’ partners also offer consulting services.