Jump to content
In May 2012, Varonis launched its first customer awards program – the Varonis Data Governance Awards. Entry has now closed, and we are delighted with the response we received and the outstanding strength of the different entries. We have reviewed the entries and selected our shortlist.
The judging panel is made up of independent industry experts and Varonis executives who will be meeting over the coming weeks to review the shortlist and decide the winners. We also want to give visitors to our website the opportunity to have their say by casting their vote for the entries they feel most deserve success.
Please review the following project summaries, and cast your vote using the form below. You will be able to rank your top 3 projects.
Select a finalist to read their summary:
Historically, Aimco used a predominantly paper based process to authorise access requests. However, this ‘old school’ format was cumbersome to administer, prone to delays and a drain on resources.
As a financial institution, Aimco also faces strict government legislation that it must adhere to. Using a paper trail to respond to audit requests was an ineffective and, at times, incomplete method.
Having taken the decision to move to a digital process, it identified DataPrivilege as the perfect tool for the job.
Today, when users need to be added to a group, they can use a self-service portal to request access to group resources directly, and the relevant manager involved in the authorisation process is emailed for approval. Having received and agreed the request, user access is automatically provisioned by asset managers - all at the click of a button.
It can use the information collected within Varonis to produce a variety reports, and perform various searches and scanning to answer all audit questions. In particular, Aimco can generate itemised lists covering any aspect of the process - from when a person made a request, how it was tracked, logged and where the change has been made to Active Directory. With DatAdvantage, Varonis can even be used to produce a report of all open events. This covers much, if not all, of the groundwork for Aimco to answer any requests auditors may make. As the reports are so detailed, Aimco has managed to drastically reduce follow on questions as a result.
An additional benefit from automating the process is eradicating the associated charges from a paper process – the paper itself and printing charges.
The final part of the project is to revoke user access rights. Every quarter, using DataPrivilege, reports are automatically generated and emailed to asset owners providing clear details of who currently forms part of the group. Using this information, redundant rights can be cleaned up and access revoked.
With a staff of 900 Alberta energy was finding it difficult to keep up-to-date with all of its finance, legal and human resources information. With the introduction of DatAdvantage the Department began to clean up the main drive they used, to ensure that permissions management on the most sensitive directory on the database – used by the Finance Department, Legal Department and Human Resources Department were dealt with properly and in accordance with Data Governance best practice. The IT team first cleaned out all permissions which were out of date. They minimised all permissions to those who were absolutely necessary so that all Departments had a clear idea of who was using their systems and who could access those systems. It was also useful to see what directories were actually being used and those which were not being used so that permissions could be more accurately targeted. Once this had been done the Ministry was able to move onto more operational uses of DatAdvantage.
Axa Wealth realised four years ago that it had a very complex network sharing system, with many Active Directory security groups, many people and accounts in those groups, and many folders that referred to them for permissions. The service desk was unable to fulfil frequent requests to determine which groups provided access to which folder and which folders were accessible by a given group without contacting another team for investigation. Axa Wealth also had no way of reporting who was accessing data on the file shares and therefore could not see what users were doing. The network security team often performed a lot of manual digging to answer these kinds of questions as best it could.
DatAdvantage came into its own when Axa Wealth decided to sell a part of its business to Friends Life. Axa Wealth used DatAdvantage to see not only what data both teams could have accessed (via permissions), but also what they had actually accessed, and make logical data separation decisions based upon permissions and activity history. They were also able to ensure compliance with separation of duties “closed book” requirements during the process, and prove that Friends Life staff had not accessed information which was barred to them. This was particularly useful during the separation period given the sensitivity of the business process.
In 2008 the Corporate and Investment Banking North America division of BNP Paribas had excessive permissions that were increasingly flagged by its internal audit teams as a potential issue. In the years since, by methodically implementing Varonis DatAdvantage and DataPrivilege into their current processes, they have not only significantly reduced risks around share access, but also implemented a self-service model that saves business and IT resource time.
The first phase implementing Varonis was to remove excessive permissions and in particular, revoke the ‘everyone’ group. DatAdvantage identified that the majority of cases, 95 % of directories that included ‘everyone’ was in addition to the people that really needed it. This made removal straightforward and pain free. As you’d expect with 40 shares, there were a few cases where users would miss their access. For these users, the request was forwarded to the business sponsor responsible for the data and once approved, their access was reinstated.
Today, when its internal audit team asks who has access to a particular drive; those that have embraced DataPrivilege and are au fait with using BNP Paribas self-service portal, via its intranet are able to answer the request in minutes. In fact, in most cases the auditors are actively asking to see the Varonis reports! Now, it is also expected that business sponsors will be able to proactively help themselves when files are moved or deleted to track them down and retrieve them.
BNP Paribas has deployed DatAdvantage to monitor all activity access. Rather than making a hasty decision, BNP Paribas allowed the tool to collect data for a number of months. Having done so, it has found that the detailed information produces accurate recommendations of where access rights across the organisation were unused and could be revoked.
We are currently working on identifying owners for the last 500 shares not currently owned in their environment. Two months into a planned 10 month project, remediation has taken place on 35% of shares, which not only included assigning owners but also decommissioning old unused shares.
CIBC had concerns relating to its unstructured data for a number of years. Not knowing who owned what data, and therefore not engaging these owners as part of the access approval process, which was actually conducted by an asset manager, was far from ideal. However, it was an internal audit in 2006 that catapulted the predicament to the top of the agenda. With 40,000 users, and in excess of a petabyte of growing data, the resolution needed more than a spreadsheet.
Using DatAdvantage, CIBC has been able to identify data owners for 95% of its data. These owners are now actively responsible for granting and revoking access to the files, making CIBC far more secure.
In 2011, over the course of five months, a number of training sessions were held via conference call. These sessions were attended by over 1000 people and each resulted in a spike of activity as data owners cleaned up excess access to their data.
In 2012, auditors have approached the business units and, as part of the audit, have asked owners to attest to their own data. This has been another drive to make people clean up their access.
The benefit to CIBC of knowing who owns data is immense:
Once Varonis was identified as the vendor and tool of choice, we were able to implement a global management infrastructure for all of our in-scope data silos within three months. With the infrastructure in place, we tackled the business drivers that led us to select Varonis:
As we began to align our actions to the milestones above, we created a sub‐project to accomplish the following:
As of today, more than 80% of all North American file shares have data owners assigned along with improved internal processes to leverage the Varonis Metadata Framework. We have also expanded the use of the DataPrivilege Entitlement Review workflows by 1000%. The pilot had 45 unique shares, and the Q2 2012 Entitlement Review cycle has more than 450 unique shares.
Fountain Tire had grown rapidly as a company but information technology systems had not been updated for a little while. The company had 100 users at its headquarters in Alberta approximately 40 of whom use the main Finance/Accounting file share. The main company systems held approximately 1.5 TB of data and were distributed across a very complex directory structure which had grown with the company. The Finance/Accounting file share was being used seven days a week with the need to service over 140 stores nationally. The finance system was becoming unwieldy so Fountain Tire decided that it would have to deploy DatAdvantage from Varonis to keep track of the living data on this system. By the time the company had made this decision there were over 87,000 folders on the system which needed to be managed.
It became clear that permissions had to be made more sophisticated particularly where information such as credit card numbers was available. DatAdvantage allowed the company visibility of what was happening within the finance file share. For example, if a folder was moved there it allowed them to see who had moved the folder. The audit function allowed them to work out who had moved it so they could follow-up with them to find out why.
The company was able to work out a new method of permissions management which meant that these requests went to the chief financial officer who then made decisions on them and then the permissions were allocated. This has ensured that data owners are held accountable for their actions and the company now knows who did those actions whereas it previously had no idea. Training of the data owners is an on-going process, however it has made a system which previously was too complex to handle, manageable.
This type of visibility ensures that the finance system is more secure. This policy is being rolled out to other people within the organisation and there is still work to be done on this roll out. One of the pluses of the new system has been the company has been able to protect its employees since all actions are now transparent and now no one can be accused of moving a file which they have not touched. DatAdvantage turned out to be a very useful piece of software for Fountain Tire.
DatAdvantage puts the power of data access into the hands of the people who know what the data strategy decisions are ahead of time. It has also enabled the store managers, distribution centre managers and regional office managers to share information with their employees. Fountain Tire was of the opinion that the distribution centres could not be managed without DatAdvantage being in place.
The company invested in a central infrastructure to standardize processing and review of access control list information across Active Directory, file servers and Sharepoint, to identify and remedy permission administration shortfalls, engage data owners more in the review of access to important company information, and increase opportunities for access control automation. It is a key component of the company’s strategy and operations around access control. The IT department leverages the metadata produced by this implementation, to drive quality and consistency in this important security domain as well as raise awareness with IT and business stakeholders for adjacent initiatives around access control.
Four years ago Société Générale in the US faced a major challenge. It had approximately 50tb of application and users shared (departmental) data. Users’ departmental data was being provisioned in an adhoc and inconsistent fashion. As a result, it was extremely difficult for IT to manage and subsequently secure the data. At that time the IT department held responsibility for all data management and user access.
In 2008, Varonis DatAdvantage was a fairly new product and the only one of its kind on the market. However, as it solved the bank’s main challenge of how to control and manage its data environment, Société Générale decided it was worth a chance.
The combination of DatAdvantage and DataPrivilege has allowed Société Générale to:
Western Precooling wanted to eliminate possible security concerns due to folders open to global access groups, like “everyone” and “domain users.” The team was looking for an efficient and effective way to identify potentially overexposed folders and lock them down without impacting business activity. In addition, the company needed to know what data users were accessing, but without a record of access activity this was a time-consuming and inefficient process. It was also difficult or impossible to determine if users had accessed sensitive information.
Western Precooling started looking for a solution that could clean-up excessive permissions and provide granular auditing capabilities. One of Western Precooling’s concerns was the impact the clean-up process might have on business activity; it needed a solution that could clean up permissions without affecting the daily operations of the company.
Varonis® DatAdvantage® automates access and permissions management on both NetApp devices and file servers, providing visibility into existing access controls, data access auditing, and recommendations for tightening up access and group membership.
With DatAdvantage®, Western Precooling has the ability to identify folders open to the “Everyone” group, and determine which of these folders are accessed the most, so they can prioritize accordingly.
DatAdvantage® simulation capabilities provide the ability to model, or sandbox, permissions and group membership changes before committing them to production. This is a key feature to clean up permissions without disrupting regular business processes. Within two hours the team was able to clean up permissions in 75% of home drives. DatAdvantage® also provides the ability to commit changes to production as well as rollback functionality. This allows Western Precooling’s IT Department, to incrementally clean up the permissions and closely monitor the response they get from production.
DatAdvantage’s complete audit trail provides the team the granular record of access activity when they need to know what data has been accessed by each user.
The automated analytics and execution capabilities within DatAdvantage® have allowed Western Precooling to ensure that permissions are both accurate and up to date, and that sensitive data is locked down, reducing worry about data being exposed to the entire organization.
For the price of the DatAdvantage® Suite versus the cost of Professional Services originally budgeted for the project, Western Precooling not only gained more value and functionality, but also saw a ROI in 6 months.