
Vote Now on the Finalists for the 2012 Varonis Data Governance Awards

In May 2012, Varonis launched its first customer awards program – the Varonis Data Governance Awards. Entry has now closed, and we are delighted with the response we received and the outstanding strength of the different entries. We have reviewed the entries and selected our shortlist.

The judging panel is made up of independent industry experts and Varonis executives who will be meeting over the coming weeks to review the shortlist and decide the winners. We also want to give visitors to our website the opportunity to have their say by casting their vote for the entries they feel most deserve success.

Please review the following project summaries, and cast your vote using the form below. You will be able to rank your top 3 projects.

Project Summaries

Select a finalist to read their summary:

Aimco

Historically, Aimco used a predominantly paper-based process to authorise access requests. However, this ‘old school’ format was cumbersome to administer, prone to delays and a drain on resources.

As a financial institution, Aimco also faces strict government legislation that it must adhere to. Using a paper trail to respond to audit requests was an ineffective and, at times, incomplete method.

Having taken the decision to move to a digital process, it identified DataPrivilege as the perfect tool for the job.

Today, when users need to be added to a group, they can use a self-service portal to request access to group resources directly, and the relevant manager involved in the authorisation process is emailed for approval. Having received and agreed the request, user access is automatically provisioned by asset managers - all at the click of a button.

It can use the information collected within Varonis to produce a variety of reports, and perform various searches and scans to answer all audit questions. In particular, Aimco can generate itemised lists covering any aspect of the process - from when a person made a request, to how it was tracked and logged, and where the change was made in Active Directory. With DatAdvantage, Varonis can even be used to produce a report of all open events. This covers much, if not all, of the groundwork for Aimco to answer any requests auditors may make. As the reports are so detailed, Aimco has managed to drastically reduce follow-on questions as a result.

An additional benefit from automating the process is eradicating the associated charges from a paper process – the paper itself and printing charges.

The final part of the project is to revoke user access rights. Every quarter, using DataPrivilege, reports are automatically generated and emailed to asset owners providing clear details of who currently forms part of the group. Using this information, redundant rights can be cleaned up and access revoked.

Alberta Government Ministry of Energy

With a staff of 900, Alberta Energy was finding it difficult to keep up to date with all of its finance, legal and human resources information. With the introduction of DatAdvantage, the Department began to clean up the main drive it used, to ensure that permissions management on the most sensitive directory on the database (used by the Finance Department, Legal Department and Human Resources Department) was dealt with properly and in accordance with Data Governance best practice. The IT team first cleaned out all permissions which were out of date. They reduced permissions to only those users for whom they were absolutely necessary, so that all Departments had a clear idea of who was using their systems and who could access those systems. It was also useful to see which directories were actually being used and which were not, so that permissions could be more accurately targeted. Once this had been done, the Ministry was able to move on to more operational uses of DatAdvantage.

Axa Wealth

Axa Wealth realised four years ago that it had a very complex network sharing system, with many Active Directory security groups, many people and accounts in those groups, and many folders that referred to them for permissions. The service desk was unable to fulfil frequent requests to determine which groups provided access to which folder and which folders were accessible by a given group without contacting another team for investigation. Axa Wealth also had no way of reporting who was accessing data on the file shares and therefore could not see what users were doing. The network security team often performed a lot of manual digging to answer these kinds of questions as best it could.

DatAdvantage came into its own when Axa Wealth decided to sell a part of its business to Friends Life. Axa Wealth used DatAdvantage to see not only what data both teams could have accessed (via permissions), but also what they had actually accessed, and make logical data separation decisions based upon permissions and activity history. They were also able to ensure compliance with separation of duties “closed book” requirements during the process, and prove that Friends Life staff had not accessed information which was barred to them. This was particularly useful during the separation period given the sensitivity of the business process.

BNP Paribas – Corporate and Investment Banking

In 2008 the Corporate and Investment Banking North America division of BNP Paribas had excessive permissions that were increasingly flagged by its internal audit teams as a potential issue. In the years since, by methodically implementing Varonis DatAdvantage and DataPrivilege into their current processes, they have not only significantly reduced risks around share access, but also implemented a self-service model that saves business and IT resource time.

The first phase of implementing Varonis was to remove excessive permissions and, in particular, revoke the ‘everyone’ group. DatAdvantage identified that in the majority of cases, 95% of directories that included ‘everyone’, the group was in addition to the people that really needed access. This made removal straightforward and pain free. As you’d expect with 40 shares, there were a few cases where users would miss their access. For these users, the request was forwarded to the business sponsor responsible for the data and, once approved, their access was reinstated.

Today, when its internal audit team asks who has access to a particular drive, those that have embraced DataPrivilege and are au fait with using the BNP Paribas self-service portal via its intranet are able to answer the request in minutes. In fact, in most cases the auditors are actively asking to see the Varonis reports! Now, it is also expected that business sponsors will be able to proactively help themselves when files are moved or deleted, tracking them down and retrieving them.

BNP Paribas has deployed DatAdvantage to monitor all activity access. Rather than making a hasty decision, BNP Paribas allowed the tool to collect data for a number of months. Having done so, it has found that the detailed information produces accurate recommendations of where access rights across the organisation were unused and could be revoked.

We are currently working on identifying owners for the last 500 shares not currently owned in their environment. Two months into a planned 10 month project, remediation has taken place on 35% of shares, which not only included assigning owners but also decommissioning old unused shares.

CIBC

CIBC had concerns relating to its unstructured data for a number of years. Not knowing who owned what data, and therefore not engaging these owners as part of the access approval process, which was actually conducted by an asset manager, was far from ideal. However, it was an internal audit in 2006 that catapulted the predicament to the top of the agenda. With 40,000 users, and in excess of a petabyte of growing data, the resolution needed more than a spreadsheet.

Using DatAdvantage, CIBC has been able to identify data owners for 95% of its data. These owners are now actively responsible for granting and revoking access to the files, making CIBC far more secure.

In 2011, over the course of five months, a number of training sessions were held via conference call. These sessions were attended by over 1000 people and each resulted in a spike of activity as data owners cleaned up excess access to their data.

In 2012, auditors have approached the business units and, as part of the audit, have asked owners to attest to their own data. This has been another drive to make people clean up their access.

The benefit to CIBC of knowing who owns data is immense:

  • The difference between a system where people gain access to data with no proper approval process and one with such a process is like night and day
  • It has found, and deleted, 2.33 TB of stale data for a savings of 25K in annual storage and backup costs
  • The service desk now only gets involved if there is an extenuating circumstance
  • Data owners can see who has access to their data, reducing permission creep
  • A huge percentage of users have lost access that they didn’t need or shouldn’t have had
  • CIBC is far more secure

CIT

Once Varonis was identified as the vendor and tool of choice, we were able to implement a global management infrastructure for all of our in-scope data silos within three months. With the infrastructure in place, we tackled the business drivers that led us to select Varonis:

  • Identify where customer information and other sensitive data is stored
  • Identify Data Owners of repositories
  • Automate Entitlement Review processes

As we began to align our actions to the milestones above, we created a sub‐project to accomplish the following:

  • Removal of nested Active Directory groups that were being used to grant permissions
  • Developed a standard model for share access within the enterprise and successfully completed all North American regions within a 3-month period. International expansion scheduled for Q4 2012.
  • Aligned all existing Data Owners for SOX-related and self-identified critical shares within the DA console.
  • Scanned the environment for PII elements and successfully closed a FED audit point.

As of today, more than 80% of all North American file shares have data owners assigned along with improved internal processes to leverage the Varonis Metadata Framework. We have also expanded the use of the DataPrivilege Entitlement Review workflows by 1000%. The pilot had 45 unique shares, and the Q2 2012 Entitlement Review cycle has more than 450 unique shares.

Fountain Tire, Ltd.

Fountain Tire had grown rapidly as a company but its information technology systems had not been updated for a little while. The company had 100 users at its headquarters in Alberta, approximately 40 of whom use the main Finance/Accounting file share. The main company systems held approximately 1.5 TB of data, distributed across a very complex directory structure which had grown with the company. The Finance/Accounting file share was being used seven days a week, with the need to service over 140 stores nationally. The finance system was becoming unwieldy, so Fountain Tire decided that it would have to deploy DatAdvantage from Varonis to keep track of the living data on this system. By the time the company had made this decision there were over 87,000 folders on the system which needed to be managed.

It became clear that permissions had to be made more sophisticated, particularly where information such as credit card numbers was available. DatAdvantage gave the company visibility of what was happening within the finance file share. For example, if a folder was moved, the audit function allowed them to see who had moved it so they could follow up with them to find out why.

The company was able to work out a new method of permissions management, under which these requests went to the chief financial officer, who made decisions on them, and the permissions were then allocated. This has ensured that data owners are held accountable for their actions, and the company now knows who performed those actions, whereas it previously had no idea. Training of the data owners is an ongoing process; however, it has made a system which previously was too complex to handle manageable.

This type of visibility ensures that the finance system is more secure. This policy is being rolled out to other people within the organisation and there is still work to be done on this roll out. One of the pluses of the new system has been that the company has been able to protect its employees, since all actions are now transparent and no one can be accused of moving a file which they have not touched. DatAdvantage turned out to be a very useful piece of software for Fountain Tire.

DatAdvantage puts the power of data access into the hands of the people who know what the data strategy decisions are ahead of time. It has also enabled the store managers, distribution centre managers and regional office managers to share information with their employees. Fountain Tire was of the opinion that the distribution centres could not be managed without DatAdvantage being in place.

PMI

The company invested in a central infrastructure to standardize processing and review of access control list information across Active Directory, file servers and SharePoint, to identify and remedy permission administration shortfalls, engage data owners more in the review of access to important company information, and increase opportunities for access control automation. It is a key component of the company’s strategy and operations around access control. The IT department leverages the metadata produced by this implementation to drive quality and consistency in this important security domain, as well as to raise awareness with IT and business stakeholders for adjacent initiatives around access control.

Société Générale

Four years ago Société Générale in the US faced a major challenge. It had approximately 50 TB of application and users’ shared (departmental) data. Users’ departmental data was being provisioned in an ad hoc and inconsistent fashion. As a result, it was extremely difficult for IT to manage and subsequently secure the data. At that time the IT department held responsibility for all data management and user access.

In 2008, Varonis DatAdvantage was a fairly new product and the only one of its kind on the market. However, as it solved the bank’s main challenge of how to control and manage its data environment, Société Générale decided it was worth a chance.

  • Société Générale US Team and Varonis worked together to develop DatAdvantage for mutual benefit. For Varonis, it received feedback that could be used to develop the product and introduce enhancements that aided implementation in the real world, while Société Générale were able to request and define the functionality it needed. The partnership ensured a smooth deployment.
  • Using DatAdvantage, Société Générale ran reports to determine who was actually touching data with the results confirming it was scattered in different folders and directories. Using this intelligence Société Générale created dedicated storage for each of its business units, explained what it was doing and why to the data owners, identified the impact any changes would have, and then moved the associated files with minimal if any disruption.
  • By introducing DataPrivilege, Société Générale could now go several levels down and allow users to protect their data. Instead of IT being responsible for access provisioning, the data owners were pivotal in the process and either granted or denied access requests. When a share was granted, it automatically created a group within Active Directory. This could then be used to generate regular entitlement reports allowing data owners to periodically revoke redundant access rights.

The combination of DatAdvantage and DataPrivilege has allowed Société Générale to:

  • Determine owners for 100% of its common data
  • Hand management of the data to the user
  • Data owners protect their own data
  • The security department can define and run its own reports, as necessary, to determine who did what with the data to reduce risk
  • Similarly, the audit team is also in charge of its reporting and auditing
  • The IT team is no longer using its time managing people’s data and can concentrate instead on managing the infrastructure

Western Precooling

Western Precooling wanted to eliminate possible security concerns due to folders open to global access groups, like “everyone” and “domain users.” The team was looking for an efficient and effective way to identify potentially overexposed folders and lock them down without impacting business activity. In addition, the company needed to know what data users were accessing, but without a record of access activity this was a time-consuming and inefficient process. It was also difficult or impossible to determine if users had accessed sensitive information.

Western Precooling started looking for a solution that could clean up excessive permissions and provide granular auditing capabilities. One of Western Precooling’s concerns was the impact the clean-up process might have on business activity; it needed a solution that could clean up permissions without affecting the daily operations of the company.

Varonis® DatAdvantage® automates access and permissions management on both NetApp devices and file servers, providing visibility into existing access controls, data access auditing, and recommendations for tightening up access and group membership.

With DatAdvantage®, Western Precooling has the ability to identify folders open to the “Everyone” group, and determine which of these folders are accessed the most, so they can prioritize accordingly.

DatAdvantage® simulation capabilities provide the ability to model, or sandbox, permissions and group membership changes before committing them to production. This is a key feature for cleaning up permissions without disrupting regular business processes. Within two hours the team was able to clean up permissions in 75% of home drives. DatAdvantage® also provides the ability to commit changes to production as well as rollback functionality. This allows Western Precooling’s IT Department to incrementally clean up the permissions and closely monitor the response they get from production.

DatAdvantage’s complete audit trail provides the team the granular record of access activity when they need to know what data has been accessed by each user.

The automated analytics and execution capabilities within DatAdvantage® have allowed Western Precooling to ensure that permissions are both accurate and up to date, and that sensitive data is locked down, reducing worry about data being exposed to the entire organization.

For the price of the DatAdvantage® Suite versus the cost of Professional Services originally budgeted for the project, Western Precooling not only gained more value and functionality, but also saw an ROI in 6 months.
