Customer Success Story: Juniper
"Varonis® DatAdvantage® gave us the visibility and recommendations to limit user-to-data access by business function and need. Now, my team is able to audit the use of any data set or group for our compliance initiatives."
- James Nelson, IT Security Manager, Juniper Networks
The Customer
Juniper Networks, Inc. is the leader in high-performance networking. Juniper's high-performance network infrastructure is the foundation for creating a responsive and trusted environment that meets the requirements of the most demanding service provider and enterprise businesses in the world. It helps service providers design, implement, manage and scale best-in-class solutions from core to edge of their Next Generation Networks (NGN), and gives enterprise environments advanced campus, data center and branch architectures, as well as extended architectures to support remote and mobile users. Among the company's installed base are the world's 40 largest service providers and 92 of the Fortune 100 companies.
Widely recognized as an innovator of business-critical technology, Juniper Networks has a highly collaborative culture in which business, marketing, and technology development groups share ideas and information freely. As part of that process, Juniper Networks naturally produces and presides over vast amounts of sensitive and proprietary information. It is up to Juniper's Information Technology (IT) team to ensure the free flow of information continues, and any risk of misuse is minimized or eliminated.
The Challenge
Juniper Networks believes that security is an integral requirement of every job function. As such, many groups within Juniper IT share responsibility for security policy creation, compliance, awareness and training. The challenge in managing unstructured data on file servers has been that different IT groups share a security charter, but not the means to control and administer this information. And, because access to information and ideas is such a driving force of innovation at Juniper Networks, well-intentioned IT and helpdesk groups must mitigate the risk of being overly permissive in granting employee access to file shares.
"What is required is a centralized view into, and control mechanism for, the contents of our Windows file shares," says James Nelson, IT security manager for Juniper Networks. "My group often creates and disseminates the security policies that govern access to file shares. A different group will define and enforce those policies within Active Directory and the file servers themselves. Initially, access to the file share is restricted to only the right people. As employee roles and privileges change over time, access can become more permissive. Access permissions to new information are granted, but the old ones can't be revoked without explicit instructions from the business unit. The result can be nearly wide open file shares, which is unacceptable from an internal policy and a compliance standpoint."
Evaluation Parameters
Juniper Networks identified about 10 terabytes of unstructured data that had to be closely monitored and controlled. Any system implemented had to be offline, and not in the data path, so there would be no performance impact on the redundant file server clusters where the data was stored. The data governance and management system would need to monitor data access patterns and types of use. It also had to include a mechanism to disseminate access permission changes directly to the file servers. Finally, since the responsibility for monitoring and administering access to these Windows file systems spans multiple groups, the solution had to support role-based administrative access so IT administrators with varying degrees of privilege could use the system for their needs (e.g., generate reports, remove permissions, monitor use).
"When we began our unstructured data management project we had two terabytes of data which quickly swelled to ten. When you are dealing with rapid rates of data growth and user role changes, the user-to-data mapping cannot be maintained manually," said Mr. Nelson. "You need to have an automated determination of which users need access to what data. That way, the company is assured that data entitlements are justified and never out of date. With that under control, you can focus on entitled users to make sure that there isn't an abuse of privileges."
The Solution
For access control and monitoring of its unstructured data, Juniper Networks deployed Varonis® DatAdvantage®.
"These file servers contained every type of data imaginable, from the inconsequential, to the highly regulated. There was human resources and even development information, yet permissions were not always commensurate with business importance," said Mr. Nelson.
"Varonis DatAdvantage gave us the visibility and recommendations to limit user-to-data access by business function and need. Now, my team is able to audit the use of any data set or group for our compliance initiatives. If we see any inconsistencies or red flags, we communicate them to the file server administrators, who can revoke permissions or triage the causes of anomalous behavior using DatAdvantage as well."
Continuous intra-group communication is key for Juniper's security-savvy IT staff. Varonis DatAdvantage brings together data permissions visibility, access control and use auditing in one central place of administration. Mr. Nelson notes that "with Varonis, our IT groups can coordinate smoothly to ensure proper use. A monitoring group can identify anomalous or overactive access, Windows engineers can in turn verify the use case and revoke permissions as needed, and my group has the audit record we require, all accomplished through the DatAdvantage UI."
Business Benefits
Business Driven Access Control
Juniper business policies require that access to sensitive data is granted to as few users as possible at all times. Varonis DatAdvantage automatically computes which users should have access to which data by conducting a thorough analysis of user activity and business needs. The analysis and learning are ongoing and constantly updated, and the result is that DatAdvantage is able to confidently recommend individuals who should have their access revoked based on lack of business need.
Data Protection
Juniper security practices mandate that user access to data be monitored so that misuse or improper conduct can be identified and dealt with quickly. Varonis DatAdvantage generates detailed statistics and a searchable log of every file touch, enabling Juniper IT administrators to rapidly identify excessive file opens, deletes or other such anomalous behaviors.
Auditing and Compliance
Juniper internal audit and compliance practices require detailed record keeping of all efforts to control and monitor access to sensitive and regulated information. With Varonis DatAdvantage, Juniper can generate reports that demonstrate this by data set of interest and for any time interval required. Showing a progression of unstructured data control and rightful access is a point-and-click activity within the DatAdvantage reporting capabilities.


