Getting the Most Out of Data Transport Engine

If you don’t need it, get rid of it. If it’s sensitive, make sure sure it’s in the right place, and only accessible to those who need it. Old files...
Brian Vecci
3 min read
Last updated June 9, 2023

If you don’t need it, get rid of it. If it’s sensitive, make sure sure it’s in the right place, and only accessible to those who need it. Old files are expensive and risky, which is why we have retention and disposition policies for what should happen to data that we don’t need anymore.

The Data Transport Engine (DTE) is a component of the Varonis Data Security Platform that lets you automate these kinds of policies at the file or folder level, so you can automatically move data to where it’s supposed to be.

 

How does it work?

DatAdvantage collects directory information (users and security groups from Active Directory and local accounts), file system permissions (access control lists, or ACLs), classification information on which files contain PII or other sensitive data, and a record of access activity by all users and service accounts. With all of this information, Varonis knows where your data is, who’s got access to it, which files might be sensitive, and exactly what’s being used (or not and by whom).

With DTE, you can create file and folder transportation rules based on this metadata, so DTE will move files from one location to another that match the rule. For example, you can automatically move files that haven’t been accessed (by a human being!) in more than seven years to meet your retention policy. You can also create rules based on content, so if someone puts something sensitive where it’s not supposed to be, like an open SharePoint site, a DTE rule could automatically put it some place safe.

What are some popular use cases?

Stale Data Cleanup

Setting up DTE to clean up old data is straightforward, and leaving stub files behind means that user can still have access to archived data if needed.

One customer had an interesting variation on this use case. They needed to archive a lot of data, but with one important exception: any financial records that met certain criteria couldn’t be moved or modified in any way because of a compliance issue. They used DTE to identify and move the special financial records to separate folders with a unique naming scheme. Then they created their automated retention policy with a clause to exclude those folders from the retention rule’s scope.

You can run stale data cleanup jobs manually with DTE or configure automated retention rules that constantly scan for data that is old enough to archive.

Data Classification Rules

Sensitive Data Migration

Your security policy might dictate where sensitive or regulated data should live (or where it shouldn’t) and who should have access to it (or who shouldn’t). Customer data with PII can’t live in folders open to everyone in the company, for example, or in personal drives. Since DTE rules can use the sensitive data scans from our Data Classification Framework (DCF), you can move sensitive files where they’re supposed to be.

One customer took this a step further and enhanced the DTE rule to modify the permissions of the files in transit. DTE rules can be set to modify permissions so the destination data is more secure than the source. In this case, the DTE rule was set so that once files get to the destination folder, file system permissions were overridden to inherit from the parent folder. This simplifies their security and helps make sure the right people have access once the data it moved.

What if someone drops a sensitive file somewhere by accident? Just like with stale data, you can set DTE rules that affect sensitive data to automatically quarantine them some place safe.

Classification Rules

Migrating Everything, Even Between Domains

Migrations and consolidations can be massive projects, like in the case with one large telecom customer we have who went from hundreds of individually-managed, remote Windows file servers down to just a few very large NAS devices. Instead of having to manually migrate each server to a NAS and then re-create all of the file system permissions in the destination domain, DTE managed the whole process automatically.

In this case, the movement rules were set up to re-permission the data at the destination NAS devices, too. This is important if your migration is between Active Directory domains, since if you don’t re-permission the data, no one will be able to access anything if the old domain goes away. DTE will re-create the groups in the new domain so you can automate that part of the process as well.

What should I do now?

Below are three ways you can continue your journey to reduce data risk at your company:

1

Schedule a demo with us to see Varonis in action. We'll personalize the session to your org's data security needs and answer any questions.

2

See a sample of our Data Risk Assessment and learn the risks that could be lingering in your environment. Varonis' DRA is completely free and offers a clear path to automated remediation.

3

Follow us on LinkedIn, YouTube, and X (Twitter) for bite-sized insights on all things data security, including DSPM, threat detection, AI security, and more.

Try Varonis free.

Get a detailed data risk report based on your company’s data.
Deploys in minutes.

Keep reading

Varonis tackles hundreds of use cases, making it the ultimate platform to stop data breaches and ensure compliance.

what-is-open-xdr?-benefits-and-security-comparisons
What is Open XDR? Benefits and Security Comparisons
Learn all about the new open XDR solution and whether it’s the right fit for your organization’s security needs.
watch:-varonis-reconnect!-empowering-data-owners-to-keep-risk-low
Watch: Varonis ReConnect! Empowering Data Owners to Keep Risk Low
How do you get the right people access to the data they need faster, and still free up IT to focus on other mission-critical work? Kilian and David walk through...
varonis-gets-lightning-fast-with-solr
Varonis Gets Lightning Fast with Solr
Any security practitioner that has had to perform forensic analysis on a cybersecurity incident likely describes the process as “searching for a needle in a stack of needles.” Even Tony...
update-62---saas-authentication-monitoring-evasion
Update 62 - SaaS Authentication Monitoring Evasion
Businesses know they need to monitor their SaaS apps, but it's easy to get lulled into a false sense of security if you're relying on authentication monitoring as your only line of defense.