If you don’t need it, get rid of it. If it’s sensitive, make sure it’s in the right place and only accessible to those who need it. Old files are expensive and risky, which is why we have retention and disposition policies that spell out what should happen to data we no longer need.
The Data Transport Engine (DTE) is a component of the Varonis Data Security Platform that lets you automate these kinds of policies at the file or folder level, so you can automatically move data to where it’s supposed to be.
How does it work?
DatAdvantage collects directory information (users and security groups from Active Directory and local accounts), file system permissions (access control lists, or ACLs), classification results showing which files contain PII or other sensitive data, and a record of access activity by every user and service account. With all of this, Varonis knows where your data is, who has access to it, which files might be sensitive, and exactly what is being used (and what isn’t), and by whom.
With DTE, you can create file and folder transportation rules based on this metadata, so DTE will move files that match the rule from one location to another. For example, you can automatically move files that haven’t been accessed in more than seven years to meet your retention policy, counting only access by a human being, not by backup jobs or other service accounts that touch every file. You can also create rules based on content, so if someone puts something sensitive where it’s not supposed to be, like an open SharePoint site, a DTE rule can automatically move it somewhere safe.
What are some popular use cases?
Stale Data Cleanup
Setting up DTE to clean up old data is straightforward, and leaving stub files behind in the original location means users can still reach archived data if they need it.
One customer had an interesting variation on this use case. They needed to archive a lot of data, but with one important exception: any financial records that met certain criteria couldn’t be moved or modified in any way because of a compliance issue. They used DTE to identify and move the special financial records to separate folders with a unique naming scheme. Then they created their automated retention policy with a clause to exclude those folders from the retention rule’s scope.
You can run stale data cleanup jobs manually with DTE or configure automated retention rules that constantly scan for data that is old enough to archive.
Sensitive Data Migration
Your security policy might dictate where sensitive or regulated data should live (or where it shouldn’t) and who should have access to it (or who shouldn’t). Customer data with PII can’t live in folders open to everyone in the company, for example, or in personal drives. Since DTE rules can use the sensitive data scans from our Data Classification Framework (DCF), you can move sensitive files where they’re supposed to be.
One customer took this a step further and enhanced the DTE rule to modify the permissions of the files in transit. DTE rules can be set to change permissions so the destination data is more secure than the source. In this case, the rule was set so that once files reached the destination folder, their file system permissions were overridden to inherit from the parent folder. This simplifies their security model and helps make sure the right people have access once the data is moved. It also means any explicit permissions on the source files are discarded, so the destination folder’s own ACL has to be correct before the rule runs.
What if someone drops a sensitive file somewhere by accident? Just as with stale data, you can set DTE rules that match sensitive data in the wrong location and automatically quarantine it somewhere safe.
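To make the rule logic in the stale-data and sensitive-data sections concrete, here is an added example in Python. It is my own illustration, not DTE’s code or configuration (neither appears on this page): it evaluates hypothetical transport rules over a constructed file inventory, with a quarantine rule for sensitive files sitting in open locations and a seven-year retention rule that judges staleness on human access only and excludes a held-out finance folder, as in the customer case above. The metadata fields, paths, dates, share names and rule names are all assumptions for illustration.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Optional, Tuple


@dataclass
class FileRecord:
    """Constructed metadata record; the fields mirror what the text says the
    platform collects (access activity, classification results, ACL openness)."""
    path: str
    last_human_access: Optional[date]  # None: no access by a person in the audit window
    last_any_access: date              # includes backup jobs and other service accounts
    sensitive: bool                    # classification scan found PII or similar
    open_to_everyone: bool             # ACL grants access to Everyone / all domain users


@dataclass
class MoveRule:
    """Hypothetical transport rule: move matching files to `destination`."""
    name: str
    destination: str
    stale_after: Optional[timedelta] = None   # move if no human access for this long
    sensitive_only: bool = False              # match only classified-sensitive files
    require_open_location: bool = False       # match only files in open locations
    excluded_prefixes: Tuple[str, ...] = ()   # folders carved out of the rule's scope

    def matches(self, f: FileRecord, today: date) -> bool:
        if any(f.path.startswith(p) for p in self.excluded_prefixes):
            return False
        if self.sensitive_only and not f.sensitive:
            return False
        if self.require_open_location and not f.open_to_everyone:
            return False
        if self.stale_after is not None:
            # Staleness is judged on human access only. A nightly backup or AV
            # scan touching the file (last_any_access) must not keep it "fresh".
            if f.last_human_access is not None and today - f.last_human_access < self.stale_after:
                return False
        return True


def plan_moves(files: List[FileRecord], rules: List[MoveRule], today: date) -> Dict[str, str]:
    """Map each file path to the destination of the first rule that matches it.
    Rule order matters: list quarantine rules before archive rules so a sensitive
    file sitting in an open share is quarantined, not archived."""
    plan: Dict[str, str] = {}
    for f in files:
        for rule in rules:
            if rule.matches(f, today):
                plan[f.path] = rule.destination
                break
    return plan


# Constructed sample inventory (paths, dates and shares are made up).
TODAY = date(2024, 6, 1)
SAMPLE_FILES = [
    FileRecord(r"\\fs01\share\old\report2012.docx", date(2013, 1, 15), date(2024, 5, 31), False, False),
    FileRecord(r"\\fs01\share\finance\FIN-HOLD\ledger2010.xlsx", date(2011, 3, 2), date(2011, 3, 2), True, False),
    FileRecord(r"\\fs01\public\customers.csv", date(2024, 5, 25), date(2024, 5, 25), True, True),
    FileRecord(r"\\fs01\share\active\plan.docx", date(2024, 5, 25), date(2024, 5, 25), False, False),
    FileRecord(r"\\fs01\share\svc\export.log", None, date(2024, 5, 31), False, False),
]

RULES = [
    MoveRule("quarantine-sensitive-in-open-share", r"\\fs01\quarantine",
             sensitive_only=True, require_open_location=True),
    MoveRule("archive-stale-7y", r"\\archive\stale",
             stale_after=timedelta(days=7 * 365),
             excluded_prefixes=(r"\\fs01\share\finance\FIN-HOLD",)),
]


def demo_plan() -> Dict[str, str]:
    return plan_moves(SAMPLE_FILES, RULES, TODAY)


if __name__ == "__main__":
    for path, dest in demo_plan().items():
        print(f"{path} -> {dest}")
```

Running it moves the 2012 report and the export log (never touched by a person, only by a service account) to the archive, quarantines the customer CSV from the public share, and leaves the held-out ledger and the actively used plan alone. The export log case is the one to watch in practice: if staleness were judged on any access, the daily job writing to it would keep it out of scope forever.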
Migrating Everything, Even Between Domains
Migrations and consolidations can be massive projects. One large telecom customer went from hundreds of individually managed, remote Windows file servers down to just a few very large NAS devices. Instead of manually migrating each server to a NAS and then re-creating all of the file system permissions in the destination domain, they let DTE manage the whole process automatically.
In this case, the movement rules were also set up to re-permission the data on the destination NAS devices. This matters if your migration is between Active Directory domains: the ACLs on copied data still reference security principals (SIDs) from the old domain, so if you don’t re-permission, no one will be able to access anything once the old domain goes away. DTE re-creates the groups in the new domain, so that part of the process can be automated as well.
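As an added illustration of the cross-domain re-permissioning problem (my own Python, not DTE’s implementation, which this page does not show), the following translates a folder’s ACL from an old domain to a new one: entries for the old domain are rewritten to the new domain, groups missing there are created in a simulated directory, well-known local principals are kept as-is, and orphaned SIDs that no longer resolve are reported rather than silently dropped. The domain names, group names, rights strings and the sample ACL are constructed for the example.

```python
from typing import List, Set, Tuple

ACE = Tuple[str, str]  # (principal, rights), e.g. ("OLDCORP\\Finance-RW", "Modify")

# Principals that exist identically on every Windows host; never domain-translated.
WELL_KNOWN_PREFIXES = ("BUILTIN\\", "NT AUTHORITY\\")


def translate_acl(acl: List[ACE], old_domain: str, new_domain: str,
                  new_domain_groups: Set[str], create_missing: bool = True):
    """Rewrite ACEs that reference old_domain principals to new_domain ones.

    new_domain_groups is the (simulated) directory of groups that already exist
    in the new domain; it is updated in place when a group is created.
    Returns (new_acl, created_groups, dropped_aces). Dropped entries are returned
    rather than discarded so they can be reviewed before the old domain is retired."""
    new_acl: List[ACE] = []
    created: List[str] = []
    dropped: List[ACE] = []
    for principal, rights in acl:
        if principal.startswith(WELL_KNOWN_PREFIXES):
            new_acl.append((principal, rights))
            continue
        if principal.startswith("S-1-5-"):
            # Unresolvable SID: an orphan from an account or domain that no longer
            # exists. Carrying it over grants nothing and only clutters the ACL.
            dropped.append((principal, rights))
            continue
        domain, _, name = principal.partition("\\")
        if domain.upper() != old_domain.upper():
            # Principal from some other (trusted) domain: leave it unchanged.
            new_acl.append((principal, rights))
            continue
        if name not in new_domain_groups:
            if not create_missing:
                dropped.append((principal, rights))
                continue
            new_domain_groups.add(name)   # "create" the group in the new domain
            created.append(name)
        new_acl.append((f"{new_domain}\\{name}", rights))
    return new_acl, created, dropped


# Constructed sample: one folder's ACL on a server in the old domain. The new
# domain, so far, has only the read-only group.
SAMPLE_ACL: List[ACE] = [
    ("OLDCORP\\Finance-RW", "Modify"),
    ("OLDCORP\\Finance-RO", "Read"),
    ("BUILTIN\\Administrators", "FullControl"),
    ("S-1-5-21-1111111111-2222222222-3333333333-1045", "Modify"),
]


def demo_translate():
    new_groups: Set[str] = {"Finance-RO"}
    return translate_acl(SAMPLE_ACL, "OLDCORP", "NEWCORP", new_groups)


if __name__ == "__main__":
    acl, created, dropped = demo_translate()
    print("new ACL:", acl)
    print("groups created in NEWCORP:", created)
    print("entries needing review:", dropped)
```

The returned `dropped` list is the part worth keeping in a migration report: an orphaned SID with Modify rights usually means a group was deleted without the ACL being cleaned up, and that is exactly the kind of entry you do not want to reproduce on the new NAS.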