Baillie Gifford

How Baillie Gifford met compliance regulations

PDF download

The Customer

Location(s): Edinburgh, Scotland and New York, New York

Industry: Financial

Products: DatAdvantage

Founded over 100 years ago, Baillie Gifford is an independent investment management firm based in Edinburgh, Scotland with offices in London, England and Manhattan, USA. With just under 700 staff, the firm manages more than £58 billion (US$87 billion) in active equity and bond portfolios for its clients in the UK and throughout the world, combining experience, enthusiasm and sound judgement.

This year, and for the fourth time in 20 years, Baillie Gifford Overseas Limited (a wholly owned subsidiary of Baillie Gifford & Co) received the Queen’s Award for Enterprise for its success in retaining and acquiring international clients.

DatAdvantage has enabled us to remove the risks associated with data permission changes within our IT environment. Employees with responsibility for sensitive and critical data now have confidence that there are no security exposures. As an organisation, we can prove to our regulators that our IT controls are stringent and that we are providing effective protection around our data.

– Colin Lennox, Technical Services Manager, Baillie Gifford

The Challenge

Baillie Gifford has been operating for over 100 years and since its inception over 20 years ago the Information Systems department has grown organically with the firm. However, increasingly it was discovering that network permissions set five years ago, let alone before that, were no longer valid. This raised concerns that problems may exist within its security controls.

Based on a Microsoft Windows operating system, its environment comprises 250 servers – a mixture of both physical and virtual, containing 30TB of data that continues to double year on year. Of these 250 servers, ten are identified as key file servers containing sensitive data that must be protected at all costs incorporating client information and share portfolios, HR records and financial accounts. A team of ten people, based in Edinburgh, are responsible for the day to day running, security and permission management of these servers and all its 700 employees across the organisation have access, albeit with different levels of permission.

With the security and integrity of its client information paramount, Baillie Gifford needed to ensure this critical data was secure, access to it limited and that its removal from the firm was correctly managed and maintained.

To do this it used various basic windows auditing solutions. However, these tools couldn’t provide the end-to-end insight that Baillie Gifford required, in conjunction the management effort required to produce accurate reports placed a heavy burden on the IT team. Colin Lennox, Baillie Gifford’s Technical Services Manager explains, “We needed a solution that could provide evidence that the network permissions we have are secure and correctly assigned, and that any potentially excessive permissions within the environment were not exposing vulnerabilities to our data.”

Evaluation Parameters

As an active project, Baillie Gifford knew it needed to improve the control, visibility and manageability of its critical data. Colin adds, “We wanted to revoke obsolete permissions and accurately consolidate access rights across the whole of our data structures. To do this, we needed to see who had access permissions but more importantly who was actually using it. We could then alter permissions more effectively and without revoking access to teams who continually required access to perform their roles.

In addition, Baillie Gifford had a strategy to give ownership of permission settings back to the key data managers within the firm. It sounds a simple thing, file system permissions, but as Colin explains, “To give non-technical people an easily understandable report with actionable highlights is actually quite difficult and time intensive to produce.”

The Solution

Baillie Gifford selected DatAdvantage since it was the only solution that addressed all their data access challenges, especially in terms of meeting and proving regulatory compliance. Not only is DatAdvantage easy to install and maintain, but its standard reports along with the user interface are easy to understand. As Colin adds, “DatAdvantage was the only solution that I believed covered all our requirements for data access and permissions auditing, plus the reports it produces even a layperson could quite easily pick up, interpret and action. Plus, the inbuilt ‘traffic light’ scheme clearly identifies excessive permissions and we quickly pinpointed areas that needed to be tightened.”

The security management improvements the solution provides to the organisation were evident during the evaluation period so the investment was easily justified and approved by Baillie Gifford’s internal risk committee. Working in partnership with Varonis Technical staff, the deployment of the system was trouble free and within a month DatAdvantage had been rolled out across the whole firm.

Weekly reports are created and sent electronically to the security officer, the internal IT department and more importantly those data managers responsible for the data classification in each area. In contrast to the previous complicated paper reports, DatAdvantage provides clear change control visibility with a graphical representation of changes highlighted on a week by week, month by month basis. Its simplicity allows the data managers to navigate through the permissions themselves, resolving any issues and regaining control. Everyone responsible for data protection now has confidence that is backed up with validation that the changes happening within the business are necessary and accurate – visibility that simply would not have been attainable previously.

Testament to its success, Baillie Gifford has started to roll out DatAdvantage to its Sharepoint servers. This is providing visibility to data that the IT department previously had no visibility or insight of. More importantly, DatAdvantage is exposing any risks and providing an opportunity to tighten security permissions further. Colin added, “Although this investment was driven primarily by risk management and not by cost savings, the fact that it is now so simple for those responsible to manage permission changes, I estimate DatAdvantage has saved the organisation hundreds of man hours since its introduction.”

Business Benefits

Detailed, yet understandable, access permission reports

Historically, Baillie Gifford would need to pull complex reports from each of its 250 servers – a confusing and labour intensive process. Today, DatAdvantage brings it all together under one central interface, simplifying the process and giving a holistic view. From an end-user perspective, the easily understandable reports provide relevant information to the key data managers, improving their understanding of who has and is actually accessing their data, and addressing any vulnerabilities posed.

Complete data governance

DatAdvantage has the ability to track historic changes and highlight when they’d taken place, effectively wrapping up the change control system and providing evidence to external and internal audit teams demonstrating regulatory compliance.

Minimal overhead and continued support

Since its deployment at the beginning of the year, Baillie Gifford has been impressed by how little management overhead has been needed. The solution is robust, has minimal impact on the live environment and operates without the need for patches, management and maintenance from its IT team. Colin concludes, “Varonis has established a partnership with us, providing assistance to our staff and ensuring we continue to get the most of DatAdvantage by utilising all its capabilities effectively. If only all of our software vendors provided such great support!”