Location: Boston, MA
Industry: Higher Education
Products: DatAdvantage for Windows
Boston University is a leading private research institution with two primary campuses in the heart of Boston and programs around the world. Boston University was looking for a data loss technology to protect various sensitive areas within its data centers.
Varonis offered a very strong combination of features and capabilities without having to go to multiple products and incur multiple licensing fees. And it does what I need it to do…helping us be even more effective in dealing with the challenge of data loss prevention.
As with any university or organization that has been around for a significant amount of time, Boston University has a very large, complex environment, rich with many different technologies. The university serves diverse users: staff who use predominantly Windows; faculty who use 50/50 Windows and Mac; students who use personal Mac and Windows PCs, mobile devices, and University-provided thin-client lab computers; and a multifaceted research community that is a combination of Windows and Mac, with a strong Unix and Linux user base, including BU’s own flavour of Linux. As with any organization, it faces the usual challenges of a continuous ebb and flow of people interacting with data.
Prior to settling on a data governance solution, Boston University was looking for a data loss technology to protect various sensitive areas within its data centers.
The first step taken was to see how others were handling the data loss prevention (DLP) challenge. Boston University began with industry research, consulting various experts and leading analysts including Gartner and Forrester, to see what others were saying about the DLP industry – trends, capabilities, and key participants. This process identified eight possible technologies, and the university started an RFI process with each company.
The field quickly halved – two failed to reply, others were ruled out on price, leaving just four solutions that, on the surface, seemed suitable. As the investigations started to delve deeper, one statement became a theme. Quinn Shamblin, Executive Director and Information Security Officer of Boston University, explains, “DLP, to me, is primarily concerned with ensuring that the right person has access to information while preventing the wrong person from doing so. In parallel it’s also to make sure that, if someone does have access, that they don’t do something silly with it. To do that I need to know two things – where my sensitive information is and who has access to it. All the DLP technologies that we looked at, with the exception of one, could only answer one of those questions. They could all tell me where it was but they couldn’t tell me who had access to it. That is only half of the answer; I need to know both or the information is almost irrelevant. Three out of four companies said ‘we can tell you where it is but if you want to know who has access to it you need to integrate with some other product – like Varonis.’ They specifically mentioned Varonis.”
With three ‘recommendations’ for Varonis, Quinn decided to see for himself what Varonis offered.
Traditional DLP vendors began by answering the question of what’s in the file and, discovering they also needed to answer the question of who has access, many integrated with Varonis. The reason Varonis did not come up during the initial investigations is that it does not ‘market’ itself as a data loss prevention technology – it approaches the challenge from the other end of the spectrum of ‘data governance’, answering the question of who has access and what they are doing with it.
Varonis DatAdvantage aggregates Active Directory user and group details, ACL information and all data access events – without requiring native OS auditing – which means Boston University can answer one element of DLP by building a complete picture of who can access data and who is actually accessing it. By monitoring these file touches, the system leads Quinn’s team to the rightful data owners, who can then be involved in making sure the right people have appropriate access and usage. Varonis’ Data Classification provides the other piece of the puzzle, the ability to accurately identify files that contain sensitive information, allowing IT to immediately identify folders with excessive permissions that contain quantities of sensitive data, for remediation.
Quinn outlines how DatAdvantage answers a problem that has plagued the university for many years, “Because of what it does, recording all permissions and file access events, it can answer the core question the audit groups are always asking – who has access to what. For example, say Bill Smith were to leave the university – we need to know what Bill has access to. Without a centralized solution, we had to work with each individual system administrator across all the different schools and departments across both campuses, getting them to manually review their systems to document Bill’s permissions. Varonis DatAdvantage does this for us with a canned report. That’s just one use and there are many other ways we hope it will revolutionize our processes. Varonis has value not just for my team but also the system administrators and auditors within the organization.”
This case study details the initial phase of this project, which has been done in partnership with Boston University’s internal IT support team and the IT team that supports its medical campus (BUMC). Today, DatAdvantage runs across the main file server, collecting intelligence and reporting findings, which are used to control access and prevent data loss within this unit. The university intends to roll the solution out to targeted groups across the rest of the campus in the coming months, focusing first on areas of highest risk – those possessing regulated or sensitive data. Starting to look at other servers inside of BUMC, Quinn adds, “We’ve got to the point where the first phase is up and running. We’ve got the experience of deploying it to a single system, of tuning it and setting it up and getting the file and access records being recorded. We can now demonstrate the product to others, showing what it is capable of doing for them, so we’re moving onto the next phase – to show how we think we’d like to offer the service. We’ll get input from other stakeholders to confirm that the model is correct and identify what needs to be refined, before posting it as a service in our internal catalogue and then rolling it out across the remainder of the campus.”
A second case study is planned in 2014 to catch up with BU’s endeavors. In summary, Quinn concludes, “Varonis offered a very strong combination of features and capabilities without having to go to multiple products and incur multiple licensing fees. And it does what I need it to do – answer both questions that are part of DLP, helping us be even more effective in dealing with the challenge of data loss prevention.”
Varonis offered a very strong combination of features and capabilities without having to go to multiple products and incur multiple licensing fees. And it does what I need it to do – answer both questions that are part of DLP (who has access to the data and what are they doing with it), helping us be even more effective in dealing with the challenge of data loss prevention.
DatAdvantage answers a problem that has plagued the university for many years – who has what access. Without a centralized solution, individual system administrators across all the different schools and departments across both campuses had to manually review their systems to document these permissions. Varonis DatAdvantage does this with a canned report.
The intelligence collected by DatAdvantage benefits not just the IT team, but also the system administrators and auditors across the campus.