Royal DSM N.V.

How DSM removed excess permissions, provisioned access, and achieved a least privilege model


The Customer

Location: Netherlands

Industry: Science

Products: DatAdvantage and DataPrivilege

Royal DSM N.V. (DSM) is a global Life and Material Sciences company based in the Netherlands. DSM strives to create innovative products and services that contribute to the quality of human life. DSM has been recognized the world over, earning numerous accolades including Fortune’s 10 Most Admired Companies, with innovations and breakthroughs that span furniture, pharmaceuticals, nutritional products, cosmetics, transportation and a myriad of consumer goods. Naturally, the company’s data is at the source of its leadership and competitive differentiation. With 23,000 employees generating information across 200-plus sites in 49 countries, ensuring that only the right people are accessing important data, and doing so in a consistent and timely fashion, is an extremely resource-intensive set of tasks.

By receiving regular reports on valuable data use activity, data stakeholders can investigate overly rigorous access or anomalous activity that might indicate misuse.

– Luc Dupuits, CSO of Royal DSM N.V.

The Challenge

Given the scale and footprint of this truly multinational enterprise, ensuring that only the right people access precisely the data they need for their jobs and projects, and do so in a consistent and timely fashion, is extremely resource-intensive, if not nearly impossible to achieve with high accuracy. DSM’s IT operations department cares for vast amounts of unstructured data, a higher percentage of which, compared with other types of organizations, is extremely valuable to the business. Considering how much intellectual property makes its way to file shares, it stands to reason that DSM considers it crucial to automate the processes that govern data use, authorizations and revocations.

Evaluation Parameters

DSM needed to ensure that access to company data is governed by the principle of least privilege, meaning that when it comes to the intellectual property of the company, only the right people have access to valuable information, and even then only for the time period that such access is required. The company wanted to implement a long-term unstructured data protection regimen that not only removes excess access but also identifies data business owners, so that in the near future entitlement management can be transitioned away from IT and placed with those persons who have context as to the business value of the data.

DSM generates a lot of valuable digital information, so the proposed data governance framework had to prove its scalability in order to guarantee that it will keep up with information volumes as they grow and change. Further, because the company has many locations and IT operations often provides services for remote organizations, the process of identifying business owners has to be automated. Finally, DSM management wanted to ensure that any investment in new technology would have a quick payback of less than 3 months. After lengthy and careful evaluation of possible solutions, DSM selected Varonis for company-wide unstructured data protection and control.

The Solution

DSM is deploying the entire Varonis product suite, DatAdvantage and DataPrivilege, to enforce business-need-driven access to digital intellectual property.

Business Benefits

Continuous Monitoring of Data Use

With so much intellectual property in its care, it is very important that DSM data stakeholders and those chartered with its safekeeping closely monitor access, even if the activity is by persons with warranted permissions to the data. By receiving regular reports on valuable data use activity, data stakeholders can investigate overly rigorous access or anomalous activity that might indicate misuse.

Removal of Excess Permissions

Permissions to data should be revoked once the business need for access concludes. This is a core principle of assigning access controls, and Varonis automates that process by recommending which persons should have their permissions to data revoked. DSM will use the recommendations as guidance for permissions assignment and removal so that the risk of data loss from overly permissive access is mitigated. IT operations staff or, alternatively, data business owners can review the Varonis recommendations and either accept or reject the action to revoke. If the revocation recommendation is accepted, then Varonis will automatically remove the permissions for the individual(s).

Intelligent Reporting

DSM will use the detailed Varonis reporting capabilities to keep IT personnel, data owners and compliance auditors up to date on not only how data is being used but also how access controls are applied and revoked over time. These reports will be generated as frequently as daily, if DSM so chooses, and sent on a pre-defined schedule. This will allow auditing not only of data use but also of security controls and entitlement management.

Data Owner Identification and Entitlement Management

With DatAdvantage, DSM will identify the names of the business owners for file share data and train those individuals in the use of the Varonis DataPrivilege application to easily manage requests and authorizations for access to that data. In fact, once the transition is complete, all DSM employees can use the DataPrivilege application to make requests for data on file servers. Varonis DataPrivilege, via its automated workflow capabilities, will inform data business owners of pending data access requests and provide the means to distribute and enforce the desired access policy (example: grant read-only access for 30 days).

Reduced IT Management Costs

As a multinational company, DSM maintains data stores at locations throughout the world. This means that data access control and entitlement management is very challenging and time-consuming. By centralizing all aspects of unstructured data protection and automating the workflow and enforcement of privileged access, DSM will save thousands in the short term and is poised to manage data growth and provisioning of protections without disrupting business flow.