Location: Heemskerk, the Netherlands
Gemeente Heemskerk is a town in the Netherlands, with a population of 39,000. The town’s local government, which works together with other local governments, totals approximately three hundred employees. The services provided by the local council are diverse, with various departments that rely on its IT infrastructure. Seven system engineers are tasked with keeping the organisation’s IT infrastructure functional and its data secure.
Heemskerk had two core problems. First, its NetApp storage system held approximately five terabytes of data, and was growing, but it did not have a way to identify files and folders that were stale or unused that could be archived. As a result, its only option was to increase its capacity, which is an expensive alternative.
Fred Kroone, Heemskerk’s network and systems engineer, outlines the second issue faced at the start of the project, “We were working with Microsoft Active Directory 2003 and had made the decision to upgrade to Microsoft Active Directory 2008. As you’d expect, we wanted to make the upgrade as easy as possible for all concerned. In order to do this, we needed a way to evaluate our existing users, groups and permission structures so that redundancies and errors could be remediated prior to migrating.”
During a workshop arranged by their trusted advisor, WeSecure, Fred compared Heemskerk’s existing software portfolio against new solutions. He remembers, “It became apparent that not only were the products we were using out of date, but that we would need to fuse three NetApp solutions to try and achieve our objective. By comparison, the results Varonis DatAdvantage could offer would dig much deeper with less effort. We didn’t need to look any further.”
WeSecure set up a standalone test server for Heemskerk and let it run for one month.
Varonis DatAdvantage combines user and group information taken directly from Heemskerk’s Active Directory with the permissions metadata on their file systems to deliver a complete picture of the organisation’s access control landscape. Using this intelligence, DatAdvantage can automatically highlight users and groups that are inactive, redundant, or unnecessary and highlight areas where permissions can be safely reduced. This allows Heemskerk to quickly troubleshoot problems, reduce risk, and answer questions about who can access data.
At the end of the trial period, WeSecure presented the findings generated by DatAdvantage to Heemskerk. Fred confirms, “In this session we were shown the detailed information that Varonis had collected about our environment and it was an easy decision. We couldn’t wait to get started.”
Having had Varonis DatAdvantage installed for just four months, Heemskerk could already quickly and easily identify data that was unused and could be archived or even deleted. Fred adds, “We use DatAdvantage to determine the people who own a lot of data so we can then speak to them about their requirements. Using the reports we can show them how much space they are using, including its cost correlation, plus how much of it is actually stale. Together we can then determine what can be archived and if there is a cheaper alternative than housing all their data on our expensive cluster.”
Heemskerk has scheduled about four reports that run each week to provide intelligence on its environment and help resolve issues quickly. For example, on several occasions Fred and his team have used Varonis to find data that’s been moved or deleted. Fred remembers, “We had one occasion where it turned out to be a system engineer that had moved something, and damaged some installation files. Not only were we able to get it sorted quickly, but we could also see what had happened and determine how to avoid it happening again.”
At the end of 2013 Heemskerk will start upgrading to Active Directory 2008 and the plan is to use DatAdvantage’s intelligence to determine the current status and identify changes that can be planned and implemented during the upgrade. Mark Vader, also a network and systems engineer for Heemskerk and the project leader for the migration of Microsoft Active Directory 2003 to Microsoft Active Directory 2008, adds, “We have a very fragmented file folder naming structure and we plan to address this during the upgrade. We couldn’t contemplate this without Varonis to show us our file folder structure, and help grant only the rightful users access to their files and newly named folders.”
Moving forward, Fred recognises that he has only scratched the surface with DatAdvantage as he concludes, “It has a lot of options, making it difficult to identify which element to tackle next, but that’s a positive. Eventually we hope to introduce Varonis DataPrivilege so that our users can actually manage permissions for themselves.”
Heemskerk can now quickly and easily identify stale data to archive or delete. Working with the data owners, it can also be determined if there is a cheaper alternative for housing infrequently used data.
Within minutes, rather than days, Heemskerk can spot and correct permissions issues within Active Directory and across the NetApp environment.
On one occasion a system engineer erroneously moved a file and damaged some installation files. Not only was Heemskerk able to resolve it quickly using DatAdvantage’s audit trail, but they were able to prevent it from happening again.