Location: Galway, Republic of Ireland
The Marine Institute is Ireland’s national agency responsible forMarine Research, Technology Development and Innovation (RTDI).The Institute was set up under the 1991 Marine Institute Act withthe following role: “To undertake, to co-ordinate, to promote andto assist in marine research and development and to provide suchservices related to research and development that, in the opinionof the Institute, will promote economic development and createemployment and protect the marine environment.”
To fulfil this objective it seeks to assess and realise the economic potential of Ireland’s 220 million acre marine resource; promote the sustainable development of marine industry through strategic funding programmes and essential scientific services; and safeguard the marine environment through research and environmental monitoring. Its daily activities are varied and diverse – from mapping Irish territorial waters – the largest civilian mapping project in the world,to assessing levels of marine life and even testing whether shellfish is safe to eat. The Marine Institute operates from three primary locations and laboratories -Galway (HQ), Dublin and Newport with additional offices at a number of fishingports around the coast.
There’s a lot more to DatAdvantage than just reporting. It gives me the ability to exercise control, and to make actions based on the reports, which exceeds our original requirements.
The primary objective for the Marine Institute is to ensure that users only have access to the data they are authorised to access and at the correct permission level. However, with a share infrastructure that has evolved over a number of years as the organisation grew this was easier said than done. Although it does not experience a particularly high turnover of employees, its workforce could be considered fluid, further complicating matters. The Marine Institute has 182 full time employees, plus varying levels of work experience interns and graduates along with visiting contractors using the facilities and moving between teams and projects.
Keith Manson, IT Systems and Operations Manager for the Marine Institute outlines the implications, “We have over 90 servers across the organisation, plus two high performance clusters – one 72 server cluster and a further 20 server cluster, so we have quite a strong reliance on ICT infrastructure. ’We needed to gain better control and improve tracking of share permissions. If we wanted to check the permissions on a particular folder we would generally check the security attributes within the share, however due to broken inheritance within the directory structure, subfolders may have contained different attributes. When possible we used security groups but, occasionally when up against other pressures, there would be instances of a user needing access to a folder buried deep within a particular share and we’d have to break inheritance to get over a short term requirement. It would be fair to say that, over a period of time, our security permissions had become disjointed and unwieldy which needed to be addressed.”
Having scoped out its requirements, the Marine Institute decided to introduce reporting software that could detail its file server permissions based on users,groups, level of access to folders, and/or inherited and un-inherited folders. It believed this would allow the ICT team to determine where potential permission issues lay with the plan to go through them manually and make the necessary changes. Moving forwards this would allow the Marine Institute to keep track of permissions, particularly for its securitised folders. The project began by researching the market to see what was available to best fulfil the technical and business requirements.
However this wasn’t as straightforward as Keith had first thought. He adds, “The original search was based on the ability to perform reporting – something that could narrate file system permissions, Active Directory groups and security reporting. Initially we identified quite a large list of possible solutions. However there wasn’t a single one that could do everything on our list. Many could meet between 50% and 75% of our requirements but each was missing various components. An option would have been to knit together three or four different products but that was far from ideal. Then we identified Varonis DatAdvantage. On face value it appeared to do everything on the wish list, plus offered additional useful functionality and therefore power in ensuring we could adhere to our security protocols.”
The Marine Institute began by installing DatAdvantage on a virtual machine and tested it on a couple of file servers outside of the live environment – reporting and simulating changes. Having proved its effectiveness, the solution was rolled out across the institute’s entire infrastructure. Today, DatAdvantage is helping the Marine Institute address the risks associated with its data permissions. Its detailed reporting easily proves that IT controls are stringent, and helps Keith and the ICT team to manage user permissions quickly and easily. By aggregating Active Directory user and group details, ACL (Access Control List) information and all data access events DatAdvantage easily determines who has access to a folder, which folders a user or group has access to, and helps identify excessive permissions.
This intelligence allows the Marine Institute to identify rightful data owners, who are then involved in the process,checking that the people who currently have file level permissions were the right personnel with the correct levels. Keith adds, “At the start of this project we were originally sourcing a reporting solution so we could determine where the issues lay with the plan to subsequently go through them manually. Using DatAdvantage I’m confident that we’ve done that as efficiently as possible.
In a few months we’ve completed the audit, made the necessary changes required and we’re now in a position to control access moving forwards. We have only the correct personnel authorised to access the data that they require and no other data. But there’s a lot more to DatAdvantage than just reporting. It gives me the ability to exercise control, and to make actions based on the reports, which exceeds our original requirements.
As data owners change over time, and that’s the nature of our sector which isn’t going to change anytime soon, it’s important to keep track of who the owners are and that’s where the software comes into its own – we can do that quickly and efficiently which was impossible previously. In addition, the audit trail functionality ensures that we can trace any user activity within a share”.
In a few months of using DatAdvantage, the institute’s ICT team has completed an audit of its existing permission structures, made the necessary changes to address excessive and redundant permissions and is now in a position to control access moving forwards.
The Marine Institute’s data owners regularly change overtime – that’s the nature of its sector which isn’t going to change anytime soon, so it’s important to keep track of who the owners are. By tracking file activity DatAdvantage helps identify data owners who are then involved in the process, checking that the people who currently have file level permissions are the right personnel with the correct levels.
DatAdvantage gives the institute the ability to exercise control, and to take actions based on the reports, giving it the power to ensure it adheres to its security protocols. This additional functionality exceeds the original remit.