Location: Boston, Massachusetts
Products: DatAdvantage, DataPrivilege, IDU Classification Framework
The MENTOR Network’s roots date back to 1980, when the organisation, then known as Massachusetts MENTOR, received its first contract to provide therapeutic foster care to children and adolescents. Since then it has evolved from a single residential programme provider serving juvenile offenders into a national, diversified network offering an array of quality, innovative services to adults and children with intellectual and developmental disabilities, brain and spinal cord injuries and other catastrophic injuries and illnesses, and to youth with emotional, behavioural and medically complex challenges as well as their families.
The Network operates in 38 states across the US and one of its most significant clients is the federal government – through Medicaid and Medicare. Since its founding it has never wavered from its goals of “Building Relationships. Enhancing Lives.” Tying The Network together is a well-defined set of policies, procedures and quality standards that create a level of support and consistency unavailable elsewhere.
The results were quite impressive – the solution was one of the most powerful we had seen in terms of the level of detail and control over the data that we could have.
The Network’s infrastructure is exceptionally complex. Five years ago it had just 4,000 users – today that number has grown to 7,500 users across 360 distributed offices – a mix of both large and small, all using Microsoft productivity tools and web based applications. It needed a way to manage the five terabytes of data being stored and accessed in its two data centres.
Shawn Fernandes, senior director for infrastructure and technology services for The MENTOR Network, explains, “We had a number of issues that we were looking to address – people changing roles within the organisation and the access clean-up or control required as a result. More importantly, when protected or sensitive data was moved out of a controlled directory, or even where there was a wider-audience directory, we needed to make sure that sensitive data could be controlled despite changes users might make, whether accidentally or not. We know that there are people who have permission to access sensitive consumer data, and we wanted to make sure that as roles changed and new access requests were received, we maintained the integrity of who was seeing what based upon their roles and privileges. What I wanted to introduce was the ability to audit who was accessing what, who was moving what and, conversely, what was moved by whom.” Like any organisation, The Network has data that is growing rapidly. In Shawn’s words, “Everyone is creating and very few are deleting.”
Prior to the Varonis deployment, Shawn’s team would run SQL queries to produce basic reports on its data, but struggled because it was difficult to structure the results. Shawn explains, “We got some strong recommendations from our partners about Varonis, so we had a look at what it could do. We started with some lab work, testing unstructured data that we’d created. The results were impressive – the solution was one of the most powerful we had seen in terms of the level of detail and control over the data that we could have. We spent three months in this phase before we went full blown with the project. The decision was a simple one and we went down the path pretty quickly.”
The Network chose Varonis DatAdvantage for Windows, Varonis DataPrivilege and the Varonis IDU Classification Framework. Using DatAdvantage, The Network can aggregate its Active Directory user and group details, ACL information and all data access events, without requiring native OS auditing, to build a complete picture of who can access data and who is actually accessing it, and to give data owners the information they need to decide whose access should be refined or revoked.
Combining it with the Varonis IDU Classification Framework gives The Network visibility into the content of its data, providing intelligence on where sensitive data resides across its file systems. Shawn adds, “Data classification is huge for us because it gives us the opportunity to assess what type of data we have out there and then make sure that, if it is sensitive, we have the appropriate controls around that data so it can only be accessed on an ‘as needs’ basis.”
The Network added DataPrivilege to the programme to automate data governance by providing a framework in which users and data owners are directly involved in the access review and authorisation workflows. Shawn describes the map he has been able to create with the Varonis suite, recording users’ access to data across the field, as ‘a big spider web of shares’. On a daily basis a user’s access requirements can change depending on which patients they are looking after or what programme they are part of.
Shawn explains, “The ability to clean up and then pass the access management to the users so they can administer it themselves with DataPrivilege, thereby removing IT from the equation, is massive for The Network.” Although The Network has not yet performed a full evaluation of the project’s ROI, in Minnesota alone it has had a huge impact, and that improvement is being replicated across the organisation. In Minnesota, data owners were identified and trained to administer access to their data, from the initial request all the way through to periodic access audits.
Following the introduction of DataPrivilege, the workload of the two IT staff who manage the shares for that state has decreased by 50%. Programme managers now handle access requests themselves through a self-service portal, making the process far more efficient.
The Varonis suite allows The Network to report on the access controls it has in place in response to SOX audits. It has also been able to tighten its permissions by analysing who has not accessed data, producing reports to that effect and alerting the relevant data owners so they can consider removing those users from the groups. Today, Shawn is focusing on the global groups (Everyone, Domain Users and the like) that appear on share ACLs, monitoring access through them and identifying who actually uses them, so that they can be replaced with restricted groups.
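The global-group clean-up described above can be scoped before any tooling is involved: enumerate the folders under a share root and list every explicit or inherited Allow ACE granted to a broad principal. The script below is an added example written for this page; it is not Varonis code and not a script from The MENTOR Network. The share root, the principal list and the `Test-GlobalPrincipal` helper are assumptions for illustration, and it must be run as an account that can read the ACLs in question.

```powershell
# Added example (not Varonis code, not The MENTOR Network's own script):
# find folders under a share root whose ACLs grant Allow rights to broad "global"
# principals such as Everyone, Domain Users or Authenticated Users, so that each
# grant can be replaced with a restricted group.
# Assumptions: the share root below is hypothetical; run under an account that can read ACLs.

param(
    [string]$Root = '\\fileserver01\shares',     # hypothetical share root
    [string[]]$GlobalPrincipals = @(
        'Everyone',
        'BUILTIN\Users',
        'NT AUTHORITY\Authenticated Users',
        '*\Domain Users'                         # wildcard matches any domain prefix
    )
)

# Returns $true when an ACE identity matches one of the broad principals above.
function Test-GlobalPrincipal {
    param([string]$Identity)
    foreach ($pattern in $GlobalPrincipals) {
        if ($Identity -like $pattern) { return $true }
    }
    return $false
}

# Include the root itself plus every subfolder; folders we cannot list are skipped.
$folders = @(Get-Item -LiteralPath $Root) +
           @(Get-ChildItem -LiteralPath $Root -Directory -Recurse -ErrorAction SilentlyContinue)

$findings = foreach ($folder in $folders) {
    try {
        $acl = Get-Acl -LiteralPath $folder.FullName
    } catch {
        Write-Warning "Cannot read ACL on $($folder.FullName): $_"
        continue
    }
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -eq 'Allow' -and
            (Test-GlobalPrincipal $ace.IdentityReference.Value)) {
            [pscustomobject]@{
                Path      = $folder.FullName
                Principal = $ace.IdentityReference.Value
                Rights    = $ace.FileSystemRights
                Inherited = $ace.IsInherited   # explicit (non-inherited) ACEs are where the grant was set
            }
        }
    }
}

# Explicit ACEs first: those are the entries to replace; inherited ones disappear with them.
$findings | Sort-Object Inherited, Path | Format-Table -AutoSize

# Remediation pattern (per finding): grant the same rights to a restricted AD group first,
# confirm the real users are members, then remove the broad ACE:
#   $acl = Get-Acl -LiteralPath $path
#   $acl.RemoveAccessRule($ace) | Out-Null
#   Set-Acl -LiteralPath $path -AclObject $acl
```

Run the report before and after each replacement rather than removing broad ACEs in bulk: an Everyone grant is often the only thing keeping a legitimate service account working, which is exactly the "who is actually accessing this" question the access monitoring is meant to answer first.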
Shawn concludes, “When you think that, in the last five years, the user base has doubled across the organisation, accessing a growing number of shares, the work would also have increased for my team. Today we actually receive far fewer panicked calls from data owners because someone has moved data out of a controlled share without realising the implications. Instead of looking for a needle in a haystack, we can now use DatAdvantage to quickly identify the data in question, and it helps us resolve those queries very quickly. It becomes a five-minute query and resolution. By addressing many of the challenges we were facing early enough, we’ve been able to prevent a big drain on IT resources and keep the same level of people providing a much better service to twice as many users.”
Assess the types of data The Network holds and make sure that, where it is sensitive, appropriate controls are in place so it can only be accessed on an ‘as needs’ basis.
On a daily basis The Network’s users’ access requirements can change depending on which consumers they are looking after or what programme they are part of. Passing control to the business, so that each data owner is individually responsible and can manage changes in the business themselves, is immense.
When The Network needs to provide reports on access, it can now easily fulfil those requests, both on the access controls it has in place and on compliance reporting against those controls.
By addressing many of the challenges The Network was facing early enough, it has been able to prevent a drain on IT resources and keep the same level of people providing a much better service to twice as many users.