varonis datadvantage for windows
Post on 14-Sep-2014
7.868 views
DESCRIPTION
Varonis® DatAdvantage® delivers the visibility and auditing you need to determine who can access your unstructured data, who is accessing it and who should have access. Continuously updated information drawn directly from your environment shows you the individual users and the groups they are part of, every folder on your file systems, and each data access - open, delete, rename, etc. - for every user.Click on a folder to see exactly who has access to it, what type of access they have - read, write, execute, etc., and where their permissions came from. Varonis DatAdvantage shows you detailed data access behavior and makes recommendations about whose access can be safely revoked.TRANSCRIPT
Unstructured Data Quantities – Present and Future
© 2008 Varonis Systems. Proprietary and confidential.
Unstructured and semi-structured data is exploding...
Source: Gartner Jan 2010
650% growth over the next 5 years
80% of all data is unstructured or semi-structured
Data Explosion – Are We Ready?
91%
lack processes for determining data
ownership
76% unable to determine
who can access unstructured data
© 2010 Varonis Systems. Proprietary and confidential.
Page 3
DataCollaboration
Cross-Functional Teams+ Security Requirements
More ContainersMore ACLs
More Management
Source: Ponemon Institute
Can IT answer: Who has access to this
folder? Which folders does this
user or group have access to?
Who has been accessing this folder?
Which data is sensitive? Who is the data owner? Where is my sensitive
data overexposed? How do I fix it? Where do I begin?
---------More---------
Varonis IDU Framework – Foundation for Data Governance
• Four types of metadata are collected, synthesized, processed, and presented:
Permissions information
User and Group Information
Access Activity
Sensitive Content Indicators
• Actionable data governance information is presented:
Who has access to a data set?
Who has been accessing it?
Which data is sensitive?
Who is the data owner?
Where is my sensitive data overexposed, and how do I fix it?
• Allows data owners to participate in data governance:
Automated Entitlement reviews
Authorization workflows
© 2010 Varonis Systems. Proprietary and confidential.
Page 4
Varonis Data Governance Framework Components
© 2010 Varonis Systems. Proprietary and confidential.
Retention/Storage
Analysis & Modeling
Aggregation & Normalization
File System Meta Data Collection
User Data Collection
Commit Changes to
File Systems and
Directory Services
DatAdvantage DataPrivilege
Windows File
Systems
UNIX/Linux
SharePointMS Active Directory
LDAP NISLocal
Accounts
Data Content Classification
The Varonis IDU Framework creates and manages a meta-data layer that enables IT and the business to work together to protect unstructured data
Presentation
NAS
Access Activity
IDUIDU
Future
FUTURE
• Metadata and folder location don’t reveal ownership
• Time consuming and manual process to find owners
• Significant amounts “orphan” data–unknown business context or relevance, wasted storage
Unstructured Data – Operational Challenges
© 2010 Varonis Systems. Proprietary and confidential.
• As employee needs change, authorizations grow & grow
• Permissions are seldom revoked
• Tools are mostly manual: time consuming and error prone
Ensuring authorizations are based on business need
Identifying data business owners
• Native auditing impairs server performance, generates large volumes of difficult to decipher data
• Audit trail often enabled only after incident has occurred
• Most lack any audit information
Understanding who accessed data & how
• Searching through so much data takes a lot of time
• Data constantly changes – hard to keep current
• Results provide only the first step in the data’s protection
Finding/classifying sensitive content
Risks, Controls & Regulations
• High Risk LevelsFile System data is at great risk for loss, theft, and misuse
Access configuration changes are untested
• File System Controls GapsMany access controls are “loose,” even broken
No audit trail exists
>50% of data has no known business owner
• Regulatory RequirementsHIPAA
CMS
Sarbanes Oxley
© 2010 Varonis Systems. Proprietary and confidential.
Page 8
Varonis Solution
• Technological BreakthroughAutomatically Identify and Remediate Access Control Gaps
Provide a Usable Audit Trail of Data Usage
Identify Data Owners, Inactive Data, Sensitive Content
Automate and Enforce Access Control Processes
• Efficient, Effective Risk Reduction
• IT Data Protection Jumpstart
• Proven Operational Execution>600 customers
All Verticals
© 2010 Varonis Systems. Proprietary and confidential.
Permissions - Bi-Directional Visibility
Double-click any folder…Double-click any folder…
© 2010 Varonis Systems. Proprietary and confidential.
Permissions - Bi-Directional Visibility
…to see all of the users and groups which have access
…to see all of the users and groups which have access
© 2010 Varonis Systems. Proprietary and confidential.
Permissions - Bi-Directional Visibility
Including users within nested groupsIncluding users within nested groups
© 2010 Varonis Systems. Proprietary and confidential.
Permissions - Bi-Directional Visibility
Double-click any user or group…Double-click any user or group…
© 2010 Varonis Systems. Proprietary and confidential.
Permissions - Bi-Directional Visibility
…and see every folder where that user or group has access
…and see every folder where that user or group has access
© 2010 Varonis Systems. Proprietary and confidential.
Permissions - Bi-Directional Visibility
Folder in green indicated some type of access, those in yellow do not
Folder in green indicated some type of access, those in yellow do not
© 2010 Varonis Systems. Proprietary and confidential.
Permissions - Bi-Directional Visibility
Also see explicit Windows permission levels and where they were inherited from
Also see explicit Windows permission levels and where they were inherited from
Audit Trail
© 2010 Varonis Systems. Proprietary and confidential.
Page 20
Complete audit trail of file eventsComplete audit trail of file events
Audit Trail
© 2010 Varonis Systems. Proprietary and confidential.
Page 21
Every open, create, move, modify and delete on the file system is recorded
Every open, create, move, modify and delete on the file system is recorded
Audit Trail
© 2010 Varonis Systems. Proprietary and confidential.
Page 22
Who accessed the fileWho accessed the file
Audit Trail
© 2010 Varonis Systems. Proprietary and confidential.
Page 23
When they did…When they did…
Audit Trail
© 2010 Varonis Systems. Proprietary and confidential.
Page 29
…to find exactly what you’re looking for…to find exactly what you’re looking for
Recommendations
© 2010 Varonis Systems. Proprietary and confidential.
Page 31
By combining permissions and audit data with sophisticated analysis, Varonis makes recommendations on where excess access can be removed
By combining permissions and audit data with sophisticated analysis, Varonis makes recommendations on where excess access can be removed
Recommendations
© 2010 Varonis Systems. Proprietary and confidential.
Page 32
List of users with red X’s next to their names can be removed from this group
List of users with red X’s next to their names can be removed from this group
Recommendations
© 2010 Varonis Systems. Proprietary and confidential.
Page 34
Double-click the red X…Double-click the red X…
Recommendations
© 2010 Varonis Systems. Proprietary and confidential.
Page 35
…and see the effects of making that change…and see the effects of making that change
Recommendations
© 2010 Varonis Systems. Proprietary and confidential.
Page 36
Varonis also makes recommendations by user
Varonis also makes recommendations by user
Simulate Changes
© 2010 Varonis Systems. Proprietary and confidential.
Page 38
With Varonis you can simulate permissions changes to your environment without affecting production
With Varonis you can simulate permissions changes to your environment without affecting production
Simulate Changes
© 2010 Varonis Systems. Proprietary and confidential.
Page 39
By removing the Everyone group from a folder, you can see what the results would have been
By removing the Everyone group from a folder, you can see what the results would have been
Simulate Changes
© 2010 Varonis Systems. Proprietary and confidential.
Page 40
These users would have been affected by the changeThese users would have been affected by the change
Simulate Changes
© 2010 Varonis Systems. Proprietary and confidential.
Page 41
They can be added back to the ACL to avoid any interruption of service while reducing unneeded access
They can be added back to the ACL to avoid any interruption of service while reducing unneeded access
© 2010 Varonis Systems. Proprietary and confidential.
Finding Data Owners
By analyzing audit activity, Varonis can help identify business data owners
By analyzing audit activity, Varonis can help identify business data owners
© 2010 Varonis Systems. Proprietary and confidential.
Finding Data Owners
Double-click a folder…Double-click a folder…
© 2010 Varonis Systems. Proprietary and confidential.
Finding Data Owners
View most active users…View most active users…
© 2010 Varonis Systems. Proprietary and confidential.
Finding Data Owners
The data owner is likely in this listThe data owner is likely in this list
© 2010 Varonis Systems. Proprietary and confidential.
Finding Data Owners
…or you’re one phone call away…or you’re one phone call away
© 2008 Varonis Systems. Proprietary and confidential.
Common Use Cases for Varonis
• Access Control Cleanup – Identify & Remediate:“Global” Groups -(everyone, authenticated users, etc)
Redundant, Excessive Group Memberships
Orphaned SID’s, Individual User SIDS on ACL’s
• Find Lost & Deleted Files
• Identify Anomalous Behavior
• Track Permissions & Group Changes
• Ongoing Entitlement Reviews
• Automate Access Authorization & Revocation
• Identify Inappropriate File Activity (mp3’s, etc.)
• Enhance Other Data Protection Projects
© 2008 Varonis Systems. Proprietary and confidential.
Common Use Cases for Varonis (cont’d)
• Efficient audit compliance - provide evidence of:
Effective permissions (preventive controls)
Usable audit trail (detective controls)
Authorization processes
Compliance with authorization processes
• SharePoint Migration
Stale Data Identification
Data Owner Identification