Varonis Prevents Unauthorized Access to Unstructured Data

Published: July 31, 2007

by Alex Woodie

You have probably witnessed the problem: terabytes of unstructured data, in the form of Excel spreadsheets, Word documents, PDFs, and image files, piling up on Windows servers, IFS servers, and file shares. Microsoft made it easy to store and share these files, but it failed to create an automated method for controlling access to these files. That's not good when the files contain sensitive data like social security numbers. So Varonis developed a product that gives employees access only to the data they need to do their jobs.

According to the IT analyst firm IDC, unstructured data accounts for up to 90 percent of all the data stored by corporations. If the data had been stored using a relational database system, it would be a relatively simple matter to lock it down. But the simple fact is the vast majority of new data being created lives in an unstructured format.

"It's a big pervasive problem," says Johnnie Konstantas, vice president of marketing for Varonis, a New York City software company that last week launched a new version of its flagship product, DatAdvantage version 3.0. "Enterprises do a pretty good job controlling and protecting database data. But the data sitting on Windows file servers and file shares, access to it is not tightly controlled."

The issue has to do with scale and approach. Windows and Active Directory do provide the capability to restrict access to directories and files for users and groups of users. But the technology is not nearly as granular as it should be, and it basically requires administrators to manually set permissions for each user or group of users. That just doesn't cut it in enterprise environments with constantly changing workforces and unregulated growth of unstructured data.

But the problem isn't restricted to Windows-only shops. Among System i shops--which also tend to be heavy users of Windows servers--there is no automated way to manage access to the Windows files stored on their Integrated File System (IFS) environment. Instead, administrators must lock down each individual directory or file with read, write, and use attributes. With more and more data finding its way onto System i shops' IFS servers, the problem of protecting unstructured data is only getting worse.

"Say I join a new company," Konstantas says. "The IT workers get a work order that says 'Please assign Johnnie with access to the folder with all the marketing data.' If I move to sales, there's a new work order. If I stay with a company long enough, I'll pretty much have access to everything."

The situation is exacerbated by the never-ending growth of data. "Considering that data grows exponentially, and users move around so much, it's impossible for a human being to keep up with and assign them permission and keep them timely," Konstantas says. "People get access to all kinds of stuff that's not needed for their jobs."

Varonis developed DatAdvantage to put an end to this cycle by allowing users to access only the files on Windows servers and shared folders that they need to do their job. The product does this by monitoring file usage and "learning" which files particular users need to do their job. If a user tries to access a file that DatAdvantage has determined is not necessary for his job, it will prevent him from accessing the file.

DatAdvantagekeeps track of all user-initiated file access events, and provides the administrator with a color-coded log.

The software, which runs on Windows servers and only works with Windows file servers and file shares, uses a sophisticated algorithm to determine who gets access to what. "We are able to mathematically derive a relationship between you and the data you need to do your job," Konstantas says. "The net result is you significantly lower the probability of data misuse." The learning process normally takes about 30 days, after which the organization can put DatAdvantage into full protective mode. The product also includes a sandbox mode to test the effects of the data lock-down.

Data leakage can occur almost anywhere, even in organizations that (try to) keep their most sensitive data locked down in databases. Take for example the common practice of downloading information from a relational database into an Excel spreadsheet, where it is readily manipulated by workers who have developed extensive skills in Excel. Even though the manager or executive is a trusted individual who is authorized to view salary or healthcare information, the security of that data is lowered considerably when it is moved to an Excel spreadsheet. In some cases, such use could be a violation of new federal data handling laws.

While only a small percentage of a people in an organization use their permissions in a malicious way, the fact remains that it only takes one malicious event to ruin it for the rest of the company. When you consider that the majority of incidents of malicious hacking are perpetrated by individuals from within the organization that got hacked (as opposed to hackers gaining access over the Internet), the importance of locking down access to unstructured data is magnified.

DatAdvantage continuously monitors access techniques and updates its user-file relationships, and also takes measures to protect the organization against disgruntled users. "We make sure data is protected where it lives, on file shares first," Konstantas says. "But just because you give them permission [doesn't mean they won't become disgruntled]. So we continually audit and monitor every file touch. The administrator will know if you're showing an anomalous activity pattern." Varonis claims the product is 99.999 percent accurate, and in the rare case when the product wrongly blocks a user from accessing data they need, it's a fairly simple matter to restore access, Konstantas says.

The advanced search window in DatAdvantage 3.0 gives administrators access to new filtering and sorting mechanisms to spot possible data leakage.

With DatAdvantage version 3.0, Varonis has boosted the product's search, scalability, and reporting capabilities. In terms of search, the new version delivers a more granular record of user access activity, and includes filters for finding file access trends by the individual, by data sets, by action, by time of day, or by IP address. Scalability has been increased by tripling the number of file servers that individual "probes" can gather event access data on, up to 75 servers per probe, or about 10 to 20 TB per probe. ("This thing can really scale," Konstantas says.) Varonis also added a new dashboard reporting feature that shows every file server's data utilization statistics in graphical and table formats.

Since it was formed by Yaki Faitelson (the president and CEO) and Ohad Korkus (the CTO and vice president of R&D) nearly three years ago, Varonis has attracted about 65 customers and more than 200 installations, including Sharp Healthcare and the Museum of Modern Art. The company has 75 employees, and $13.5 million in venture funding.

DatAdvantage version 3.0 is available now through Varonis' partner network. The software requires SQL Server standard or enterprise edition. Pricing starts at $25,000 for a license for one to 250 users. For more information, visit www.varonis.com.

                     Post this story to del.icio.us
               Post this story to Digg
    Post this story to Slashdot