We just finished an evaluation of Varonis DatAdvantage for Windows and DatAdvantage for SharePoint. I’ve been interested in this product for a few years since seeing a presentation. We finally got it into the budget this year. Amazingly, we were able to hold on to the budgeted amount this late in the fiscal year.
Back when I was a Windows System Administrator, I would frequently need to do several things, either as part of housekeeping or because the users needed it.
1. HR would request a quarterly review of permissions on their Windows file server directories. This always took a while because I would first need to get the Windows security groups, then look up the members of the group, then jigger it into something readable in Excel. Very tedious manual process.
2. I would want to figure out if a security group was being used for any access on the file server.
3. I would want to create a report showing where an individual had access on the file server.
4. I would want to know where permissions were not set correctly. Did inheritance not get set? Is the Everyone group in use?
5. I wanted to review all access on the file server. I quickly found the only review I could easily do was to look where someone might have transferred departments and still had access to the old department's data.
To relieve the manual tedium, I started creating a SQL database and, after much massaging of data, I would import the file permissions from two file servers, the list of domain users, local users from each file server, domain security groups and local security groups. I set up queries, and after much work I would have the ability to do a lot of the review of data access.
A new web developer, eager to please and not yet jaded, took this on as a project and the whole thing was automated. Dumpsec would create the files, they would be imported to the database and a website was created where you could browse directory permissions. It was nice. As with many internal development projects, over time the website was neglected and began to show its age. The original developer left the company and all that was left was compiled code without the source. I wanted to expand the features but no developers were available. So we began looking for a replacement.
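The kind of review database described above can be sketched as follows. This is an added example, not the author's original database and not Varonis code; the table layout, the `\\fs1` paths, the user and group names and the sample rows are all constructed assumptions.

```python
import sqlite3

# Constructed sample data (hypothetical names) standing in for a permissions export.
MEMBERS = [  # (group, member); a member may itself be a group
    ("HR-Staff", "alice"), ("HR-Managers", "bob"), ("HR-Staff", "HR-Managers"),
    ("Finance", "carol"), ("Finance", "alice"), ("Legacy-Proj", "dave"),
]
ACES = [  # (path, trustee, rights)
    (r"\\fs1\HR", "HR-Staff", "Modify"),
    (r"\\fs1\HR\Reviews", "HR-Managers", "Full"),
    (r"\\fs1\Finance", "Finance", "Modify"),
    (r"\\fs1\Public", "Everyone", "Full"),
]

def load():
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE member(grp TEXT, member TEXT)")
    db.execute("CREATE TABLE ace(path TEXT, trustee TEXT, rights TEXT)")
    db.executemany("INSERT INTO member VALUES (?, ?)", MEMBERS)
    db.executemany("INSERT INTO ace VALUES (?, ?, ?)", ACES)
    return db

def access_for(db, user):
    """Where one individual has access, and through which trustee."""
    # Recursive CTE walks nested groups; UNION de-duplicates, so membership loops end.
    return db.execute("""
        WITH RECURSIVE ids(name) AS (
            SELECT ? UNION SELECT 'Everyone'
            UNION
            SELECT m.grp FROM member m JOIN ids ON m.member = ids.name)
        SELECT a.path, a.trustee, a.rights
        FROM ace a JOIN ids ON a.trustee = ids.name ORDER BY a.path""", (user,)).fetchall()

def unused_groups(db):
    """Groups that grant nothing, directly or by nesting in a group on an ACL."""
    return [r[0] for r in db.execute("""
        WITH RECURSIVE used(name) AS (
            SELECT trustee FROM ace
            UNION
            SELECT m.member FROM member m JOIN used ON m.grp = used.name)
        SELECT DISTINCT grp FROM member
        WHERE grp NOT IN (SELECT name FROM used) ORDER BY grp""")]

def open_to_everyone(db):
    """Paths where the Everyone group appears on the ACL."""
    return [r[0] for r in db.execute(
        "SELECT path FROM ace WHERE trustee = 'Everyone' ORDER BY path")]

if __name__ == "__main__":
    db = load()
    for user in ("alice", "bob"):
        print(user, access_for(db, user))
    print("unused:", unused_groups(db), "everyone:", open_to_everyone(db))
```

In the sample data, alice belongs to both HR-Staff and Finance, so her report surfaces the transferred-department case from item 5.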
Varonis meets most of our original goals. It also does a lot more.
Varonis provides data governance for both our Windows file server and SharePoint (we did not evaluate their Unix file share product or the Exchange product). It answers questions such as:
1. What happened to my files? (They were moved to xyz by you, presumably after an accidental drag and drop.)
2. How can we watch for unusual file activity patterns?
We do get asked occasionally to watch a specific individual's access behavior. We couldn’t do it before this product. Varonis also creates a baseline of normal behavior and alerts on behavior outside that norm.
3. Who is using these files?
4. Where is my sensitive data overexposed? (This assumes you have a way to identify sensitive data, such as data labeling or looking for Social Security Numbers.)
File auditing in Windows is rarely done because of the performance burden on the server and the difficulty in using the results. Varonis uses a file shim and a database to make reporting much easier.
SharePoint democratized permission management by allowing team site owners to add people to their sites. That created a wild west of permissions that was out of control. That has been reined in by Varonis.
I’m still new in my usage of the product, but so far I am still excited about it. We’ve replaced an internal application that was showing its age and we now have data governance capabilities that we did not have before. I would recommend people check it out to manage their unstructured data.