This article can also be found in the Premium Editorial Download "Information Security magazine: Security Readers' Choice Awards 2008."
Price: $22,000 for up to 250 Active Directory users
Dealing with the growing challenge of unstructured data and its governance has been a struggle since the earliest use of file servers. Described as a large set of unorganized files and information, unstructured data presents a large security risk to companies of all sizes. Varonis DatAdvantage addresses this universal problem, giving IT departments the ability to analyze, manage, and secure all forms of unstructured data.
Setup was fast and straightforward. All of the components can run from a single server, and for most environments, that will suffice. The analytics server requires IIS and MSSQL 2000. The system can be deployed either in a virtual machine or as physical hardware--either way, the system requires dual 2GHz or better processors, and 2GB of memory.
DatAdvantage sends probes to enumerate data that will be returned to the analytics engine. The probes are basically software components that go out to each file system and AD tree and collect pertinent data. This requires that you configure DatAdvantage with accounts that have a high level of permission to each resource.
The analytics server is responsible for compiling information from Active Directory (AD) and the file systems. It correlates file system objects, access control lists (file system permissions), and the users or groups. This information is stored in the database and displayed in the management tool.
Once the analytics server and probes are configured, DatAdvantage will begin analyzing file systems and their ACLs. In addition, it will begin collecting information on data usage patterns, and tracking the integrity of each file system object, such as files and folders. Management of the system is handled through a console that can be installed on a PC or on the server itself. Although it is modeled with an Outlook 2003 look and feel, working inside of the management software can get pretty tricky, especially when chasing very specific data. Newer features allow you to hide certain panes within the interface, allowing a cleaner look and feel.
DatAdvantage has the unique ability to make recommendations on changes to permissions based on usage patterns and group memberships. Thus, you'll want to run it first in evaluation mode, so it can record how data is being accessed across each file system. The longer you allow it to collect and analyze data, the more accurate the recommendations.
Walking through the suggested changes, we were able to see which users or groups probably don't need access to specific resources. For example, Mary in Finance probably doesn't need access to the Legal folder. Because these types of changes can drastically affect users' abilities to do their jobs, you can apply them in a sandbox first to test their impact.
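The idea in the two paragraphs above, comparing who is granted access through group membership with who was actually seen using it, can be sketched as follows. This is an added example, not Varonis code, and it does not reproduce DatAdvantage's analytics; the group names, paths, events and the 30-day minimum window are constructed assumptions.

```python
from collections import defaultdict

# Constructed sample data; none of it comes from the review or the product.
GROUP_MEMBERS = {
    "Finance": {"mary", "raj"},
    "Legal": {"lee", "ana"},
    "Contractors": {"tom"},
}
FOLDER_ACL = {  # folder -> groups granted access on its ACL
    r"\\fs01\Finance": {"Finance"},
    r"\\fs01\Legal": {"Legal", "Finance"},
    r"\\fs01\Archive": {"Contractors", "Legal"},
}
ACCESS_LOG = [  # (user, folder) events seen during the evaluation period
    ("mary", r"\\fs01\Finance"), ("raj", r"\\fs01\Finance"),
    ("raj", r"\\fs01\Legal"), ("lee", r"\\fs01\Legal"),
    ("ana", r"\\fs01\Legal"), ("lee", r"\\fs01\Archive"),
    ("ana", r"\\fs01\Archive"),
]

def recommend(acl, members, log, days_observed, min_days=30):
    """Return (group ACL entries nobody used, idle users in groups that are used)."""
    # Assumption: refuse to recommend from a short window, since sparse
    # usage data would flag access that is only needed occasionally.
    if days_observed < min_days:
        raise ValueError("evaluation window too short for recommendations")
    used = defaultdict(set)  # folder -> users observed accessing it
    for user, folder in log:
        used[folder].add(user)
    drop_group, review_user = [], []
    for folder, groups in sorted(acl.items()):
        # A group is active on a folder if at least one member touched it.
        active = {g for g in groups if members.get(g, set()) & used[folder]}
        drop_group += [(folder, g) for g in sorted(groups - active)]
        # Members of active groups who never touched the folder themselves.
        idle = set().union(*(members[g] for g in active)) - used[folder]
        for user in sorted(idle):
            via = sorted(g for g in active if user in members[g])
            review_user.append((user, folder, via))
    return drop_group, review_user

if __name__ == "__main__":
    drop, review = recommend(FOLDER_ACL, GROUP_MEMBERS, ACCESS_LOG, days_observed=45)
    for folder, group in drop:
        print(f"remove group {group} from ACL of {folder}")
    for user, folder, via in review:
        print(f"review {user}: no access to {folder} observed (granted via {via})")
```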
One issue with being able to make permission changes through multiple interfaces is tracking and auditing them. Varonis facilitates this by including features such as product history, change monitoring, and history timelines. Product history allows you to review changes and commands issued within DatAdvantage. Change monitoring tracks file system events and constantly checks and rechecks permissions, comparing each pass with the one before it.
DatAdvantage solves a number of challenges to managing standing file system objects. One very interesting feature is the ability to determine data ownership based on access frequency. Identifying what data belongs to whom is otherwise nearly impossible if the ACLs don't directly indicate it. Because DatAdvantage goes beyond the ACL, it can also perform usage auditing. This is different from change recommendation and ownership because it allows you to detect anomalies as users break their normal access patterns, perhaps spending too much time browsing where they shouldn't.
Arguably the most important tool is data integrity monitoring, watching for actions such as the deletion or modification of files and folders. Although you cannot control what the users can do through this tool, you can use the detailed logging to find very specific activities. Ultimately, the combination of DatAdvantage tools will give you both a truly global and granular view of all monitored systems.
Testing methodology: Our lab included a single Active Directory domain with users and groups for access assignment. The volume on the file server used for testing contained live data from a production environment.
This was first published in April 2008