
Getting On SOX Compliance In Tough Times


By Johnnie Konstantas, Vice President of Marketing, Varonis Systems

I. Obstacles to achieving compliance in 2009
Most industry experts agree that the events of the last year will lead to more and stricter regulations. This is particularly bad news for resource strapped IT departments who are already challenged to meet current requirements. Most businesses find that the annual effort for SOX compliance drains resources and is highly disruptive to operations. Now, with budgets and headcounts tightening, IT departments don’t have the time or the people to devote to what they know is really required to meet SOX and other regulatory mandates: drafting and implementing sustainable GRC processes.

The good news is that necessity often begets invention, and technologies are now available to help organizations automate some of the more labor-intensive processes of GRC. Implementing them early in the year is a move that can help GRC practitioners get through this annual audit cycle, despite diminished resources, and make subsequent audits easier and more efficient.

II. How data governance can help organizations with compliance initiatives
Governance, Risk Management and Compliance (GRC) is a broad-reaching initiative that organizations of all types are planning or have already started. GRC efforts aim at putting in place the processes, technologies and behaviors that ensure the proper security, handling and management of digital assets in all of their forms and locations. This cannot be accomplished overnight, but it is important to get started now because data stores are growing exponentially and, with them, the risk of data loss and misuse. As guidelines for getting started, understanding what data you have and which part of it is key to the business are important first steps. Identifying the business owners of data is also imperative because doing so begins a vital collaboration between IT and the business. This communication and cooperation will ensure that any further data protection efforts are properly vetted. The following is a more detailed discussion on steps and technologies that can help individuals and organizations get started with GRC.

Guidelines
Inventory All Data Assets
The natural place to get started with GRC is to identify all of the places where data or digital assets are stored. This includes online and offline storage, databases and endpoint devices. In cases where organizations are particularly large and distributed, locating the largest data aggregation points is key, as is generating an audit of how much and what types of data are stored there, who has access, and what the access entitlements and privileges of data users are. Doing this allows GRC strategists to define the scope of the challenge and work. It also takes care of a very time-consuming first step, establishing the business materiality of the data. While it is important to create as comprehensive an inventory as possible, those organizations just getting started with GRC will want to consider that over 80% of enterprise data takes an unstructured form (i.e. documents, spreadsheets, web pages, image and media files) and typically 25-35% of this is security and compliance intensive (Source: IDC, The Exploding Digital Universe). So, an inventory of NAS and SAN storage as well as file system contents is a logical starting point.

Identify Data Business Owners
Business owners have the most context for the data, its value and sensitivity. Knowing who the data business owners are can save hundreds of hours from storage clean-up projects, data migrations, access control revocations, and even domain consolidations. Basically, giving administrators the means to collaborate with the business on these projects increases their accuracy and expediency. And, doing this as part of the first steps for GRC planning will also ensure smooth future communication for the purposes of defining data protection and preservation policies.

Link IT and the Business Units
Currently, IT operations and personnel – not business data owners – are almost singlehandedly responsible for managing where data resides and for the security policies, access controls and monitoring facilities that are in place. Consequently, data entitlement and access authorization is managed by people with no context for the data or its business materiality. In fact, most decisions about data are the burden of technical staff as opposed to the business units. Any plan for GRC must aim at establishing a broad organization-wide management framework for data such that business owners manage access decisions, and IT operations remains responsible for maximizing its availability. And, in those functional areas where responsibilities overlap, a properly functioning GRC environment enables, even enforces, collaboration among all data stakeholders.

Delete Unwanted Data
GRC projects are challenging in part because of the sheer volume of data they are meant to address. It stands to reason then that the focus should be that data which is valuable, sensitive, and business material. For most organizations, deleting stale and orphan data, as well as that data which falls outside the scope of GRC (music files, personal photos, etc.) will increase the efficiency and expediency of any project to consolidate and manage digital assets. The key to doing this accurately is to ensure that the data to be deleted from company storage is not preservation worthy. This requires some intelligence about data use and access activity, data ownership, and data business materiality.

Remove Excess Access
Establishing an ongoing process and system for ensuring that access to data is always warranted is central to a GRC implementation. But, while the GRC rollout is in the planning stages, data remains at risk from access controls that are overly permissive and dated. This risk increases during difficult economic times when data breaches and mishandling spike. Organizations can make a big dent in risk reduction by removing rules and policies that allow large groups of users to access shared data unfettered. For example, in Windows Active Directory environments, these are access controls that allow “everyone” or “domain users” to access directories and files. Often these overly lax controls are in place because of file system defaults that are assigned when a new data folder is created on a file share. Removing these controls and replacing them with more restrictive ones that limit access to only the groups that require it (e.g., the finance group to the finance folder) will significantly reduce the risk of data loss and misuse, at least as far as unstructured data (the most voluminous in any organization) is concerned.

III. Implementing GRC Now Saves More Than Risk – It Saves Real Money
In a down economy, the key operational tasks that must be performed daily don’t change, only perhaps the amount of available resources to complete them. Typically, people don’t think of the solution to tough economic times as instituting GRC, but if doing so can reduce operational overhead, then that is precisely the answer to “how can I meet my compliance directives with fewer people?” Right now, as part of their daily deliverables, IT operations personnel must:

1. Audit data use and access activity
2. Generate a review or attestation of who can get to what critical data
3. Migrate data (old data to storage, sensitive data to Content Management Systems, key data to NAS, etc.)

Each of these tasks takes days or weeks, or in some cases months, depending on how much data there is to reconcile. In some cases, the timeline for completion must be accelerated to meet a compliance-reporting deadline (e.g., an attestation of privileges). In those instances, resources are pulled from other tasks and projects to help with the completion of the compliance effort. The result is a hurriedly pulled together report, and disruption in business flow for the resource-deprived areas. Enter GRC processes and technologies. Generating a review of data entitlements and privileges, also known as an attestation, can be automated with market-available software.
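Two of the items above can be scripted directly by a file-server administrator: the entitlement review (task 2) and the “Remove Excess Access” check from section II, which calls out “everyone” and “domain users” entries on file shares. The PowerShell below is an added example written for this edit; it is not code from the article or from Varonis. It walks every folder under one share, records each Allow entry in the NTFS ACL together with whether it was inherited (the “how they were acquired” question), writes the full list to CSV as an attestation report, and then short-lists explicit entries that grant broad built-in groups write access. The share path, the report path and the scoped group name “Finance-RW” are assumed placeholders.

```powershell
# Added example, not from the article or from Varonis.
# Produces an entitlement (attestation) report for one share and flags
# broad-group access entries that are candidates for replacement.
param(
    [string]$SharePath  = '\\FILESERVER01\Finance',   # placeholder share, assumed
    [string]$ReportPath = '.\entitlement-report.csv'   # placeholder output path
)

# Groups the article names as overly permissive defaults, plus two equally
# broad built-ins. Matched on the account name after the domain/BUILTIN prefix.
$BroadIdentities = @('Everyone', 'Domain Users', 'Authenticated Users', 'Users')

function Get-EntitlementReport {
    param([string]$Root, [string[]]$Broad)

    # Include the share root itself, then every subfolder beneath it.
    $folders = @(Get-Item -LiteralPath $Root) +
               @(Get-ChildItem -LiteralPath $Root -Directory -Recurse -ErrorAction SilentlyContinue)

    foreach ($folder in $folders) {
        $acl = Get-Acl -LiteralPath $folder.FullName
        foreach ($ace in $acl.Access) {
            # Deny entries reduce access; only Allow entries are entitlements.
            if ($ace.AccessControlType -ne 'Allow') { continue }
            $name = ($ace.IdentityReference.Value -split '\\')[-1]
            [pscustomobject]@{
                Folder      = $folder.FullName
                Identity    = $ace.IdentityReference.Value
                Rights      = $ace.FileSystemRights.ToString()
                Inherited   = $ace.IsInherited
                BroadAccess = ($Broad -contains $name)
            }
        }
    }
}

$rows = Get-EntitlementReport -Root $SharePath -Broad $BroadIdentities

# Full report: who can reach which folder, with what rights, and whether the
# right came in by inheritance. This is the list sent to business owners for review.
$rows | Export-Csv -LiteralPath $ReportPath -NoTypeInformation

# Short-list for the "Remove Excess Access" step: explicit (non-inherited)
# entries that give a broad group Write or higher. Generic-rights bitmasks
# render as a plain number, so those are treated as broad too. Each of these
# is a candidate to replace with a scoped group such as 'Finance-RW' (assumed name).
$rows |
    Where-Object { $_.BroadAccess -and -not $_.Inherited -and
                   $_.Rights -match 'Write|Modify|FullControl|^-?\d+$' } |
    Sort-Object Folder |
    Format-Table Folder, Identity, Rights -AutoSize
```

Run it from a host that has read access to the share’s ACLs; it only reads permissions and never changes them, so the short-list can be reviewed with the folder’s business owner before any entry is replaced. Filtering on non-inherited entries keeps the list short, since fixing an explicit entry at the top of a tree clears the inherited copies beneath it.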

The software application stays abreast of changes in the user and data repositories, and provides entitlement reports on demand. The representative OpEx savings is on the order of 67% for organizations with a couple of terabytes of data.

Data use auditing is another must-do task that can be a huge resource drain. Businesses may need the audit for compliance reporting or to conduct forensics. In either case, combing through logs requires expert eyes and a lot of time in order to map the activity to an individual’s identity. At-will data use reporting is key to a GRC framework. Any analysis for risk reduction depends on this data being readily available. In the past, tools were limited by the native auditing capabilities of file systems, but this is no longer the case. Reports can now be generated within minutes if the right infrastructure is in place. The representative OpEx savings for automating data use auditing is a mind-boggling 90%.

Finally, there is data migration. Data administrators are constantly trying to identify which data is security and preservation intensive and which can be deleted or archived. At play is a balancing act between using available storage prudently and moving old or stale data to cheaper archives, all the while maintaining business-intensive data so that it is readily available to internal users. These migrations can be extremely time consuming and lengthy because they require sign-off from data business owners. To identify them, companies often use survey instruments and mass emailing campaigns. Business owner identification is at the heart of compliance and GRC efforts. These are the people who are ultimately responsible and accountable for digital asset use and protection. Who owns what data can now be computed programmatically, so owner identification needn’t be an impediment to a GRC rollout. And what is the cost savings from automating business owner identification? For companies with just one terabyte of data it means a 75%+ OpEx savings.


IV. What Varonis’ new product – DatAdvantage 4.0 – does to help companies achieve compliance
Varonis makes software that addresses all aspects of protection, management and auditing for unstructured data at rest. With Varonis, organizations can audit all data use, limit access, identify business owners and maintain data owner accountability for access policy enforcement.

Varonis software gives complete visibility to unstructured data as well as the permissions and access controls that are in place. The software installs easily and, within a couple of hours, data administrators can generate reports on who has access rights to what data, what those rights are and how they were acquired. Varonis also maintains detailed statistics on data access and use. A thorough analysis of these access activities and patterns reveals the list of persons who are the most rigorous and legitimate users of the data. Among these persons are typically the business owners, or people who can identify them. So, for any folder or data set, administrators can get a list of the likely business owners. This replaces company-wide emailing and surveying. Varonis reduces the amount of time required for business owner identification to just the time it takes to point at a folder and right click.

Perhaps most importantly, Varonis software programmatically links IT, data business owners, data users, auditors, and in fact any data stakeholder, by a process for managing data entitlements. Varonis brokers user requests to data and enforces the decisions of the authorizers. The rationale and actions taken on the data are all recorded and auditable in time. In fact, the software even automates the adherence to and enforcement of least privilege access, reminding data owners and IT which revocations are in queue for processing. With this, Varonis essentially automates compliance to what is a fundamental requirement of virtually all regulations (e.g., SOX, HIPAA, FISMA, GLBA): segregate job functions and access policies such that only the right users have access to the right data at all times.

V. Summary
The mandates for regulatory compliance don’t ease with economic recessions; in fact, the requirements become more stringent. This can pose huge challenges for shrinking or resource-strapped IT departments without mature processes for data Governance, Risk and Compliance (GRC) in place.

While it may seem counter-intuitive at first, now may be the best time to consider implementing automation in the form of newly available GRC technologies. These have emerged largely to help expedite the rollout of GRC frameworks and to increase the accuracy and efficacy of compliance efforts. The really good news here is that GRC automation technology also means huge cost savings for those savvy enough to maximize its use.

Johnnie Konstantas
Vice President of Marketing
Varonis Systems
Johnnie Konstantas has more than 16 years of experience in the network-security and telecommunications fields. As vice president of marketing for Varonis, Ms. Konstantas champions data governance for the company’s worldwide markets.



