Sramana Mitra: Let’s do some use cases where you can explain how certain customers are using your technology.
David Gibson: The day-to-day operational use cases are answering questions. Who is asking these questions? Often the business user is asking IT, “Who deleted my data?” Most organizations have the experience where they call up and IT says, “I can restore it for you, but I can’t tell you who deleted it or, if somebody moved it, where it has moved to.” This is the basic use case that concerns almost everybody.
One of the early stories involves an organization that did a lot of undersea photography for drilling. It costs a lot to ride a submarine and take all these images. Then the images were gone, and nobody knew what had happened. Stories like this happen all the time, and it is a fundamental use case to know what is going on with your assets.
From a big data analytics perspective, a lot of organizations lost track of who owns what data. When they look at data, they wonder if anybody is using it because they don’t have the audit trail, and they also don’t know who it belongs to, so they don’t even know who to ask. What we are able to do is align the business with the right owners. A lot of interesting things happen when they do that. First of all, they are surprised at who has access to their data, and then a level of consciousness starts to emerge, followed by a cleanup effort to go through and make sure the right people have access to this data, it is protected adequately and used effectively and according to policy.
One use case is entitlement review. Within entitlement review we see the activity of who is accessing data and we see who can access data. We put those together and we do a cluster analysis to make recommendations on which people shouldn’t have access anymore. What we found is that in a lot of organizations, as you are moving from job to job, you get more privileges. But the privileges you had in your most recent job are seldom revoked. We have one customer who uses this. They started looking at our recommendations and sharing this with the data owners. They are able to say, “Varonis has highlighted this person and this person is no longer with my team, so let’s take them out.” The way they made this transition is they had Varonis, they would get audited and they would get dinged, then our champion would go look at Varonis and say, “This person had a recommendation. So let’s split it and get the recommendation into the hands of data owners, so we can get ahead of these data audits.” We can take this example to a large bank with 40,000 users. They have empowered the owners with a self-service portal, so that at any time they can see who has access to their data and who shouldn’t. And they are on their own. In one month they made 8,000 revocations of access on their own. These are not IT people that I am talking about. The business now has the power to revoke access to their data, where before they couldn’t even see who had access to their data. They are even injecting intelligence into that process. Now the business is regularly revoking access to data on their own, whereas before access only grew.
SM: Obviously there is a governance angle, an audit and policies being enforced in that example. Is this an exception-driven process or a query-based process?
DG: How our technology works is that we collect a ton of metadata, and we collect it continually. We have a metadata store. In our framework we have a complete map of the infrastructure, including a bidirectional view of who has access to what data. We have a complete record of activity and we also map the content of interest. When you query, you can see the answers and we also give you exceptions. We can see, for example, when somebody doesn’t look like they should have access to something anymore and we can show you that exception. We also baseline everybody’s normal day-to-day activity and when they spike, we alert you. We can alert you when key items change, when somebody is added to a key group, when data is removed or missing, etc. There are all sorts of exceptions we can alert on, and there is the query component as well.