Varonis and Windows AD Security

Since we’re a CheckPoint partner, we’ve been looking closely at their data security and security management solutions for SOX compliance, both of which are supposedly going to be rolled up in their new VPN SecureRemote client and able to be pushed out via Group Policy.

So, there’s this huge push to make sure (a) stuff stays on NTFS drives (and doesn’t wander to FAT32 drives), or (b) someone doesn’t boot to a live CD and bypass NTFS permissions, but what happens within NTFS and Active Directory to make sense of the madness? I’ve done a lot with Active Directory, and every time The Big Cheese asks me who can access what, I cringe. Doing it within Windows can sometimes be quite a chore, and even when I use third-party tools such as AccessEnum to make that process less painful, it’s still sometimes a big chore. I can remember a couple of years ago having to nitpick NTFS permissions for a biomedical client of mine who was paranoid about unauthorized document changes on engineering specs and having to set up groups / users and then use all sorts of auditing tools to make sure that I (or another admin) didn’t give too many permissions to various users.

One solution to this scenario might be ‘data governance’ tools like Varonis. Using their solution, you can do lots of things that are a HUGE pain in the ass with native Active Directory (AD) tools, such as creating users and permissions for specific time periods, creating changes in a sort of AD sandbox, finding dependencies on AD objects, etc. I met with the channels rep from Varonis the other day and was quite impressed with their demo. Using their product, someone in a business unit could, say, add new permissions for contractors on special projects, and once x out of y people approved that addition, the contractor would have AD permissions for Z amount of time. Or, say that someone needed to clean up AD (something that’s always a pain in big organizations), they could turn on Varonis’ reporting (which is way less resource intensive than Windows’ native file auditing, which sort of assumes you know files or users are suspect). Lots of cool stuff there….

I was impressed with how many bases Varonis covers. From a C-level perspective, it puts business units in the driver’s seat. In too many companies, IT departments (for good or bad reasons) cripple business functionality. From a tech “trenches” perspective, I’ve now got a tool that helps me do easily what was previously quite arduous and take care of duties that would otherwise have fallen through the cracks.

Pricing on Varonis is a sort of combination of the probe clients installed on file servers and AD users. As you might guess, it is insanely expensive for the average company, leaving it up to places that are willing to pay huge premiums to ensure that they’re SOX compliant.

(Soon I should have a demo running on my VMware server, and perhaps can have a better review at that time.)

