iBankCoin

On Varonis, Part II

Part I

It’s hard to find the appropriate balance between the need to share sensitive information and the need to protect it. Too much control makes life miserable and kills business agility, whereas too little control creates risk. This conundrum is at the heart of the “shadow IT” dilemma, where users want “consumerized” SaaS solutions like Gmail and Dropbox that are easy to use and “just work”, and internal IT has the opposing mandate to control data access in order to comply with regulatory requirements and manage business risk.

It’s hard to derive context from the volumes of unstructured data scattered across large user populations. Unstructured data includes Office documents, PDFs, CAD/CAM engineering specs, you name it: anything that’s human-generated. Most existing solutions require manual marking and self-categorization by the authors. This is cumbersome, and subjectivity & interpretation bias create chaotic results. Building data security policies, standards & guidelines, automating compliance, and implementing fast alerting & response to violations: this is where the bleeding-edge early adopters are.

Information security budgets mirror compliance regimes & governance frameworks. Thanks to firms like Gartner, IDC & Forrester, these regimes are only now starting to evolve from legacy controls that have questionable efficacy for modern threats to data- and people-oriented frameworks.

Enter Varonis (VRNS). Up until now, unstructured data solutions have been a difficult sale into most organizations. VRNS is trailblazing a new market opportunity for focusing protection on what matters, the data.

VRNS is tackling a problem that’s so traditionally difficult, most firms frankly don’t even know where to begin. Lacking a proper toolset, IT teams do their best to lock down network access, but for all but the most conservative environments, this is mission impossible. (Lock it down too much and you kill user efficiency; ease up and you’re susceptible to APT and insider misuse.) Once access to the network is obtained, it’s often a free-for-all. IT teams not only lack context about the data (is it important? what’s the risk?), they also have no visibility into who is accessing data, what they’ve done and whether or not it’s okay. And this environment is dynamic, spanning all forms of devices, clouds and folders, which makes it nearly impossible to monitor or enforce policy on unstructured data in real time as it’s being created and shared. So the best of them end up buying very expensive full packet capture tech for post-breach forensics, like EMC NetWitness, and pumping logs into SIEMs or Splunk.

I’ve worked with companies at the forefront of being fined heavily for data violations. Some are exploring combinations of tools like Teamcenter, Titus, NetWitness, Lancope, ArcSight and Splunk, but with mixed results given how manual, inflexible and limited these things are. My perspective is that VRNS looks a lot more powerful in terms of automation and scale. After 60 days, they can give IT teams enough context to find who the biz data owner is and enable them to make decisions on how to lock down, and proactively monitor, high-risk data.

But the company, and its stock, have struggled mightily. Are they going to be able to turn things around?

Stay tuned for Part III and we’ll work through their challenges when it comes to execution, and the probable risk/reward in owning the stock.

-g
