Varonis - Product Quick Peek

Recently Ethan posted about a recommendation from Tom G for a company named Varonis. My initial impression was that this company appeared to offer a product that opened the door to policy based information management. In that this was a pet proposition of mine for the large aerospace firm I used to work at before I retired, I was pretty excited about the prospects.

First off, I don’t have anything to say about the financial prospects or performance of Varonis. I only looked at their product offerings. There’s no pricing information on the website.

I’ll first summarise what policy based information management is.

Information (in particular business information, but the concept is extensible) can be classified. The purpose for classification is to lump all information assets which share common characteristics into groups. This step requires the generation and application of “metadata” (my preferred term is metainformation, but oh well) to each information asset. Key words are the most obvious example, but key words are user assigned and lack discipline. Users may assign whichever key words they desire; appropriateness and even accuracy may or may not apply. A great deal of metadata can be machine generated if one has a content/context aware environment. However, such environments have not been generally supported. There is still going to be a gap between what can be generated and what is required, but depending on how sensitive and well “trained” the awareness engine is, it may be small. Varonis appears to take a step in providing an “aware” computing environment.

Individuals also need to be grouped. Individuals with respect to computing environment are also simply information records. Identity management is a separate but similar exercise to asset management. Machine generation of identity record metadata is not required to a large extent. Most (but not all) of the necessary information is already contained (or could be) within a person’s identification record. The primary problem with identity records is keeping them up to date. For example, let’s say we have an engineer engaged in the design of payloads for a specific commercial transportation product. This engineer may be reassigned from design to a quality checker in the same group. Presumably, he would no longer be authorized to create new design records. Has his identity record been updated to reflect this change in authority? Often this step is neglected, especially if the person in question still works for the same boss. Again, a context sensitive system would not allow him to carry out his new task if it was sensitive enough to the engineering design process, but my experience is that it is rare for information systems to have granular knowledge of business processes.

The next piece of the puzzle is the policy engine. This is the ability to express machine aware rules which are attached to the information asset classes which define which actions are permitted by users assigned to specific groups. As I designed the information asset management system which I championed, I proposed a group of information stewards to be created. These were the people who managed the policies and maintained the assignments to information asset classes.

There is no way to entirely turn this over to a content/context aware environment. There are too many external influences that impinge upon policies. A new law or regulation, a court ruling, a new CEO, etc. may entirely upset certain policies. A business reorg may disrupt business processes and individual assignments and tasks, so on and so forth. In other words, information assets, just like physical assets demand human intervention in order to be properly managed. As I originally proposed the system, I posited that all policies could be categorized as belonging to one of three groups: Life Cycle, Quality and Security/Protection.

I won’t dwell on the wrinkles; there are many. The upshot is that managing information assets is labor intensive. This was the single biggest inhibitor to adoption. As a result management sought point solutions for what was perceived as the highest risk information management security problems. There were essentially four: protection of IP (intellectual property), protection of financial information, protection of PII (personally identifiable information) and protection of export control information. Surprisingly, management (where I worked) cared little about the life cycle or quality of information, though these aspects got a lot of attention for physical assets.

I visited the Varonis website in order to gain an understanding of what their product does. First of all, Varonis does not have a product, they have ten. To a greater or lesser extent, all ten products they offer have parsed the information asset management space. I can’t blame them for wanting to have a palette of offerings.

After reviewing everything posted about their product offerings on their website, I have a lot more questions than answers. They provide just a surface skim of each offering with little depth. There are no links to white papers, no references to academic studies, nothing. All that’s available is a high level overview of functionality. Information about how the products actually deliver the functionality is what the group of enterprise architects I worked with used to refer to as the “magic happens here” module whenever a software vendor promised functions without any explanation of how the product delivered. Mind you, I’m not asserting the s/w doesn’t work, it probably does, but there’s no insight as to limitations (there always are some), manual intervention and maintenance requirements, etc.

All their products pretty much play in the security/protection policy arena; however, they do mention archiving and final disposition which would more likely be considered life cycle policies. I saw nothing pertaining to quality policies, and what little they had to say about life cycle policies seemed woefully inadequate. I know of no company that would archive or disposition information simply because it was “stale” (unaccessed for some period of time), but that appears to be the criteria they offer.

They include identity management by group and assert that they take deep IT involvement out of the process. I’ll accept that; it seems reasonable, but the underlying assumption is that the appropriate decision maker will properly manage identity assignments to appropriate groups. This would be a new task for most already overworked managers working 50 - 60 hour weeks (the 40 hour work week for salaried employees went the way of the dodo years ago). As employees move from job to job within a large organization, they not only need new group assignments, their old group memberships must be eliminated. I don’t see any assurance that group assignments would be properly maintained. But, I emphasise, the overview does not provide much information; it could be that there’s some built-in forced review process.

There’s another more subtle problem. It’s not unusual for a given person to be a member of multiple groups. I was responsible for several different assignments simultaneously throughout my career. There is a potential for at least some of the permissions of one group to be mutually exclusive to the permissions of a different group. When a given person holds different group memberships simultaneously, you need to know more than who that person is, you need to know what that person is working on. The example I gave above of the engineer is relevant. The engineer may move back and forth between both assignments and therefore be a member of both groups, the designer group and the quality checker group. Each group has different permissions. The permissions should depend on what activities are being executed. I saw no evidence that this situation was contemplated or addressed. Maybe not too big a problem; this same situation went unaddressed in every security environment I was aware of when I was still working (when it was important to discriminate, the same person had multiple IDs, each ID had separate group affiliations). Higher authority permissions prevailed in all other circumstances. Group assignments get into the arena of job titles and definitions of RAAs (responsibility, authority and accountability). In a lot of companies job titles and RAAs are undisciplined and rather vague. The Varonis s/w won’t fix that problem.

Then there’s the whole issue of business rules. Varonis claims to have a rules engine and they pretty much leave it at that. This is a deep subject, even if constrained to security and permission policies. They make no mention of who or how business rules are converted to information management policies, but even if they’ve simplified the task via a declarative language (as opposed to a procedural language), it’s no mean task. Policies pretty much have to be designed, tested and implemented by dedicated experts.

I could go on, but I’ll only discuss one more issue I perceive as a problem. As far as I could determine from the Varonis website they only address files. Files are office documents, .pdf, .jpg, .mp3, email, etc. That’s a lot of information assets. An estimated 80% of business information is maintained as files. The other 20% is database records (these days, pretty much all of it stored in relational databases. Big Data in Hadoop or similar is essentially file data, or that’s the way I understand it). These used to be called “unstructured” (files) and “structured” (relational). I’m not sure those terms are still in use. But here’s the rub: while the structured data constitutes the minority of information assets, it also generally represents the most valuable information for the majority of businesses. An enormous amount of file information has little to no persistent long-term value to the business. Powerpoints, Word and Excel docs, emails, pdfs, etc. are generated at an incredible rate. Most of them are utilised for a limited audience at a point in time and then never looked at again, but they remain in storage. They are perceived to occupy no space and cost nothing to retain. That’s not true, but that is the perception. Out of sight, out of mind. Many years ago I read a study (performed by a microforms company) that asserted once a completed paper document was put in a file cabinet, it had a less than 3% chance of ever being retrieved again until such time it was permanently removed to make space for new documents. The argument was that microfiche was a far more space efficient way to store completed documents. With electronic documents I would venture that statistic has gone to less than 1%. Do you even know what’s on your hard drive?

Varonis targets files. There’s a reason it leaves relational database records out of scope. They are not coherent. The information relevant to a business function is scattered across the database as related records. The relationships are managed by the keys to the records. A given information asset, for example a purchase order, is presented to the user as if it were an analog of the old paper form from which the design was originally derived, but that’s not at all how it’s stored. The keys are managed and maintained by the DBMS, the related records are retrieved by SQL calls, the information is assembled, organized and presented as eye-readable information to the user by the application. Because the information is in a database rather than separate files you can ask the question, “What is the total value of all outstanding purchase orders we have with vendor X?” Answering this question in a split second with a file system would be an enormous computing effort or maybe impossible (or it was as little as seven years ago).

So in summary, I had a hard time doing a review of Varonis’ product offerings; they just don’t provide any depth. I assume a lot of questions are asked and answered during their sales presentations and pilot programs. But the website just doesn’t reveal a great deal.

The real question is do they occupy a unique space in the information protection arena (their stated focus) and do they have anything that can’t be copied by a competitor? I find it difficult to answer that question. My initial impression is that their products taken as a whole appear to offer quite a lot of functionality. Provision of an aware computing environment was not something that was available seven years ago when I retired. They appear to have taken a pretty big step in that direction. Unfortunately, I don’t know enough about competitive products to know if they really cover a unique space or if they just compete in a crowded space. Of course they claim to have a unique and comprehensive approach to information security, but I’m not in a position to judge that. After all, what else are they going to claim?

Is Varonis a good investment based on their product offerings? (I’ll leave financial analysis to someone else.) I really don’t know, but they might be worth a nibble just to keep an eye on them. I wish I could be more assertive but there’s simply not enough information available for me to make a determination.

45 Likes
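The policy engine, group-based identity and multiple-membership problem described in the post above, as an added worked example. This is not Varonis code and not code from the post; the asset classes, group names and rules are assumptions invented here. The point it shows is the one the post raises: when one person holds both the designer and quality checker groups, evaluating the union of their permissions over-grants, while evaluating against the assignment they are acting under does not. It also carries a lifecycle rule of the "stale file" kind the post mentions, and a reassignment step that drops the old membership rather than leaving it behind.

```python
"""Toy policy engine for policy-based information management.

Added example for this thread, not Varonis code and not from the original
post. Asset classes, groups, rules and sample records are assumptions.
"""
from __future__ import annotations

from dataclasses import dataclass
from datetime import date, timedelta


@dataclass(frozen=True)
class Asset:
    name: str
    asset_class: str      # classification label, e.g. "design_record"
    last_accessed: date   # machine-generated metadata a file server can supply


@dataclass
class Identity:
    user: str
    groups: set[str]      # every group the person currently holds


@dataclass(frozen=True)
class Rule:
    asset_class: str
    action: str
    allowed_groups: frozenset[str]
    category: str         # the post's three buckets: security, lifecycle, quality


# Declarative security rules: (asset class, action) -> groups permitted to act.
# Designers create design records; quality checkers approve but never create.
RULES = [
    Rule("design_record", "create", frozenset({"designer"}), "security"),
    Rule("design_record", "read", frozenset({"designer", "qa_checker"}), "security"),
    Rule("design_record", "approve", frozenset({"qa_checker"}), "security"),
]


def authorize(identity: Identity, asset: Asset, action: str,
              active_assignment: str, rules=RULES) -> tuple[bool, str]:
    """Decide an action using only the group the user is acting under.

    The caller states which assignment is active (in a real system this would
    come from the workflow or session context); it must be a group the user
    actually holds. Anything no rule covers is denied.
    """
    if active_assignment not in identity.groups:
        return False, f"{identity.user} does not hold group {active_assignment!r}"
    for rule in rules:
        if rule.asset_class == asset.asset_class and rule.action == action:
            if active_assignment in rule.allowed_groups:
                return True, f"allowed by {rule.category} rule on {rule.asset_class}/{action}"
            return False, (f"{active_assignment!r} may not {action} "
                           f"{rule.asset_class} (allowed: {sorted(rule.allowed_groups)})")
    return False, f"no rule for {asset.asset_class}/{action}; default deny"


def union_authorize(identity: Identity, asset: Asset, action: str, rules=RULES) -> bool:
    """The common practice the post describes: allow if any group the user
    holds permits the action. With dual membership this lets a checker create
    records, which the task-scoped check above refuses."""
    return any(authorize(identity, asset, action, g, rules)[0] for g in identity.groups)


def reassign(identity: Identity, old_group: str, new_group: str) -> Identity:
    """Move a person between roles and drop the old membership in the same
    step, so a reassignment cannot leave old permissions behind."""
    identity.groups.discard(old_group)
    identity.groups.add(new_group)
    return identity


def is_stale(asset: Asset, today: date | None = None, threshold_days: int = 365) -> bool:
    """Lifecycle rule of the kind the post questions: flag an asset as
    'stale' purely from its last-access timestamp."""
    today = today or date.today()
    return today - asset.last_accessed > timedelta(days=threshold_days)


def sample_engineer() -> Identity:
    # Constructed sample: the post's engineer who is both designer and checker.
    return Identity("engineer", {"designer", "qa_checker"})


def sample_spec() -> Asset:
    # Constructed sample design record with a fixed last-access date.
    return Asset("payload-spec-001", "design_record", date(2023, 1, 15))


if __name__ == "__main__":
    engineer, spec = sample_engineer(), sample_spec()
    for assignment in ("designer", "qa_checker"):
        for action in ("create", "approve"):
            ok, why = authorize(engineer, spec, action, assignment)
            print(f"{assignment:10} {action:8} -> {'ALLOW' if ok else 'DENY '}  {why}")
    print("union check lets the checker create:", union_authorize(engineer, spec, "create"))
    print("stale on 2025-01-01:", is_stale(spec, date(2025, 1, 1)))
```

The design choice worth noting is that `authorize` needs one extra input the post says is usually missing: what the person is doing right now. Without it the engine can only fall back on `union_authorize`, which is the "higher authority permissions prevailed" behaviour the post observed.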
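The relational point near the end of the post (a purchase order is not one coherent record but related rows tied together by keys, assembled for the user by the application, and therefore able to answer "what is the total value of all outstanding purchase orders with vendor X?" in one query) as an added example. It is not from the post or from Varonis; the schema, table names and rows are constructed sample data, and it uses the standard-library sqlite3 module.

```python
"""Purchase order stored relationally, assembled on demand, queried in aggregate.

Added example for this thread, not from the post or Varonis. Schema and rows
are constructed sample data.
"""
import sqlite3

SCHEMA = """
CREATE TABLE vendor (vendor_id INTEGER PRIMARY KEY, name TEXT NOT NULL);
CREATE TABLE purchase_order (
    po_id     INTEGER PRIMARY KEY,
    vendor_id INTEGER NOT NULL REFERENCES vendor(vendor_id),
    status    TEXT NOT NULL CHECK (status IN ('open', 'closed')));
CREATE TABLE po_line (
    line_id    INTEGER PRIMARY KEY,
    po_id      INTEGER NOT NULL REFERENCES purchase_order(po_id),
    item       TEXT NOT NULL,
    qty        INTEGER NOT NULL,
    unit_price REAL NOT NULL);
"""

# Constructed sample rows: one PO is spread across three tables, exactly the
# "scattered across the database as related records" situation in the post.
SAMPLE_ROWS = {
    "vendor": [(1, "Acme Fasteners"), (2, "Globex Composites")],
    "purchase_order": [(100, 1, "open"), (101, 1, "closed"), (102, 2, "open"), (103, 1, "open")],
    "po_line": [
        (1, 100, "M6 bolt", 1000, 0.25),
        (2, 100, "M6 nut", 1000, 0.10),
        (3, 101, "rivet", 500, 0.40),
        (4, 102, "carbon panel", 4, 1250.00),
        (5, 103, "washer", 2000, 0.05),
    ],
}


def build_db() -> sqlite3.Connection:
    """Create an in-memory database loaded with the sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.executemany("INSERT INTO vendor VALUES (?, ?)", SAMPLE_ROWS["vendor"])
    conn.executemany("INSERT INTO purchase_order VALUES (?, ?, ?)", SAMPLE_ROWS["purchase_order"])
    conn.executemany("INSERT INTO po_line VALUES (?, ?, ?, ?, ?)", SAMPLE_ROWS["po_line"])
    conn.commit()
    return conn


def assemble_purchase_order(conn: sqlite3.Connection, po_id: int):
    """Rebuild the 'paper form' view of one PO from its related records.

    This is the application-layer step the post describes: follow the keys,
    pull the header and lines, and present them as a single document.
    """
    header = conn.execute(
        "SELECT po.po_id, v.name, po.status FROM purchase_order po "
        "JOIN vendor v ON v.vendor_id = po.vendor_id WHERE po.po_id = ?",
        (po_id,)).fetchone()
    if header is None:
        return None
    lines = conn.execute(
        "SELECT item, qty, unit_price FROM po_line WHERE po_id = ? ORDER BY line_id",
        (po_id,)).fetchall()
    return {
        "po_id": header[0], "vendor": header[1], "status": header[2],
        "lines": [{"item": i, "qty": q, "unit_price": p} for i, q, p in lines],
        "total": round(sum(q * p for _, q, p in lines), 2),
    }


def outstanding_total(conn: sqlite3.Connection, vendor_name: str) -> float:
    """The post's question: total value of all open POs with one vendor,
    answered by the DBMS in a single join-and-sum over the keyed records."""
    row = conn.execute(
        "SELECT COALESCE(SUM(l.qty * l.unit_price), 0) FROM po_line l "
        "JOIN purchase_order po ON po.po_id = l.po_id "
        "JOIN vendor v ON v.vendor_id = po.vendor_id "
        "WHERE v.name = ? AND po.status = 'open'",
        (vendor_name,)).fetchone()
    return round(row[0], 2)


if __name__ == "__main__":
    db = build_db()
    print(assemble_purchase_order(db, 100))
    print("outstanding with Acme Fasteners:", outstanding_total(db, "Acme Fasteners"))
    print("outstanding with Globex Composites:", outstanding_total(db, "Globex Composites"))
```

Note what a file-oriented tool sees here: nothing that looks like a purchase order at all, only three tables of rows. The asset exists as a coherent object only for the instant `assemble_purchase_order` builds it, which is why classification and policy on relational data is a different problem from classifying files.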

Brittle, that’s one hell of a post. Interesting. Have a rec.

1 Like

Brittle,
excellent post. I usually don’t post unless I have something from my expertise that can benefit the board (which isn’t finance or experience managing money). My experience is with IT, cyber, communications, and information management.

First, I want to second and third what Brittle said. All the seemingly technical stuff about information management is correct. A very complex problem which is hard for people to visualize (unlike more physical problems), and so management doesn’t usually take it as seriously (so far).
“Surprisingly, management (where I worked) cared little about the life cycle or quality of information, though these aspects got a lot of attention for physical assets.”

The US Army, fairly recently (past 10 years), has started an additional skill identifier (ASI) for knowledge management. There are roughly 1000 or so qualified folks, I am one. It can be both a full time job or an additional duty, like strategic planning or logistic systems manager (IM/KM is ASI 1E for those that care). https://www.part-time-commander.com/army-officer-skill-ident…

The Army has not solved this problem that Varonis seems to be applying their skills to, not by any means, and that is with a formal training program and key leadership positions in Brigades and above. BTW, the Army does

“I proposed a group of information stewards to be created.”
The Army calls this group Knowledge Representatives, and they are appointed by commanders.

“I know of no company that would archive or disposition information simply because it was ‘stale’ (unaccessed for some period of time), but that appears to be the criteria they offer.”
The Army, or at least my unit, uses this criteria.

“The upshot is that managing information assets is labor intensive. This was the single biggest inhibitor to adoption.”
The one thing the Army has, or that differentiates it from commercial business, is ‘free’ labor. Most managers never calculated the labor cost of a project. The Army is not the most efficient beast, but it is the most deadly in the world.

Other businesses that do asset management and permission management are:
Tanium (not public)
CyberArk

4 Likes