Sei sulla pagina 1di 15

1

Issue 1

Are You Protecting Your Data or


Chasing Threats?
In the face of rapidly evolving threats and rampant data growth, data-centric audit
and protection products are displacing fragmented security tools.

Issue 1
2 Introduction
4 Research from Gartner
Market Guide for Data-Centric Audit and Protection

14 Varonis Case Study: The City of San Diego


15 About Varonis
2

Introduction
High-profile data breaches in recent months has never heard of you; ransomware, a form of file
have boardrooms shivering in their seats. First, extortion, is now a $1 billion business.
Alphabet Inc.’s Waymo, a self-driving startup,
claimed 14,000 proprietary design files were Three Big Cybersecurity Mistakes
allegedly stolen by a former Google employee Worldwide cybersecurity spending is expected
and that the information found its way into the to exceed $1 trillion over the next five years,
hands of competitors. Then 8,761 files detailing according to Cybersecurity Ventures. So why do
the CIA Center for Cyber Intelligence’s hacking organizations still have so many breaches?
abilities were leaked online by an allegedly
disgruntled insider. This is frightening. In addition 1. Organizations spend more time and attention
to raising concerns about insider threats, boards protecting networks, systems and supporting
have to worry that new vulnerabilities may affect infrastructure than they spend on protecting
personal and enterprise computing technologies, the data their infrastructure was created for.
representing new vectors of attack. That’s like protecting the refinery but forgetting
the oil.
Most users don’t think of data they create, access
and store in terms of toxicity, but the same assets 2. Too much focus on preventive technologies
that drive revenues or establish organizational leaves organizations vulnerable to threats
goals can and do become toxic more frequently that either they haven’t anticipated or their
than ever before. For Waymo and the CIA, their technologies weren’t designed to prevent.
valuable assets -- proprietary designs and cyber- They simply don’t know when their preventive
espionage tools -- were stolen, devalued and controls fail or when an insider is compromised.
turned into potential liabilities. Furthermore, organizations often fail to realize
the damage an insider or outsider can do.
Data Growth and Risk Have Collided
Within a 25-year period, organizations have 3. The approach to data security has been
presumably spent billions, possibly trillions, fragmented and reactive instead of strategic.
moving almost all analog information to a According to Gartner, “The exponential growth
digital medium. Organizations moved financial in data generation and usage across multiple
information, product plans, strategic initiatives, data silos is rendering current data security
and confidential employee, customer or patient methods obsolete, requiring significant changes
records from paper to digital files spread across in both architecture and product selection
file and email systems, on premises and in the approaches.”
cloud. Many enterprises have underestimated the
risks involved, focusing on increased productivity These mistakes mean that the invaluable assets
without worrying whether data would be safe from organizations spend time and money creating,
hackers, insiders, competitors and other nations. using and storing become toxic liabilities to brand
reputation, revenue and national security.
Data growth raced ahead while information
security fell behind, and the collateral damage is The Cost of Our Cybersecurity Mistakes
making headlines. Data breaches like those that In 2015, a 20-year-old hacker performed an
happened to Sony, Mossack Fonseca, the U.S. unsophisticated infiltration of a major U.S.
Office of Personnel Management (OPM) and retailer’s network and then demanded a $500
the Democratic National Committee (DNC) are ransom to keep the documents from being
practically daily occurrences. Instead of increasing publicly released. Instead of handling the incident
revenues or furthering goals, stolen files and internally, the retail company worked with the
emails disrupt and subvert plans. If an organization FBI, which discovered the hacker was sending
stores valuable data (and most store more than stolen data that contained personally identifiable
they realize), someone will try to steal it. Your information for more than 1,000 military and
next breach may be perpetrated by someone who federal employees to ISIS.
3

Like the retailer, a majority of companies A strategic approach to data security augments
wouldn’t have detected the intrusion prior to detective capabilities so insiders and breaches are
the attacker’s warning. If companies cannot spot found and quickly stopped, reduces the risk to an
suspicious activity from unsubtle, noisy attacks organization by limiting the amount of damage
like ransomware, then how will they flag unusual a compromised insider can do and increases the
activity from legitimate insiders or sophisticated efficiency of these efforts to maintain a more
attackers? The Waymo complaint filed against secure posture with current staff levels. In most
Uber and Otto details how multiple insiders cases, the potential savings are enormous when
accessed at least 9.7 GB of highly confidential compared with the cost of a breach.
data for the competition in the days and hours
prior to their departure. Even the CIA’s data How Does Varonis Factor into This?
reportedly circulated among a cadre of former In 2005, our founders had a vision to build
U.S. government contractors and hackers before a solution focused on protecting the data
making it into the hands of Julian Assange. organizations have the most of and yet know
the least about – files and emails. Executing on
Data Security as a Driver of Revenue and this vision, the Varonis Security Platform gives
Growth organizations full visibility into user behavior,
The alternative to neglecting detective capabilities identifies threats before a data breach occurs,
and pursuing fragmented solutions for data enforces a least privilege model across core IT
security is a unified approach to data security systems.
that combines disparate functionalities, including
detection. Such a solution would combine --
either within a data security platform or through Source: Varonis

tight API integration -- data classification and


discovery, permissions management, encryption,
user behavior analytics, advanced threat detection
and response, auditing and reporting, data access
governance, and data retention and archiving.

The point is to build context around data, similar


to how credit card companies build context
around the way we use our credit cards; they are
very good at understanding which transactions
look right for each person and which ones don’t.
These advancements in detection keep our money
available and protected at the same time. Data
also needs to be available and protected at the
same time.
4

Research from Gartner

Market Guide for Data-Centric Audit and Protection


Security and risk management leaders must use • Ensure that data security policies take account
data-centric audit and protection products to of how data flows and is transposed by users,
mitigate threats and compliance issues to critical business processes, applications or big data
data. These products monitor and respond to analytics.
malicious or inappropriate user access behavior
with data stored pervasively across on-premises or • Implement a DCAP strategy, and “shortlist”
cloud silos. products that orchestrate data security controls
consistently across all silos that store the
Key Findings sensitive data.
• The exponential growth in data generation
and usage across multiple data silos is Strategic Planning Assumption
rendering current data security methods By 2020, data-centric audit and protection
obsolete, requiring significant changes in both products will replace disparate siloed data security
architecture and product selection approaches. tools in 40% of large enterprises, up from less than
5% today.
• Most organizations have established separate
teams for each data silo, with no coordination Market Definition
of data security products, policies, management DCAP is a category of products characterized by
or enforcement. the ability to centrally monitor the activity of users
and administrators in relation to specific datasets.
• Data is not constrained within storage silos but Some vendors are developing machine learning
is constantly transposed by digital business or behavior analytics capabilities to provide
processes and applications accessing structured a greater level of insight through monitoring
and unstructured silos on-premises and in and intelligence. Based upon data security
public clouds. governance (DSG; see Note 1) principles, this is
achieved through the application of data security
• Data-centric audit and protection (DCAP) policies and access controls across unstructured,
vendors are rapidly adding capabilities semistructured and structured data repositories or
organically and through acquisition, especially silos. DCAP products support several capabilities.
in response to increased data thefts and rapidly They:
changing compliance landscape (such as the
new General Data Protection Regulation [GDPR] • Classify and discover sensitive data across
for Europe, due in 2018). Only a few vendors relational database management systems
have already achieved broad coverage both on- (RDBMSs) or data warehouses, unstructured
premises and in the cloud. data file formats, semistructured formats such
as SharePoint, and semistructured big data
Recommendations platforms such as Hadoop. These capabilities
Security and risk management leaders responsible span both on-premises and cloud-based storage
for application and data security must: in infrastructure as a service (IaaS), SaaS and
database as a service (DBaaS).
• Establish organizationwide data security
governance in cooperation with key business • Set, monitor and control privileges of unique user
stakeholders to develop appropriate data security identities (including highly privileged users such
policies that balance business objectives. as administrators and developers) with access
to the data. The ability to provide segregation of
• Identify the data security controls required to duties, whether based on role-based access control
mitigate the risks and threats to each sensitive (RBAC) or attribute-based access control (ABAC)
data type, and then coordinate with each silo’s principles, remains a critical function for access
management team and data owners to apply them control and monitoring against specific sensitive
consistently across all silos and applications. data classifications.
5

• Use behavior analytics techniques to monitor also are also beginning to include capabilities
users when accessing data in real time, for cloud SaaS applications.
generate customizable security alerts, and
block unacceptable user behavior, access • CASB — The ability to protect data within SaaS
patterns or geographic access, etc. applications or cloud storage environments
such as Microsoft Office 365, Salesforce,
• Create auditable reports of user access to ServiceNow, Box and Dropbox is growing rapidly
data and security events with customizable through several products. These products
details that can address defined regulations or encompass an evolving set of data security
standard audit process requirements. controls that cross DCAP, data loss prevention
(DLP) and user entity behavior analytics
• Prevent specific data access by individual users (UEBA). CASBs are continuing to evolve varying
and administrators. This may also be achieved mixes of data classification and discovery,
through encryption, tokenization, masking, access controls, activity monitoring, audit,
redaction or blocking. and protection through blocking, redaction,
encryption, tokenization and quarantine. These
• Provide a single management console that products are typically stand-alone and some
enables the application and orchestration CASBs can import policies from enterprise
of data security policies consistently across DLP products, but their management is not
multiple data repository formats (referred to integrated with on-premises DLP.
here as data silos).
• DP — These products traditionally focus on
Segmentation protecting data using encryption, tokenization
Current Gartner research refers to four market or masking across multiple data silos
segments where products are evolving the critical (RDBMSs, data warehouses, unstructured, big
cross-silo DCAP functionality: database audit data, and some cloud-based enterprise file
and protection (DAP); data access governance synchronization and sharing [EFSS] tools). But
(DAG); cloud access security broker (CASB); and a few products have innovated by adding real-
data protection (DP), which includes encryption, time alerting, activity monitoring and audit
tokenization, redaction and data masking. The capabilities. Whereas DAP and DAG products
different evolutionary tracks mean that products may offer monitoring and audit of access to
will inevitably have differing basic objectives and all data within files or databases, these DP
functionality in their product roadmaps. While no products are typically focused on sensitive data
individual product fully meets the requirements of types only.
DCAP, the products in each of these categories are
evolving capabilities across the data silos: Products can use a variety of techniques to
connect via the application layer and/or data layer.
• DAP — These products have developed over Application layer agents, interfaces or integration
several years to cover implementation of with privilege management tools may be required
data security policies, data classification and to control individual access from the application
discovery, privileged access management, data layer when connection pooling that would
activity monitoring or behavior analytics, audit otherwise hide identities is used. Alternatively,
and data protection. Previously, focused on products that operate at the application layer
RDBMSs and data warehouses, a few products and use network monitoring or proxies may not
are beginning to offer support for Hadoop and be able to view activities of database and system
unstructured file shares, and for DBaaS. administrators at the data layer without further
controls.
• DAG — This is sometimes referred to as file-
centric audit and protection (FCAP). Typically, Market Direction
these products are focused on implementation
Data Security Governance Is Driving
of data security access policies, data
Adoption of DCAP
classification and discovery, and activity
There are many data security products available,
monitoring and auditing of file repositories and
each with different security control capabilities,
directories services, such as SharePoint. These
but most focus on particular data silos. The
products are closely tied to identity and access
challenge facing organizations today is that data
management (IAM) approaches. Some products
6

is pervasive and does not stay in a single silo Market Drivers


on-premises, but is compounded by the use of Organizations have experienced an increasing
cloud SaaS or IaaS. There is a critical need to wave of publicized data breaches caused by
establish organizationwide data security policies external hacking, insider threats and human error,
and controls based upon DSG. DSG allows an resulting in significant financial liabilities, brand
organization to achieve a balance between damage and loss of customers. This has been
appropriate security and competitive advantage evidenced by Gartner’s1 publicly available analysis
by classifying data and prioritizing security and of public breaches in the U.S.2
expenditure for particular sensitive datasets.
Each dataset has its own protection, storage and The advent of big data platforms, cloud SaaS and
controls that will vary as a function of time (for IaaS environments and the increasing adoption of
example, sales, intellectual property and personally IoT and digital services are driving organizations to
identifiable information [PII] datasets have different review their strategies for data security.
lifetimes). By using the DSG process to engage
key stakeholders such as business, IT, governance, Data residency and compliance issues continue to
compliance/legal and risk, organizations can then cause increasing risk to organizations when storing
approve whether each dataset merits investment data sourced from different geographies in public
in security controls that mitigate particular risks clouds. In the EU, the new General Data Protection
associated with compliance, data threats or to Regulation (GDPR) will take effect beginning
protect intellectual property. May 2018 and will affect any organization across
the world that processes or stores any PII from
Understanding the relationships between DCAP the EU; and many privacy laws around the world
and DLP capabilities is critical to building an will impact storage locations.3 New York state’s
effective DSG framework. DCAP and DLP are often cybersecurity regulation took effect 1 March
sourced, deployed and utilized by different teams 2017 and follows many principles of the GDPR.4
within an organization. Separate groups might Security and risk management (SRM) leaders will
be responsible for data in one or more silos, and need to ensure that they understand and comply
might have limited communication with others with all relevant and required regulations in all
in the organization. Cross-silo communication is jurisdictions that they conduct business in.
needed to build efficient and optimized policies
and reporting capabilities to effectively track Traditional data security approaches are limited
and measure cross-silo data flows. This problem because the manner in which products address
amplifies with each new application (whether policy is siloed, and thus the organizational
on-premises or SaaS) that touches a new data data security policies themselves are siloed. For
repository. The only effective answer is to look at example, the approach to structured database
tools and processes with which an organization security governance is frequently different
can map end-to-end data flows and identify from the approach taken for unstructured
when applications or business processes deviate or semistructured data in an organization.
from the accepted methods of data movement Transposing data from one silo to another (for
established by DSG. example, through analytics or extracting data for
reporting or sharing) creates an interrelated data
The need to apply consistent policies at the processing environment that lacks consistency
application layer and data layer is a critical and synchronization of security policies. This leads
challenge when the application hides the user to security chaos because SRM leaders have not
identity, for example, due to connection pooling. developed processes to deal with it.
Gartner predicts this will force product innovation
to integrate with application layer identity These critical risks are forcing SRM leaders to
governance and administration (IGA) and privileged urgently prioritize their security strategy across all
access management (PAM) products. silos containing sensitive data. SRM leaders must
7

develop a comprehensive policy — based on data • DCAP will extend capabilities across data
security governance principles — and apply security and application layers to avoid connection
controls that are appropriate and in balance with pooling issues. The application layer is the new
organizational business objectives across all affected battleground for product differentiation, with
data silos. This may require the purchase of more potential for acquisitions, mergers and new
than one DCAP product to match the targeted entrants.
silos, as well as the development of management
structures that coordinate and align data security • Competition between vendors will intensify
policy and accountability across silos. through support for newer NoSQL DBMSs,
such as Hadoop or MongoDB, requiring the
Market Dynamics integration of policy enforcement functionality
The DCAP market is on track to become a across multiple platforms.
very different market by the end of 2018, with
repositioned and more comprehensive product • Vendors will expand capabilities to the rapidly
offerings. Several vendors will offer full DCAP emerging DBaaS platforms.
products, covering all of the data silos, while many
other vendors will continue niche strategies that will • More vendors will either directly integrate
limit their coverage to one or two silos. However, their own data protection functionality within
Gartner estimates the total market grew rapidly in the management console or will develop
2016, more than 20% to exceed $1.2 billion. functionality where it is lacking.

Gartner has seen several vendors already stretch The Market Is in Flux
into adjacent silos, and, in the near term, many There are new entrants, as some vendors have
of these vendors will continue to develop been subject to acquisition and even demerger.
capabilities across adjacent silos and across cloud Some notable changes to the DCAP competitive
and big data platforms, either organically or via landscape include:
partnerships. While CASB vendors lack support
for on-premises data silos, this is beginning to • Forcepoint acquires Skyfence from Imperva
change due to acquisition activity. The innovation (January 2017)
through cross-siloed product offerings and the
important shift to address identity management at • Huawei acquired HexaTier (December 2016)
the application layer are changing the dynamics
and attractiveness of separate market segments • Elliott Management and Francisco Partners
into one larger market. Currently, the DCAP, DLP acquired Dell Software Group business and
and data protection markets are typically serviced renamed it Quest (November 2016)
by different vendors. But this will change through
• Symantec acquired Blue Coat (June 2016),
2018, with increasingly converging capabilities,
which had previously acquired Elastica and
especially through the addition of CASB and
Perspecsys
behavior analytics. As on-premises structured
and unstructured product capabilities naturally
• Cisco acquired CloudLock (June 2016)
converge and integrate with NoSQL and cloud
products, innovation and product diversification
• Oracle acquired Palerra (September 2016)
will intensify in the following ways:
• Imperva announces CounterBreach — an
• Many vendors will offer machine learning or
integrated DCAP behavior analytics product
behavior analytics as a feature to improve real-
integrating its Skyfence CASB and on-premises
time intelligence and monitoring of user access
SecureSphere products (March 2016)
to data. This will be critical to tackle the risks
from growing compliance requirements and • Blue Coat acquired Elastica (November 2015)
security threats.
• Symantec sold Veritas to an investment group
• Most of the DCAP vendors will offer centralized led by The Carlisle Group with DLP remaining
management platforms that can directly control with Symantec and DCAP moving to Veritas
data security policies across multiple data silos. (August 2015)
8

• SailPoint acquired Whitebox Security (July 2015) and care should always be taken to ensure that the
selected products properly address your data security
• Blue Coat acquired Perspecsys (July 2015) governance policy and control requirements.

• Imperva acquired Skyfence (February 2014) A vendor’s ability to integrate these capabilities
across multiple silos will vary between products
SRM leaders should expect these activities to and also in comparison with vendors in each
continue and increase as compliance issues market subsegment. Below is a summary of some
relating to data privacy and financial regulations key features to investigate:
escalate and the risk of data breaches intensifies,
resulting in increasing need for DCAP products. • Data Classification and Discovery — Many
products come with built-in dictionaries
Market Analysis or search algorithms tailored for use with
The market segments that contribute to DCAP compliance regimes such as PCI, HIPAA or
have evolved over vastly different time scales with GDPR. But the search capabilities of different
different security focal points and business drivers. products will vary, for example, in terms of
Convergence of product capabilities toward NoSQL, speed and false-positive performance. The
from vendors previously focused on database and ability to search within a specific DBMS, file
unstructured files, has created a surge of interest type, Hadoop or cloud will vary from vendor to
in a much larger market opportunity through the vendor. If you are planning to use the product
combined segments. Convergence of these adjacent with DBMS silos, note that some products may
markets is driving current organic developments, only search the column/table metadata or
but has also attracted new entrants from the DP within fields. Also, check if data can be searched
market. The continued growth in adoption of cloud within a binary large object (BLOB) or character
services is driving market exposure to existing CASB large object (CLOB) that may be stored within
vendors that have been developing data protection the database. Some vendors may only have a
and activity monitoring functions. capability to search within unstructured files
and rely on tagging through the attachment of
Most vendors have developed a common metadata to each file. If data is encrypted or
functionality to classify and discover data, manage tokenized, then discovery may not be possible
and monitor access, provide auditable reports, and unless that protection product is integrated with
provide some form of protection (see Figure 1). the DCAP product and it is provided with access
However, these capabilities are not created equally, privileges via automatic decryption.

FIGURE 1 Summary of the Core DCAP Capabilities Offered by Vendors in Each Segment

Data Security Data Activity Enforcement


Policy Monitoring

Assessment and
Data Classification Monitoring of User Behavior Analysis,
and Discovery Alerting, Reporting
Roles and Permissions

Data Security User Monitoring Block, Encrypt, Tokenize,


Controls and Auditing Mask, Quarantine

© 2017 Gartner, Inc.

Source: Gartner (March 2017)


9

• Data Security Policy Management — The highly privileged users such as database
ability to offer a single management console administrators, system administrators or
that controls policy across each silo is the developers. Therefore, it is also important
desired goal, and it will evolve as vendors for a product to be able to intercept access
encompass more silos. Most products will split by various administrators at both the data
this functionality, or separate vendor products and application layers. Products need to
will be required. In either case, separate demonstrate continuous operation during peak
software interfaces or separate management loading of servers or network communications
consoles will be required. Coordination of roles congestion. If intensive monitoring is
and responsibilities against the underpinning required while infrastructure is highly loaded,
data security governance will be important. The consideration must be given to the network
application of policy is typically based on user architecture and to the demands required of
identities and business roles as authenticated products. This can lead to latency or, in extreme
through third-party products such as active cases, failure to monitor some activity.
directory (AD) or LDAP. Membership of groups
can help define access to particular data • Auditing and Reporting — As the data analysis
within a silo, or even multiple groups when requirements continue to grow, the demands
granting access to multiple silos. The ability on the reporting capabilities will grow also.
to identify individual users at the application Auditors in various regulatory environments
level can be a differentiator if applications use will require an ability to produce insights into
connection pooling to provide a more efficient the activity of users on a historical basis, which
group access account. This can sometimes be can require at least one month of accessible
enabled by communication with the application data. Compliance will also require an audit
through authentication protocols such as trail of various monitoring capabilities, such
Kerberos, but not all applications provide this as unusual user behaviors, changes to data,
capability. Other products may use application policy violations or changes to privileges. In
layer agents to gather identities, correlate the event of a breach or security incident, it is
logs from application tools, or use proxy-type important to be able to use the audit logs as a
technologies to intercept and analyze network forensic analysis aid to investigate all activities
commands from the application or web servers. including access, data changes or privileges.
Application-layer-focused tools will not have a
view of administrator access at the data layer. • Behavior Analysis, Alerting and Blocking
Care should be taken that additional controls — An ability to create security alerts based
are also in place to address this, such as upon preselected monitoring criteria is critical,
additional agent software monitoring agents or and this might result in different levels of
encryption at the data layer. alert that range from policy violations to
suspicious behavior in relation to the data
• Monitoring User Privileges and Data Access accessed. Mechanisms for alerting include
Activity — Security policies are specified to console displays and automatic messaging
manage and monitor the privileges for all to key security staff, data owners or business
application users and administrators with staff. Other functionalities may be enabled,
access to specific datasets. It is important to such as automatic blocking of a process, access
monitor for changes to AD membership or or removal of privileges. Extreme responses
changes to individual privileges to ensure they might include shutting down all access in
match requirements associated with business the event of very large data downloads.
role, data type or geographic location. The Future products may even correlate rules
ability to detect changes and create alerts to detect unusual behaviors. The ability to
for privilege escalation or for changes to data analyze historical access trends will provide
is important to detect potential malicious increasingly important forensic insights to
insider or external hacking activities and to detect inappropriate behaviors. Products vary
meet certain compliance mandates. However, in the ease of use of the management console
not all products operate at the storage level, interfaces to manage and report security alerts,
and they may not offer the ability to assess and in the granularity of reporting within the
different data storage platforms. For example:
10

• In relation to databases, there may need either case, these protection products may
to be a trade-off between the number of not be integrated into a single management
commands that can be inspected against console and will require careful coordination
the ability of software/hardware technology with data security policies. The selection of
to process and communicate the results these tools requires careful assessment of
for analysis. This can happen if servers or the threats and risks that each can offer. For
network communications are already heavily example, implementing transparent, database-
loaded and the ability of local monitoring level encryption can prevent access by system
agents to process the large volume of administrators, but database administrators
commands is then constrained. Data access would still have access. Applying dynamic data
can be blocked based upon data content and masking through an agent on the database
group membership or privileges. server, and linked via AD, can be used to
prevent access by database administrators.
• When consoles are overseeing multiple silos However, the data is not protected when
through agents or software with devolved stored at rest; it may still be accessible by
policy management or different monitoring system administrators. Encrypting or tokenizing
capabilities, there may be different false- fields can protect the data elements in use
positive results. and at rest, but care must be taken that this
does not affect the operation of applications.
• Data Protection — Some vendors offer Management of data protection tools is also
separate data protection tools using encryption, critical, but will produce its own overheads.
tokenization or data masking, while others
do not offer any tools and will require the
purchase of separate vendor products. In

FIGURE 2 Schematic Diagram for the DCAP Market Showing a Sample of Vendor’s Coverage of Overlapping Data Silos

Intel Security Mentis


IaaS SecuPi WareValley Database
Trustwave
BlueTalon
Cisco (Cloudlock) Dataguise
Netskope
Skyhigh Networks IBM Datiphy
NextLabs
Imperva
Oracle
Informatica
Protegrity
SaaS Big Data

CipherCloud
AvePoint
Fasoo
SailPoint
STEALTHbits
Varonis
Veritas

Quest

File Storage
© 2017 Gartner, Inc.

Source: Gartner (March 2017)


11

Representative Vendors • Management of privileges such as read/


The vendors listed in this Market Guide do not write or access must be based upon specific
imply an exhaustive list. This section is intended to classified datasets. Privilege management of
provide more understanding of the market and its individual users may not always be possible at
offerings. the application level due to connection pooling,
and vendors may only be able to enforce
The DCAP market is characterized by vendors with controls broadly across all users or none.
product strategies covering DBMSs; unstructured
file stores (files); semistructured environments • Activity monitoring of users and administrators
such as SharePoint, NoSQL, MongoDB and may be limited to monitoring access to certain
Hadoop; and cloud services. Some innovative data classified datasets, and some products focus
protection vendors are developing a centralized on only classified datasets. Products that
management console approach across multiple are based in the application layer, monitor
silos, but lack comprehensive DCAP capabilities. A network traffic or use proxies may not be able
representative mapping is shown in Figure 2, but to monitor activity by administrators in the data
note that none of these vendors can currently be layer. Additionally, due to connection pooling,
assessed as yet offering a complete DCAP product. monitoring application users directly from the
data layer may not be possible.
Table 1 shows a sample list of DCAP vendors that
are categorized by the main capabilities outlined • Audit and reporting capabilities are typically
in this research (see the Market Analysis section). focused around specific compliance
The following bullet points should be used when requirements.
reviewing the list of capabilities:
• Data protection can be one, or a combination,
• This table does not compare the extent of each of the capabilities of blocking, encryption,
vendor’s capabilities, nor how they compare tokenization and data masking. Quarantine is
across each of the data silos — DBMS, file an additional useful feature, but not considered
stores, big data, DBaaS, SaaS or IaaS. sufficient by itself. Only a few vendors currently
integrate policies for data protection with
• Vendors must offer all of the DCAP capabilities activity monitoring and access privileges.
before being considered to have a “Y” in any
particular silo.

• Vendors may require the installation of more


than one product to provide their full set
of capabilities. For example, tools for data
classification and discovery may not be
integrated with the core activity monitoring
product, or the vendor may rely on another
vendor’s product.
12

Table 1. Sample List of DCAP Vendors Against Capabilities for Five Data Silos

DCAP Capabilities Data Silos


Behavior Simple Integrates Integrated Appli- Data Data- Files Big SaaS IaaS
Analytics Monitoring Policies Data Discovery cation Protection base Data
& Alerting Across or Structured User Policy
All Silos (S) or Access Enforce-
Covered Unstructured Control ment
(U) Only
AvePoint Y Y Y Y Y Y Y
BlueTalon Y Y Y Y Y Y Y
CipherCloud Y Y Y Y Y
Cisco Y Y U Y Y Y Y
(Cloudlock)
Dataguise Y Y Y Y Y Y Y Y
Datiphy Y Y Y S Y Y Y
Fasoo Y U Y Y Y Y
IBM Y Y Y Y Y Y Y Y Y Y
Imperva* Y Y Y* S Y Y Y Y Y* Y
Informatica Y Y Y Y Y Y Y Y Y Y
Intel Y Y Y Y
Security
Mentis Y Y Y Y Y
Netskope Y Y U Y Y Y Y
NextLabs Y Y Y Y Y Y Y Y Y
Oracle Y Y Y Y Y Y Y Y
Protegrity Y Y Y Y Y Y Y Y Y Y
Quest Y Y U Y Y
SailPoint Y Y U Y Y Y
SecuPi Y Y Y S Y Y Y Y
Skyhigh Y Y Y Y Y Y Y
Networks
STEALTHbits Y Y U Y Y Y Y
Trustwave Y S Y Y Y
Veritas Y Y U Y Y Y
Varonis Y Y Y U Y Y Y Y
WareValley Y S Y Y Y
*Note — Imperva’s monitoring of SaaS is achieved using its CounterBreach product, but also requires a separate license of the Forcepoint
CASB product.
Source: Gartner (March 2017)
13

Note, the capabilities of products from each to verify if the privileges are appropriate, given
vendor can vary significantly in relation to the original data sensitivity. Decide if privileges
breadth and depth of functionality, integration need to be managed for the application as
with applications and data silos, and even the a whole (connection pooling) or if individual
policies or analytics. Therefore, SRM leaders need access controls are required. Therefore, identify
to select products that suit their data governance how the controls need to be implemented,
strategy and security requirements. For example, with appropriate DCAP product or products to
if there are compliance requirements to provide address each silo.
full auditable assessments of users accessing a
database, then DAP vendors will have the most • Given the shortlist of relevant DCAP products,
comprehensive RDBMS abilities to inspect all SQL analyze the internal architectural loading
commands. and network communication constraints to
determine each product’s ability to deliver the
Market Recommendations necessary monitoring and data protection.
• Establish a data security governance strategy
supported by DCAP that is approved by key Evidence
business stakeholders, which should include 1
Over the past year, Gartner has spoken to more
business, IT, security, compliance and risk. than 300 clients to discuss requirements for
The main outcomes will be a classification of data protection and activity monitoring. These
sensitive data types, compliance requirements, discussions have highlighted the shortcomings
risks and threats. These will be balanced of existing siloed products and their lack of a
against any necessary trade-offs to business coordinated data security policy across silos.
access through, for example, IT systems, staff Discussions with many vendors have also
locations or customer needs. highlighted their desire to address unmet needs for
data security governance and data security policy
• Establish and develop data security policies through a DCAP approach.
that set out the necessary security controls for
specific datasets and storage locations. This will 2
Identity Theft Resource Center Data Breaches.
require coordination and cooperation with the
data owners and various security management
3
“Data Protection Laws of the World.” DLA Piper.
teams that are deployed for each of the data
silos to coordinate the controls that will be
4
“Cybersecurity Requirements for Financial
implemented by the DCAP products. Services Companies.” New York State Department
of Financial Services.
• Evaluate the data controls required and which
silos need protection, and decide if any DCAP Note 1
product options meet these requirements Data Security Governance
against each category. The early market trends Data security governance refers to a subset of
have shown that some vendors already cross information governance that deals specifically
silos (see Figure 2 and Table 1). with protecting corporate data (in both structured
database and unstructured file-based forms)
• If you only have one RDBMS platform or file
through defined data policies and processes, and
storage type, such as SharePoint, you may be
implemented via technologies that are drawn
able to provide basic controls through native
from products such as DCAP, CASB and data loss
capabilities and extraction of log data to
prevention, among others.
other network security tools, such as security
information and event management. Note that Source: Gartner Research, G00298197, Brian Lowans,
reliance on SIEM tools for monitoring typically Marc-Antoine Meunier, Brian Reed, Deborah Kish, Merv Adrian,
David Anthony Mahdi, 21 March 2017
loses the context of which sensitive data is the
subject of activity.

• Identify applications that extract data or


transfer data to adjacent silos, given certain
user privileges. Any new user access to the
data must be understood within the new silo
14

Varonis Case Study: The City of San Diego


Background is largely due to the fact that ransomware makes
Gary Hayslip, hired by the City of San Diego as cyber criminals money. Varonis DatAlert helps us to
its first CISO in 2013, has been involved with identify and stop these breaches. It helps us better
cybersecurity for nearly 30 years and co-authored understand if the ransomware was successful and
the book, “The CISO Desk Reference Guide.” In his whether it reached any of our share drives. We need
current role, he is responsible for the development this context so we can respond quickly and stop it
and implementation of the city’s information from expanding and destroying folders.”
security strategies, policies, procedures and
internal controls. For a city of more than 1.3 Data-Centric Audit and Protection
million people, Hayslip advises the city’s executive “We process everything from credit card payments
leadership and protects a network that blocks to trading municipal bonds. There are several
about half a million cyber-attacks a day. different regulatory verticals that our data,
accounts and business practices fall into, and I
After a careful evaluation, the City of San Diego wanted to build a data security platform to look
chose to implement the data security platform at all the various types of data the city has, who
from Varonis, which includes Data Classification is accessing it and the practices we have for
Framework, DatAdvantage for Windows and processing it. Varonis is that platform for us.”
Directory Services and DatAlert solutions.
Hayslip added, “As we started using Varonis,
Hayslip said, “The more I began to examine the particularly the Data Classification Framework
cybersecurity landscape, the more I realized that and DatAdvantage for auditing and protection, we
the traditional perimeter security strategy was were able to see data that was stale and hadn’t
inadequate for the threats we currently face today. been touched in years. The interesting thing about
In my present enterprise environment, we don’t cities is that if a technology works they will keep
have one network. We have 24 networks, with that technology and its data forever. Unfortunately,
about 40,000 endpoints spread across the county, that can mean cities won’t innovate and try a
and we have employees on mobile devices like new technology unless the old one breaks or they
smart phones and laptops in the field. It’s this are forced to change. Currently, we estimate we
disparate view that brought me to the conclusion have more than five petabytes of data – copies of
I needed to move security from the edge down copies of copies of copies. We estimate that we
to the data level, where my data flows are at, can probably reduce that amount by about 30%
and actually start tracking who’s accessing it and through understanding how our data is used and
what’s being done with it.” identifying what we truly need for operations.
One of the most valuable things that Varonis has
Ransomware been able to do for us is to identify stale data that
Hayslip continued, “We have 14,000 desktops, in isn’t needed for business operations. We’re able
everything from police cars to trash trucks, sitting to store it in less expensive facilities and remove
in city buildings or laptops out in the field, and unnecessary duplicates, freeing up a lot of critical
they get phishing emails. In the last year, we’ve space and saving money.”
gone from averaging five ransomware attacks a
Source: Varonis
month to now around 10-15 times a day – all
because someone clicks on something they
shouldn’t have. The growth in malicious activity
15

About Varonis
Varonis is a leading provider of software
solutions that protect data from insider threats
and cyberattacks. Through its innovative Data
Security Platform, Varonis allows organizations
to analyze, secure, manage, and migrate their
volumes of unstructured data. Varonis specializes
in file and email systems that store valuable
spreadsheets, word processing documents,
presentations, audio and video files, emails, and
text. This rapidly growing data often contains
an enterprise’s financial information, product
plans, strategic initiatives, intellectual property,
and confidential employee, customer or patient
records. IT and business personnel deploy Varonis
software for a variety of use cases, including
data security, governance and compliance,
user behavior analytics, archiving, search, and
file synchronization and sharing. With offices
and partners worldwide, Varonis had more than
5,500 customers as of March 31, 2017, spanning
leading firms in financial services, healthcare,
public, industrial, insurance, energy and utilities,
media and entertainment, consumer and retail,
technology and education sectors.

Click here for a free data risk assessment to find


and fix your data security risks.

Are You Protecting Your Data or Chasing Threats? is published by Varonis. Editorial content supplied by Varonis is independent of Gartner analysis. All Gartner research is used
with Gartner’s permission, and was originally published as part of Gartner’s syndicated research service available to all entitled Gartner clients. © 2017 Gartner, Inc. and/or its
affiliates. All rights reserved. The use of Gartner research in this publication does not indicate Gartner’s endorsement of Varonis’s products and/or strategies. Reproduction or
distribution of this publication in any form without Gartner’s prior written permission is forbidden. The information contained herein has been obtained from sources believed
to be reliable. Gartner disclaims all warranties as to the accuracy, completeness or adequacy of such information. The opinions expressed herein are subject to change without
notice. Although Gartner research may include a discussion of related legal issues, Gartner does not provide legal advice or services and its research should not be construed or
used as such. Gartner is a public company, and its shareholders may include firms and funds that have financial interests in entities covered in Gartner research. Gartner’s Board
of Directors may include senior managers of these firms or funds. Gartner research is produced independently by its research organization without input or influence from these
firms, funds or their managers. For further information on the independence and integrity of Gartner research, see “Guiding Principles on Independence and Objectivity” on its
website, http://www.gartner.com/technology/about/ombudsman/omb_guide2.jsp.