David Gibson is the vice president of marketing at Varonis, a company for data protection. David studied physics at Duke University and a BM in classical composition from the New England Conservatory of Music. He has more than 17 years of experience in IT as a systems and sales engineer, having worked for Time Inc. and Tripwire. In this interview he talks in detail about metadata and human-generated data and Varonis’ role in protecting that data as far as user access, tracking of data use and auditing is concerned.
Sramana Mitra: David, let’s start by introducing Varonis. What do you do? What is the company all about? Also give us some background about yourself so the audience knows whose perspective they are being brought into.
David Gibson: Varonis provides solutions for human-generated data, which is a kind of unstructured data. When we talk about human-generated data we are typically talking about the spreadsheets, audio files, images, and other different types of formats that people use to put down their thoughts, to present, and to analyze, which contain critical stuff – intellectual property, business plans, HR documents, financial statements, etc. I think of it as the gateway to and from your brain, with additional rules. Varonis suggests to organizations to make sure they can collaborate with these critical digital assets quickly and safely so the data is protected and that only the right people have access to the right data at all times and from all devices.
SM: And what about your personal background?
DG: I have been in IT for almost 20 years. I started out as a systems administrator and then started getting into network management and network security, consulting for different companies. Then I went to work for Tripwire, which is a change auditing company, and then in 2006, I went to work for Varonis.
SM: Can you take us through who the customers are you are catering to and how you are working with them?
DG: Before I do that, I just want to provide one more piece of background. I mentioned human-generated data before. What is important is that we are using metadata to help organizations get more value from this data, and also to help them manage and protect it. This is how we are doing these use cases. I think of Varonis as collecting four distinct metadata streams. All this human-generated data is typically stored on file servers, intranets, e-mail systems, etc. These platforms have a directory structure and file system metadata. That is one stream.
The second is user and group information, which is commonly stored in directory services. The third is “Who is accessing this information?” Who is opening, creating, deleting, modifying, and moving files? Who is sending e-mails to whom? Who is marking them as unread? Who is moving e-mails around? Who is changing permissions? That is a huge metadata stream. The activity is something most organizations don’t have at all. There are lots of use cases in terms of what we can do there. The fourth is, “What does this data contain?”We are able to mine the content, looking for private data, personal identifiable information, regulated content, or other critical terms.
The four metadata streams combined are the key to our technology. Our metadata frameworks that puts those metadata streams together, normalizes them, processes them, and presents actionable results to IT and the business and then executes their decisions, making that process easier.
With that being said, I will talk about the use cases. The first thing is something that happens when you are able to see. What do I mean by that? A lot of organizations don’t know where sensitive data is or where data is in general. They don’t know who has access to it, who is accessing it, what it contains, or any combination of those things. As soon as the lights are on with Varonis, important things happen. First, we have a detective control. We can answer basic questions that come up every day, like, “Where did my files go?” “Who deleted my data?” and “What systems have I been accessing?” Or, “Who has been working on a project?”
We are able to use the activity to make operations easier and more efficient and give the business a bit more insight into what data is being used and not being used and who that data belongs to.
Another key thing we provide is visibility into who has access to data. We provide a map of your infrastructure. “Here is what your data is, here is who has access to it, etc.” When we put those two together, we can start to say, “Here is where people have too much access or here is where sensitive data resides, here is where it is overexposed, and here is where we can lock it down.” Imagine you had a bank account but you didn’t have a register of who has been withdrawing money from that bank account, and then one day you do. The first thing you do is ask if any transaction had been approved – if there was anyone who withdrew money from your account and who you didn’t authorize to do so. Once you eliminate that risk, you start to draw patterns and ask yourself how you can use this information for other things. That auto trail opens up a lot of use cases.
Another thing is being able to map your permissions and start to spot where people have excessive permission. Another example is if we find credit card numbers. If we combine that with the overexposure, we have ways to reduce risk. We can say, “Here is where pockets of sensitive data are, here is where they are exposed to too many people, here is who is making use of that data or not and here is how we can remediate that safely.”
This segment is part 1 in the series : Thought Leaders in Big Data: Interview with David Gibson, VP of Marketing at Varonis
1 2 3 4 5 6