Somerford Associates Limited

Varonis - Track, Visualise, Analyse and Protect Unstructured Data

Varonis is a powerful data security platform that assists in mitigating data risks by enabling organisations to rapidly reduce risk around sensitive data, detect advanced threats, and prove compliance.

Varonis reduces exposure by locking down file and directory permissions so that only essential staff have access.

Features

  • Full enumeration of all directories and Access Control Lists
  • Complete mapping of directory services' user and group membership
  • Bi-directional view of permissions and access to every directory
  • Full auditing for file data, email and Directory Service action
  • Over 150 predefined threat models for advanced and real-time alerts
  • Predefined classification rules including full GDPR coverage and PCI
  • Permissions and membership change
  • Advanced investigation and forensics dashboard interface with automated responses
  • Comprehensive storage platform and file system support
  • Enterprise search to facilitate Data Subject Access Requests

Benefits

  • Identify and prioritise the most at-risk data
  • Automated remediation to secure data to least privilege
  • Analyse user behaviour for signs of compromise, abuse or misuse
  • Automate alert responses to minimise threat and ransomware impact
  • Identify and eliminate stale and toxic data to reduce risk
  • Help satisfy auditing and compliance requirements and sustain secure operations
  • Increase efficiency through business user access provisioning and entitlement re-certification
  • Automate disposition, quarantining and data policy enforcement
  • Increase operational efficiency, devolving responsibility from IT to data owners
  • Provide identity, access and analytics data for security ecosystem integrations

Pricing

£122.58 a user

Service documents

Request an accessible format
If you use assistive technology (such as a screen reader) and need versions of these documents in a more accessible format, email the supplier at penny.harrison@somerfordassociates.com. Tell them what format you need. It will help if you say what assistive technology you use.

Framework

G-Cloud 12

Service ID

975027190978217

Contact

Somerford Associates Limited
Penny Harrison
Telephone: +44 1242 388168
Email: penny.harrison@somerfordassociates.com

Service scope

Software add-on or extension
No
Cloud deployment model
Private cloud
Service constraints
Varonis can be implemented in your own cloud environment. The Varonis architecture must be run on Microsoft Windows Server, with Active Directory for security and SQL Server for data storage, but can monitor and manage a plethora of Microsoft/LDAP/Linux/UNIX/NAS platforms.
System requirements
  • Windows Server 2008 R2 SP2 or newer
  • .NET Framework 3.5 w/ SP1, 4.0, and 4.5
  • Microsoft SQL Server 2008/2014/2016 - standard/enterprise

User support

Email or online ticketing support
Email or online ticketing
Support response times
Varonis standard support is available Monday to Friday from 9am to 9pm local time. 24/7 support can be accessed for an additional cost.
User can manage status and priority of support tickets
Yes
Online ticketing support accessibility
None or don’t know
Phone support
Yes
Phone support availability
9 to 5 (UK time), Monday to Friday
Web chat support
No
Onsite support
Yes, at extra cost
Support levels
Our Service Desk provides support for P1 to P4 where a part of the software, appliance or license was previously working and is not working as expected or at all.

If an issue requires a level of Professional Services to engage, a member of the support team will liaise with your Account Manager to discuss this further.

Service Desk offer support through several channels, including telephone, e-mail and remote sessions where appropriate. Any employee of our entitled customers can raise a support desk ticket via telephone or e-mail with their company e-mail address. This will be logged and assigned to an engineer who will respond within 1 business hour.

Somerford resolve over 90% of service desk tickets without requiring the involvement of our Partners. Where Partner involvement is required, we will advise you on the process. Wherever possible, we will manage your service desk case with our Partners.

Our service desk is available between 9am and 5pm Monday to Friday, excluding Bank Holidays. Our service desk will provide support for existing Customers and companies that are engaged in Proof of Concepts.

All our customers have a Technical Account Manager.
Support available to third parties
Yes

Onboarding and offboarding

Getting started
Training can be completed by leveraging Varonis Education Services for standard training of the application and advanced/troubleshooting classes that are offered. All training is done online. In addition, Professional Services can provide online or on-site training that is more customised based upon specific products and use cases/business needs for the customer. Varonis also offers additional learning resources (e.g. how-to documents and videos) in the Customer Community portal.
Service documentation
Yes
Documentation formats
  • HTML
  • PDF
End-of-contract data extraction
Varonis can be implemented in your own cloud environment. You control who has access to your Varonis environment, and we do not have access to your data or facilities. Varonis Systems does not host, process, or maintain access to any customer data or facilities. All data processing is performed at the customer facility, under the control of customer staff.
End-of-contract process
Varonis can be implemented in your own cloud environment. You control who has access to your Varonis environment, and we do not have access to your data or facilities. All data processing is performed at the customer facility, under the control of customer staff and therefore, before the contract is terminated, the data in the database can be exported, or afterwards, the database can be kept by the customer.

Using the service

Web browser interface
Yes
Supported browsers
  • Internet Explorer 10
  • Internet Explorer 11
  • Microsoft Edge
  • Firefox
  • Chrome
  • Safari 9+
Application to install
Yes
Compatible operating systems
Windows
Designed for use on mobile devices
No
Service interface
No
API
Yes
What users can and can't do using the API
Varonis has exposed APIs in its core DatAdvantage and DataPrivilege platforms. These APIs expose reports, file system change information, the capability to change permissions and group membership through the Varonis Commit Engine, and Authorisation and Entitlement review workflows through SOAP and REST APIs.
API documentation
Yes
API documentation formats
PDF
API sandbox or test environment
No
Customisation available
No

Scaling

Independence of resources
Varonis Systems does not host, process, or maintain access to any customer data or facilities. All data processing is performed at the customer facility, under the control of customer staff.

Analytics

Service usage metrics
No

Resellers

Supplier type
Reseller providing extra support
Organisation whose services are being resold
Varonis

Staff security

Staff security clearance
Conforms to BS7858:2012
Government security clearance
Up to Developed Vetting (DV)

Asset protection

Knowledge of data storage and processing locations
Yes
Data storage and processing locations
  • European Economic Area (EEA)
  • EU-US Privacy Shield agreement locations
  • Other locations
User control over data storage and processing locations
Yes
Datacentre security standards
Managed by a third party
Penetration testing frequency
Less than once a year
Penetration testing approach
Another external penetration testing organisation
Protecting data at rest
  • Encryption of all physical media
  • Other
Other data at rest protection approach
Varonis can be implemented in your own cloud environment. You control who has access to your Varonis environment, and we do not have access to your data or facilities. All data processing is performed at the customer facility, under the control of customer staff.
Data sanitisation process
No
Equipment disposal approach
In-house destruction process

Data importing and exporting

Data export approach
Varonis has a number of reports and APIs which can be used to pull data from the system into various formats or feed the information into other tools.
Data export formats
  • CSV
  • Other
Other data export formats
  • PDF
  • Excel
  • HTML
  • TIFF
  • Web Archive
Data import formats
CSV

Data-in-transit protection

Data protection between buyer and supplier networks
  • TLS (version 1.2 or above)
  • Legacy SSL and TLS (under version 1.2)
  • Other
Other protection between networks
Varonis is an on-premise software solution. Varonis is not a SaaS offering, nor does Varonis Systems host, process, or maintain access to any customer data or facilities. All data processing is performed at the customer facility, under the control of customer staff.
Data protection within supplier network
  • TLS (version 1.2 or above)
  • Legacy SSL and TLS (under version 1.2)
  • Other
Other protection within supplier network
Varonis can be implemented in your own cloud environment. You control who has access to your Varonis environment, and we do not have access to your data or facilities. All data processing is performed at the customer facility, under the control of customer staff.

Availability and resilience

Guaranteed availability
Components can be made highly available and we offer DR best practice documentation with our solution.
Approach to resilience
Our support and professional services are located in 3 different continents, and act as a backup for each other in case of disaster. More information is available on request.
Outage reporting
Components can be made highly available and we offer DR best practice documentation with our solution. Varonis provides email alerts if there are component connection issues, and additional details are available in the Varonis Management Console, and in the Event Viewer logs.

Identity and authentication

User authentication needed
Yes
User authentication
  • 2-factor authentication
  • Identity federation with existing provider (for example Google Apps)
  • Username or password
  • Other
Other user authentication
Varonis authenticates via Active Directory
Access restrictions in management interfaces and support channels
Varonis DatAdvantage has application RBAC and resource-based custodianship. There are currently 27 different roles. RBAC and Custodianship provide:
  • Separation of front end user roles and back end solution configuration roles
  • Segregate resource views by administrative region or resource type
  • Asia-Pac administrators can only see Asia-Pac Servers
  • SharePoint administrators can only see SharePoint resources
  • Content-based access separation for lower level operational IT roles
  • Hide information views such as sensitive content locations from Help-Desk admins
Access restriction testing frequency
At least once a year
Management access authentication
Other
Description of management access authentication
Varonis authenticates all access, including management access, using Active Directory.

Audit information for users

Access to user activity audit information
Users have access to real-time audit information
How long user audit data is stored for
User-defined
Access to supplier activity audit information
No audit information available
How long system logs are stored for
User-defined

Standards and certifications

ISO/IEC 27001 certification
Yes
Who accredited the ISO/IEC 27001
Available upon request
ISO/IEC 27001 accreditation date
We should receive it within 30 days (as at 22 May 2018)
What the ISO/IEC 27001 doesn’t cover
We cover our services and information security. You will be able to see the description in the certificate as soon as we receive it.
ISO 28000:2007 certification
No
CSA STAR certification
No
PCI certification
No
Other security certifications
Yes
Any other security certifications
Common Criteria EAL2+

Security governance

Named board-level person responsible for service security
Yes
Security governance certified
Yes
Security governance standards
ISO/IEC 27001
Information security policies and processes
The customer controls the access control policies to Varonis and is in complete control of the data access policies and processes. All data processing is performed under the control of customer staff.

Operational security

Configuration and change management standard
Supplier-defined controls
Configuration and change management approach
Varonis provides customers with maintenance and upgrade releases periodically. We ensure that customers are notified of new versions via email and/or the Varonis customer portal. When implemented within the customer's cloud environment, configuration and change management processes are the responsibility of the customer.
Vulnerability management type
Undisclosed
Vulnerability management approach
All data processing is performed within the customer's cloud environment, under the control of customer staff.

Internally, Varonis is committed to strong IT security controls and policy which includes regular reviews by C-level.
Protective monitoring type
Undisclosed
Protective monitoring approach
All data processing is performed within the customer's cloud environment, under the control of customer staff.

Internally, Varonis is committed to strong IT security controls and policy which includes regular reviews by C-level.
Incident management type
Undisclosed
Incident management approach
All data processing is performed within the customer's cloud environment, under the control of customer staff.

Incidents can be reported to Varonis' Incident Management team through the support process. Varonis' Incident Management will work collaboratively with the customer's Incident Management team.

Internally, Varonis is committed to strong IT security controls and policy which includes regular reviews by C-level.

Secure development

Approach to secure software development best practice
Independent review of processes (for example CESG CPA Build Standard, ISO/IEC 27034, ISO/IEC 27001 or CSA CCM v3.0)

Public sector networks

Connection to public sector networks
No

Pricing

Price
£122.58 a user
Discount for educational organisations
No
Free trial available
Yes
Description of free trial
Varonis offers a free Data Risk Assessment report - a custom security assessment designed specifically for you. You will receive a comprehensive report that highlights your at-risk sensitive data, flags access control issues, quantifies risk, and describes concrete steps to improve your data security.
Link to free trial
https://info.varonis.com/start
