Barrier Networks

Varonis SaaS Data Security Platform

Varonis is a leader in data security, fighting a different battle than conventional cybersecurity companies. Our cloud-native Data Security Platform continuously discovers and classifies critical data, removes exposures, and detects advanced threats with AI-powered automation.

Features

• Accurate data inventory: Find, classify, label, secure sensitive data.
• Flexible policies: Library of hundreds of customizable classification rules
• Data access intelligence: Control net permissions, reduce exposure/compliance risk
• Policy automation: Automated remediation for exposures, unnecessary permissions, misconfigurations.
• Cross-platform audit trail: Searchable data access and granular permissions.
• Data-centric UEBA: Detect abnormal activity to stop data breaches.
• MDDR: 24x7x365 incident response, threat hunting & forensics.
• DSPM: Reports and dashboards show meaningful risk reduction.
• Email security: Detect exposures, email-based attacks & insider threats.
• Compliance: posture against GDPR, CAF, NHS DSPT, NIST, ISO27001.

Benefits

• Improve your data security posture automatically
• Enable the safe rollout/use of generative AI/LLMs (e.g. Co-Pilot).
• Accurately discover, classify, and label sensitive data.
• Monitor cloud data activity and prevent exfiltration.
• Enforce least privilege, labels, and secure settings.
• Detect abnormal activity from APTs and insider threats.
• Fix critical SaaS misconfigurations and third-party app risk.
• Automate compliance regulations and frameworks
• Lock down sensitive mailboxes and stop exfiltration.
• Reduce risk and minimize cyber insurance claims.

£25.55 a licence a year

• Free trial available

Service documents

• Pricing document

  PDF

• Service definition document

  PDF

• Terms and conditions

  PDF

Request an accessible format

If you use assistive technology (such as a screen reader) and need versions of these documents in a more accessible format, email the supplier at info@barriernetworks.com. Tell them what format you need. It will help if you say what assistive technology you use.

Framework

G-Cloud 14

Service ID

354714623598016

Contact

Iain Slater
0141 356 0101
info@barriernetworks.com

Service scope

• Software add-on or extension: No
• Cloud deployment model:
  • Public cloud
  • Private cloud
  • Hybrid cloud
• Service constraints: The Varonis Data Security Platform offers both SaaS and self-hosted ; deployment options. ; Our cloud-native Data Security Platform is hosted by Varonis and ; delivered as software-as-a-service (SaaS). Our SaaS platform can ; monitor and protect both cloud and on-premises data. ; Our self-hosted Data Security Platform can be deployed either onprem or in any private cloud that can run Windows servers (e.g., Azure, ; AWS, Google, etc.).
• System requirements:
  • Windows Server 2019/2022 Standard or Enterprise (x64) (Fully Patched).
  • 8 Core, 2 GHz or better CPU
  • 16 GB RAM minimum
  • 250 GB Drive (required to be on C:\\)
  • .NET Framework - 4.7.2 or 4.8

User support

• Email or online ticketing support: Email or online ticketing
• Support response times: Varonis standard support is available Monday to Friday from 9am to ; 9pm Central European Time. 24/7 support can be accessed for an ; additional cost.
• User can manage status and priority of support tickets: Yes
• Online ticketing support accessibility: WCAG 2.1 AAA
• Phone support: Yes
• Phone support availability: 9 to 5 (UK time), Monday to Friday
• Web chat support: No
• Onsite support: Onsite support
• Support levels: Tickets are opened through the Customer portal on help.varonis.com ; and can be updated online or via email.; Varonis Support has 3 tiers of response- FLS (T1), Tier2, Tier 3. Most ; cases that are open by SEs/Partners/customers will be received by ; FLS, and escalated according to need. SLA is defined upon the level of Support Services the customer has purchased and the severity of the ; case. For further details, please see "Varonis Support Principles" ; document.
• Support available to third parties: Yes

Onboarding and offboarding

• Getting started: Training can be completed by leveraging Varonis Education Services ; for standard training of the application and advanced/troubleshooting ; classes that are offered. All training is done online. In addition, ; Professional Services can provide online or on-site training that is ; more customised based upon specific products and use ; cases/business needs for the customer. Varonis also offers additional ; learning resources (ex: how-to documents and videos) in the Customer ; Community portal.
• Service documentation: Yes
• Documentation formats:
  • HTML
  • PDF
• End-of-contract data extraction: Users can create and extract Varonis reports from their environment ; and data within the platform until the subscription expires. Varonis ; only collects and stores metadata on the platform. No customer files ; are stored on the platform.
• End-of-contract process: After the subscription has expired Varonis metadata collection and ; data processing will cease. The customer can then decommission ; their collectors and disable relevant service accounts used by Varonis.; Retention of Subscriber Data - Our default retention policy is a sliding ; window of 180 days during the subscription term (unless a longer ; period was approved by Varonis, at its sole discretion, at the request of ; the Client). Upon the end/termination of the subscription term, ; Subscriber Data which is held by Varonis at such time shall be kept for ; a period of up to 30 days after termination of the subscription

Using the service

• Web browser interface: Yes
• Supported browsers:
  • Internet Explorer 11
  • Microsoft Edge
  • Firefox
  • Chrome
  • Safari
• Application to install: Yes
• Compatible operating systems:
  • Linux or Unix
  • MacOS
  • Windows
  • Other
• Designed for use on mobile devices: No
• Service interface: No
• User support accessibility: WCAG 2.1 AAA
• API: Yes
• What users can and can't do using the API: Varonis has exposed APIs in its core SaaS, DatAdvantage, ; DataPrivilege and DatAlert platforms. These APIs expose reports, file system change information, the capability to change permissions and ; group membership through the Varonis Commit Engine, and ; Authorisation and Entitlement review workflows through SOAP and ; REST APIs.; Varonis APIs can also be used to feed alerts to other security tools e.g. ; SIEM and SOAR solutions.
• API documentation: Yes
• API documentation formats: PDF
• API sandbox or test environment: No
• Customisation available: Yes
• Description of customisation: Reports can be customised, automation and policies can be ; customised, Alerts and Rules can be customised.

Scaling

• Independence of resources: Varonis is designed in high availability. Our SaaS and DAC platforms ; are cloud native solutions which are scalable and elastic for users ; onboarded.; Our selfhosted platform components are scoped based on the ; organisations size and we offer documentation to support the increase ; system specification should there be a need to increase resources for ; the platform.

Analytics

• Service usage metrics: Yes
• Metrics types: Varonis can provide metrics on: platform run/uptime, system health, ; event collection, past incidents, scan progress.
• Reporting types: Real-time dashboards

Resellers

• Supplier type: Reseller providing extra support
• Organisation whose services are being resold: Varonis

Staff security

• Staff security clearance: Other security clearance
• Government security clearance: Up to Developed Vetting (DV)

Asset protection

• Knowledge of data storage and processing locations: Yes
• Data storage and processing locations:
  • United Kingdom
  • European Economic Area (EEA)
  • Other locations
• User control over data storage and processing locations: Yes
• Datacentre security standards: Managed by a third party
• Penetration testing frequency: At least once a year
• Penetration testing approach: Another external penetration testing organisation
• Protecting data at rest:
  • Encryption of all physical media
  • Other
• Other data at rest protection approach: Varonis can be implemented in your own cloud environment. You ; control who has access to your Varonis environment, and we do not ; have access to your data or facilities. All data processing is performed ; at the customer facility, under the control of customer staff.
• Data sanitisation process: Yes
• Data sanitisation type: Explicit overwriting of storage before reallocation
• Equipment disposal approach: In-house destruction process

Data importing and exporting

• Data export approach: Users can export Varonis reports of their environment and data in CSV, ; PDF, Excel, HTML formats. Varonis only collects and stores metadata ; on the platform.
• Data export formats:
  • CSV
  • Other
• Other data export formats:
  • PDF
  • Excel
  • HTML
• Data import formats:
  • CSV
  • Other
• Other data import formats:
  • XML
  • Syslog

Data-in-transit protection

• Data protection between buyer and supplier networks: TLS (version 1.2 or above)
• Data protection within supplier network: TLS (version 1.2 or above)

Availability and resilience

• Guaranteed availability: Varonis is designed in high-availability. SaaS and DAC platforms are ; cloud native with 99% availability over a rolling 90 days. For ; selfhosted, the components can be made highly available, and we ; offer disaster recovery best practice documentation. Varonis will use commercially reasonable efforts to assure that ; Subscriber is able to access the Varonis’ web application of the ; Subscription Services at least 99% of the time, as measured by ; Varonis over the course of twelve months period(s) (Availability). If; Varonis does not meet the Availability commitment, Subscriber will be ; eligible to receive Service Credit as described in Varonis SaaS Support ; Policies.
• Approach to resilience: Available on request.; Our SaaS solution is hosted in a UK South region with resiliency ; provided by 3 availability zones.
• Outage reporting: Publicly available dashboard. With the option to subscribe to email ; updates

Identity and authentication

• User authentication needed: Yes
• User authentication:
  • 2-factor authentication
  • Identity federation with existing provider (for example Google Apps)
  • Username or password
  • Other
• Other user authentication: Varonis authenticates via Active Directory. In cloud, using Microsoft ; Entra ID
• Access restrictions in management interfaces and support channels: Varonis has application Role Based Access Control and resource ; based custodianship. There are currently 28 different roles. RBAC and ; Custodianship provides: ; • Separation of front-end user roles and back-end solution ; configuration roles ; • Segregate resource views by administrative region or resource ; type ; • Asia-Pac administrators can only see Asia-Pac Servers ; • SharePoint administrators can only see SharePoint resources ; • Content based access separation for lower level operational IT ; roles.; • Hide information views such as sensitive content locations ; from Help-Desk admins.
• Access restriction testing frequency: At least every 6 months
• Management access authentication:
  • 2-factor authentication
  • Identity federation with existing provider (for example Google Apps)
  • Username or password
  • Other
• Description of management access authentication: Varonis authenticates all access, including management access, using ; active directory. In cloud, using Microsoft Entra ID.

Audit information for users

• Access to user activity audit information: Users have access to real-time audit information
• How long user audit data is stored for: User-defined
• Access to supplier activity audit information: Users have access to real-time audit information
• How long supplier audit data is stored for: User-defined
• How long system logs are stored for: User-defined

Standards and certifications

• ISO/IEC 27001 certification: Yes
• Who accredited the ISO/IEC 27001: The Standards Institute of Israel
• ISO/IEC 27001 accreditation date: 08/01/2021
• What the ISO/IEC 27001 doesn’t cover: There are no exceptions, the certification covers - Development, ; Research, Software Delivery, Support, Professional Services, Delivery Cloud Based Software Solutions, Sales, Training, Project Management, Design and planning of risk assessment, protection of information systems, security of corporate and cloud networks.
• ISO 28000:2007 certification: No
• CSA STAR certification: Yes
• CSA STAR accreditation date: 11/01/2023 (Varonis Cloud), 17/05/2022
• CSA STAR certification level: Level 1: CSA STAR Self-Assessment
• What the CSA STAR doesn’t cover: The certificate covers relevant security controls in place for the ; services offered by Varonis.
• PCI certification: Yes
• Who accredited the PCI DSS certification: 1 Cyber Valley
• PCI DSS accreditation date: 30/11/2023
• What the PCI DSS doesn’t cover: Varonis has completed an SAQ-D for Service Providers and Attestation of Compliance (AoC) which can be provided upon request. The Varonis Service has not been designed to store or process cardholder data. There is, however, a very low-level risk of card contamination within the file analysis process. To mitigate this risk, the requirements for card transmission and encryption were assessed as part of the assessment.
• Cyber essentials: Yes
• Cyber essentials plus: Yes
• Other security certifications: Yes
• Any other security certifications:
  • ISO 27017:2015
  • ISO 27018:2019
  • SOC2
  • ISO/IEC 27701
  • NIAP Common Criteria Certification
  • HIPAA
  • Data Privacy Framework

Security governance

• Named board-level person responsible for service security: Yes
• Security governance certified: Yes
• Security governance standards:
  • ISO/IEC 27001
  • Other
• Other security governance standards: • ISO 27017:2015; • ISO 27018:2019; • CSA CCM version 4.0; • SOC2; • ISO/IEC 27701; • NIAP Common Criteria Certification; Page 12 of 18; www.varonis.com; • HIPAA; • Data Privacy Framework; • CSA STAR certification; • PCI-DSS
• Information security policies and processes: Varonis is a pioneer in data security and analytics specialising in data ; protection, threat detection and response, and compliance. Varonis ; adopts a risk-based approach for its information security management ; system (ISMS). This approach requires identifying, assessing, and ; appropriately mitigating vulnerabilities and threats to information ; assets. Deploying an ISMS reduces the risk of unauthorized, ; accidental, or intentional information disclosure, modification, or ; destruction.

Operational security

• Configuration and change management standard: Supplier-defined controls
• Configuration and change management approach: Varonis provides customers with maintenance and upgrade releases. Ensuring customers are notified of new versions via email/Varonis customer portal. When implemented within the customer's cloud environment configuration and change management processes are the responsibility of the customer.; Varonis maintains an inventory of our components to ensure they are ; monitored and tracked.; Changes within all our environments are subject to a structured ; change-management procedure. They undergo design and impact ; analysis and are continuously monitored. As with all our processes, ; the procedure is subject to annual external audits (SOC 2 and ISO/IEC 27000 series)
• Vulnerability management type: Supplier-defined controls
• Vulnerability management approach: Varonis has a Vulnerability and Threat Management Policy. Varonis ; systems are scanned and results are reviewed by the CISO and IT ; departments. Security vulnerabilities are remediated within the ; timeline defined within the policy which includes procedures decided ; by the CISO for zero-day and other urgent patches.; We deploy patches according to Varonis internal policy which aligns ; with industry standards and best practices. Our patch management ; policy requires security updates be installed promptly.; Our SOC teams constantly monitor sources to ensure they are ; informed of new threats and vulnerabilities.
• Protective monitoring type: Supplier-defined controls
• Protective monitoring approach: Varonis' Security Operations Centre, which comprise information ; security personnel are responsible for the review and/or monitoring of ; information security incidents or events. Our SOC and Cloud ; operations teams constantly monitor our environments to ensure they ; are aware of any threats or security incidents. We have processes and ; playbooks in place to respond to threats and incidents. ; Varonis responds to incidents according to our internal incident ; management policy and processes which align with industry standards ; and best practices. The Incident Response Team analyses and ; validates each incident, following a pre-defined process and ; documenting each step taken according to Varonis internal policy.
• Incident management type: Supplier-defined controls
• Incident management approach: Varonis has an Incident Response Policy that includes notification to ; the relevant stakeholders (including customers) as needed. Varonis ; will notify customers with all relevant information and cooperate with ; reasonable requests for information. This policy is aligned with ; industry best practices and included preparation, identification, ; reporting, containment, discovery, eradication, recovery, and post ; incident report.; We test our response plans periodically with a red team and a blue ; team. As highly qualified and experienced security professionals and ; forensic experts, our IR team is trained to detect and respond quickly ; to any security incident.

Secure development

• Approach to secure software development best practice: Conforms to a recognised standard, but self-assessed

Public sector networks

• Connection to public sector networks: No

Social Value

• Social Value:

  Social Value

  • Equal opportunity
  • Wellbeing

  Equal opportunity

  • To create an environment in which individual differences and the contributions of all our staff are recognised and valued.; • Every employee is entitled to a working environment that promotes dignity and respect to all. No form of intimidation, bullying or harassment will be tolerated.; • Training, development and progression opportunities are available to all staff.; • To promote equality in the workplace which we believe is good management practice and makes sound business sense.; • We will review all our employment practices and procedures to ensure fairness.; • Breaches of our Equality Policy will be regarded as misconduct and could lead to disciplinary proceedings.; • This policy is fully supported by Senior Management.; • The policy will be monitored and reviewed regularly.

  Wellbeing

  • We promote an open, supportive company culture where employees look out for one another and feel comfortable discussing any difficulties. Mental health is valued equally to physical health.; • Employees have access to confidential counselling, therapy, and other mental health resources through our employee assistance program.; • We encourage taking time off when needed for mental health days in addition to sick days. Employees are trusted to manage their time off responsibly.; • Training is provided to managers on recognizing signs of burnout, ; work overload, and other mental health concerns. Managers work to ; proactively address issues and reduce employee stress.; • Employee workloads and schedules are designed to be reasonable ; and sustainable. ; • Wellness initiatives like meditation breaks, stress management ; workshops, mindfulness programs, and social events are offered ; throughout the year.

Pricing

• Price: £25.55 a licence a year
• Discount for educational organisations: No
• Free trial available: Yes
• Description of free trial: Varonis offers a free Data Risk Assessment - designed specifically for ; your organisation’s needs/outcomes/controls.; These include:; Cyber Resiliency Assessment,; Insider Threat Risk Assessment,; Compliance Risk Assessment (e.g. GDPR),; Ransomware Readiness Assessment,; Data Security Posture Management (DSPM) Assessment,; 3rd-party app risk assessment,; M365 Risk Assessment,; Co-pilot readiness assessment.
• Link to free trial: https://info.varonis.com/en/data-risk-assessment

Service documents

• Pricing document

  PDF

• Service definition document

  PDF

• Terms and conditions

  PDF

Request an accessible format

If you use assistive technology (such as a screen reader) and need versions of these documents in a more accessible format, email the supplier at info@barriernetworks.com. Tell them what format you need. It will help if you say what assistive technology you use.