INTEGRITY360 LIMITED

Varonis Data Security Platform

Varonis specialize in software for data security, governance, compliance, classification, and analytics. Varonis detects insider threats and external cyberattacks like ransomware by analyzing cloud data stores and monitoring user behavior, mitigating risk in M365, Teams, Salesforce, Slack, Box and on-premise file servers by locking down sensitive data and remediating access.

Features

• Full enumeration of all directories and Access Control Lists
• Complete mapping of directory services' user and group membership
• Bi-directional view of permissions and access to every directory
• Full auditing for file data, email, and Directory Service action
• Over 150 predefined threat models for advanced and real-time alerts
• Pre-defined classification rules including full GDPR coverage, PCI, and more
• Permissions and membership change
• Advanced investigation and forensics dashboard interface
• Enterprise search to facilitate Data Subject Access Requests
• Comprehensive storage platform and file system support

Benefits

• Prioritise the most at-risk data and remediate to least-privilege access
• Automated remediation at scale
• Analyse user and device behaviour for signs of inappropriate behaviour
• Automate alert responses to minimise impact of ransomware/other threats
• Identify and eliminate/manage stale and toxic data to reduce risk
• Help satisfy auditing and compliance requirements
• Increase efficiency through business user access provisioning and entitlement re-certification
• Automate disposition, quarantining, and data policy enforcement
• Increase operational efficiency, devolving responsibility from IT to data owners
• Provide identity, access and analytics data for security ecosystem integrations

£6.49 a licence

• Free trial available

Service documents

• Pricing document

  PDF

• Service definition document

  PDF

• Terms and conditions

  PDF

• Modern Slavery statement

  PDF

Request an accessible format

If you use assistive technology (such as a screen reader) and need versions of these documents in a more accessible format, email the supplier at bidreviewboard@integrity360.com. Tell them what format you need. It will help if you say what assistive technology you use.

Framework

G-Cloud 13

Service ID

826101772222067

Contact

Davide Poli
02083721000
bidreviewboard@integrity360.com

Service scope

• Service constraints: EULA Governance ; Varonis can be implemented in your own cloud environment. The Varonis architecture requires to be run on Microsoft Windows Server with Active Directory for security and SQL Server for data storage, but can monitor and manage a plethora of Microsoft/LDAP/Linux/UNIX/NAS platforms
• System requirements:
  • On prem:
  • DA Cloud: Virtual machines running in AWS
  • Linux OS
  • Windows server 2008 R2 SP2 or newer
  • Cloud:
  • .NET framework 4.7.2 and 3.5 SP1 installed on all nodes
  • Microsoft SQL Server 2014/2016/2017 - standard/enterprise

User support

• Email or online ticketing support: Email or online ticketing
• Support response times: Varonis standard support is available Monday to Friday from 9am to 9pm local time. 24/7 support can be accessed for an additional cost.
• User can manage status and priority of support tickets: Yes
• Online ticketing support accessibility: WCAG 2.1 AA or EN 301 549
• Phone support: Yes
• Phone support availability: 9 to 5 (UK time), Monday to Friday
• Web chat support: No
• Onsite support: Yes, at extra cost
• Support levels: Varonis Support has 3 tiers of response- FLS (T1), Tier2, Tier 3. Most cases that are open by SEs/Partners/customers will be received by FLS, and escalated according to need. ; SLA is defined upon the level of Support Services the customer has purchased and the severity of the case. ; For further details, please see ""Varonis Support Principles"" document
• Support available to third parties: Yes

Onboarding and offboarding

• Getting started: Training and Education available from Varonis. Caretower can also provide professional services to help install and configure the solution at a cost.
• Service documentation: Yes
• Documentation formats: HTML
• End-of-contract data extraction: Varonis can be implemented in your own cloud environment. You control who has access to your Varonis environment, and we do not have access to your data or facilities. Varonis Systems does not host, process, or maintain access to any customer data or facilities. All data processing is performed at the customer facility, under the control of customer staff
• End-of-contract process: Varonis can be implemented in your own cloud environment. You control who has access to your Varonis environment, and we do not have access to your data or facilities. Varonis Systems does not host, process, or maintain access to any customer data or facilities. All data processing is performed at the customer facility, under the control of customer staff

Using the service

• Web browser interface: Yes
• Using the web interface: The Data Security Platform Web Interface enables users to review high-level summarized data via metrics in dashboards and perform investigation flows based on the data collected by DatAdvantage.
• Web interface accessibility standard: None or don’t know
• How the web interface is accessible: Apache Solr and Zookeeper must be installed to access the Varonis Web Interface.
• Web interface accessibility testing: As a company with more than 7,000 customers we regularly get feedback from our customers and throughout the years improved accordingly.
• API: Yes
• What users can and can't do using the API: Yes - but it's supplemental, the service can be used without an API
• API automation tools: Other
• Other API automation tools: Please refer to Varonis Portal
• API documentation: Yes
• API documentation formats: Other
• Command line interface: No

Scaling

• Scaling available: No
• Independence of resources: Conducting a proper sizing of the system prior deployment. In addition, the system has many internal mechnisms (queuing, back-pressure, etc) to cope with high load.
• Usage notifications: Yes
• Usage reporting: API

Analytics

• Infrastructure or application metrics: Yes
• Metrics types: Other
• Other metrics:
  • Some metrics are collected (memory, cpu etc)
  • But are not customer-facing
• Reporting types: Reports on request

Resellers

• Supplier type: Reseller providing extra support
• Organisation whose services are being resold: Varonis

Staff security

• Staff security clearance: Other security clearance
• Government security clearance: Up to Developed Vetting (DV)

Asset protection

• Knowledge of data storage and processing locations: Yes
• Data storage and processing locations: Other locations
• User control over data storage and processing locations: No
• Datacentre security standards: Supplier-defined controls
• Penetration testing frequency: At least once a year
• Penetration testing approach: Another external penetration testing organisation
• Protecting data at rest: Other
• Other data at rest protection approach: N/A for the on-prem SW. For the cloud SW - we rely on AWS. Operating System (OS) level encryption can be utilized, such as BitLocker encryption to encrypt data at rest.
• Data sanitisation process: Yes
• Data sanitisation type: Explicit overwriting of storage before reallocation
• Equipment disposal approach: Complying with a recognised standard, for example CSA CCM v.30, CAS (Sanitisation) or ISO/IEC 27001

Backup and recovery

• Backup and recovery: Yes
• What’s backed up:
  • The DatAdvantage installation and its data can be backed up
  • With any software. However, all MS SQL installations in the
  • DatAdvantage system must use the simple recovery mode.
• Backup controls: Via Portal
• Datacentre setup: Multiple datacentres with disaster recovery
• Scheduling backups: Supplier controls the whole backup schedule
• Backup recovery: Users contact the support team

Data-in-transit protection

• Data protection between buyer and supplier networks:
  • TLS (version 1.2 or above)
  • Other
• Other protection between networks: Varonis uses a layered security strategy as part of a defence in depth approach to detect and respond to threats targeting our environment. The layered security strategy includes industry recognized premier solutions for perimeter, network, endpoint, cloud, and data security (i.e. Firewalls, SIEM, AV, EDR, Encryption, Network Segmantation, Content Filtering, Access Control, least-privilege, etc.). The defence in depth approach includes other security preparations other than directly protective which address such concerns as:; ; 1) Monitoring, alerting, and emergency response; 2) Authorized personnel activity accounting; 3) Disaster recovery and business continuity; 4) Criminal activity reporting; 5) Forensic analysis
• Data protection within supplier network: TLS (version 1.2 or above)

Availability and resilience

• Guaranteed availability: 99%, subject to commerical agreement
• Approach to resilience: There is an established business resiliency program that has been approved by management, communicated to appropriate constituents, and an owner to maintain and review the program
• Outage reporting: We currently not support status updates.

Identity and authentication

• User authentication:
  • 2-factor authentication
  • Username or password
  • Other
• Other user authentication: SSO based on AD/Azure AD ; IAM authentication with Active Directory and Varonis user credentials
• Access restrictions in management interfaces and support channels: Permission and Role based
• Access restriction testing frequency: At least every 6 months
• Management access authentication:
  • 2-factor authentication
  • Username or password
  • Other
• Description of management access authentication: SSO based on AD/Azure AD
• Devices users manage the service through: Directly from any device which may also be used for normal business (for example web browsing or viewing external email)

Audit information for users

• Access to user activity audit information: Users have access to real-time audit information
• How long user audit data is stored for: Less than 1 month
• Access to supplier activity audit information: Users contact the support team to get audit information
• How long supplier audit data is stored for: Between 1 month and 6 months
• How long system logs are stored for: Between 1 month and 6 months

Standards and certifications

• ISO/IEC 27001 certification: Yes
• Who accredited the ISO/IEC 27001: The Standards Institution of Israel
• ISO/IEC 27001 accreditation date: 22/05/2018
• What the ISO/IEC 27001 doesn’t cover: N/A
• ISO 28000:2007 certification: No
• CSA STAR certification: No
• PCI certification: No
• Cyber essentials: No
• Cyber essentials plus: No
• Other security certifications: Yes
• Any other security certifications:
  • SOC 2 Type 2
  • ISO/IEC 27701
  • ISO/IEC 27018:2019
  • ISO/IEC 27017:2015

Security governance

• Named board-level person responsible for service security: Yes
• Security governance certified: Yes
• Security governance standards: ISO/IEC 27001
• Information security policies and processes: Check varonis.com/trust

Operational security

• Configuration and change management standard: Supplier-defined controls
• Configuration and change management approach: The change management process includes communication to the relevant stakeholders and business owner and security team approvals
• Vulnerability management type: Supplier-defined controls
• Vulnerability management approach: Varonis has a Vulnerability and Threat Management Policy. Varonis systems are scanned and results are reviewed by the CISO and IT departments. Security vulnerabilities are remediated within the timeline defined within the policy which includes procedures decided by the CISO for zero-day and other urgent patches.
• Protective monitoring type: Supplier-defined controls
• Protective monitoring approach: Varonis uses a layered security strategy as part of a defence in depth approach to detect and respond to threats targeting our environment. The layered security strategy includes industry recognized premier solutions for perimeter, network, endpoint, cloud, and data security (i.e. Firewalls, SIEM, AV, EDR, Encryption, Network Segmentation, Content Filtering, Access Control, least-privilege, etc.). The defence in depth approach includes other security preparations other than directly protective which address such concerns as:; ; 1) Monitoring, alerting, and emergency response; 2) Authorized personnel activity accounting; 3) Disaster recovery and business continuity; 4) Criminal activity reporting; 5) Forensic analysis
• Incident management type: Supplier-defined controls
• Incident management approach: Varonis has an Incident Response Policy that includes notification to the relevant stakeholders (including customers) as needed. Varonis will notify customers with all relevant information and cooperate with reasonable requests for information. This policy is aligned with industry best practices and included prepartion, identification, reporting, containment, discovery, eradication, recovery, and post incident report.

Secure development

• Approach to secure software development best practice: Independent review of processes (for example CESG CPA Build Standard, ISO/IEC 27034, ISO/IEC 27001 or CSA CCM v3.0)

Separation between users

• Virtualisation technology used to keep applications and users sharing the same infrastructure apart: Yes
• Who implements virtualisation: Supplier
• Virtualisation technologies used: Hyper-V
• How shared infrastructure is kept separate: N/A

Energy efficiency

• Energy-efficient datacentres: Yes
• Description of energy efficient datacentres: We are using AWS

Social Value

• Fighting climate change:

  Fighting climate change

  We continuously strive to minimize the impact of our operations on the environment, while maximizing sustainable business practices to better serve our employees, customers, partners, shareholders and communities.
• Tackling economic inequality:

  Tackling economic inequality

  We support and strengthen our local communities by enabling employees to donate time and resources where they are most passionate, by investing in causes that have a positive social impact, and by providing skills to people around the world to help maximize their full potential. Through our giving back program, our employees have helped hundreds of students realize more of their limitless potential with consistent, hands on mentoring in life skills and academic subjects.
• Equal opportunity:

  Equal opportunity

  We are dedicated to the success of Varonis employees worldwide through an inclusive workplace experience that supports their growth and well-being. We are committed to hiring the best talent and bringing together individuals across unique backgrounds, cultures and identities. We are proud to have been recognized as one of the top places to work in several of our locations, including New York City and North Carolina. "Modern Slavery Statement : https://info.varonis.com/hubfs/Website_Reboot/Policies/Varonis%20(UK)%20Limited%20Modern%20Slavery%20Statement.pdf?hsLang=en Code of Business Conduct and Ethics:; https://s1.q4cdn.com/401483577/files/doc_downloads/2020/04/08/CODE-OF-BUSINESS-CONDUCT-AND-ETHICS.pdf

Pricing

• Price: £6.49 a licence
• Discount for educational organisations: No
• Free trial available: Yes
• Description of free trial: Customers are provided an evaluation of our platform to use for 30 days.; Evaluations are provided by our sales and engineering team.

Service documents

• Pricing document

  PDF

• Service definition document

  PDF

• Terms and conditions

  PDF

• Modern Slavery statement

  PDF

Request an accessible format

If you use assistive technology (such as a screen reader) and need versions of these documents in a more accessible format, email the supplier at bidreviewboard@integrity360.com. Tell them what format you need. It will help if you say what assistive technology you use.