Access control technology helps Arnold Worldwide protect client data, meet compliance requirements

Dark Reading Staff, Dark Reading

July 25, 2008

4 Min Read

In the high-risk, high-reward advertising industry, Arnold Worldwide has been a winner. In fact, it has helped to formulate the advertising plans for a whole range of heavyweights, including ESPN, Fidelity Investments, Hershey’s, Tyson Foods, and Vonage. Yet, although these client are happy with the ad agency’s creativity, they haven't always been enamored with the company’s IT environment.

That’s because, just a few years ago, Arnold was answering the question, “Are you sure that no one else is looking at our confidential data?” with a shrug of the shoulders, a scratch on the cheek, and a lot of stammering. The ad agency needed a better way of controlling and auditing data access.

It wasn't a simple challenge. Arnold has a distributed workforce. The bulk of the company’s 900 employees are stationed in its headquarters in Boston, but others work in satellite offices in New York City, Los Angeles, Milwaukee, Philadelphia, and McLean, Va. The agency serves mainly North American companies, but it has an office in London to support its European clients.

Like many other well established companies, the advertising agency has been moving to make its systems compliant with emerging regulatory requirements, such as Sarbanes-Oxley. After an initial checkup in 2005, Arnold found itself in good shape -- except for a few blank spots on its compliance report that questioned how the company protected its own, as well as its clients’, confidential data.

“We had password-protected the information and put policies in place to guard against data intrusion, but more was needed,” admits Greg Folsom, senior vice president and IT director at Arnold Worldwide.

The main issue was controlling data access. Problems could arise if employees switched departments or accounts -- the ad agency was not sure that the users’ new sets of privileges moved along with them. Also, the company lacked a good logging facility, so it was unclear which individuals had access to what applications.

The issue percolated on the back burner in 2006. At that time, the IT staff was on the lookout for compliance packages, but its evaluation process was ad hoc. Whenever vendors (Folsom isn’t sure which products the company looked at) notified the company about product demonstrations at local tradeshows or as part of their ongoing road shows, Arnold IT professionals came and took a peek.

In the fall of 2006, Arnold's IT team finally found an answer: Varonis Systems’ DatAdvantage, which seemed effective yet simple to deploy. The vendor agreed to supply the advertising company with a trial package, which ran for a few months. “Initially, we were leery of loading agents onto servers which had been performing well, but system performance was not impacted,” says Folsom.

Arnold then decided to switch from a trial run to a production system (Folsom declines to say how much the company spent) as the year ended. “We liked what we saw. Why examine 500 different products when the one we had did what we needed?” Folsom asks.

By early 2007, Varonis Systems’ DatAdvantage was monitoring data access for all of Arnold’s unstructured data files. The tool shows which users touch what unstructured data files, how much disk space is being used, and whether any changes are made to documents on file servers. With the product’s logging function, the advertising agency can definitively tell clients that no unauthorized users have accessed their information.

If Varonis has a drawback, it's that it's too flexible, Folsom says, noting that it can be difficult to determine which features to use and which to ignore. Even though it has used the product for a year, Arnold is still trying to make those decisions.

The vendor provided ad-hoc training, which enabled Arnold to get the system up and running quickly. However, the company had difficultly remembering how to fine-tune the system later on. The agency would have preferred a more formalized training, such as a series of Webinars, according to Folsom.

To date, however, the benefits of being fully compliant with Sarbanes Oxley requirements outweigh any of the product's drawbacks. And with the new system in place, Arnold is now confident that it can handle its clients’ IT questions, as well as their advertising queries.

Have a comment on this story? Please click "Discuss" below. If you'd like to contact Dark Reading's editors directly, send us a message.

About the Author(s)

Dark Reading Staff

Dark Reading

Dark Reading is a leading cybersecurity media site.

Keep up with the latest cybersecurity threats, newly discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

You May Also Like


More Insights