Vormetric Data Security Use Cases


Safeguarding Data with Privileged User Access Control Management

The Flaw in the System

Since the introduction of multi-user computer systems over 40 years ago, there has been a fundamental flaw in their security architecture. The flaw? - The concept of a Root User, Domain Administrator, System Administrator or other high level computer operator – and their user data access rights. These users have always had access to every aspect of a system – software installation, system configuration, user creation, networking, resource allocation and more, as well as user access to all the data associated with the system.

These user access accounts exist because of the need for system maintenance and management. But, as systems have become more closely interlinked and with increasing amounts of private and confidential data accessible to them, there is increased risk from privileged user account access.

Compounding this are the ways that many enterprise IT departments have traditionally done business, and the advent of new technologies and threats:

  • Rights too broadly assigned- Superuser privileges are often assigned to DBAs, application developers, SysAdmins and others that don’t have a real “need” for this level of user access to private and confidential data
  • Sharing of privileged user access accounts– Traditionally, many IT departments allowed unrestricted sharing of privileged user access accounts (logins and passwords), leading to a loss of personal accountability
  • Cloud, virtualization and big data expand the threat- With each new technology layer used as part of system deployment and management new privileged user roles are created
  • Advanced Persistent Threat (APT) attacks target privileged accounts–Attackers have now found that if you want user access to everything, you want to compromise privileged user accounts and their system and data access rights. Though they may initially enter through less sensitive user accounts – privileged user credentials are a primary target.

The Vormetric Data Firewall enables privileged user to do their jobs, and never see protected data

The Solution – The Vormetric Data Security Platform

Allow Privileged Users to access and manage systems without risk to protected data

The tasks performed by privileged users to maintain, repair and initiate systems are not optional – these roles exist in order to meet essential requirements for all enterprise environments. What’s needed is to enable these privileged users to perform their tasks, while removing their ability to access private and confidential data. And when a category of privileged user account has a legitimate need for access to this sensitive data, to have the information available that allows identification of anomalous usage patterns that may indicate that the privileged user account has been compromised.

Transparent– The Vormetric Data Security Platform meets privileged user management needs with a transparent solution - enabling critical system processes to continue, without exposing data.Using protections at the file system and volume level, the privileged user access management solution allows the meta-data and file system structure to be seen by administrators, but reveals only encrypted data to these accounts. At the same time, processes and privileged users that legitimately require access (such as a database process to a database table file) have access to unencrypted data (cleartext).

Strong– The Vormetric solution firewalls your data – using a policy driven approach, linked to LDAP and system accounts, that provides granular access to protected structured information (in databases) or unstructured data (in file systems) by process, user, time and other parameters. Vormetric even monitors and prevents user access by tracking how users become their role. If a Root user creates a new account with data access rights, then escalates to become that account, our privileged user management solution will still identify that user account with the Root user and prevent access to cleartext data. The result of this approach – Privileged users can manage systems without risk of exposure to protected information

Efficient– Vormetric Encryption is a high performance, low overhead solution, leveraging the AES NI hardware encryption built into Intel x86 processors. The result: Minimal changes to response times for operational processes.

Easy– Deployments in days to weeks, not weeks to months, across physical systems, cloud, big data, and virtualized environments that are easy to manage, easy to understand.

Meet Critical Enterprise Requirements

Organizations that need to protect data from the inherent risks of privileged users must do so in order to meet critical requirements:

  • Meet Compliance Requirements– Segregation of roles by user type to protect specific data types such as credit card information for PCI-DSS and Personally Identifiable Information (PII) under the US HIPAA/HITECH acts.
  • Prevent Data Breaches– Data breach laws such as US Federal and State data protection laws, the EU Data Protection Directive, South Korea’s Personal Information Protection Act (PIPA) and the UK Data Protection Act pose fines and costly notification requirements on loss of protected data.
  • Safeguarding Intellectual Property– With government sponsored attacks a reality for manufacturers and infrastructure providers, and their primary target intellectual property (IP), organizations now need to secure data from both malicious insiders as well as from partners and contractors

Vormetric Data Security Elements for Privileged User Management

Vormertic Seamlessly Protects Big Data Environments

Vormetric Encryption seamlessly protects enterprise environments at the file system and volume level from the risks posed by privileged user access. The privileged user access control management allows organizations to secure of their data – with no changes to the operation of the applications or to system administration.

Data Security Platform– Using high performance encryption along with privileged user access controls to provide multi-layer data protection, it protects against both internal and external threats to data.

Encryption and Key Management– Vormetric provides the strong, centrally managed, encryption and key management that enables compliance and is transparent to processes, applications and users.

Fine-grained Access Controls– Vormetric provides fine-grained, policy-based user access controls that restrict user access to encrypted data –ensuring that data is decrypted only for authorized users and processes.

Security Intelligence – Vormetric logs capture all access attempts to protected data, providing high value security intelligence information that can be used with a Security Information and Event Management (SIEM) solution to identify compromised accounts and malicious insiders.

Automation– For fast rollouts and integration with existing infrastructure , both web and command line level APIs provide access to the Vormetric Data Security environment for policy management, deployment and monitoring.


Insider Threat: Edward Snowden – NSA

Big Data, Big Risk – Protect What Matters

Insider threats: The potential of damage from insider threats, such as Edward Snowden who worked at the NSA. More Videos



100% of breaches involved stolen credentials

Mandiant –
April 2013




 With commercial tools, such as Vormetric, you can actually give certain people certain access without root-level privileges. You can encrypt your data in storage to set up roles of who actually gets to see the data. The admins can do their jobs, and they don’t get access to any data files. 

Robert Bigman,
former CISO at the CIA
GovInfoSecurity – June 21, 2013

 I've been a systems engineer, systems administrator … When you're in positions of privileged access like a systems administrator for the intelligence community, you're exposed to a lot more information on a broader scale than the average employee 

Edward Snowden
– Former infrastructure analyst at the NSA – June 2013


Encryption Architecture

Safeguarding Data with Privileged User Access ControlsDownloadRead More



Customer and Partner Success

  • Rackspace Cloud Partners
  • McKesson
  • AWS
  • Google Compute Engine
  • Microsoft
  • IBM
  • CenturyLink
  • FireHost
  • QTS
  • Teleperformance Secures
  • Delta Dental