Managing permissions is a colossal job fraught with peril, and over-permissive folders are the bane of InfoSec and a hacker’s delight. Many organizations employ Identity and Access Management (IAM) to help manage and govern access to applications and other corporate resources.
One of the challenges that remains after implementing an IAM solution, however, is how to apply its principles to unstructured data. IAM may be able to help you manage group memberships in Active Directory, but can’t tell you which data each group gives access to. It’s like managing the keys on a keyring without knowing which doors they unlock.
That’s where Varonis comes in. DatAdvantage has a bi-directional permissions view: double-click on a folder, site, or mailbox to see who has access to it, or click on a user or group to see everything they can access across all your data stores.
Our customers often find that IAM is overprovisioning access based on roles, and Varonis will bring attention to those issues and help you fix them.
Varonis integrates with IAM solutions to enhance and extend their capabilities, bringing the two together into a holistic data security solution.
How Varonis Integrates with IAM
Varonis DataPrivilege enhances the IAM process by taking the IT staff out of the approval chain for data access and putting that decision back with the data owners. Once that’s taken care of, you can implement a workflow to maintain least privilege permissions.
Varonis facilitates these integrations through both SOAP and REST APIs. With the API, you can synchronize managed data with your IAM/ITSM solution, and return instructions to DataPrivilege to execute and report on requests and access control changes. You’ll be able to use the integration to externally control DataPrivilege entitlement reviews, self-service access workflows, ownership assignment, and more.
The integrations allow for several standard use cases:
- Data-Side Entitlement Review: From the IAM system, a user can request a report of the permissions on a folder for auditing, with options for removal
- Line Manager User-Side Entitlement Review: A manager selects one of their direct reports to pull a list of all groups that user is a member of and the permissions they hold, and can request changes directly from the list
- Self Service Access Request Workflow: Users request folder or group access, and DataPrivilege manages the approval process
- Provisioning/Deprovisioning Workflow: Creating a new user in the IAM triggers a process to provide that user with standard permissions based on their job function, and conversely deprovisioned users get removed from all groups, so there are no orphaned accounts left in groups
Advantages of Adding Varonis to Your IAM Strategy
If you have an IAM solution or are planning to implement one as part of your 2018 data security initiatives, we’ll show you how to get even more out of it by integrating with the Varonis Data Security Platform. Request a personalized demo to get started.