Automating Permissions Cleanup: An In-Depth ROI Analysis

Michael Buckbee
4 min read
Last updated June 9, 2023

Implementing a least privilege model can be time-consuming and expensive, but it is important in any data security strategy. The Varonis Automation Engine helps you automate the process and drastically reduces the time required to get there.

Previously, we discussed automating data access requests to achieve incredible ROI by cutting down on help desk tickets. We also briefly mentioned the enormous amount of work involved in finding and fixing global access, a task which can drastically reduce the risk of data leaks and security breaches.

But what goes on behind the curtain? And how much work and expertise is required to remediate overly permissive folders to get to a least privilege model? Let’s take a look.


The global access epidemic

Overexposed data is a common security vulnerability that we see. In fact, our 2017 Data Risk Report revealed that 47% of companies have at least 1,000 sensitive files open to everyone in the company. This issue often stems from the default Global Access groups like Everyone or Authenticated Users.

(Screenshot) This is an example of a common issue we see: Everyone has Read and Write access to the Legal folder.

Every hacker in the universe knows how to hunt for globally exposed files on the command line. Once a hacker has control of any account in this company, they automatically have free rein over all the data in the Legal folder, and who knows what else.

Here’s what remediating this issue might look like in practice:

  • Create a role-based Legal group for the legal team (if it doesn’t already exist)
  • Work with the business stakeholders to validate the group members
  • Add the Legal group to the ACL
  • Remove the Everyone group from the top-level ACL
  • Wait for the users that aren’t in the Legal group to call with complaints that they can’t access their data

On average, it takes about 6 hours to locate and manually remove the global access groups, create and apply new groups, and subsequently populate them with the right users that need access to the data.
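The first four steps above, as an added PowerShell example (not Varonis code): it copies each explicit Allow ACE held by a global access group onto a role-based group and then removes the global ACE. It assumes a Windows file server with NTFS permissions, that the role group (the `CONTOSO\Legal` name below is a placeholder) already exists in Active Directory, and that its membership has been validated with the business first.

```powershell
# Added example, not part of the original post. Replaces "global access" ACEs on one
# folder with a role-based group, following the remediation steps listed above.
function Repair-GlobalAccess {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [Parameter(Mandatory)] [string] $Path,        # e.g. \\fileserver\Shares\Legal
        [Parameter(Mandatory)] [string] $RoleGroup,   # e.g. CONTOSO\Legal (placeholder)
        # Principals that make a folder "open to everyone in the company"
        [string[]] $GlobalPrincipals = @('Everyone', 'NT AUTHORITY\Authenticated Users', 'BUILTIN\Users')
    )

    $acl = Get-Acl -Path $Path
    # Only explicit (non-inherited) Allow ACEs can be removed here. Inherited ones
    # must be fixed on the parent folder where they are actually defined.
    $globalAces = @($acl.Access | Where-Object {
        -not $_.IsInherited -and
        $_.AccessControlType -eq 'Allow' -and
        $GlobalPrincipals -contains $_.IdentityReference.Value
    })
    if ($globalAces.Count -eq 0) {
        Write-Verbose "$Path has no explicit global access ACEs"
        return
    }

    foreach ($ace in $globalAces) {
        # Step 3: grant the role group exactly the rights the global group had
        # (same rights, same inheritance and propagation flags) ...
        $roleAce = New-Object System.Security.AccessControl.FileSystemAccessRule -ArgumentList @(
            $RoleGroup, $ace.FileSystemRights, $ace.InheritanceFlags,
            $ace.PropagationFlags, $ace.AccessControlType)
        $acl.AddAccessRule($roleAce)
        # Step 4: ... then remove the global group's ACE from the ACL.
        $acl.RemoveAccessRuleSpecific($ace)
        Write-Verbose ('{0}: {1} -> {2} ({3})' -f $Path, $ace.IdentityReference, $RoleGroup, $ace.FileSystemRights)
    }

    # -WhatIf reports the change without committing it; review that output before
    # running again without -WhatIf so step 5 (surprised users) never happens.
    if ($PSCmdlet.ShouldProcess($Path, "Replace global access ACEs with $RoleGroup")) {
        Set-Acl -Path $Path -AclObject $acl
    }
}

# Dry run first, then drop -WhatIf to commit.
Repair-GlobalAccess -Path '\\fileserver\Shares\Legal' -RoleGroup 'CONTOSO\Legal' -WhatIf -Verbose
```

Run it against one folder at a time and compare the verbose output with who actually uses the data before committing; the script changes nothing until `-WhatIf` is removed.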

The cost of manually fixing permissions

How many teams do you have? How many folders do you have on your main storage?

Whatever that number is, multiply it by 6 and you’ll have a rough estimate of how long it’s going to take to rid your environment of global access.

For 1,000 folders, that’s 6,000 human hours of work. That’s 250 days, or 50 work weeks. It’s a lot of work, and that’s why permissions management is still a huge job. So let’s do a quick cost analysis of this situation.

To get started, it’s likely going to require several people of varying levels of seniority to manage and implement the move to a least privilege model. Typically, this requires a 3-person team: a senior leader who makes $100/hour unloaded, a sysadmin who makes $50/hour, and a junior team member who makes $25/hour.

Math (each team member contributing 2,000 of the 6,000 hours): (2,000 × $100) + (2,000 × $50) + (2,000 × $25) = $350,000

So for our 3-person team, the total spend to get 1,000 folders to least privilege is a $350,000 investment over 250 total work days. And that only covers 1,000 folders.

How many folders do you have on your main storage?

The amount of enterprise data generated by an average-sized organization in the 21st century is staggering on a slow day, and it far exceeds that 1,000-folder baseline.

Not only is permissions cleanup time-consuming, but there’s risk involved with making such a broad change. What if you accidentally crash a mission-critical application that needs write access to a folder you’ve just remediated?

So how can we remediate global access quickly and safely?

A 3,600% efficiency gain with DatAdvantage

When everyone can access data, it’s very difficult to know who among the large set of potential users actually needs that access. But if we know exactly who’s touching the data, we can be surgical about reducing access without causing any headaches.

DatAdvantage continually monitors and analyzes data access and correlates that activity to access control lists to highlight which users would be impacted if you removed global access. You can run a simulation in a sandbox and commit the changes when you’re happy with the projected outcome.

That means you can safely remediate access to all of the high-risk data without risking productivity. You can actually fix the problem without getting in anyone’s way.

DatAdvantage reduces the time it takes to remediate those global access group permissions to less than 10 minutes per folder.

That’s a 3,600% efficiency gain!

On top of that, you can reduce the resources required to maintain and manage these permissions, bringing that 3 person team down to 1.

Our new calculation then goes like this:

((10 minutes * 1000 folders) / 60 min) * $25 + Software cost = $4,166 in 166 hours!

The job went from a major capital investment to a quick month-long project with a small upfront software cost.

Staggering ROI with Automation Engine

Countless Varonis customers have had success remediating global access and other hard-to-fix permissions issues with DatAdvantage alone, but many of them started asking, “Can you fix these issues automatically?”

Enter the Varonis Automation Engine. If you can tackle hundreds of folders per day with a small team leveraging DatAdvantage, you can remediate thousands of folders per day with the Automation Engine.

Once configured, the Automation Engine will safely remove global access groups by replacing them with single purpose groups, putting the right users in every time. With flexible configuration options, you can fix tactical issues on a folder-by-folder basis or perform complete global remediation.

Automation is the future

Global access groups with permissions to your sensitive data are like leaving the vault door open with a giant neon sign that says “FREE!” hanging on the outside of your building. Getting to a least privilege model ultimately saves time and resources, closes that vault door, and locks it down.

And once you’re there, you still need to keep an eye on inconsistent ACLs: the permissions that are supposed to be inheriting access but are different from the parent. Even a single folder with an inconsistent ACL that contains sensitive data can be a major security issue. Compounding this problem, remediating inconsistent ACLs is another time-consuming and tedious process without automation.
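Finding those inconsistent ACLs by hand, as an added PowerShell example (not Varonis code): it walks a share tree and reports every folder where inheritance has been disabled or explicit ACEs have been added below the top level, which are exactly the folders whose permissions no longer match the parent. The `\\fileserver\Shares` root is a placeholder; the function assumes a Windows file server with NTFS permissions.

```powershell
# Added example, not part of the original post. Lists folders whose ACL diverges
# from the parent so they can be reviewed (and, if unintended, re-inherited).
function Find-InconsistentAcl {
    param([Parameter(Mandatory)] [string] $Root)   # e.g. \\fileserver\Shares (placeholder)

    Get-ChildItem -LiteralPath $Root -Directory -Recurse -ErrorAction SilentlyContinue |
        ForEach-Object {
            $acl = Get-Acl -LiteralPath $_.FullName
            # Explicit ACEs are the ones that did not flow down from the parent.
            $explicit = @($acl.Access | Where-Object { -not $_.IsInherited })
            # Inheritance switched off ("protected") or extra ACEs both mean the
            # folder's effective permissions differ from what the parent grants.
            if ($acl.AreAccessRulesProtected -or $explicit.Count -gt 0) {
                [pscustomobject]@{
                    Path                = $_.FullName
                    InheritanceDisabled = $acl.AreAccessRulesProtected
                    ExplicitAceCount    = $explicit.Count
                    ExplicitAces        = ($explicit | ForEach-Object {
                        '{0}:{1}:{2}' -f $_.IdentityReference, $_.AccessControlType, $_.FileSystemRights
                    }) -join '; '
                }
            }
        }
}

# Report, worst first: folders that both broke inheritance and added explicit ACEs.
Find-InconsistentAcl -Root '\\fileserver\Shares' |
    Sort-Object InheritanceDisabled, ExplicitAceCount -Descending |
    Format-Table -AutoSize
```

Pipe the output to `Export-Csv` to hand the list to data owners; the scan itself only reads ACLs and changes nothing.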

The Automation Engine not only takes the guesswork out of it for you, but frees up your team to focus on bigger and better things. You’ll be able to automatically fix inconsistent ACLs on folders, a hierarchy, or even an entire server – and eliminate inconsistent file permissions.

Ready to take stock of your current situation? Get a free Risk Assessment and we’ll show you where those global access groups are and how much data is vulnerable.

Want to skip the line and see the Automation Engine in action? Click here for a demo.
