Automating Permissions Cleanup: An In-Depth ROI Analysis

Michael Buckbee
4 min read
Last updated June 9, 2023

Implementing a least privilege model can be time-consuming and expensive, but it is important in any data security strategy. The Varonis Automation Engine helps you automate the process and drastically reduces the time required to get there.

Previously, we discussed automating data access requests to achieve incredible ROI by cutting down on help desk tickets. We also briefly mentioned the enormous amount of work involved in finding and fixing global access, a task which can drastically reduce the risk of data leaks and security breaches.

But what goes on behind the curtain? And how much work and expertise is required to remediate overly permissive folders to get to a least privilege model? Let’s take a look.

The global access epidemic

Overexposed data is a common security vulnerability that we see. In fact, our 2017 Data Risk Report revealed that 47% of companies have at least 1,000 sensitive files open to everyone in the company. This issue often stems from the default Global Access groups like Everyone or Authenticated Users.

[Figure: The Global Access Epidemic] This is an example of a common issue we see: Everyone has Read and Write access to the Legal folder.

Every hacker in the universe knows how to hunt for globally exposed files on the command line. Once a hacker has control of any account in this company, they automatically have free rein over all the data in the Legal folder, and whatever else is exposed the same way.

Here’s what remediating this issue might look like in practice:

  • Create a role-based Legal group for the legal team (if it doesn’t already exist)
  • Work with the business stakeholders to validate the group members
  • Add the Legal group to the ACL
  • Remove the Everyone group from the top-level ACL
  • Wait for the users that aren’t in the Legal group to call with complaints that they can’t access their data

On average, it takes about 6 hours to locate and manually remove the global access groups, create and apply new groups, and subsequently populate them with the right users that need access to the data.

The cost of manually fixing permissions

How many teams do you have? How many folders do you have on your main storage?

Whatever that number is, multiply it by 6 and you’ll have a rough estimate of how long it’s going to take to rid your environment of global access.

For 1,000 folders, that’s 6,000 human hours of work. That’s 250 days, or 50 work weeks. It’s a lot of work, and that’s why permissions management is still a huge job. So let’s do a quick cost analysis of this situation.

To get started, it’s likely going to require several people of varying levels of seniority to manage and implement the move to a least privilege model. Typically, this requires a 3-person team: a senior leader who makes $100/hour unloaded, a sysadmin who makes $50/hour, and a junior team member who makes $25/hour.

Math: (2,000 hours × $100) + (2,000 hours × $50) + (2,000 hours × $25) = $350,000

So for our 3-person team, the total spend to get 1,000 folders to least privilege is a $350,000 investment over 250 total work days. And that only covers 1,000 folders.

How many folders do you have on your main storage?

The amount of enterprise data generated by an average-sized organization in the 21st century is staggering on a slow day, and it far exceeds that 1,000-folder baseline.

Not only is permissions cleanup time-consuming, but there’s risk involved with making such a broad change. What if you accidentally crash a mission-critical application that needs write access to a folder you’ve just remediated?

So how can we remediate global access quickly and safely?

A 3,600% efficiency gain with DatAdvantage

When everyone can access data, it’s very difficult to know who among the large set of potential users actually needs that access. But if we know exactly who’s touching the data, we can be surgical about reducing access without causing any headaches.

DatAdvantage continually monitors and analyzes data access and correlates that activity to access control lists to highlight which users would be impacted if you removed global access. You can run a simulation in a sandbox and commit the changes when you’re happy with the projected outcome.

That means you can safely remediate access to all of the high-risk data without risking productivity. You can actually fix the problem without getting in anyone’s way.

DatAdvantage reduces the time it takes to remediate those global access group permissions to less than 10 minutes per folder.

That’s a 3,600% efficiency gain!

On top of that, you can reduce the resources required to maintain and manage these permissions, bringing that 3-person team down to 1.

Our new calculation then goes like this:

((10 minutes * 1000 folders) / 60 min) * $25 + Software cost = $4,166 in 166 hours!

The job went from a major capital investment to a quick month-long project with a small up-front software cost.

Staggering ROI with Automation Engine

Countless Varonis customers have had success remediating global access and other hard-to-fix permissions issues with DatAdvantage alone, but many of them started asking, “Can you fix these issues automatically?”

Enter the Varonis Automation Engine. If you can tackle hundreds of folders per day with a small team leveraging DatAdvantage, you can remediate thousands of folders per day with the Automation Engine.

Once configured, the Automation Engine will safely remove global access groups by replacing them with single-purpose groups, putting the right users in every time. With flexible configuration options, you can fix tactical issues on a folder-by-folder basis or perform complete global remediation.

Automation is the future

Global access groups with permissions to your sensitive data are like leaving the vault door open with a giant neon sign that says “FREE!” hanging on the outside of your building. Getting to a least privilege model ultimately saves time and resources, closes that vault door, and locks it down.

And once you’re there, you still need to keep an eye on inconsistent ACLs: the permissions that are supposed to inherit access from the parent but differ from it. Even a single folder with an inconsistent ACL that contains sensitive data can be a major security issue. Compounding this problem is that remediating inconsistent ACLs is another time-consuming and tedious process without automation.

The Automation Engine not only takes the guesswork out of it for you, but frees up your team to focus on bigger and better things. You’ll be able to automatically fix inconsistent ACLs on folders, a hierarchy, or even an entire server – and eliminate inconsistent file permissions.
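To make the three operations this post describes concrete, here is a small added Python model (illustrative code, not Varonis software): the remediation steps for the Legal folder (add the role-based group, remove the global groups), the simulation of which active users that change would cut off, and a check for folders whose ACL should inherit from the parent but differs. Every name, path and audit event in it is constructed sample data.

```python
"""Toy model of global-access remediation: ACLs as lists of ACEs, group membership
as a dict, and an audit trail of who actually touched the folder. All data is constructed."""
from dataclasses import dataclass

GLOBAL_GROUPS = {"Everyone", "Authenticated Users"}  # the default groups the post names


@dataclass(frozen=True)
class Ace:
    principal: str  # user or group name
    rights: str     # "R" or "RW"


def remediate(acl, new_group):
    """Add the role-based group to the ACL and remove every global access group."""
    kept = [ace for ace in acl if ace.principal not in GLOBAL_GROUPS]
    return kept + [Ace(new_group, "RW")]


def effective_users(acl, groups):
    """Expand the ACL into the users it grants access to. A global group means
    'anyone', which is reported as a wildcard flag rather than enumerated."""
    users, wildcard = set(), False
    for ace in acl:
        if ace.principal in GLOBAL_GROUPS:
            wildcard = True
        else:
            users |= groups.get(ace.principal, {ace.principal})  # bare name = a user
    return users, wildcard


def impacted_users(acl, groups, access_log, new_group):
    """Users seen in the audit trail who would lose access after remediation:
    the people (and service accounts) who would otherwise call the help desk."""
    allowed, _ = effective_users(remediate(acl, new_group), groups)
    active = {event["user"] for event in access_log}
    return active - allowed


def inconsistent_acls(tree):
    """Paths whose ACL is marked as inheriting but differs from the parent's ACL."""
    return sorted(path for path, (parent, inherits, acl) in tree.items()
                  if inherits and parent and set(acl) != set(tree[parent][2]))


# Constructed sample data modelled on the post's Legal folder.
LEGAL_ACL = [Ace("Everyone", "RW"), Ace("Domain Admins", "RW")]
GROUPS = {"Legal": {"alice", "bob"}, "Domain Admins": {"admin1"}}
ACCESS_LOG = [{"user": "alice", "action": "read"}, {"user": "bob", "action": "write"},
              {"user": "carol", "action": "read"},       # not in Legal: would lose access
              {"user": "svc_backup", "action": "read"}]  # service account: an app could break
TREE = {"Legal": (None, False, LEGAL_ACL),
        "Legal/Contracts": ("Legal", True, LEGAL_ACL),             # consistent with parent
        "Legal/Payroll": ("Legal", True, [Ace("Everyone", "R")])}  # inconsistent ACL
```

Running `impacted_users(LEGAL_ACL, GROUPS, ACCESS_LOG, "Legal")` names carol and svc_backup, the two accounts that touch the data but are not in the Legal group; that list is what you review with the business before committing the change.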
