Introducing Least Privilege Automation for Microsoft 365, Google Drive, and Box

Last updated May 26, 2023


    When excessive data access goes unchecked, one compromised user or rogue insider can inflict untold damage on your business. 

    Reducing the data blast radius is the No. 1 challenge for CISOs today, but it can’t be solved with a one-time cleanup project or manual remediation. At the rate data is created and shared, even an army of admins couldn’t keep up with removing unused or risky permissions.

    Now, imagine you had a robot that could intelligently and continually remove unnecessary access and enforce least privilege while you sleep.

    Varonis is thrilled to announce least privilege automation for Microsoft 365, Google Drive, and Box. This enhancement represents yet another way Varonis is delivering effortless data security outcomes to our customers.

    Read on to learn how it works!

    Least privilege automation for Microsoft 365

    Varonis helps collaboration in Microsoft 365 flourish — without sacrificing security — by automatically and safely removing stale group memberships, stale sharing links, sensitive public links, and more. You give us your rules, we’ll enforce them.

    Intelligent enforcement of least privilege is only possible because Varonis collects all three dimensions of data:

    • Sensitivity
    • Permissions
    • Activity 

    Without sensitivity, you can’t prioritize. Without permissions, you’re completely blind. Without activity, your only choice is to take a shotgun approach and remove all links or permissions to sensitive data, even if they’re valid and in use.

    Quantify data risk and track progress.

    Before you set up an automated remediation policy, it’s important to understand your baseline data risk. Our real-time risk dashboards help you answer critical questions: How much sensitive data do you have in your M365 tenants? What kind of data is it? How much is exposed publicly or to the entire company?

    You can trend risk over time and even drill into any widget and see exactly which sites, folders, files, and links are affected. 

    Figure: SPO dashboard

    Don’t just measure data security posture, strengthen it.

    Out-of-the-box policies

    Now that you understand your risk, you can leverage our popular out-of-the-box remediation policies to eliminate it. Some of our policies for M365 include:

    • Removing collaboration links that expose sensitive data
    • Removing any collaboration link that exposes data publicly or externally
    • Removing collaboration links that share data with "anyone on the internet"  
    • Removing collaboration links that share data with "anyone in the organization"  
    • Removing collaboration links that share data with "specific people" in OneDrive
    • Removing non-organization users from "specific people" links
    • Removing links that haven’t been used in a certain amount of time
    • Removing group memberships
    • Removing stale permissions from ACLs

    You can choose to run least privilege automation on-demand, but the real magic is auto-enforcement. Whenever users violate your data sharing policies, Varonis will fix it without human intervention.

    Custom remediation policies 

    You can easily clone and customize our pre-made policies to fit your organization’s needs. Policies can be customized based on sensitivity, staleness, location, link type, and more. 

    Varonis lets you preview the results in the UI to see precisely which permissions will be remediated by your policy. This lets you ensure you’ve set the right conditions, tweak criteria, and gain confidence before you commit.

    Once you’re happy with your policy, you can select the schedule and approvals, and least privilege automation will take care of the rest. 

    Figure: Create a new policy or edit an existing one. Preview results before committing.

    Least privilege automation for Box and Google Drive 

    Countless Varonis customers are multi-cloud organizations, storing sensitive data across a multitude of cloud apps and infrastructures. The dev team uses M365 and Azure. Marketing uses Box. HR uses Google Workspace. What does the CISO want? Unified visibility and policy enforcement across all of the above.
    Varonis customers can now continually eliminate overexposed data in Box and Google Drive. 

    Like our offerings for Microsoft 365, our out-of-the-box remediation policies for Google Drive and Box can automatically eliminate org-wide sharing links, stale links, or links shared publicly.

    Surface your permissions risk with reports.

    Least privilege automation for Google and Box starts with reports. Use our powerful reporting filters to identify the data risk you want to remediate. To remove links shared publicly or with the whole organization, you can filter on specific criteria such as:

    • Data sensitivity and sensitivity type (PII, PCI, etc.)
    • Exposure level — organization-wide and publicly shared data
    • Data marked as stale

    Figure: Facet selection for org-wide and publicly shared docs. Select criteria for automated sharing link removal.

    Along with remediating org-wide and public access at scale, you can take a more precise approach and remove users’ direct permissions to folders and files. 

    You can filter direct permissions removal by:

    • Data sensitivity and sensitivity type
    • User type: external, privileged, and personal accounts
    • Stale permissions (permissions not used over an extended period)
    • Stale users
    • Permission type (CRUDS)
    • Specific users

    Figure: Facet selection for direct permissions. Filter criteria for direct permissions removal.

    Once you’ve defined your scope, you can turn your report into a policy that Varonis will continually enforce with least privilege automation! 

    Figure: Run your remediation job. Automatically revoke access to sensitive data in Box and Google Drive.

    Much like within Microsoft 365, you can use our built-in Box and Google policies or build custom ones with unique selection criteria and actions that fit your organization's various sharing policies. 

    For example, you could build one policy to automatically remove all public links in HR’s Google Drive folders, regardless of data sensitivity, and create another policy for Marketing that only removes org-wide and external sharing links to data marked sensitive. 

    You can configure each policy to either execute automatically (and continually with a customizable schedule) or require them to be reviewed and approved by your admins before they execute. 
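
The HR and Marketing policies described above, with preview and approval modes, worked through as an added example. This is not Varonis code or its API: the `Link` and `Policy` model, the field names and the sample links are assumptions constructed for illustration.

```python
# Hypothetical policy model for illustration; not a vendor API.
from dataclasses import dataclass
from datetime import date
from typing import Optional

@dataclass(frozen=True)
class Link:
    path: str
    dept: str
    scope: str                  # "public" | "org_wide" | "external" | "specific_people"
    sensitive: bool             # sensitivity dimension
    last_used: Optional[date]   # activity dimension (None = never used)

@dataclass(frozen=True)
class Policy:
    name: str
    dept: str
    scopes: frozenset                  # permission dimension: link types in scope
    sensitive_only: bool = False
    stale_days: Optional[int] = None   # if set, skip links used more recently
    auto: bool = True                  # False = hold for admin approval

def matches(p, link, today):
    idle = None if link.last_used is None else (today - link.last_used).days
    return (link.dept == p.dept and link.scope in p.scopes
            and (link.sensitive or not p.sensitive_only)
            and (p.stale_days is None or idle is None or idle >= p.stale_days))

def preview(p, links, today):
    """Dry run: paths the policy would remediate; nothing is changed."""
    return [l.path for l in links if matches(p, l, today)]

def enforce(policies, links, today):
    removed, pending = [], []          # auto-enforced vs. awaiting approval
    for p in policies:
        (removed if p.auto else pending).extend(preview(p, links, today))
    return removed, pending

TODAY = date(2023, 5, 26)
LINKS = [  # constructed sample inventory
    Link("/hr/handbook.pdf", "HR", "public", False, date(2023, 5, 20)),
    Link("/hr/payroll.xlsx", "HR", "org_wide", True, date(2023, 5, 1)),
    Link("/mkt/launch-deck.pptx", "Marketing", "public", False, date(2023, 5, 25)),
    Link("/mkt/customer-list.csv", "Marketing", "external", True, None),
    Link("/mkt/pricing-draft.docx", "Marketing", "org_wide", True, date(2023, 4, 2)),
]
HR = Policy("hr-public", "HR", frozenset({"public"}))
MKT = Policy("mkt-sensitive", "Marketing", frozenset({"org_wide", "external"}),
             sensitive_only=True, auto=False)
```

Note that the HR policy leaves `/hr/payroll.xlsx` exposed org-wide: a policy scoped only to public links does not cover other link types, which is exactly what a preview makes visible before committing.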

    Figure: Customize your least privilege automation jobs.

    Share risk reduction progress with your exec team and auditors.

    Your executive team will be thrilled to receive concise reports that show meaningful risk reduction week after week. Most customers see a big drop-off in exposure after the first remediation job runs and then subsequent reports prove that they’re keeping risk low.

    Figure: Exposure change over time. Create a scheduled report to track your risk reduction.

    Get to least privilege with Varonis.

    With an ever-increasing amount of data today and a projected 100 zettabytes to exist in the cloud by 2025, IT teams are simply not set up to proactively reduce their organization’s attack surface. 

    Varonis is on a mission to provide effortless outcomes for our customers using automated, set-it-and-forget-it data security. Our cloud-native Data Security Platform takes a few minutes to install and delivers instant insights. Improve your organization’s ability to withstand security attacks through an adaptive, agile, and highly automated approach to data protection. 
