If you were hired at a top financial institution as a junior analyst tomorrow, chances are you’d have access to 20% of the company’s data on day one. Data available to all employees creates organization-wide exposure (OWE), making the likelihood of a devastating breach skyrocket.
OWE is the exact opposite of Zero Trust and, for many companies, has been an intractable risk for years. Now, due to the rapid adoption of collaboration tools for remote work, OWE is becoming even more prevalent as IT teams focus on deploying new technology before fully understanding how to configure it securely.
Varonis can help you understand where OWE exists and take steps to remediate it.
What is Organization-Wide Exposure?
Organization-wide exposure happens when sensitive data is made available to the entire company. This data is susceptible to a data breach, ransomware attacks, insider threats, and presents privacy and compliance issues.
The very first GDPR fine, issued to a hospital in Portugal, was due to a violation of privacy-by-design as a result of OWE. No data was stolen, but the hospital wasn’t adequately limiting access.
OWE paved the way for a brand new Tesla employee to grab the Autopilot source code and upload it to his personal Dropbox account. He’s now being sued by the company for data theft.
Sensitive data exposure can cripple an organization. Let’s explore the many ways OWE happens, how to visualize and prioritize exposure, and how to remediate the risk without disrupting the business.
Over-permissive folders are some of the oldest contributors to organization-wide exposure. Networked sharing folders have existed for decades and have provided a new way for users to collaborate and share documents for work. As unstructured data propagated, IT organizations couldn’t manage user-created data growth or keep up with the number of incoming data access requests.
To deal with this problem, administrators took a few shortcuts. On Windows servers and legacy SharePoint, administrators granted ‘Full Control’ privileges to the ‘Everyone’ or ‘Domain Users’ groups. On Linux or UNIX, it’s even easier. Admins ran a ‘chmod 777’ on a network file share to grant everyone access to a folder.
Because of these shortcuts and continued data growth, a brand new employee at any organization could have access to 17 million files on their first day, according to the 2019 Varonis Data Risk Report.
These folders are not only over-permissive but also potentially contain sensitive data. In the same report, we found that 53% of organizations had 1,000 files available to all employees. Over-permissive folders facilitate lateral movement and data exfiltration, and they are prime targets for ransomware attacks.
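The ‘chmod 777’ shortcut described above is easy to audit for on a Linux or UNIX share: any path whose “other” permission bits are set is reachable by every local account, regardless of group membership. The following script is an added example (not Varonis code) that builds a small constructed share in a temporary directory, scans it for world-accessible files and folders, and then strips those bits as a remediation step. All directory and file names are constructed sample data.

```python
import os
import stat
import tempfile
from pathlib import Path

# Permission bits that grant access to "other" (every account on the host).
_OTHER_BITS = (
    (stat.S_IROTH, "read"),
    (stat.S_IWOTH, "write"),
    (stat.S_IXOTH, "exec"),
)


def world_access(path: Path) -> list[str]:
    """Return the 'other' permissions set on a path, as human-readable names.

    For directories the execute bit means 'traverse' (enter the directory),
    which is what lets any user reach the files beneath it.
    """
    mode = path.lstat().st_mode  # lstat: do not follow symlinks
    names = []
    for bit, name in _OTHER_BITS:
        if mode & bit:
            if name == "exec" and stat.S_ISDIR(mode):
                name = "traverse"
            names.append(name)
    return names


def scan_for_open_access(root: Path) -> dict[str, list[str]]:
    """Walk a share and report every path that any local account can reach."""
    findings: dict[str, list[str]] = {}
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            p = Path(dirpath) / name
            bits = world_access(p)
            if bits:
                findings[str(p.relative_to(root))] = bits
    return findings


def strip_world_access(root: Path) -> int:
    """Remove all 'other' permission bits under root; return the number of paths changed.

    Owner and group permissions are left untouched, so access for the owning
    group (the equivalent of a single-purpose group) survives the change.
    """
    changed = 0
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            p = Path(dirpath) / name
            mode = p.lstat().st_mode
            if mode & stat.S_IRWXO:
                p.chmod(stat.S_IMODE(mode) & ~stat.S_IRWXO)
                changed += 1
    return changed


def build_sample_share() -> Path:
    """Create a constructed share layout: one folder locked down, one 'chmod 777'-style, one readable."""
    root = Path(tempfile.mkdtemp(prefix="share-"))
    layout = {
        "finance": 0o750,                 # group-only: the desired state
        "finance/payroll.xlsx": 0o640,
        "public": 0o777,                  # the 'chmod 777' shortcut
        "public/handbook.pdf": 0o666,
        "hr": 0o755,                      # anyone can list and enter the folder
        "hr/reviews.docx": 0o600,         # but this file itself is owner-only
    }
    for rel, mode in layout.items():
        p = root / rel
        if p.suffix:
            p.write_text("constructed sample content\n")
        else:
            p.mkdir()
        p.chmod(mode)  # chmod explicitly: mkdir/open modes are subject to umask
    return root


if __name__ == "__main__":
    share = build_sample_share()
    for rel, bits in sorted(scan_for_open_access(share).items()):
        print(f"{rel}: world {', '.join(bits)}")
    print(f"remediated {strip_world_access(share)} paths")
    print(f"remaining findings: {scan_for_open_access(share)}")
```

Note that the remediation step is the blunt version of what the article later describes: before removing open access on a production share, you need to know who actually relied on it, otherwise the ‘hr’ folder above may stop working for the people it was opened up for. The scan output is the input to that decision, not a substitute for it.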
The migration to cloud-based IT infrastructure, like Microsoft 365, introduces a new kind of organization-wide exposure risk in sharing links. Sharing links are the primary method you use to collaborate on or share a file or folder with your team, and you can even use sharing links to collaborate with people outside of your organization.
One of the easiest ways to share links in M365 is to set the permissions to “Anyone in the organization with the link.” That way, you can share the link without specifying a group or list of people who can access the file. And that means the data in the file or folder is accessible by anyone with credentials on the network. Every cloud file sharing service, such as Google, Box, and Dropbox, provides similar functionality with the accompanying risks.
Open Teams, Chats, and Private Channels
Microsoft Teams usage grew from 32 million daily users in March 2020 to 115 million by the end of October 2020. Organizations enabled Teams to promote collaboration without understanding the impact on data security and before they could figure out best practices to protect their data.
Here’s something most organizations don’t know about sharing data in Teams. Any time you chat with a co-worker or create a new Teams channel, you create either a new OneDrive folder or SharePoint Online (SPO) site on the back end. Users can easily share data in those folders with anyone in the organization, leading to data exposure either by direct access or sharing links.
As we demonstrate in our Teams Explosion webinar, it’s possible to share sensitive data with the entire organization without realizing it, even if the M365 admins turn off external sharing. Tracking down organization-wide sharing with the native M365 tools is not trivial. Experienced administrators have to use Azure AD, Teams, and SharePoint Online tools to piece together which users have access to which sensitive data, and even then, it’s not always clear.
Each system in M365 has a portion of the entire picture, but no single view contains the whole picture and correlates it to sensitive data access or organization-wide exposure.
Identifying OWE with Varonis
Varonis crawls file servers, NAS devices, and cloud storage to regularly gather a clear picture of users’ access to data. We correlate user access with our classification scans to discover where sensitive data is exposed organization-wide.
Global Access and Over-Permissive Folders
The bi-directional view in DatAdvantage highlights access by user, group, or by folder across multiple data stores at once. You can either click on a folder to see who has access to that folder or click on a user to see what resources they can access. In this same view, DatAdvantage shows you where sensitive data is exposed to prioritize remediation efforts. It’s possible to reduce OWE when you can visualize where the problems exist, and DatAdvantage simplifies that process with this unique functionality.
Sharing Links in OneDrive and SharePoint Online
Also in DatAdvantage, you can see where you have user-generated sharing links in M365 that allow for organization-wide exposure, so you can quickly visualize where sensitive data is at risk.
The WebUI provides a different way to visualize user-generated sharing links that allow you to drill into and view the details of what files are shared.
From the Analytics tab, you can see exactly which files are exposed to organization-wide sharing and whether or not they are sensitive. You can even filter results based on total hits of sensitive information so that you can prioritize risk reduction efforts around links that expose high concentrations of sensitive data.
You can easily customize this search for deeper investigation and save it for future use, and these reports live in DatAdvantage as well.
Varonis makes it easy to track down where you have OWE, both on-premises and in M365. Once you can visualize and know where the organization-wide risk exists, you can start to remediate and remove that risk.
Reports and APIs
If you prefer to review the data Varonis gathers about OWE offline or need to share this information with other teams, there are several reports to choose from.
For example, the 4.c.01 Global Group Access Analysis report shows which users have access to data through global access groups, so organizations can investigate and remove permissions where possible.
There are dozens of pre-built reports that provide information that organizations can use to reduce organization-wide exposure. Security teams can even subscribe to and schedule reports for regular reviews. There is an API to the reporting engine so you can integrate Varonis data with any other system’s data. And if you still need to see the data differently, Varonis Professional Services will work with you to create a custom process.
How Varonis Remediates OWE
Not only can Varonis help organizations pinpoint where they have OWE, but we also help remediate excessive access.
How Varonis Remediates Global Access
DatAdvantage provides the visibility and functionality to achieve least-privilege access. The bi-directional permissions view highlights where sensitive data is overexposed. You can make changes to folder permissions in the UI and then model those changes to verify you will not remove access to data that users need. DatAdvantage audits all of the changes so you can revert or report on your progress towards a more secure position.
The DatAdvantage approach is a more precise way to reduce sensitive data exposure. Sometimes, the problem requires a giant hammer, which is where Automation Engine comes in.
Automation Engine can remove OWE at a massive scale. By monitoring how users interact with data, Varonis knows who actually uses data. With Automation Engine, you can automatically remove open access and replace those permissions with single-purpose groups of those who actually access that data. This allows you to remove OWE from folders without interrupting day-to-day work.
Once the major issues with OWE of sensitive data get resolved, DataPrivilege steps in to help you maintain your secure position. DataPrivilege implements a process for data owners to manage access to their folders that enables organizations to maintain least-privileged access. Data owners complete regular entitlement reviews to certify that access to their data is up to date.
How Varonis Detects Abnormal Access to Sensitive Data
Visibility and awareness of OWE are vital to maintaining data security. However, real-time alerts when users create new risk with sharing links to sensitive data are arguably better.
DatAlert provides hundreds of pre-built threat models that detect abnormal behaviors and indicators of compromise that point towards insider threats or cyberattacks. There are specific alerts for new sharing links to sensitive data and public sharing links so your team can respond, investigate, and remediate OWE as quickly as possible.
Varonis helps organizations reduce OWE and detects threats to sensitive data across multiple data stores. Our customers can maintain a low attack surface area even as users create new data and introduce new risk.
Sign up for a demo and see how Varonis can manage your data security.
Michael has worked as a sysadmin and software developer for Silicon Valley startups, the US Navy, and everything in between.