Maximize your ROI: Maintaining a Least Privilege Model

Michael Buckbee
5 min read
Last updated June 6, 2022

TL;DR: Managing permissions can be expensive. For a 1,000 employee company, the overhead of permissions request tickets can cost up to $180K/year. Automating access control with DataPrivilege can save $105K/year or more and reduce risk. Read on to see the math.

One of the most important requirements of implementing a data security plan in today’s breach-a-day era is to implement and maintain a least privilege model across your enterprise.


The principle of least privilege says that users should only have access to the resources they need to do their work. What does this mean? The marketing team, for example, probably shouldn’t be able to access corporate finance and HR data. You’d be shocked how often they do.

A least privilege model can drastically limit the damage insiders can do but, perhaps more importantly, it prevents hackers from moving laterally across the organization with a single compromised account.

Without least privilege, hackers can likely move from one share to another, grabbing as much private data as they can. On the other hand, if (and when) a least privilege model is implemented, the hacker will be limited to the same resources that the compromised account is able to access.

The downside? Achieving least privilege permissions is no minor feat. You need to analyze access control lists, correlate them to users and groups in Active Directory, and remediate issues like global access, which should be a major red flag. Hackers actively seek out common issues like overly permissive service accounts, broken permissions inheritance, and weak admin passwords.

Once you grab the low-hanging fruit by closing common loopholes, you’ll need to involve business owners to figure out whether current entitlements are legitimately needed and, if not, revoke them.
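The ACL analysis and global-access remediation described above usually starts with a read-only audit of what the shares actually grant today. The PowerShell script below is an added example written for this page; it is not Varonis or DataPrivilege code. The share root `\\FILESERVER\Finance`, the report path and the list of "global" identities are placeholders and assumptions you would adapt to your own domain. It walks a share, flags every Allow entry granted to Everyone, Authenticated Users, BUILTIN\Users or Domain Users, records whether the folder has broken permissions inheritance, and writes a CSV that can be handed to the business owner for the entitlement review step.

```powershell
# Added example (not Varonis/DataPrivilege code): read-only audit of folder ACLs
# for "global access" groups and broken inheritance. Produces a CSV that a data
# owner can review to decide which entitlements are legitimate.
# Assumptions: $Root and $Report are placeholders; $GlobalIdentities is a
# starting list of well-known everyone-style principals, extend it for your forest.

param(
    [string]$Root   = '\\FILESERVER\Finance',        # placeholder share root
    [string]$Report = '.\global-access-report.csv'   # placeholder output path
)

# Identities that effectively mean "every account". An Allow ACE for any of
# these on business data is a least-privilege red flag.
$GlobalIdentities = @(
    'Everyone',
    'NT AUTHORITY\Authenticated Users',
    'BUILTIN\Users'
)
# "Domain Users" is domain-qualified (CONTOSO\Domain Users), so match by suffix.
$DomainUsersSuffix = '\Domain Users'

# Audit the root itself plus every subfolder. @() keeps the concatenation safe
# when Get-ChildItem returns nothing.
$folders = @(Get-Item -Path $Root) +
           @(Get-ChildItem -Path $Root -Directory -Recurse -ErrorAction SilentlyContinue)

$findings = foreach ($dir in $folders) {
    try {
        $acl = Get-Acl -Path $dir.FullName
    } catch {
        # Folders we cannot read are themselves worth a follow-up; do not abort the run.
        Write-Warning "Cannot read ACL on $($dir.FullName): $_"
        continue
    }

    # Protected ACLs no longer inherit from the parent; such folders drift
    # away from the share's intended model and are easy to forget.
    $inheritanceBroken = $acl.AreAccessRulesProtected

    foreach ($ace in $acl.Access) {
        $id       = $ace.IdentityReference.Value
        $isGlobal = ($GlobalIdentities -contains $id) -or $id.EndsWith($DomainUsersSuffix)

        # Only Allow ACEs expose data; Deny ACEs for these groups are not findings.
        if ($isGlobal -and $ace.AccessControlType -eq 'Allow') {
            [pscustomobject]@{
                Folder            = $dir.FullName
                Identity          = $id
                Rights            = $ace.FileSystemRights.ToString()
                Inherited         = $ace.IsInherited
                InheritanceBroken = $inheritanceBroken
            }
        }
    }
}

if ($findings) {
    $findings | Sort-Object Folder | Export-Csv -Path $Report -NoTypeInformation
    Write-Host ("{0} global-access ACE(s) found under {1}; report written to {2}" -f @($findings).Count, $Root, $Report)
} else {
    Write-Host "No global-access ACEs found under $Root"
}
```

Run it from an account that can read the ACLs of the share (it changes nothing, so no write rights are needed). The `Inherited` column tells you whether a finding is fixed once at the parent or has to be chased folder by folder, and `InheritanceBroken` marks the folders that will not pick up a fix made higher in the tree.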

We’ve helped thousands of companies get to least privilege and, on average, it takes 6 human hours or more per folder to implement a least privilege model manually.

How Much Does it Cost to Manually Maintain a Least Privilege Model?

It’s a major investment to implement a least privilege model in money, resources, upkeep, and human capital. Once you’re there, the IT Service Desk traditionally takes on the burden of maintaining that least privilege model.

Based on 2016 industry data, the average service desk call costs the company $15.56. That seems like a reasonable price for a quick service call. Say the end user calls requesting access to a share. IT has to contact the end-user’s manager–or someone else in the approval chain–and then either approve or deny the request. Based on surveys of our customer base, this process takes about 20 minutes on average, spread over the course of a day, for the help desk to complete.

Now, how many times do you think they get this call in a month? 50? 100? 1,000? Some of our customers process up to 7,000 permission changes a month – all in the name of data security, and to maintain a least privilege model.

Here’s a quick chart of that scenario: the number of (service desk calls/month) * (cost per call), for the entire year.

| Number of cases per month | Cost per case | Cost per month | Cost per year |
|---|---|---|---|
| 100 | $15 | $1,500 | $18,000 |
| 500 | $15 | $7,500 | $90,000 |
| 1,000 | $15 | $15,000 | $180,000 |
| 2,500 | $15 | $37,500 | $450,000 |
| 5,000 | $15 | $75,000 | $900,000 |
| 7,000 | $15 | $105,000 | $1,260,000 |

You read that right. Without a way to streamline that access request process, it would cost our customer over one million dollars a year just to keep their permissions in a good place.

Fun desk exercise: if you know your service desk cost-per-case and how many AD changes you process each month, you can do this same calculation for yourself. Now ask yourself, what’s it worth to you?

Besides the monetary cost, there’s the human element to consider.

Based on the above chart, if you’re in the 1,000 AD changes per month range, you’re at a baseline cost of $180,000 per year in service desk calls which, at 20 minutes per call, ends up taking 333 human hours each month just to manage those requests. That’s 2 full-time hires working more than 40 hours each month, dedicated to fielding permissions requests. Even if you had a team working non-stop around the clock and on weekends, that would be nearly two weeks of dedicated man hours on permissions requests.

And that’s just the mid range.

In a larger enterprise, those 7,000 AD updates come out to roughly 2,310 work hours a month. That’s 14 people dedicated full time, every month, to maintaining least privilege permissions!

A Better Way to Manage Permissions

DataPrivilege takes the burden off of the Service Desk and gives the data owners – the ones that actually *know* who should be accessing that information – the ability to grant and remove access from their own shares.

This makes removing and granting access as simple as responding to an email, and each data owner only does this for their own shares – not the entire domain.

We can all probably agree that putting the IT Service Desk in charge of access to the Corporate Finance folder is a bad idea. However, putting the Controller or the Lead Corporate Accountant in charge of access to that folder is a great idea – and you should pat yourself on the back for coming up with it!

DataPrivilege will also automate your entitlement reviews and create reports for auditing and compliance. We provide APIs to integrate with your IAM or ITSM systems. And of course DataPrivilege will integrate with any other Varonis software you own.

But Wait, How Much is That Going to Cost Me?

Let’s consider an average-sized shop in the 1,000 user and 1,000 AD changes range. As we saw earlier, those 1,000 AD changes per month could cost $180,000 per year, and 333 man hours dedicated to permissions management. By using DataPrivilege to help manage permissions, you’ll not only free up resources, but that same shop will save $105,000 a year.

And of course your Service Desk resources are more effective and flexible without the load of permissions changes. Your data owners are in charge of their data – and your auditors have nothing to worry about in regards to access to sensitive data. In one year DataPrivilege pays for itself – and you’ve reduced the ongoing load of permissions management into the future, making your company more secure in the process.

Let’s again look at our 10,000 user enterprise that processes 7,000 AD updates per month. That would cost the organization $1.26 million per year in Service Desk cost and 2,310 human hours per month. By using DataPrivilege in that first year, you’re saving $960,000 – and significantly cutting down the dedicated human hours required to manage those permissions! That’s just year one.

In year two and beyond, you save over $1,000,000.

What could your Service Desk accomplish without 7,000 AD changes per month on their plate? Could they increase productivity for the rest of the company by responding faster to more urgent cases? Could you reallocate headcount and move resources to other departments?

Are You Pulling My Leg?

Those numbers are legit. But keep in mind, they’re specific to maintaining a least privilege model. To get there, you have to (and really should) implement least permissive permissions.

And of course you have to balance all of this outlay against the cost of doing nothing and the risks associated with doing nothing. How much do you think the breach at Equifax is going to end up costing them?

The Wall Street Journal says “billions”.

Not to mention you don’t want to have to testify in front of Congress and explain how you messed up. The Cybersecurity and Infrastructure Protection Subcommittee doesn’t have time for that.

OK, What Next?

There are a few ways to get started with DataPrivilege and Varonis. One of the easiest is to get a free Risk Assessment.

Our engineers will analyze your current data security situation – including global group access and overexposed data – and you’ll get a detailed report with recommendations on where your biggest vulnerabilities are and how to manage them. Or, skip all that and go straight for a demo of DataPrivilege. Your call.

Getting to and maintaining a least privilege model is one of the most important steps in protecting your sensitive data – it significantly reduces the risk of your sensitive data being overexposed, leaked, or stolen – and DataPrivilege will help you get there.

Frequently Asked Questions

Q: What is the Principle of Least Privilege (POLP)?

A: The Principle of Least Privilege (POLP) refers to the practice of only allowing users in a work environment access to resources that are needed to complete their work.

It’s all too common in the workplace for employees to have access to a variety of different tools, accounts, and more, leaving the door open for security breaches. The Principle of Least Privilege/Authority gives workers access to the resources they need without accidentally or intentionally stepping out of their lane and controlling information that is outside of their responsibilities.

