Live Cyber Attack Lab 🎯 Watch our IR team detect & respond to a rogue insider trying to steal data! Choose a Session


Maximize your ROI: Maintaining a Least Privilege Model

Data Security

TL;DR: Managing permissions can be expensive. For a 1,000 employee company, the overhead of permissions request tickets can cost up to $180K/year. Automating access control with DataPrivilege can save $105K/year or more and reduce risk. Read on to see the math.

One of the most important requirements of implementing a data security plan in today’s breach-a-day era is to implement and maintain a least privilege model across your enterprise.

Get the Free Pen Testing Active Directory Environments EBook

“This really opened my eyes to AD security in a way defensive work never did.”

The principle of least privilege says that users should only have access to resources that they need to do their work. What does this mean? The marketing team, for example, probably shouldn’t be able to access to corporate finance and HR data. You’d be shocked how often they do.

A least privilege model can drastically limit the damage insiders can do but, perhaps more importantly, it prevents hackers from moving laterally across the organization with a single compromised account.

Without least privilege, hackers can likely move from one share to another, grabbing as much private data they can. On the other hand, if (and when) that least privilege model is implemented, the hacker will be limited to the same resources that the compromised account is able to access.

The downside? Achieving least privilege permissions is no minor feat. You need to analyze access control lists, correlate them to users and groups in Active Directory, and remediate issues like global access, which should be a major red flag. Hackers actively seek out common issues like overly permissive service accounts, broken permissions inheritance, and weak admin passwords.

Once you grab the low-hanging fruit by closing common loopholes, you’ll need to involve business owners to figure out whether current entitlements are legitimately needed and, if not, revoke them.

We’ve helped thousands of companies get to least privilege and, on average, it takes 6 human hours or more per folder to implement a least privilege model manually.

How Much Does it Cost to Manually Maintain a Least Privilege Model?

It’s a major investment to implement least privilege model in money, resources, upkeep, and human capital. Once you’re there, the IT Service Desk traditionally takes on the burden of maintaining that least privilege model.

Based on 2016 industry data, the average service desk call costs the company $15.56 Seems like a reasonable price for a quick service call. Say the end user calls requesting access to a share. IT has to contact the end-user’s manager–or someone else in the approval chain–and then either approve or deny the request. Based on surveys of our customer base, this process on average, takes about 20 minutes over the course of a day for the help desk to complete.

Now, how many times do you think they get this call in a month? 50? 100? 1,000? Some of our customers process up to 7,000 permission changes a month – all in the name of data security, and to maintain a least privilege model.

Here’s a quick chart of that scenario: the number of (service desk calls/month) * (cost per call), for the entire year.

Number of cases per month Cost per case Cost per month Cost per year
100 15 $1,500 $18,000
500 15 $7,500 $90,000
1,000 15 $15,000 $180,000
2,500 15 $37,500 $450,000
5,000 15 $75,000 $900,000
7,000 15 $105,000 $1,260,000

You read that right. Without a way to streamline that access request process, it would cost our customer over one million dollars a year just to keep their permissions in a good place.

Fun desk exercise: if you know your service desk cost-per-case and how many AD changes you process each month, you can do this same calculation for yourself. Now ask yourself, what’s it worth to you?

Besides the monetary cost, there’s the human element to consider.

Based on the above chart, if you’re in the 1,000 AD changes per month range, you’re at a baseline cost of $180,000 dollars per year in service desk calls which, at 20 minutes per call, ends up taking 333 human hours each month just to manage those requests. That’s 2 full time hires working more than 40 hours each month, dedicated to fielding permissions requests. Even if you had a team working non-stop around the clock and on weekends, that would be nearly two weeks of dedicated man hours on permissions requests.

And that’s just the mid range.

In a larger enterprise those 7,000 AD updates roughly comes out to 2,310 work hours a month. That’s 14 people dedicated full time to maintain least privilege permissions per month!

A Better Way to Manage Permissions

DataPrivilege takes the burden off of the Service Desk and gives the data owners – the ones that actually *know* who should be accessing that information – the ability to grant and remove access from their own shares.

This makes removing and granting access as simple as responding to an email: and each data owner will only be doing for their shares – not the entire domain.

We can all probably agree that putting the IT Service Desk in charge of access to the Corporate Finance folder is a bad idea. However, putting the Controller or the Lead Corporate Accountant in charge of access to that folder is a great idea – and you should pat yourself on the back for coming up with it!

DataPrivilege will also automate your entitlement reviews and create reports for auditing and compliance. We provide APIs to integrate with your IAM or ITSM systems. And of course DataPrivilege will integrate with any other Varonis software you own.

But Wait, How Much is That Going to Cost Me?

Let’s consider an average-sized shop in the 1,000 user and 1,000 AD changes range. As we saw earlier, those 1,000 AD changes per month could cost $180,000 per year, and 333 man hours dedicated to permissions management. By using DataPrivilege to help manage permissions, you’ll not only free up resources, but that same shop will save $105,000 a year.

And of course your Service Desk resources are more effective and flexible without the load of permissions changes. Your data owners are in charge of their data – and your auditors have nothing to worry about in regards to access to sensitive data. In one year DataPrivilege pays for itself – and you’ve reduced the ongoing load of permissions management into the future, making your company more secure in the process.

Let’s again look at our 10,000 user enterprise that processes 7,000 AD updates per month. That would cost the organization $1.26 million per year in Service Desk cost and 2,310 human hours per month. By using DataPrivilege in that first year, you’re saving $960,000 – and significantly cut down the dedicated human hours required to manage those permissions! That’s just year one.

In year two and beyond, you save over $1,000,000.

What could your Service Desk accomplish without 7,000 AD changes per month on their plate? Could they increase productivity for the rest of the company by responding faster to more urgent cases? Could you reallocate headcount and move resources to other departments?

Are You Pulling My Leg?


Those numbers are legit. But keep in mind, they’re specific to maintaining a least privilege model. To get there, you have to (and really should) implement least permissive permissions.

And of course you have to balance all of this outlay against the cost of doing nothing and the risks associated with doing nothing. How much do you think the breach at Equifax is going to end up costing them?

The Wall Street Journal says “billions”.

Not to mention you don’t want to have to testify in front of Congress and explain how you messed up. The Cybersecurity and Infrastructure Protection Subcommittee don’t have time for that.

OK, What Next?

There are a few ways to begin to get started with DataPrivilege and Varonis. One of the easiest ways is to get a free Risk Assessment.

Our engineers will analyze your current data security situation – including global group access and overexposed data – and you’ll get a detailed report with recommendations on where your biggest vulnerabilities are and how to manage them. Or, skip all that and go straight for a demo of DataPrivilege. Your call.

Getting to and maintaining a least privilege model is one of the most important steps in protecting your sensitive data – it significantly reduces the risk of your sensitive data being overexposed, leaked, or stolen – and DataPrivilege will help you get there.

Jeff Petters

Jeff Petters

Jeff has been working on computers since his Dad brought home an IBM PC 8086 with dual disk drives. Researching and writing about data security is his dream job.


Does your cybersecurity start at the heart?

Get a highly customized data risk assessment run by engineers who are obsessed with data security.