What About Individual Users on ACL's?

David Gibson
Last updated June 23, 2022

One question I received in response to our recent post about aligning Windows security groups and automating entitlement reviews was, “If you’re using single-purpose security groups and managing them automatically with an automated solution like DataPrivilege®, why use groups at all? Why not just assign users directly to the ACL?” That’s a great question (even though the idea may seem like heresy in the Windows world).

There’s also a great answer: applying NTFS permissions takes a very long time when the change has to be written into the ACLs (access control lists) of a large number of subfolders and files. An ACE added at the top of a tree with inheritance enabled is not stored once; Windows rewrites the security descriptor of every descendant folder and file, and on a large directory structure that can take hours or even days. Therefore, for now at least, we seem to be better off using groups and relatively static ACLs, so that the ACL on each folder and file is written as rarely as possible. In contrast, moving users into and out of groups is relatively quick, since it is a single write to the group object in Active Directory. Two caveats remain: the change still has to replicate across domain controllers, and because group SIDs are placed in a user’s access token when the token is built at logon, users often have to log off and log back on before the new membership takes effect.
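The following PowerShell script is an added example, not code from the original post or from Varonis, that makes the cost difference measurable. It builds a constructed directory tree, adds one inheritable ACE for a group at the root, times the Set-Acl call, and then counts how many descendants had their DACL rewritten. It then times the group-membership alternative, guarded so it only runs where the ActiveDirectory module exists, and finally compares the group against the current logon token to show why a fresh logon is needed. The group name FS-Finance-RW, the user jdoe and the demo path are hypothetical; BUILTIN\Users is used for the ACL part only so the script runs on any Windows host, and it assumes $Root is under the user profile, where BUILTIN\Users is not already granted.

```powershell
# Added example (not from the original post). Measures why writing NTFS ACEs is slow
# and changing group membership is fast, and why a new membership needs a fresh logon.
# Hypothetical names: FS-Finance-RW (group), jdoe (user), $env:TEMP\acl-demo (path).
param(
    [string]$Root     = (Join-Path $env:TEMP 'acl-demo'),
    [string]$Group    = 'BUILTIN\Users',  # production would use a purpose-built group, e.g. CONTOSO\FS-Finance-RW (hypothetical)
    [int]   $Folders  = 100,
    [int]   $FilesPer = 10
)

# 1. Constructed directory tree standing in for a real file share.
New-Item -ItemType Directory -Path $Root -Force | Out-Null
foreach ($i in 1..$Folders) {
    $dir = New-Item -ItemType Directory -Path (Join-Path $Root "dept$i") -Force
    foreach ($j in 1..$FilesPer) {
        Set-Content -Path (Join-Path $dir.FullName "doc$j.txt") -Value 'sample'
    }
}
$objects = Get-ChildItem -Path $Root -Recurse -Force
"Tree contains $($objects.Count) objects below $Root"

# 2. One inheritable ACE at the root. SetNamedSecurityInfo propagates it by rewriting
#    the security descriptor of every descendant, so the timing grows with tree size.
$rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
    $Group,
    [System.Security.AccessControl.FileSystemRights]::Modify,
    [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit',
    [System.Security.AccessControl.PropagationFlags]::None,
    [System.Security.AccessControl.AccessControlType]::Allow)

$aclTime = Measure-Command {
    $acl = Get-Acl -Path $Root
    $acl.AddAccessRule($rule)
    Set-Acl -Path $Root -AclObject $acl
}
"Set-Acl at the root took $([int]$aclTime.TotalMilliseconds) ms"

# 3. Show that every descendant was touched: each one now carries the inherited ACE,
#    which means its own DACL was rewritten on disk.
$inherited = 0
foreach ($o in $objects) {
    $hit = (Get-Acl -Path $o.FullName).Access |
        Where-Object { $_.IdentityReference.Value -eq $Group -and $_.IsInherited }
    if ($hit) { $inherited++ }
}
"$inherited of $($objects.Count) descendants carry the inherited ACE for $Group"

# 4. The group-based alternative: a single write to one directory object.
#    Runs only where the ActiveDirectory module is present; names are hypothetical.
if (Get-Module -ListAvailable -Name ActiveDirectory) {
    $adTime = Measure-Command {
        Add-ADGroupMember -Identity 'FS-Finance-RW' -Members 'jdoe'
    }
    "Add-ADGroupMember took $([int]$adTime.TotalMilliseconds) ms (replication to other DCs follows)"
}

# 5. Why users must log off and on: group SIDs are fixed in the access token at logon.
$tokenGroups = [System.Security.Principal.WindowsIdentity]::GetCurrent().Groups |
    ForEach-Object {
        try { $_.Translate([System.Security.Principal.NTAccount]).Value } catch { $_.Value }
    }
"Current token holds $($tokenGroups.Count) group SIDs"
if ($tokenGroups -contains $Group) {
    "$Group is in this token, so the new ACE grants access immediately"
} else {
    "$Group is not in this token; a membership added now takes effect only after a fresh logon"
}

# Clean up the constructed tree.
Remove-Item -Path $Root -Recurse -Force
```

Raise $Folders and $FilesPer to see the Set-Acl timing climb while the group-membership write stays roughly constant; the token check at the end is the same reason a user who is added to FS-Finance-RW still gets "Access is denied" until they log off and back on.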

Some organizations have opted for a different approach that goes against what has become accepted as best practice—using Windows share permissions instead of NTFS permissions. I’ll discuss the pros and cons of this technique next time.
