What About Individual Users on ACL's?

One question I received in response to our recent post about aligning windows security groups and automating entitlement reviews was, “If you’re using single-purpose security groups and managing them automatically...
David Gibson
1 min read
Last updated June 23, 2022

One question I received in response to our recent post about aligning windows security groups and automating entitlement reviews was, “If you’re using single-purpose security groups and managing them automatically with an automated solution like DataPrivilege®, why use groups at all? Why not just assign users directly to the ACL?” That’s a great question (even though the idea may seem like heresy in the windows world).

There’s also a great answer: Applying NTFS permissions takes a very long time when you have to write the ACL’s (access control lists) on a large number of subfolders and files—sometimes it can take hours or even days with a large directory structure. Therefore, for now at least, we seem to be better off using groups and relatively static ACL’s to minimize the number of times permissions have to be applied to individual files and folders. In contrast, moving users into and out of groups is relatively quick, though replication can take a while, and users often have to log out and log back into AD for changes to take effect.

Some organizations have opted for a different approach that goes against what has become accepted as best practice—using Windows share permissions instead of NTFS permissions. I’ll discuss the pros and cons of this technique next time.

What should I do now?

Below are three ways you can continue your journey to reduce data risk at your company:

1

Schedule a demo with us to see Varonis in action. We'll personalize the session to your org's data security needs and answer any questions.

2

See a sample of our Data Risk Assessment and learn the risks that could be lingering in your environment. Varonis' DRA is completely free and offers a clear path to automated remediation.

3

Follow us on LinkedIn, YouTube, and X (Twitter) for bite-sized insights on all things data security, including DSPM, threat detection, AI security, and more.

Try Varonis free.

Get a detailed data risk report based on your company’s data.
Deploys in minutes.

Keep reading

Varonis tackles hundreds of use cases, making it the ultimate platform to stop data breaches and ensure compliance.

varonis-enhances-salesforce-security-with-high-risk-permissions-remediation
Varonis Enhances Salesforce Security With High-Risk Permissions Remediation
Identify and automatically remediate high-risk Salesforce permissions to reduce risk and improve your SaaS security posture.
introducing-the-aws-access-graph-to-find-and-fix-cloud-security-issues
Introducing the AWS Access Graph to Find and Fix Cloud Security Issues
Tighten your cloud security posture with the ability to automatically visualize the AWS blast radius and cut off access paths to data.
cloud-security-essentials:-the-case-for-automated-dspm
Cloud Security Essentials: The Case for Automated DSPM
Data security posture management (DSPM) has emerged as a standard for securing sensitive data in the cloud and other environments. However, without automation, DSPM doesn’t stand a chance. Automation is crucial to overcoming the challenges of securing data in the cloud.
what-is-sspm?-overview-+-guide-to-saas-security-posture-management
What is SSPM? Overview + Guide to SaaS Security Posture Management
SaaS security posture management (SSPM) is an automated solution that helps bolster the protection of all SaaS applications used by organizations.