Least Privilege Automation

April 5, 2023

Does your organization have data stored within Microsoft 365? What about Google Drive or even Box? These questions are rhetorical, as my experience indicates most organizations are utilizing cloud-based services.

 

However, did you know that the average organization has millions of distinct permissions that render critical data accessible to an excessive number of individuals? This often includes sharing sensitive data with the entire organization or even the public internet. To properly manage data access, it would require a legion of administrators working for years. But luckily, we can now effortlessly eliminate millions of potential threats using automated remediation.

 

You are likely aware of the “least privilege” access model – whereby a user is given the minimum levels of access or permissions required to perform their job. In a previous post, I talked about identifying sensitive data in Salesforce and the complexities that can exist within the Salesforce permission model to achieve least privileged access around sensitive data. I touched on how Varonis is pioneering solutions that give visibility into sensitive data and permission mappings in critical cloud-based applications like Salesforce.

 

In this post, I will discuss Varonis’ Least Privilege Automation, or as I like to call it, “LPA.” LPA is an intelligent method of enforcing Zero Trust in a scalable fashion. Varonis is providing this new capability within their product stack. LPA is available now for Microsoft 365, Google Drive, and Box, with more supported platforms on the horizon.

 

 

A Refreshing Approach

You might be wondering how LPA functions. Varonis takes a unique approach—one that I am confident will be the next evolution within the landscape of data security.

 

Within the Varonis platform, the UI is abundant with statistics, Key Performance Indicators (KPIs), and Key Risk Indicators (KRIs). Now, one can allow reporting on things visible in the UI. You can save various widgets’ statistics or items as a custom report to be run ad hoc or on a schedule.

 

It’s no secret that many products offer reports and various reporting capabilities out of the box (OOTB). But Varonis has taken reporting to the next level. Let me introduce LPA-integrated reporting. Essentially, it is the ability to allow common reports to automatically generate actions and perform remediation dynamically based on a given report’s content. This is a game-changer.

 

Imagine being able to not only see your risk for each data object within a report, but also automating remediation around the very report that is exposing security gaps.

 

 

Google Drive and Box

Let’s talk about the OOTB remediation policies that exist for Google Drive and Box. These can automatically remove organization-wide sharing links, publicly shared links, and even stale links.

 

First, you would want to gain visibility into security and permissions risks utilizing reports. Varonis allows you to filter reports based on specific criteria. Once a report is filtered with intended criteria, you can assign an intended action to create a policy from the report. In the example below (Figure 1), I have selected the policy action, “Remove Organization-Wide Link.”

 

Image
varonis_least_privilege_img1.png

Figure 1 – Removing Organization-Wide Link

 

Filters that can be used for remediation reports include sensitivity, user(s) and/or user type, staleness, or even permission type. As you can imagine, this allows one to get specific about the report's content – and, as a result, further specify the remediation generated directly from that report. Below are some of the key OOTB reports that have LPA capabilities for Google and Box.

 

  • Overexposed Sensitive Resources - Resources that are shared externally or publicly and contain sensitive data. Figure 2 below shows a report that offers critical insight into sensitive data and allows for actioning LPA from the report.
  •  

    Image
    varonis_least_privilege_img2.png

    Figure 2 – Remediating Overexposed Sensitive Resources

     

  • Remediate Direct Permissions - Remediate direct permissions to data. The blast radius column displays how many resources within a folder will be affected when removing permissions via remediation.
  • Remediate Stale Direct Permissions - Identify stale direct permissions (for non-owners) on files. Typically, a stale permission is one that has not been used for 180 days (about 6 months). Stale permissions on folders indicate that the permissions are also stale for all nested files and folders.

    • This report also provides an indicator of the blast radius on a per-object basis. By securing and tightening permissions, the blast radius is reduced – as seen in Figure 3 below.
  •  

    Image
    varonis_least_privilege_img3.png

    Figure 3 – Identifying Object Blast Radius/Risk

     

  • Remediate Organization-Wide Links - Identify and remediate organization-wide links that permit any internal employee with the link to access data.
  • Remediate Public Links - Identify and remediate public links that permit anyone with the link to access data.

 

Best of all, any remediation report within the system can be filtered, run ad-hoc, or scheduled, exported, and most importantly turned into a remediation policy. Gone are the days of manually building remediation around reports. This functionality is now a seamless integration. See Figure 4 below for an example of scheduling actions for removing organization-wide links on the content of a given report.

 

Image
varonis_least_privilege_img4.png

Figure 4 – Scheduling Remediation

 

Additionally, there are options to build custom policies, and the many filter sets allow for granular customizations. Perhaps you need to remove all organization-wide links for a specific folder and only consider GDPR data. Maybe there is a need to remove external sharing for Accounting. All of this is possible. The power of customization within the platform allows you to create and configure policies to meet your organization’s needs.

 

 

Microsoft 365

Varonis likewise enables secure collaboration in Microsoft 365 through the implementation of LPA. The solution ensures the removal of stale group memberships, sensitive public links, and other potential security risks without compromising productivity. By providing the platform with your organization’s guidelines, the platform ensures their enforcement with intelligent and automatic monitoring.

 

Varonis SaaS collects data across three core categories: sensitivity, permissions, and activity. The combination of these aspects enables intelligent prioritization of risks and execution of effective remediation policies. Without this information, I would argue that it is impossible to make informed and accurate data security decisions or have confidence in understanding desired and undesired access.

 

So, what does using LPA for your organization’s Microsoft 365 environment look like? Let’s examine a few key aspects.

 

Dashboards & Policies

Real-time risk dashboards are a staple within Varonis. These tools help answer critical questions, like how much sensitive data your M365 tenants contain, what type of data it is, and how much is publicly exposed. You can monitor risk trends over time and drill into specific areas to view affected sites, folders, files, and links.

 

In Figure 5 below, we see an example of KRIs for an organization’s SharePoint Online environment, including sensitive data in focus.

 

Image
varonis_least_privilege_img5.png

Figure 5 – SPO Dashboard

 

From there, we can directly click the badge to remediate the risk.

 

As Figure 6 illustrates below, multiple OOTB remediation policies allow organizations to cover a wide range of areas.

 

Image
varonis_least_privilege_img6.png

Figure 6 – OOTB M365 Remediation

 

Although you can opt for least privilege automation as needed, Varonis recognizes whenever users infringe on data sharing policies. Because of this, the platform can correct undesired security controls and permissions automatically—continuously keeping your organization aligned to your data security framework.

 

Customizations

What about customized policies for remediation? The pre-made policies are available for cloning and customization to meet your organization's specific requirements. Policies can be modified according to a range of factors, such as sensitivity, staleness, location, and link type, among others.

 

The platform provides a user-friendly interface that enables you to preview the outcomes of your policy, thus allowing you to ensure that the right conditions are set, adjust criteria, and gain assurance before finalizing your policy. You can even choose the schedule and approvals.

 

To build a custom LPA policy, you simply choose the scope, conditions, and action schedule. Then, let Varonis do the rest.

 

Image
varonis_least_privilege_img7.png

Figure 7 – Building a Custom Remediation Policy

 

 

So, What Now?

In a world where data growth is exponential and organizations are drastically unprepared to protect their data, reducing the data blast radius is paramount. This holds especially true for sensitive data. After all, data is what organizations have the most of and know the least about. Let Optiv help. We can connect to and assess your data in minutes. The output of these assessments is eye-opening and leads to larger conversations around data, data governance, and compliance. Contact your Optiv client manager to inquire about an assessment for your organization. Together, Optiv and Varonis provide meaningful results and will present a snapshot of the health and protection of an environment. Google? Box? Microsoft 365? On-premises data stores? We have you covered!

Jeremy Bieber
Partner Architect for Varonis | Optiv
Jeremy is Optiv's Partner Architect for Varonis, specializing in understanding unstructured data, data governance/compliance and data protection.

With over 22 years of experience, Jeremy began professionally working with technology during the late 1990s at Electronic Data Systems and later at Hewlett-Packard. In 2016 he joined Varonis, consulting with clients and implementing the Varonis Data Security Platform to ensure client achievement of least-privileged access models and proactive threat detection, locating and ensuring sensitive-data compliance on-premise and in the cloud.

Over the course of his career, Jeremy has achieved a range of industry certifications including over a dozen Microsoft certifications, certifications from VMware, Hewlett-Packard, Smarsh and Varonis. He can pull from his lengthy experience including system administration, architecture, engineering and consulting to provide a seasoned focus on data security.

At Optiv, he uses this real-world experience to relate how the Varonis Data Security Platform will enhance the overall security goals for our clients, reduce risk, detect abnormal behavior and ensure compliance.

Optiv Security: Secure greatness.®

Optiv is the cyber advisory and solutions leader, delivering strategic and technical expertise to nearly 6,000 companies across every major industry. We partner with organizations to advise, deploy and operate complete cybersecurity programs from strategy and managed security services to risk, integration and technology solutions. With clients at the center of our unmatched ecosystem of people, products, partners and programs, we accelerate business progress like no other company can. At Optiv, we manage cyber risk so you can secure your full potential. For more information, visit www.optiv.com.