Least Privilege Automation

April 5, 2023

Does your organization have data stored within Microsoft 365? What about Google Drive or even Box? These questions are rhetorical, as my experience indicates most organizations are utilizing cloud-based services.

However, did you know that the average organization has millions of distinct permissions that render critical data accessible to an excessive number of individuals? This often includes sharing sensitive data with the entire organization or even the public internet. To properly manage data access, it would require a legion of administrators working for years. But luckily, we can now effortlessly eliminate millions of potential threats using automated remediation.

You are likely aware of the “least privilege” access model – whereby a user is given the minimum levels of access or permissions required to perform their job. In a previous post, I talked about identifying sensitive data in Salesforce and the complexities that can exist within the Salesforce permission model to achieve least privileged access around sensitive data. I touched on how Varonis is pioneering solutions that give visibility into sensitive data and permission mappings in critical cloud-based applications like Salesforce.

In this post, I will discuss Varonis’ Least Privilege Automation, or as I like to call it, “LPA.” LPA is an intelligent method of enforcing Zero Trust in a scalable fashion. Varonis is providing this new capability within their product stack. LPA is available now for Microsoft 365, Google Drive, and Box, with more supported platforms on the horizon.

A Refreshing Approach

You might be wondering how LPA functions. Varonis takes a unique approach—one that I am confident will be the next evolution within the landscape of data security.

Within the Varonis platform, the UI is abundant with statistics, Key Performance Indicators (KPIs), and Key Risk Indicators (KRIs). Now, one can allow reporting on things visible in the UI. You can save various widgets’ statistics or items as a custom report to be run ad hoc or on a schedule.

It’s no secret that many products offer reports and various reporting capabilities out of the box (OOTB). But Varonis has taken reporting to the next level. Let me introduce LPA-integrated reporting. Essentially, it is the ability to allow common reports to automatically generate actions and perform remediation dynamically based on a given report’s content. This is a game-changer.

Imagine being able to not only see your risk for each data object within a report, but also automating remediation around the very report that is exposing security gaps.

Google Drive and Box

Let’s talk about the OOTB remediation policies that exist for Google Drive and Box. These can automatically remove organization-wide sharing links, publicly shared links, and even stale links.

First, you would want to gain visibility into security and permissions risks utilizing reports. Varonis allows you to filter reports based on specific criteria. Once a report is filtered with intended criteria, you can assign an intended action to create a policy from the report. In the example below (Figure 1), I have selected the policy action, “Remove Organization-Wide Link.”

Image

Figure 1 – Removing Organization-Wide Link

Filters that can be used for remediation reports include sensitivity, user(s) and/or user type, staleness, or even permission type. As you can imagine, this allows one to get specific about the report's content – and, as a result, further specify the remediation generated directly from that report. Below are some of the key OOTB reports that have LPA capabilities for Google and Box.

Best of all, any remediation report within the system can be filtered, run ad-hoc, or scheduled, exported, and most importantly turned into a remediation policy. Gone are the days of manually building remediation around reports. This functionality is now a seamless integration. See Figure 4 below for an example of scheduling actions for removing organization-wide links on the content of a given report.

Image

Figure 4 – Scheduling Remediation

Additionally, there are options to build custom policies, and the many filter sets allow for granular customizations. Perhaps you need to remove all organization-wide links for a specific folder and only consider GDPR data. Maybe there is a need to remove external sharing for Accounting. All of this is possible. The power of customization within the platform allows you to create and configure policies to meet your organization’s needs.

Microsoft 365

Varonis likewise enables secure collaboration in Microsoft 365 through the implementation of LPA. The solution ensures the removal of stale group memberships, sensitive public links, and other potential security risks without compromising productivity. By providing the platform with your organization’s guidelines, the platform ensures their enforcement with intelligent and automatic monitoring.

Varonis SaaS collects data across three core categories: sensitivity, permissions, and activity. The combination of these aspects enables intelligent prioritization of risks and execution of effective remediation policies. Without this information, I would argue that it is impossible to make informed and accurate data security decisions or have confidence in understanding desired and undesired access.

So, what does using LPA for your organization’s Microsoft 365 environment look like? Let’s examine a few key aspects.

Real-time risk dashboards are a staple within Varonis. These tools help answer critical questions, like how much sensitive data your M365 tenants contain, what type of data it is, and how much is publicly exposed. You can monitor risk trends over time and drill into specific areas to view affected sites, folders, files, and links.

In Figure 5 below, we see an example of KRIs for an organization’s SharePoint Online environment, including sensitive data in focus.

Image

Figure 5 – SPO Dashboard

From there, we can directly click the badge to remediate the risk.

As Figure 6 illustrates below, multiple OOTB remediation policies allow organizations to cover a wide range of areas.

Image

Figure 6 – OOTB M365 Remediation

Although you can opt for least privilege automation as needed, Varonis recognizes whenever users infringe on data sharing policies. Because of this, the platform can correct undesired security controls and permissions automatically—continuously keeping your organization aligned to your data security framework.

What about customized policies for remediation? The pre-made policies are available for cloning and customization to meet your organization's specific requirements. Policies can be modified according to a range of factors, such as sensitivity, staleness, location, and link type, among others.

The platform provides a user-friendly interface that enables you to preview the outcomes of your policy, thus allowing you to ensure that the right conditions are set, adjust criteria, and gain assurance before finalizing your policy. You can even choose the schedule and approvals.

To build a custom LPA policy, you simply choose the scope, conditions, and action schedule. Then, let Varonis do the rest.

Image

Figure 7 – Building a Custom Remediation Policy

So, What Now?

In a world where data growth is exponential and organizations are drastically unprepared to protect their data, reducing the data blast radius is paramount. This holds especially true for sensitive data. After all, data is what organizations have the most of and know the least about. Let Optiv help. We can connect to and assess your data in minutes. The output of these assessments is eye-opening and leads to larger conversations around data, data governance, and compliance. Contact your Optiv client manager to inquire about an assessment for your organization. Together, Optiv and Varonis provide meaningful results and will present a snapshot of the health and protection of an environment. Google? Box? Microsoft 365? On-premises data stores? We have you covered!