Now You Know – Rev Your Automation Engine!

November 2, 2021

NOW YOU KNOW: PART 2 of a Series.


How are proper file system permissions achieved? How can open access remediation be achieved at scale?


One of the challenges that became apparent early in my career in the late '90s (and is still at the apex of data security concerns and discussions) is that of proper file system permissions. Any organization serious about preventing ransomware attacks, dealing with insider threats and ensuring data compliance must recognize this foundational topic and then align its file system permissions to what its personnel actually need.


I’m working under the assumption that you're familiar with the Least Privileged Access model, but if you’d like to brush up on this, there is an excellent write-up here. The basic premise of least privilege is that users should only have access to the resources they need to accomplish their work.


For organizations to hit the ground running when it comes to achieving a least privileged environment, the following are a few key items to understand and implement:


  • Establish a data governance program that includes identified data owners.
  • Know what type of data exists and where it's located (particularly sensitive data).
  • Understand who has access to company data, what level of access they have and who is using their access.
  • Know about Global Access Groups and where they’re utilized throughout an organization's file permissions.
  • Ensure proper permission inheritance is in place.


If your business struggles or lacks understanding of any of these items, Optiv and Varonis can help you develop more familiarity. We regularly address these issues on behalf of our clients.


I’d now like to focus on Global Access Groups and Inheritance as they relate directly to file system permissions. Understanding these topics will go a long way in achieving and maintaining a Least Privileged Access model.


We'll see how the Varonis Automation Engine allows you to take control of your file permissions in an efficient and automated way that can remove hundreds of hours, and in some cases years, of manual effort from tightening, cleaning and maintaining secure permissions. Let’s discuss.



Global Access Groups

For those unfamiliar with Global Access Groups, let's dig in a bit.


Simply put, Global Access Groups are any security groups that contain either all the users in your organization or most of the users in your organization and/or department. These groups can be automatically or manually created.


The out-of-the-box or automatically created groups that fit this description (otherwise known as “Abstract” groups) often come standard as part of certain Directory Services products like Microsoft Active Directory. Examples of these groups in Active Directory include “Everyone”, “Domain Users” or “Authenticated Users”.


In the case of manually created security groups that fit the description of a Global Access Group, think about groups that department/organizational leaders would create to include all the people in their purview. Examples include “All Finance”, “Legal_Everyone” or “New Employees”.


These Global Access Groups may be useful in certain circumstances within a business but should not be considered a means of controlling least privileged access. Utilizing these groups runs counter to the least privilege process. When organizations utilize global groups as a “catch-all” bucket to open permissions to a wider audience, they leave the door open to significant risk.



Broken Inheritance

Sometimes called “Inconsistent Permissions,” broken inheritance is the situation that every IT or Security admin has found themselves in at least once. I have seen this issue arise mostly within the sphere of Microsoft Windows and its NTFS file system. Administrators will often assign permissions at a parent folder level and set inheritance to propagate down the file tree to child objects (subfolders and files). If initially configured correctly, and assuming that a least privileged model is strictly adhered to, your chances of incurring inconsistent inheritance are much lower (but not necessarily zero).


Let’s assume that an IT/Security administrator has designed a proper set of access controls that adhere to the practice of least privilege and applied them to a given file structure. This is a great start. Inevitably there will be users who are granted the Modify permission and other admins who are granted the Full Control permission. When other admins come along later and are required to modify permissions for a new business-related reason, or when tasked with doing a data migration, problems can arise.


Let’s expand on these scenarios for a closer look. What if, in the case of file system permissions needing modifications to fit evolving business needs, a different administrator sets new permissions and starts propagating them throughout the file tree – but during propagation realizes they made a mistake and aborts the propagation? Now only part of the tree has received those permissions. Likely they will fix the initial misconfiguration and start another propagation task. But now there is concern about inconsistent or broken permissions. It is the nature of the OS, in this case, to not give a report or an accounting of which objects were touched with the initial/aborted propagation.


What if, in a data migration scenario, you have an IT admin who is tasked with migrating data from one location to another? There is no shortage of ways to move data. Tools like Robocopy, xcopy, dragging/dropping data from source to destination, etc., all allow for data moves, copies and migrations. Some of these tools are more robust than others, but they all rely on the administrator using them to ensure proper configuration of the migration job. If the administrator accidentally uses a wrong configuration parameter, they could wipe out all permissions in a certain location on a destination data source, causing that location to no longer adhere to its parent’s permission structure.


These are just a couple of examples of how file system permissions can quickly and radically become inconsistent. Maintaining consistent and properly inherited permissions is critical to maintaining data security and data governance. Until Varonis released their Automation Engine suite there was no accurate and efficient way to remediate these issues in an automated fashion. Instead, remediation would often involve incalculable and unreasonable amounts of time to manually resolve even small numbers of inconsistent permissions. Varonis has changed the game. Enter the Automation Engine.
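Before remediating, it helps to see how many folders are affected. The following PowerShell script is an added example, not code from this post or from Varonis/Optiv: it walks an NTFS tree and reports the two conditions discussed above, Allow ACEs granted to Global Access Groups and folders whose permissions diverge from their parent (inheritance disabled, or explicit ACEs added below the root). It assumes a Windows host where the running account can read the tree's ACLs; the default group list and the sample domain name are constructed.

```powershell
# Added example (not from the post or from Varonis/Optiv): walk an NTFS folder tree and
# report (1) Allow ACEs granted to Global Access Groups and (2) folders whose permissions
# diverge from the parent: inheritance disabled, or explicit (non-inherited) ACEs below the root.
# Assumes a Windows host where the account running it can read the tree's ACLs.
param(
    [Parameter(Mandatory)] [string] $Root,
    [string[]] $GlobalGroups = @('Everyone', 'Authenticated Users', 'Domain Users'),
    [string] $Report = '.\acl-findings.csv'
)

# Match bare or domain-qualified names, e.g. 'CORP\Domain Users' (constructed sample value).
function Test-GlobalGroup([string] $Identity) {
    return $GlobalGroups -contains ($Identity -split '\\')[-1]
}

function Add-Finding($List, $Folder, $Kind, $Identity, $Rights) {
    $List.Add([pscustomobject]@{ Path = $Folder; Finding = $Kind; Identity = $Identity; Rights = "$Rights" })
}

$rootPath = (Get-Item -LiteralPath $Root).FullName
$folders  = @(Get-Item -LiteralPath $Root) +
            @(Get-ChildItem -LiteralPath $Root -Directory -Recurse -ErrorAction SilentlyContinue)
$findings = New-Object 'System.Collections.Generic.List[object]'

foreach ($folder in $folders) {
    try { $acl = Get-Acl -LiteralPath $folder.FullName } catch { continue }   # access denied etc.
    $isRoot = $folder.FullName -eq $rootPath

    # Inheritance switched off: the parent's ACL no longer flows down to this folder.
    if (-not $isRoot -and $acl.AreAccessRulesProtected) {
        Add-Finding $findings $folder.FullName 'InheritanceDisabled' '' ''
    }

    foreach ($ace in $acl.Access) {
        # Any Allow ACE for a Global Access Group widens access, whether inherited or explicit.
        if ($ace.AccessControlType -eq 'Allow' -and (Test-GlobalGroup $ace.IdentityReference.Value)) {
            Add-Finding $findings $folder.FullName 'GlobalAccessGroup' $ace.IdentityReference.Value $ace.FileSystemRights
        }
        # An explicit ACE on a child that still inherits means permissions were added here
        # (an aborted propagation or a migration tool): the inconsistent-permissions case.
        if (-not $isRoot -and -not $acl.AreAccessRulesProtected -and -not $ace.IsInherited) {
            Add-Finding $findings $folder.FullName 'ExplicitAce' $ace.IdentityReference.Value $ace.FileSystemRights
        }
    }
}

$findings | Export-Csv -LiteralPath $Report -NoTypeInformation
$findings | Group-Object Finding | Select-Object Name, Count   # quick summary on the console
```

Save it as a .ps1 file and run it against a share root, e.g. `.\Find-AclFindings.ps1 -Root '\\fileserver\legal'` (constructed path); the CSV gives you the per-folder list that the OS itself does not produce after an aborted propagation.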



Varonis Automation Engine

Now that we have set the groundwork and understand Global Access Groups and broken (or inconsistent) file system permissions, let’s focus our attention on how we can achieve secure file system permissions and get to a least privileged state. How can organizations perform remediation to achieve a secure environment – an environment that adheres to least privilege and resolves inconsistent permissions throughout its file systems?


It can be done manually, but the process of remediating these issues is daunting because of the time it requires. There is nothing native to most operating systems that indicates when you have inconsistent permissions, nor a broad mechanism to fix them.


The Automation Engine can help streamline both types of remediation. Whether your environment is rife with open access due to utilization of global groups, or has an abundance of inconsistent permissions, the Automation Engine should be your go-to product. Varonis estimates 58% of companies have more than 100,000 folders open to every single employee. Imagine the ramifications of this from a risk perspective. It only takes one sensitive file getting into the wild for a data breach to make headlines.


Let’s look at both aspects of the Automation Engine. First, we’ll dive into how it can be run on file systems’ tree structures to automatically remove global groups throughout the hierarchy and even replace those groups with proper groups. Proper groups are those single purpose groups containing only personnel with a need to have access to specific data. We’ll conclude by examining how the engine can bulk-remediate inconsistent or broken permissions.


Remediation of Global Access Groups

The Varonis Automation Engine safely removes Global Access Groups by replacing them with single purpose groups and putting the correct users in these groups. Remember, the Varonis Data Security Platform monitors all user activity on your data resources. It analyzes all user activity and knows who is using their access, and therefore who needs to retain access and at what level.


Additionally, the Automation Engine allows for fixing items on a folder-by-folder basis, fixing stale datasets, or scaling up to perform remediation across the enterprise.


The brilliance is that all this can be done with accuracy, efficiency and speed. Prior to the Automation Engine the manual effort required could take weeks, months or even years, depending on the size of the organization and the amount of data configured with open access. In the past, these types of issues fell by the wayside or were only partially addressed by organizations. Simply put, manually remediating open access is extremely time consuming, expensive and prone to human error.
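To make the replacement step concrete, here is an added PowerShell example (not the Automation Engine's own code) that swaps one Global Access Group's explicit Allow ACEs on a folder for a single-purpose group carrying the same rights and inheritance flags. It assumes the replacement group already exists and has been populated with the users who actually use the data; deciding who those users are is the activity analysis the post attributes to Varonis and is out of scope here. Runs as a dry run unless -Apply is given; the group names are constructed.

```powershell
# Added example (not from the post or from Varonis/Optiv): replace one Global Access
# Group's explicit Allow ACEs on a folder with a single-purpose group holding the same
# rights. Dry run unless -Apply is given. Assumes the replacement group already exists
# in AD and already contains the users who need access. Names below are constructed.
param(
    [Parameter(Mandatory)] [string] $Path,
    [string] $GlobalGroup = 'Everyone',
    [Parameter(Mandatory)] [string] $ReplacementGroup,   # e.g. 'CORP\Legal-Contracts-RW'
    [switch] $Apply
)

$acl = Get-Acl -LiteralPath $Path

# Only explicit ACEs can be changed here; inherited ones must be fixed where they originate.
$targets = @($acl.Access | Where-Object {
    -not $_.IsInherited -and
    $_.AccessControlType -eq 'Allow' -and
    ($_.IdentityReference.Value -split '\\')[-1] -eq $GlobalGroup
})

if ($targets.Count -eq 0) {
    Write-Output "No explicit '$GlobalGroup' Allow ACE on $Path (check the parent for an inherited one)."
    return
}

foreach ($ace in $targets) {
    # Mirror rights, inheritance and propagation flags so child objects keep the same scope,
    # only the principal changes from the global group to the single-purpose group.
    $new = New-Object System.Security.AccessControl.FileSystemAccessRule(
        $ReplacementGroup, $ace.FileSystemRights, $ace.InheritanceFlags, $ace.PropagationFlags, 'Allow')
    Write-Output ("{0}: replace '{1}' ({2}) with '{3}'" -f
        $Path, $ace.IdentityReference.Value, $ace.FileSystemRights, $ReplacementGroup)
    [void] $acl.RemoveAccessRule($ace)
    $acl.AddAccessRule($new)
}

if ($Apply) {
    Set-Acl -LiteralPath $Path -AclObject $acl
    Write-Output "ACL written to $Path."
} else {
    Write-Output 'Dry run only: re-run with -Apply to write the ACL.'
}
```

Because the inheritance flags are copied, subfolders that still inherit from this folder pick up the new group on their own; folders with broken inheritance below it need the same treatment or an inheritance repair first.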


Let’s look at a brief example. In Picture 1 and Picture 2 below, we see the NTFS permissions (ACL) of a folder named “legal”. We can also see at the right of Picture 2 that this folder and its subfolders have a significant amount of sensitive data Varonis identified.


Picture 1 shows the built-in Active Directory group known as the “Everyone” group assigned Full Control of this folder. Picture 2 shows that nearly all the direct subfolders of the “legal” folder inherit its permissions.


Note: In Varonis DatAdvantage, a folder displayed with a plain folder icon inherits the permissions of its parent.



Picture 1




Picture 2



As you can tell from the above example, this is not an optimal situation. Let’s look at what the Automation Engine can do.


To do this, we’ll look at an Automation Engine policy, or rule. The rule executes on the parent folder and its children and lets you define the criteria by which it remediates. Again, this open access exists because the “Everyone” global group currently appears in this tree structure’s permissions. See Picture 3 below.


We can see the folders to be included in the remediation rule, any exceptions and a calculated scope. There are over 460 folders to be remediated.



Picture 3



If we progress from here and move to Picture 4 below, we can see there’s a choice of the method that the Automation Engine will use to remediate these Global Access Groups. The choices are to remediate only non-used Global Access Group permissions or to remediate all Global Access Group permissions.


I’ve included the tool tips in Picture 4b & Picture 4c, which explain the difference.



Picture 4




Picture 4b – Remediate only non-used global access group permissions (Default option)




Picture 4c – Remediate all global access group permissions



As you can see from Picture 4, Picture 4b and Picture 4c the product provides options. Remember, the Automation Engine utilizes Varonis analytics and monitoring to understand what activity is being performed on your data resources and by whom. That way the Automation Engine knows what permissions are and are not being used.


For example, one could remediate all Global Access Group permissions. If this method is chosen, several additional options become configurable within the Automation Engine, such as how the permissions of any newly created and applied groups map to the Global Access Groups that will be removed. See Picture 5 below.


Additionally, because the Automation Engine can create new groups to replace these Global Access Groups, it also lets you define a naming convention for the new groups.



Picture 5



The Automation Engine can even be configured to send notifications to any number of recipients. These notifications span several action types as shown in Picture 6 below.



Picture 6



Lastly, I wanted to mention that if you make a mistake or there is a need, Varonis gives you the ability to roll back changes on rules that have finished executing.


Now that you understand what the Automation Engine can do to bulk-remediate open access and remove Global Access Groups from your file system permissions while simultaneously applying proper single purpose groups in their place, you can imagine the possibilities of the Automation Engine. Imagine this at scale!


Remediation of Inconsistent Permissions

Now we will look at an example of how easy it is to identify Inconsistent Permissions in the Varonis DatAdvantage UI. This is something that the OS and other products do not readily display. Additionally, the Varonis platform offers comprehensive reporting on all Inconsistent Permissions in an environment in a single document. The report also shows what makes the permissions inconsistent.


Now, let’s look at Picture 7. At the top level of the tree structure, we see the root level folder named “Share”. Notice this folder has an informational icon (blue box with the letter “i”) to the left of the folder. If we look to the “Explanations” column we can see that there is a problem at a child folder level. This is what the explanation “Child directory permission is broken” indicates.


If you follow the informational icon down to the sub-level folder “dsr” the informational explanation is “Broken Permissions.” I have expanded the folder to show subfolders. Every folder that now exists underneath “dsr” has inconsistent permissions and we can also see that many of these folders contain various PCI sensitive data.


How secure can a file system be when the security permissions applied at a parent level with intentional inheritance are not being inherited correctly by the child objects?



Picture 7



We can use the Varonis platform to begin building a rule that is scoped to automatically handle these issues and repair them to the desired state. The Automation Engine can be launched from the standard Varonis UI. One can simply select the folder that needs repair and via a context menu tell the Automation Engine to begin building a rule to bring this folder back into permissions compliance.


Once you start this process, you will be able to see and validate the scope of your intended remediation. See Picture 8 below.



Picture 8



Next, a repair method must be chosen. There are two repair methods available, as shown below in Picture 9. If orphaned permissions are encountered, the product can be configured to either preserve those orphaned permissions as unique permissions or remove them. Orphaned permissions are simply permissions that should have a valid inheritance source but do not.



Picture 9



The rule to remediate can either be scheduled at a specific date and time or be run immediately. When scheduling the rule there is even an option for recurrence. Recurring schedules can be handy if you find you’re incurring broken permissions on a regular basis. Of course, one would want to investigate why those incidents keep happening and further shore up the file system permissions to reduce this possibility. Varonis nicely allows you to handle these situations with the Automation Engine’s scheduling ability.


As you can see, the Varonis Automation Engine is so intuitive and accurate at what it does that one must only walk through a few screens to build a remediation rule and you’re ready to go.


Rev your Automation Engine!




Now, you should have a good understanding of the most efficient and accurate way to bulk remove and replace your Global Access Groups and remediate Broken Permissions. If you skipped here because TL;DR, the answer is the Varonis Automation Engine.


If you would like to learn more, please reach out to your Optiv Client Manager to schedule a Varonis demo. Additionally, there is a free Varonis Data Risk Assessment that will utilize the capabilities of the Varonis Data Security Platform to illuminate topics such as where your open access exists, where sensitive data is located, where your data may be at risk and how the Varonis Automation Engine can quickly and accurately remediate Global Access Groups and resolve Inconsistent Permissions. Let us help you get to a Least Privileged Access model and avoid potential security threats.


If you didn’t know, now you know.

Jeremy Bieber
Partner Architect for Varonis | Optiv
Jeremy is Optiv's Partner Architect for Varonis, specializing in understanding unstructured data, data governance/compliance and data protection.

With over 22 years of experience, Jeremy began professionally working with technology during the late 1990s at Electronic Data Systems and later at Hewlett-Packard. In 2016 he joined Varonis, consulting with clients and implementing the Varonis Data Security Platform to ensure client achievement of least-privileged access models and proactive threat detection, locating and ensuring sensitive-data compliance on-premise and in the cloud.

Over the course of his career, Jeremy has achieved a range of industry certifications including over a dozen Microsoft certifications, certifications from VMware, Hewlett-Packard, Smarsh and Varonis. He can pull from his lengthy experience including system administration, architecture, engineering and consulting to provide a seasoned focus on data security.

At Optiv, he uses this real-world experience to relate how the Varonis Data Security Platform will enhance the overall security goals for our clients, reduce risk, detect abnormal behavior and ensure compliance.