One question I received in response to our recent post about aligning windows security groups and automating entitlement reviews was, “If you’re using single-purpose security groups and managing them automatically with an automated solution like DataPrivilege®, why use groups at all? Why not just assign users directly to the ACL?” That’s a great question (even though the idea may seem like heresy in the windows world).
There’s also a great answer: Applying NTFS permissions takes a very long time when you have to write the ACL’s (access control lists) on a large number of subfolders and files—sometimes it can take hours or even days with a large directory structure. Therefore, for now at least, we seem to be better off using groups and relatively static ACL’s to minimize the number of times permissions have to be applied to individual files and folders. In contrast, moving users into and out of groups is relatively quick, though replication can take a while, and users often have to log out and log back into AD for changes to take effect.
Some organizations have opted for a different approach that goes against what has become accepted as best practice—using Windows share permissions instead of NTFS permissions. I’ll discuss the pros and cons of this technique next time.
What should I do now?
Below are three ways you can continue your journey to reduce data risk at your company:
Schedule a demo with us to see Varonis in action. We'll personalize the session to your org's data security needs and answer any questions.
See a sample of our Data Risk Assessment and learn the risks that could be lingering in your environment. Varonis' DRA is completely free and offers a clear path to automated remediation.
Follow us on LinkedIn, YouTube, and X (Twitter) for bite-sized insights on all things data security, including DSPM, threat detection, AI security, and more.
