Permissions, access controls, user rights, or privileges define what an identity can see or do in an organization. These terms are often used interchangeably based on context, and essentially perform the same function—granting or denying access to the resources in an enterprise. Permissions are applied to nearly every resource in a network, and are used for the simplest of tasks, like allowing a user to access a guest machine temporarily, to the most critical and complex of tasks, like making configuration changes on a server that hosts company-sensitive data. The scope of duties that permissions cover is incredibly broad, which makes it challenging for enterprises to secure them.

How do you discover permissions?

Permissions are widespread across traditional in-house and cloud deployments, devices, and apps. Different tools and interfaces are used to view and discover the permissions assigned to various resources, but the insights on permissions are limited. It’s possible to use scripts using command-line tools such as PowerShell or CMD, but it’s difficult to find scripts that cater to the unique needs of enterprises; more often than not, scripts also introduce unwarranted changes. The lack of a unified interface to grant or revoke permissions, or even obtain a holistic view of all the permissions granted to all the resources in an enterprise, make for extremely complex permission management and security.

The triangle approach to identity and secure permissions

Whether you’re a small or medium-sized business, or a larger enterprise with resources and users scattered across the world, securing access and permissions is paramount. Securing permissions and configuring sufficient access controls will prevent unauthorized access and leakage of company-sensitive data, and will also help you administer resources better, especially as they grow in number.

Permissions are used to dictate control for simple and complex tasks alike, such as providing read or write access to a text file or granting permission to manage privileged user identities or servers. A seemingly unimportant permission can lead to escalation of privileges and wreak havoc. So when you set out to secure your permissions, ask yourself these three simple yet crucial questions:

  • Do the right users have the right access to the right resources? [Visibility on permissions]

  • Are there systems in place to manage permissions and access? [Administration of permissions]

  • Are there security controls to monitor permission changes? [Auditing permission changes]

Let’s address the three sides of the triangle, which work together to secure permissions and access.


#1: Discovering permissions and access

Before we look into the various methods of discovering permissions, it’s important to understand the scope and extent of permissions—the different areas in your IT infrastructure where permissions can apply.

Evolution of IT infrastructures

Organizations are quickly adopting cloud environments, with half of the workload split between traditional in-house and cloud deployments.

Image source: Microsoft

The above illustration depicts the state of IT in organizations. Data, identities, and permissions are split between traditional in-house setups like Active Directory (AD) and apps like on-premises Exchange or Lync; across cloud deployments like Azure AD and apps that run on the cloud, like Office 365; and of course, data storage devices like file servers, NAS devices, etc.

An ideal scenario

A hybrid user identity is typically a member of security groups in on-premises AD, stores information in on-premises folders, has a mailbox in Exchange, and may also be a member of an Azure AD security group that provides access to Office apps like OneDrive or Skype for Business.

Using native tools to understand permissions has its disadvantages. The tools are extremely restrictive in their capabilities, and working with them is time-consuming and repetitive.

As an example, let’s assume you need to determine permissions on a nested folder structure for a Windows file server. The only way to do this natively is to manually check the Security tab of each file and folder.

You can start to see why using native tools can be a hassle, especially when you consider the additional complexity of inherited and explicit permissions.
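As an added example (not code from the original post or from ManageEngine), the following PowerShell script walks a nested folder tree on a file server with the built-in Get-Acl cmdlet and separates explicit ACEs from inherited ones, which is exactly the distinction that makes the Security tab tedious to review folder by folder. The root path and the output file are placeholders; it assumes the account running it can read the security descriptors of the folders in question.

```powershell
# Added example (not from the original post): enumerate NTFS permissions on a
# nested folder tree and separate explicit ACEs from inherited ones.
# Assumptions: runs on the file server (or against a UNC path) with read access
# to the folders' security descriptors; $Root below is a placeholder.
param(
    [string]$Root  = 'D:\Shares\Finance',   # placeholder root folder
    [int]$Depth    = 5                      # how many levels down to walk
)

function Get-FolderAceReport {
    param([string]$Path, [int]$Depth)

    # The root folder plus every subfolder down to -Depth
    $folders = @(Get-Item -LiteralPath $Path) +
               @(Get-ChildItem -LiteralPath $Path -Directory -Recurse -Depth $Depth -ErrorAction SilentlyContinue)

    foreach ($folder in $folders) {
        try {
            $acl = Get-Acl -LiteralPath $folder.FullName
        } catch {
            # Record folders whose ACL we cannot read instead of silently skipping them
            [pscustomobject]@{ Folder = $folder.FullName; Identity = '<access denied>'
                               Rights = ''; Type = ''; Inherited = ''; InheritanceDisabled = '' }
            continue
        }
        foreach ($ace in $acl.Access) {
            [pscustomobject]@{
                Folder              = $folder.FullName
                Identity            = $ace.IdentityReference.Value
                Rights              = $ace.FileSystemRights
                Type                = $ace.AccessControlType       # Allow / Deny
                Inherited           = $ace.IsInherited              # $false = ACE set explicitly on this folder
                InheritanceDisabled = $acl.AreAccessRulesProtected  # $true = folder no longer inherits from its parent
            }
        }
    }
}

$report = Get-FolderAceReport -Path $Root -Depth $Depth

# Explicit ACEs are the places where someone overrode inheritance; review those first
$report | Where-Object { $_.Inherited -eq $false } |
    Sort-Object Folder, Identity |
    Format-Table Folder, Identity, Rights, Type, InheritanceDisabled -AutoSize

# Keep the full report (inherited ACEs included) for later review
$report | Export-Csv -LiteralPath "$env:TEMP\folder-ace-report.csv" -NoTypeInformation
```

Folders where InheritanceDisabled is true are worth a second look: they stop inheriting from the parent, so a permission fix applied higher up the tree will not reach them.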

ManageEngine AD360 can help decode the permissions in your hybrid infrastructure so you can quickly start to understand problem areas and fix them.

  • Permissions on data storage and critical objects:

    • With customized reports and exclusive features such as granular permission searches, you can obtain a bird’s-eye view of permissions for all Windows file servers and critical security objects.

  • Privileged group and nested group reports:

    • Direct or indirect (nested) membership to administrative or privileged groups that provide access to sensitive resources can result in confidential data leakage or privilege escalation. Group-based reports in AD360 can help you determine group memberships to in-house resources (AD, Exchange, etc.) and even the cloud (Azure, Office 365, etc.).

  • Privileged and admin roles (on-premises and cloud):

    • Admins often delegate tasks to trusted users. But permissions granted once to do a task are typically not revoked, nor are admin roles delegated to end users documented. AD360 can help you maintain a checklist of delegated users and permissions, and also document the activities performed by the users with the delegated role.
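The nested-group point above is the one that most often hides privilege: a user who is not a direct member of Domain Admins can still reach it through a chain of nested groups. As an added example (not code from the original post or from ManageEngine), this PowerShell script expands a privileged group recursively with the RSAT ActiveDirectory module and reports each account together with the chain of groups that grants the membership. The group name is a placeholder, and the script assumes read access to the domain.

```powershell
# Added example (not from the original post): expand a privileged group's
# membership recursively and show the nesting chain behind each account.
# Assumptions: RSAT ActiveDirectory module is installed and the caller can
# read group membership; 'Domain Admins' below is a placeholder group name.
Import-Module ActiveDirectory

function Get-EffectiveGroupMembers {
    param(
        [Parameter(Mandatory)][string]$Group,
        [string[]]$Path = @()          # SamAccountNames of the groups walked so far
    )

    $g = Get-ADGroup -Identity $Group
    # Guard against circular nesting (A contains B, B contains A)
    if ($Path -contains $g.SamAccountName) { return }
    $chain = $Path + $g.SamAccountName

    foreach ($m in Get-ADGroupMember -Identity $g.DistinguishedName) {
        if ($m.objectClass -eq 'group') {
            # Recurse into the nested group, carrying the chain along
            Get-EffectiveGroupMembers -Group $m.DistinguishedName -Path $chain
        } else {
            [pscustomobject]@{
                Member     = $m.SamAccountName
                ObjectType = $m.objectClass               # user, computer, gMSA, ...
                Direct     = ($chain.Count -eq 1)         # $true if a direct member of the top-level group
                Via        = ($chain -join ' -> ')        # e.g. "Domain Admins -> Tier0-Ops -> Helpdesk"
            }
        }
    }
}

$members = Get-EffectiveGroupMembers -Group 'Domain Admins'   # placeholder group

# Indirect members are the ones a GUI membership view does not show at a glance
$members | Sort-Object Direct, Via, Member |
    Format-Table Member, ObjectType, Direct, Via -AutoSize

# A group reached through two different chains is expanded once per chain,
# so an account that arrives by several routes is listed once per route
$members | Group-Object Member | Where-Object Count -gt 1 |
    ForEach-Object { "{0} reaches the group via {1} chains" -f $_.Name, $_.Count }
```

Because the chain is recorded, the output answers the question a membership listing alone cannot: which nested group has to be cleaned up to remove a given account's indirect privilege.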

AD360 offers many variations of permission-based reports, resource-based reports (such as licenses utilized or storage consumed), and compliance-based reports (for SOX, HIPAA, PCI-DSS, etc.). With these reports, you can more easily optimize resources, ensure their judicious usage, and stay compliant.

#2: Managing permissions and access

Discovering and understanding the state of permissions in the IT infrastructure was the first step; it’s equally important to fix vulnerable permissions, and also have an efficient administration system in place to manage permissions.

AD360 offers a centralized console to view and manage permissions across hybrid infrastructure (both on-premises and cloud).

  • Built-in management actions:

    • Obtain detailed membership information for privileged groups, and also perform bulk management actions like removing unwanted users from a group or disabling an account, enabling you to fix vulnerabilities as soon as you spot them.

  • Automate management tasks across on-premises and cloud:

    • No more switching between tools and toggling multiple screens; AD360 can help you perform tasks across hybrid environments, all from a single console. Here’s an example of hybrid user provisioning:


  • Set time-based access for permissions:

    • Administrators and help desks often give end users access to resources, like granting access to a confidential folder or permission to read a mailbox, but they also often forget to revoke these permissions. AD360 can help you set time-based permissions on resources, automatically revoking them once the period they were needed for has elapsed.

#3: Monitoring permissions for changes

The only way to monitor the permissions and access changes happening in your environment is to look into the audit logs.

The sheer volume of audit logs produced across AD, Azure AD, different file servers, and other apps makes it difficult to collect all the logs in one place and manually comb through them to spot suspicious actions or anomalies.

AD360 provides customized reports that you can instantly leverage to monitor changes in your on-premises and cloud environments, set customized alerts to notify the administrator about those changes, and implement a countermeasure scheme.

Activities like a user being granted privileged access or changing the ownership of a confidential folder are critical, and must be alerted upon to ensure any changes made are authorized.
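To make the "alert on privileged access grants" idea concrete, here is an added example (not code from the original post or from ManageEngine) that reads the group-membership change events from a domain controller's Security log with the built-in Get-WinEvent cmdlet and flags any change that touches a watchlist of privileged groups. The domain controller name and the watchlist are placeholders, and it assumes the "Audit Security Group Management" subcategory is enabled and that the caller can read the DC's Security log.

```powershell
# Added example (not from the original post): pull group-membership change
# events from a domain controller's Security log and flag changes to
# privileged groups. Assumptions: "Audit Security Group Management" auditing is
# on and the caller can read the DC's Security log; $DomainController and the
# watchlist entries are placeholders to adjust for your environment.
param(
    [string]$DomainController = 'DC01',   # placeholder
    [int]$Hours = 24
)

# Member added / removed for security-enabled global (4728/4729),
# local (4732/4733) and universal (4756/4757) groups
$eventIds = 4728, 4729, 4732, 4733, 4756, 4757

$watchlist = @('Domain Admins', 'Enterprise Admins', 'Schema Admins',
               'Administrators', 'Account Operators')

function Get-GroupChangeEvents {
    param([string]$Computer, [int]$Hours)

    $events = Get-WinEvent -ComputerName $Computer -FilterHashtable @{
        LogName   = 'Security'
        Id        = $eventIds
        StartTime = (Get-Date).AddHours(-$Hours)
    } -ErrorAction SilentlyContinue

    foreach ($e in $events) {
        # Read the named EventData fields from the event XML rather than
        # parsing the free-text message, which varies by locale
        $data = @{}
        ([xml]$e.ToXml()).Event.EventData.Data |
            ForEach-Object { $data[$_.Name] = $_.'#text' }

        [pscustomobject]@{
            Time      = $e.TimeCreated
            Action    = if ($e.Id -in 4728, 4732, 4756) { 'Added' } else { 'Removed' }
            Group     = $data['TargetUserName']     # name of the group that changed
            Member    = $data['MemberName']         # DN of the account added or removed
            ChangedBy = $data['SubjectUserName']    # who made the change
            Id        = $e.Id
        }
    }
}

$changes = Get-GroupChangeEvents -Computer $DomainController -Hours $Hours

# Every change to a watchlisted group is alert-worthy; each one should map to an
# approved change record
$alerts = $changes | Where-Object { $_.Group -in $watchlist }

$alerts | Sort-Object Time | Format-Table Time, Action, Group, Member, ChangedBy, Id -AutoSize

if ($alerts) {
    # Placeholder hook: replace with whatever alerting you use (email, SIEM, ticketing)
    Write-Warning ("{0} privileged-group change(s) in the last {1} hour(s) on {2}" -f
                   @($alerts).Count, $Hours, $DomainController)
}
```

Running this on each domain controller (or against forwarded logs) gives the same signal the text describes: a grant of privileged access surfaces as a named event with the group, the member and the person who made the change, ready to be checked against an approval.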

The problem with any IT setup, whether it be on-premises, cloud, or hybrid, is the absence of centralization. The absence of a unified interface makes it difficult to view, manage, or even monitor permissions and accesses.

AD360 is an integrated identity access and IT governance solution for managing user identities, governing access to resources, enforcing security, and ensuring compliance. All you need to do is choose the modules you need, and seize back control of permissions across on-premises, cloud, and hybrid environments from within a single console!

Download a fully functional, 60-day trial of AD360, and try out all these features for yourself today.