Google Drive is among the SaaS applications getting least privilege automation from Varonis. (Photo by Alex Wong/Getty Images)

Varonis on Tuesday announced least privilege automation for Microsoft 365, Google Drive and Box, a move that analysts say offers security teams the ability to more effectively manage SaaS apps.

“Securing SaaS is currently a critical blind spot for many organizations,” said Frank Dickson, who covers security and trust at IDC. “The accelerating movement to SaaS apps is viewed as a strategic weapon as companies digitally transform. However, SaaS application data, such as Office 365, is still the responsibility of the customer, and the reality of today's business application data is complex.”

Dickson explained that Varonis made an important move here because it aims to link the sensitivity of the data being accessed to the identity role. Dickson said that by eliminating unnecessary permissions to sensitive data, Varonis can reduce the attack surface in the event that credentials are compromised.

Varonis said in a statement that unlike other products that take an all-or-nothing approach, the Varonis platform makes intelligent decisions about who needs access to data and who doesn’t based on usage, data sensitivity and exposure. Companies can now customize remediation policies to fit their security and compliance requirements, and the least privilege automation continually enforces them without impacting employee collaboration.

“When excessive data access goes unchecked, a single compromised user or rogue insider can inflict untold damage on a business," said Jim Reavis, co-founder and CEO of the Cloud Security Alliance. “Reducing the data blast radius is a top priority for CISOs, but manual remediation isn’t possible with today’s pace of data growth and collaboration.”

Jack Poller, a senior analyst with Tech Target’s Enterprise Strategy Group, said the new least privilege automation from Varonis promises to automate enforcement of the least privilege access principle: provide only the necessary access levels for the person to do their work — no more, no less.

The new capability lets an organization define policies that automatically remove stale or excess permissions and right-size permissions for over-provisioned accounts, as well as remove stale or overly permissive collaboration links, said Poller.
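The three remediation policies Poller describes (revoking stale permissions, right-sizing over-provisioned editors, and removing stale or overly permissive sharing links) can be expressed as a small review pass over a permission inventory. The following is an added illustration written for this article, not Varonis's code or a description of its decision logic, which the announcement does not detail. The data model, the 90-day staleness window, the sensitivity labels and every grant and link in the inventory are constructed for the example.

```python
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Grant:
    principal: str             # user or group holding the permission
    resource: str              # file or folder path
    role: str                  # "viewer", "editor" or "owner"
    granted: date              # when the permission was granted
    last_used: Optional[date]  # last open/edit by this principal; None = never
    edits_in_window: int       # edits made during the review window


@dataclass(frozen=True)
class ShareLink:
    resource: str
    scope: str                 # "anyone" (no sign-in), "domain" or "specific"
    created: date
    last_used: Optional[date]  # None = never used


@dataclass(frozen=True)
class Finding:
    resource: str
    subject: str               # principal, or "link:<scope>"
    action: str                # "revoke", "downgrade_to_viewer", "remove_link"
    reason: str
    severity: str              # "high" on confidential data, else "medium"


# --- constructed inventory (hypothetical paths, users and labels) ---
TODAY = date(2024, 3, 1)
STALE_DAYS = 90
SENSITIVITY: Dict[str, str] = {
    "/finance/q4-forecast.xlsx": "confidential",
    "/eng/design-doc.docx": "internal",
    "/marketing/brand-kit/": "public",
}
GRANTS: List[Grant] = [
    Grant("alice", "/finance/q4-forecast.xlsx", "owner", date(2023, 1, 10), date(2024, 2, 28), 12),
    Grant("bob", "/finance/q4-forecast.xlsx", "editor", date(2023, 6, 1), date(2023, 9, 1), 0),
    Grant("carol", "/eng/design-doc.docx", "editor", date(2023, 12, 1), date(2024, 2, 20), 0),
    Grant("dave", "/eng/design-doc.docx", "viewer", date(2023, 11, 15), None, 0),
    Grant("erin", "/marketing/brand-kit/", "editor", date(2024, 1, 5), date(2024, 2, 29), 4),
]
LINKS: List[ShareLink] = [
    ShareLink("/finance/q4-forecast.xlsx", "anyone", date(2024, 2, 1), date(2024, 2, 27)),
    ShareLink("/eng/design-doc.docx", "domain", date(2023, 10, 1), None),
    ShareLink("/marketing/brand-kit/", "anyone", date(2023, 5, 1), date(2024, 2, 28)),
]


def _idle_days(today: date, last_used: Optional[date], since: date) -> int:
    """Days since last use; a never-used grant or link counts idle since creation."""
    return (today - (last_used or since)).days


def _severity(resource: str, sensitivity: Dict[str, str]) -> str:
    return "high" if sensitivity.get(resource) == "confidential" else "medium"


def review_grants(grants: List[Grant], sensitivity: Dict[str, str],
                  today: date, stale_days: int = STALE_DAYS) -> List[Finding]:
    """Flag stale grants for revocation and idle editors for downgrade to viewer."""
    findings: List[Finding] = []
    for g in grants:
        if g.role == "owner":
            continue  # never auto-remove owners: the resource would be orphaned
        sev = _severity(g.resource, sensitivity)
        idle = _idle_days(today, g.last_used, g.granted)
        if idle > stale_days:
            findings.append(Finding(g.resource, g.principal, "revoke",
                                    f"no access in {idle} days", sev))
        elif g.role == "editor" and g.edits_in_window == 0:
            findings.append(Finding(g.resource, g.principal, "downgrade_to_viewer",
                                    "editor role but read-only usage in window", sev))
    return findings


def review_links(links: List[ShareLink], sensitivity: Dict[str, str],
                 today: date, stale_days: int = STALE_DAYS) -> List[Finding]:
    """Remove anonymous links on confidential data outright, and any link gone stale."""
    findings: List[Finding] = []
    for link in links:
        subject = f"link:{link.scope}"
        if link.scope == "anyone" and sensitivity.get(link.resource) == "confidential":
            findings.append(Finding(link.resource, subject, "remove_link",
                                    "anonymous link on confidential data", "high"))
        elif _idle_days(today, link.last_used, link.created) > stale_days:
            findings.append(Finding(link.resource, subject, "remove_link",
                                    "link not used within review window",
                                    _severity(link.resource, sensitivity)))
    return findings


def run_review(today: date = TODAY) -> List[Finding]:
    """Full pass over the constructed inventory, highest severity first."""
    findings = review_grants(GRANTS, SENSITIVITY, today) + review_links(LINKS, SENSITIVITY, today)
    return sorted(findings, key=lambda f: (f.severity != "high", f.resource, f.subject))


if __name__ == "__main__":
    for f in run_review():
        print(f"[{f.severity}] {f.action:20} {f.subject:14} {f.resource}  ({f.reason})")
```

The pass leaves the owner and the actively used editor alone, revokes the two idle grants, downgrades the editor who only reads, and removes the anonymous link on the confidential spreadsheet while keeping the one on public marketing material, which is the collaboration-preserving behaviour the article attributes to usage- and sensitivity-aware policies. In a real deployment the inventory would come from the SaaS platform's permission and audit APIs, and findings would be reviewed or applied through a change workflow rather than acted on directly.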

While many identity products offer tools that let administrators understand which accounts or collaboration links are over-permissive, automating the remediation process serves as a big win for admins who now face the mantra of "do more with less," Poller continued.

“The last thing an IT admin wants is a call from the bosses complaining that an employee can’t complete a super-critical project because they don’t have access to the key files and folders,” said Poller. “This leads to admins habitually over-provisioning accounts — providing more access privileges than necessary — in anticipation of avoiding those midnight calls. Unfortunately, these over-provisioned accounts factor highly in data breaches. Another factor in data breaches is employees over-sharing sensitive information. Of particular concern is sharing via file sync-and-store services like Microsoft 365, Google Drive, or Box, where employees don’t set the proper access controls and inadvertently make sensitive information accessible to anyone.”

Piyush Pandey, chief executive officer at Pathlock, added that it’s very interesting to see dynamic access controls extended to collaboration applications.

“Looking at the Varonis announcement today, I’d say the big challenge will be how they can effectively partition sensitive data in a way that still allows for collaboration,” said Pandey. “In enterprise apps, that often means applying a data masking or obfuscation capability, so that certain data sets are removed from view, while still allowing users access to relevant data to proceed with their processes.”