For most organizations, the evolution of their environment is focused on addition: new servers, applications, connections, cloud resources, and directory services. The same scenario applies to your organization. With each part of this growth comes an equally growing number of permission assignments. These permissions make up your current state of security. But we all know that once a permission assignment is made, it is usually never thought of again.
But now, among the many obstacles businesses are facing amidst COVID-19, data theft ranks second. Many of the recent attacks were aimed at hospitals, where cybercriminals locked away critical systems and data, such as medical records and billing details.
Setting recent events aside, organizations today lack even the most rudimentary understanding of what permissions have been assigned to whom, making security and related compliance mandates impossible to manage. But more IT organizations are realizing the responsibility they have around securing data that, if put in the wrong hands, could harm the organization.

The responsibility of securing data is collectively addressed through proper governance. Governance can be thought of as the sum of all the related policies, processes, standards, reporting, and roles used by both people and technology, which together ensure that applications and data are used effectively and appropriately to help an organization achieve its business objectives.
The Three Steps – Pause and Assess
The focus of governance is generally around the data itself, but in this article, we’d like to turn your attention to permissions as one tactical aspect of governance that needs to be addressed across the entire hybrid environment. This article covers the three steps you can take to work towards proper governance over permissions, whether to resources on-premises, in the cloud, or a mix of both.
Step 1: Understanding (what data you have to manage)
Before IT can establish some degree of governance over permissions to critical data, it needs to know exactly where that data exists within any part of the organization. But because organizations today no longer define their environment by bricks and mortar but by clouds and virtual networks, visibility into where data resides is diminished.
Today, 82% of organizations don’t know where their critical data is located. About 67% of IT professionals consider their environment over-permissioned or are unsure of the state of its security. The fact that organizations aren’t sure where their data resides is even more alarming.
So, it is important for organizations to both classify their data and discover relevant permissions based on the data’s importance to business, its application to compliance mandates, its sensitivity, and its value outside the organization. Let’s briefly discuss these two tasks.
1- Data Classification: The first step in gaining control and applying some degree of governance over the access granted is to identify the data that exists and organize it into categories so that it may be protected more efficiently. Data classification can be based on the content itself (such as matching text formatting to that of a credit card number), contextual details (such as the application used to create the data), or the user responsible for the data. Data that needs to be classified can be stored in a few ways and locations:
- On-Premises and in the Cloud – The long-running default location, data can reside on file servers and within application databases of just about any kind (think email, collaboration, and data-centric applications). But it can be hosted on the cloud as well. Take the not-so-simple example of Microsoft 365 (and Office 365) alone, and you have OneDrive, Exchange Online, SharePoint Online, Teams, and more that can equally contain valuable data.
- Structured and Unstructured – Data can be easily searchable when stored in a structured format, such as a file in a file system. But it can also be unstructured, such as text stored as part of an email message.
2- Permissions Discovery: Once you understand what data is critical to the success and longevity of the organization, the next step is to ascertain exactly who has permissions to access that data. This is not a simple process, and in many cases it may simply have to be done manually. For every data set, whether in the cloud or on-prem, structured or unstructured, it’s imperative to begin with a baseline of access in order to establish some degree of governance over your permissions. To get a grasp on what data exists within your organization and what kind of access is being granted to it, consider the following best practices:
- Define your critical data types – Consider data that is subject to compliance (e.g., credit card data, personal data of customers and employees), data that could hurt the business if obtained by a competitor (e.g., customer lists, intellectual property, product roadmaps, etc.), and data that would be of value if sold on the dark web.
- Discover where that data resides – The easiest way to accomplish this is with a third-party data classification tool designed to take patterns and identifying characteristics and automatically search across the various locations and methods of data storage to find every bit of your critical data.
- Report on the Permissions – What you need here is a rundown of the tactical permissions assigned and to which accounts. You’ll likely need a combination of application- or platform-specific reporting, PowerShell scripting, and third-party solutions to accomplish this.
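The kind of PowerShell baseline the last bullet refers to, as an added example (this script is not from the original article or from GroupID): it reads the explicit NTFS grants on a set of shares, expands each Active Directory group to the user accounts that actually inherit the access, and flags grants made directly to a single account (the one-off permissions that Step 2 warns against) as well as grants that point at principals that no longer exist. The share paths and the domain NetBIOS name are placeholders, and the script assumes the RSAT ActiveDirectory module is installed and the account running it can read the ACLs.

```powershell
# Added example, not part of the original article: permission baseline for a set of shares.
# Assumes the ActiveDirectory module and read access to each path. $Paths and $Domain are placeholders.
Import-Module ActiveDirectory

$Paths  = @('\\fileserver01\Finance', '\\fileserver01\HR')   # placeholder shares
$Domain = 'CORP'                                             # placeholder NetBIOS domain name
$cache  = @{}   # group sAMAccountName -> resolved user list, so each group is expanded only once

function Expand-Identity {
    param([string]$IdentityReference)
    # An unresolvable SID (S-1-5-21-...) means the principal was deleted but the ACE was left behind
    if ($IdentityReference -like 'S-1-*') {
        return [pscustomobject]@{ Kind = 'Orphan'; Members = @() }
    }
    # Built-in principals (NT AUTHORITY\..., BUILTIN\...) and accounts from other domains are reported as-is
    if ($IdentityReference -notlike "$Domain\*") {
        return [pscustomobject]@{ Kind = 'BuiltIn'; Members = @($IdentityReference) }
    }
    $sam = $IdentityReference.Split('\')[1]
    $obj = Get-ADObject -Filter { sAMAccountName -eq $sam }
    if ($null -eq $obj) {
        return [pscustomobject]@{ Kind = 'Orphan'; Members = @() }
    }
    if ($obj.ObjectClass -eq 'group') {
        if (-not $cache.ContainsKey($sam)) {
            # -Recursive flattens nested groups so the report shows who really has the access
            $cache[$sam] = @(Get-ADGroupMember -Identity $sam -Recursive |
                Where-Object objectClass -eq 'user' |
                Select-Object -ExpandProperty SamAccountName)
        }
        return [pscustomobject]@{ Kind = 'Group'; Members = $cache[$sam] }
    }
    # A user, computer or service account granted directly is a one-off permission
    return [pscustomobject]@{ Kind = 'Direct'; Members = @($sam) }
}

$report = foreach ($path in $Paths) {
    $acl = Get-Acl -Path $path
    foreach ($ace in $acl.Access) {
        # Only explicit grants are listed; inherited ones are reported where they were set
        if ($ace.IsInherited) { continue }
        $resolved = Expand-Identity -IdentityReference $ace.IdentityReference.Value
        [pscustomobject]@{
            Path        = $path
            Identity    = $ace.IdentityReference.Value
            Kind        = $resolved.Kind
            Type        = $ace.AccessControlType
            Rights      = $ace.FileSystemRights
            MemberCount = $resolved.Members.Count
            Members     = ($resolved.Members -join ';')
        }
    }
}

# Keep the full baseline for comparison on the next run
$report | Export-Csv -Path .\permissions-baseline.csv -NoTypeInformation

# One-off grants and orphaned ACEs are the first review targets
$report | Where-Object { $_.Kind -in 'Direct', 'Orphan' } | Format-Table Path, Identity, Kind, Rights
```

Two caveats when running this against a real estate: Get-ADGroupMember goes through Active Directory Web Services, which by default refuses to return more than 5,000 members for one group, so very large groups need to be read from the group’s member attribute instead; and the script only looks at the top-level ACL of each share, so folders below it with inheritance disabled must be added to $Paths (or walked with Get-ChildItem -Recurse -Directory) to be covered.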
Step 2: Implementing (the principle of least privilege)
The principle of least privilege has been around for some time now. It is the practice of restricting access to data, applications, and systems down to the minimum needed to perform necessary actions, and nothing more. However, the advent of the cloud has multiplied the complexity of the environment, making least privilege much more difficult to implement. Like governance, least privilege is an ongoing, ever-changing effort to keep the organization at the right balance of security and productivity.
The following best practices can be helpful in implementing least privilege:
- Use groups to manage permissions – Any use of one-off permissions should be avoided, as they tend to be forgotten over time. Groups facilitate consistency in execution around both permission assignments and restrictive policies.
- Use role-based groups – The use of roles is foundational to governance, as roles are used to define access. Use solutions that offer management of dynamic groups based on object attributes (e.g., location, title, etc.) within Active Directory. This ensures group memberships are automatically and continually updated.
- Establish group attestation – The process of attesting to a group’s existence, memberships, and assigned permissions is a key element of both least privilege and governance. Each group should be assigned an owner: someone who understands the business need for the group and the repercussions of its existence, and who is responsible for any changes made to it. Periodically, each owner should review their group(s) and attest that the configuration, memberships, permissions, and existence are correct, up to date, and still necessary for operations.
- Consider an identity management platform – All of the work in the best practices above needs to reach the entirety of your hybrid environment. Having a means to centrally manage groups, members, and permissions, and then synchronize the current state of the directory out to all cloud-based applications and other directories in use, ensures a single configuration exists enterprise-wide.
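To show what the attestation cycle described above looks like in practice, here is an added example (not from the original article or from GroupID) that builds the review packet each group owner signs off on. It reads every group under a given OU, resolves the owner recorded in the managedBy attribute, and flags the conditions that make attestation impossible or suspicious: no owner, a disabled owner, an empty group, a missing description, and no change at all since the last review window. The OU distinguished name and the 90-day interval are placeholders, and the script assumes the RSAT ActiveDirectory module.

```powershell
# Added example, not part of the original article: per-owner group attestation report.
# Assumes the ActiveDirectory module. $SearchBase and $ReviewDays are placeholders.
Import-Module ActiveDirectory

$SearchBase = 'OU=Resource Groups,DC=corp,DC=example'   # placeholder OU holding permission groups
$ReviewDays = 90                                         # placeholder attestation interval
$cutoff     = (Get-Date).AddDays(-$ReviewDays)

# member is read as an attribute rather than via Get-ADGroupMember, so large groups are counted in full
$groups = Get-ADGroup -Filter * -SearchBase $SearchBase -Properties managedBy, member, whenChanged, description

$review = foreach ($g in $groups) {
    $owner = $null
    if ($g.managedBy) {
        # managedBy holds a distinguished name; a deleted owner simply fails to resolve
        $owner = Get-ADUser -Identity $g.managedBy -Properties mail -ErrorAction SilentlyContinue
    }

    $findings = @()
    if (-not $owner)                                   { $findings += 'NoOwner' }
    elseif (-not $owner.Enabled)                       { $findings += 'OwnerDisabled' }
    if (@($g.member).Count -eq 0)                      { $findings += 'EmptyGroup' }
    if ([string]::IsNullOrWhiteSpace($g.description))  { $findings += 'NoDescription' }
    # whenChanged moves on any attribute change, so this is a prompt to look, not proof of staleness
    if ($g.whenChanged -lt $cutoff)                    { $findings += 'NoChangeInReviewWindow' }

    $ownerName = if ($owner) { $owner.SamAccountName } else { '' }
    $ownerMail = if ($owner) { $owner.mail }           else { '' }

    [pscustomobject]@{
        Group       = $g.SamAccountName
        Owner       = $ownerName
        OwnerMail   = $ownerMail
        MemberCount = @($g.member).Count
        LastChanged = $g.whenChanged
        Findings    = ($findings -join ';')
    }
}

# Groups without an accountable owner cannot be attested at all; assign owners before the cycle starts
$review | Where-Object { $_.Findings -match 'NoOwner|OwnerDisabled' } | Format-Table Group, MemberCount, Findings

# One CSV per owner: the list that owner reviews and attests against
$review | Where-Object { $_.Owner } | Group-Object Owner | ForEach-Object {
    $_.Group | Export-Csv -Path (".\attest-{0}.csv" -f $_.Name) -NoTypeInformation
}
```

The per-owner CSV deliberately lists member counts rather than member names; the owner’s attestation should be made against the live membership (for example the output of Get-ADGroupMember for that group at review time), so that the record of what was attested matches what was actually in the directory on that date.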
Step 3: Defining (data access management and processes)
Part of governance is establishing the policies and processes that keep the secure environment you’ve created at this point secure as the needs of the business change over time. So, with permissions corrected and owners in place, it’s necessary to put processes in place that keep the state of permissions constantly in check.
IT is already stretched thin, so leveraging technically savvy users outside of IT can be beneficial. Obviously, any delegation of responsibility should come with some form of “handrails” in place to ensure any changes made are still approved by IT.
Consider putting the following processes in place as best practices to maintain a state of governance over permissions:
- Use self-service – No one knows what they need to access better than the individual contributor. But no IT department in its right mind is going to give users the reins and allow them to make any changes to permissions they want. A self-service portal provides IT-sanctioned changes that users can request themselves, such as being added to a group with permissions to a specific resource, delegating the task of managing access needs in a controlled manner.
- Use workflow – Automated workflow behind the scenes is also necessary. Automation can be as simple as performing the requested change within your directory, or it can involve notifications to and approvals from group owners and IT. Workflow ensures all changes adhere to governance policies and are approved as needed, and because it is fully automated, it delivers the consistency that your governance policies and least privilege parameters require.
Getting Permissions Under Governance
The steps above all work towards the common goal of governance. The policies, processes, roles, and standards they call for can in many cases be implemented with technology. Data access management solutions that help the organization understand where its data is and manage access to that data in a controlled fashion allow governance mandates to be met while security is applied consistently and user productivity is preserved.
As one of our most powerful and important Identity and Access Management Solutions, GroupID enables an organization to manage the access of their data in a controlled manner. Learn more about the suite of solutions under GroupID.
Jonathan Blackwell
Since 2012, Jonathan Blackwell, an engineer and innovator, has provided engineering leadership that has put GroupID at the forefront of group and user management for Active Directory and Azure AD environments. His experience in development, marketing, and sales allows Jonathan to fully understand the Identity market and how buyers think.

