Managing user access rights is an essential part of any network administrator’s job. Ensuring that each and every user only has access to the resources they need is the most elementary step in securing any network. There used to be a time when computer threats originated on the internet and reached networks via email or malicious websites. While this is still the case, an ever-increasing risk to precious corporate data comes from the inside. Either through malicious intents or stupid ignorance, your users can be the source of your data leaks. Access rights management tools can help you ensure that users can only access what they truly need and that any resource can only be accessed by users who truly need it. Read on as we review some of the best access rights management tools available today.
But before we have a deeper look at the best available tools, Let’s first explore access rights management. We’ll explain why it is such an important aspect of securing your data and what challenges are faced by network administrators. We’ll also explore access rights management from an ITIL perspective. After all, Access Management is one of the basic processes of the ITIL framework. And we’ll finish by discussing access rights management from a security standpoint. Finally, we’ll review a handful of some of the best access rights management tools we could find.
Access Rights Management
Everyone in the Information Technology community knows that data breaches have become a common—and almost unavoidable—occurrence. And while we may be tempted to think it is only done by malicious hackers and criminals or by intelligence agencies of shady countries, both having access to sophisticated technology devised to break into even the most secure networks, it is, unfortunately, far from true. While these outside attacks do exist, part of the risk comes from the inside. And the inside risk might be just as high as the outside one.
This internal risk can take many forms. On one hand, unscrupulous employees might be looking for a way to make some quick money by selling confidential data to competitors. But in addition to being the act of ill-intentioned individuals within a company, data breaches might also happen accidentally. For example, some employees might be ignorant of security policies. Even worse, they might have too much access to corporate data and other resources.
CA Technologies states in its 2018 Insider Threat Report (!pdf link) that 90% of organizations feel vulnerable to insider attacks. Furthermore, the report also indicates that the main causes of insider attacks are excessive access privileges, the increasing number of devices with access to confidential data, and the overall growing complexity of information systems as a whole. This goes to show the importance of access rights management. Giving users limited access to file shares, Active Directory and other resources within an organization based on actual need is one of the best ways to reduce the possibility of both malicious and accidental attacks and data breaches and losses.
Unfortunately, this is easier said than done. Today’s networks often spread wide geographical areas and they are comprised of thousands of devices. Managing access rights can quickly turn into a huge task, full of risks and pitfalls of all sorts. This is where access rights management tools can come in handy.
Access Rights Management and ITIL
The IT Infrastructure Library, or ITIL, is a set of guidelines and recommended processes for Information Technology teams. Concretely, ITIL’s objective is to develop effective and efficient methods for the provision of IT services or, in other words, a catalog of sorts of the best practices for the IT organization. Access Management is one of those ITIL processes. The objective of the process is very simply described as the “granting authorized users the right to use a service while preventing access to non-authorized users”.
Access Rights Management As A Security Measure
While some will argue that access rights management is a component of network administration, others will say that it is instead part of IT security. In reality, it’s probably a bit of both. But in fact, this only matters in larger business that have separate network administration and IT security teams. In smaller organizations, the same teams often handle both administration and security, effectively mooting the question.
The Best Access Rights Management Tools
Finding dedicated access rights management tools proved to be harder than anticipated. This is likely due to the fact that many tools are actually sold as security tools or as AD auditing tools. What we’ve decided to include on our list are tools that can assist administrators in ensuring that users have access to what they need and nothing else. Some are tools that assist with assigning rights and managing them while others are auditing tools that can scan your network and report on who has access to what.
SolarWinds needs no introduction with network administrators. The company, which has been around for years, is famous for publishing some of the best network administration tools. Its flagship product, called the SolarWinds Network Performance Monitor, consistently scores among the best network monitoring tools. SolarWinds is also famous for making great free tools which address specific needs of network administrators. Among these tools, a free subnet calculator and a simple yet useful TFTP server are some of the best known.
The SolarWinds Access Rights Manager (which is often referred to as ARM) was created with the goal of helping network administrators stay on top of user authorizations and access permissions. This tool handles Active Directory-based networks and it is aimed at making user provisioning and unprovisioning, tracking, and monitoring easy. And it can, of course, help minimize the chances for insider attacks by offering an easy way of managing and monitoring user permission and ensuring that no unnecessary permissions are granted.
One thing that will likely strike you as you use the SolarWinds Access Rights Manager is its intuitive user management dashboard where you can create, modify, delete, activate and deactivate user accesses to different files and folders. This tool also features role-specific templates that can easily give users access to specific resources on your network. The tool lets you easily create and delete users with just a few clicks. And this is just the beginning, the SolarWinds Access Rights Manager does not leave many features behind. Here’s a rundown of some of the tool’s most interesting features.
This tool can be used to monitor and audit changes to both the Active Directory and Group Policy. Network administrators can use it to easily see who has made what changes to the Group Policy or Active Directory settings, as well as the date and time stamp of these changes. This information certainly makes it easy to spot unauthorized users and both malicious or ignorant acts committed by anyone. This is one of the first steps to ensure that you maintain some degree of control over access rights and that you are kept aware of any potential issues before they have an adverse effect.
- FREE TRIAL: SOLARWINDS ACCESS RIGHTS MANAGER
- Official download site: https://www.solarwinds.com/access-rights-manager
Attacks will often happen when folders and/or their contents are accessed by users who are not—or should not be—authorized to access them. This kind of situation is common when users are granted wide-reaching access to folders or files. The SolarWinds Access Rights Manager can help you prevent these types of leaks and unauthorized changes to confidential data and files by providing administrators with a visual depiction of permissions for multiple files servers. In summary, the tool lets you see who has what permission on what file.
Monitoring AD, GPO, files, and folders is one thing—and an important one—but the SolarWinds Access Rights Manager goes way further than that. Not only can you use it to manage users, but you can also analyze which users have accessed which services and resources. The product gives you an unprecedented visibility into the group memberships within the Active Directory and file servers as well. It puts you, the administrator, in one of the best position to prevent insider attacks.
No tool is complete if it can’t report on what it does and what it finds. If you need a tool which can generate evidence that can be used in case of future disputes or eventual litigation, this tool is for you. And if you need detailed reports for auditing purposes and to comply with the specifications set by regulatory standards that apply to your business, you’ll find them as well.
The SolarWinds Access Rights Manager will easily let you generate great reports that directly address auditors’ concerns and regulatory standard compliance. They can be quickly and easily created with just a few clicks. The reports can include any information you can think of. For example, log activities in Active Directory and file server accesses can be included in a report. It is up to you to make them as summarized or as detailed as you need.
The SolarWinds Active Rights Manager offers network administrators the possibility to leave the access rights management for a given object in the hands of the person who created it. For instance, a user who created a file could determine who can access it. Such a self-permission system is instrumental in preventing unauthorized access to information. After all, who knows who should access a resource better than the one who creates it? This process is accomplished through a web-based self-permission portal that makes it easy for resource owners to handle access requests and set permissions.
The SolarWinds Access Rights Manager can also be used to estimate, in real-time and at any point in time, the level of risk to your organization. This percentage of risk figure is computed for each user based on their level of access and permissions. This feature makes it convenient for network administrators and/ IT security team members to have complete control over user activity and the level of risk posed by each employee. Knowing which users have the highest risk levels will let you keep a closer watch on them.
This tool doesn’t only cover Active Directory rights management, it will also handle Microsoft Exchange rights. The product can greatly help you simplify your Exchange monitoring and auditing as well as help you prevent data breaches. It can track changes to mailboxes, mailbox folders, calendars, and public folders.
And just like you can use it with Exchange, you can also use this the SolarWinds Access Rights Manager alongside SharePoint. The ARM user management system will display SharePoint permissions in a tree structure and let administrators quickly see who is authorized to access a given SharePoint resource.
As much as it’s great to have an automated system that monitors your environment, it is even better if it has the possibility of notifying you whenever something odd is detected. And this is precisely the purpose served by the SolarWinds Access Rights Manager’ alerting system. The subsystem will keep support staff informed of what is happening on the network by issuing alerts for predefined events. Among the types of events that can trigger alerts are file changes and permission changes. These alerts can help to mitigate and prevent data leaks.
The SolarWinds Access Rights Manager is licensed based on the number of activated users within Active Directory. An activated user is either an active user account or a service account. Prices for the product start at $2 995 for up to 100 active users. For more users (up to 10 000), detailed pricing can be obtained by contacting SolarWinds sales but expect to pay in excess of $130K for that many users. And if you’d rather try the tool before purchasing it, a free, user-unlimited 30-day trial version can be obtained.
- FREE TRIAL: SOLARWINDS ACCESS RIGHTS MANAGER
- Official download site: https://www.solarwinds.com/access-rights-manager
Netwrix is actually not really an access rights management tool. It is, in its publisher’s own words, “a Visibility Platform for User Behavior Analysis and Risk Mitigation”. Wow! That is a fancy name but in reality, Netwrix is the type of tool you can use to reach the same goals as you have when using.
Concretely, you can use Netwrix to detect data security risks and anomalous user behavior before they result in a data breach. This tool will give you a bird’s-eye view of your security posture with interactive risk assessment dashboards. It can help quickly identify your biggest security gaps and use its built-in actionable intelligence to reduce the ability of intruders and insiders as well to cause damage.
The product also features alerts that can be used to be notified about any unauthorized activity as it happens, giving you a better chance to prevent security breaches. You can, for instance, choose to be notified whenever someone is added to the Enterprise Admins group or when a user modifies many files in a short period of time, which could be a sign of a ransomware attack.
Pricing information for Netwrix can be obtained by directly contacting the vendor. And if you want a taste of the product, a free trial is available although it only lasts 20 days whereas most trials are 30-days.
Varonis is a cyber-security company whose primary mission is protecting your data from loss. So, despite the fact that they don’t have a direct user access management tool available, we felt it deserves to be on our list. After all, isn’t that the primary goal of any access right management system?
Varonis’ industry-leading platform is built to protect your most valuable and most vulnerable data. And to accomplish that, it starts at the heart: the data itself. Using the platform, users can defend their data against attacks from the inside as well as from the outside. The system eliminates repetitive, manual clean-up processes and automates manual data protection routines. The concept is unique in that it brings security and cost-savings together, something that not too common.
The Varonis platform detects insider threats and cyber attacks by analyzing data, account activity, and user behavior. It prevents and limits disaster by locking down sensitive and stale data and it efficiently and automatically maintains your data in a secure state.
STEALTHbits offers a suite of Active Directory management and security solutions which enable organizations to inventory and clean-up Active Directory, audit permissions and manage access, rollback and recover from unwanted or malicious changes and monitor and detect threats in real-time. It offers an all-encompassing protection of your corporate data. The process of cleaning up and governing access can effectively harden the Active Directory against attacks, both from inside and from outside threats.
The tool’s main function include AD auditing. It will inventory, analyze, and report on Active Directory to secure and optimize it. STEALTHbits can also do Active Directory change auditing, achieving security and compliance through real-time reporting, alerting, and blocking of changes. Another useful feature of the tool is its Active Directory cleanup function which you can use to clean up stale AD objects, toxic conditions, and group owners.
The tool’s Active Directory permissions auditing and reporting can be used to report on the AD domain, organizational unit, and object permissions. There is also Active Directory rollback and recovery to easily fix unwanted Active Directory changes and domain consolidation which will let you take back control of Active Directory through an easy workflow.