Varonis is a well-known provider of data security solutions. Its DatAdvantage product is the heart of its Data Security Platform, and it gives users complete visibility and control over their critical data and hybrid IT infrastructure. It provides a clear view of who has access to what. As good as Varonis can be, we thought it would be interesting to have a quick look at what alternatives there are to it. We’ve concentrated on one aspect of Varonis: permissions analysis. After all, if this is all the functionality you need, Varonis may be too much for you. We’ve scoured the market looking for the best Varonis alternatives for permission analysis and we’re glad to present our findings.
But before we review the different alternatives, we’ll have a deeper look at the Varonis DatAdvantage tool and see what it does exactly. It will help us evaluate the available alternatives. We’ll also explore permissions and access rights management as they are the key elements of permissions analysis. Finally, we’ll review the best alternatives we could find and describe each product’s best and most interesting features.
Varonis Systems is an American-Israeli company that developed a security software platform to let organizations track, visualize, analyze and protect their unstructured data. Varonis performs User Behavior Analytics to identify abnormal behaviour and defend enterprise data from cyber attacks. The software uses metadata collected from an organization’s infrastructure to map relationships among employees, data objects, content, and usage.
The company’s DatAdvantage product maps who can and who does access data across file systems and email. It can show where users have too much access and safely automate changes to access control lists and security groups. As such, it offers more than many competing permission management tools.
DatAdvantage is a bi-directional tool. You can select a resource and see who has access to it or you can select a user or group to see everything they can access. The tool will figure out nested groups, permissions, and inheritance. It will even identify folders where permissions aren’t functioning correctly.
The tool’s AI-powered machine learning algorithm can also identify users with unnecessary access and recommend mitigation measures. It is a fast and accurate way to reduce risk. Permissions changes can be modelled in a sandbox before being committed with just a few clicks.
The Need For Access Rights Management
We all know that data breaches have become a common occurrence. We may be tempted to think it is only done by malicious hackers and criminals or by covert organizations with access to sophisticated technology but unfortunately, this is far from the truth. While outside attacks do exist, part—if not most—of the risk comes from the inside.
Internal risks can take many forms. Unscrupulous employees might be looking for a way to make some quick money by selling confidential data to competitors. Data breaches might also happen accidentally. For instance, employees might be ignorant of security policies or they might simply have too much access to data and other resources.
Some of the main causes of insider attacks are excessive access privileges, the increasing number of devices with access to confidential data, and the overall growing complexity of information systems. Giving users limited access to file shares, Active Directory and other resources within an organization based on actual need is one of the best ways to reduce the possibility of both malicious and accidental attacks and data breaches and losses.
This is, however, easier said than done. Today’s networks often span wide geographical areas and comprise thousands of devices. Managing access rights can quickly turn into a huge task, full of risks and pitfalls of all sorts. This is where access rights management tools can come in handy.
Permissions In A Nutshell
Permissions refer to what a given user is allowed to do with a specific file, directory or other resource. Several basic permissions such as read, write, modify, execute, and list folder content exist. Full control is another basic permission that grants a user every other permission to a resource. There are also advanced permissions for very specific actions such as reading attributes, reading permissions, changing permissions or taking ownership, just to name a few.
Access Control Lists (ACLs) are used to assign permissions to objects in a file system where each object has an ACL that defines what permission any user or group of users has on it. In most hierarchical file systems, objects inherit the permissions of their parent. For instance, a file will inherit the permissions of the folder containing it.
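The inheritance and nested-group resolution described above, as an added example (not code from Varonis or any product reviewed here): a simplified model that evaluates an object's own ACL entries before inherited ones, and deny before allow at each level, and answers both "what can this user do here" and "who can reach this resource". All users, groups, paths and rights are constructed sample data.

```python
from pathlib import PurePosixPath

USERS = ("alice", "bob")                       # constructed sample accounts
MEMBER_OF = {                                  # member -> groups it directly belongs to
    "alice": {"Finance-Analysts"},
    "bob": {"Helpdesk", "Contractors"},
    "Finance-Analysts": {"Finance-All"},       # nested group
}
# path -> (inherits_from_parent, [(principal, "allow" | "deny", rights)])
ACLS = {
    "/share": (False, [("Finance-All", "allow", {"read"}),
                       ("Helpdesk", "allow", {"read", "write"})]),
    "/share/payroll": (True, [("Contractors", "deny", {"read", "write"}),
                              ("Finance-Analysts", "allow", {"write"})]),
    "/share/payroll/2024.xlsx": (True, []),
    "/share/private": (False, [("alice", "allow", {"read"})]),  # inheritance disabled
}

def principals(user):
    """The user plus every group reached through nested membership."""
    seen, stack = set(), [user]
    while stack:
        p = stack.pop()
        if p not in seen:
            seen.add(p)
            stack.extend(MEMBER_OF.get(p, ()))
    return seen

def effective_rights(user, path):
    """Rights the user holds on path; the first matching entry per right wins."""
    token, decided = principals(user), {}
    node = PurePosixPath(path)
    while True:
        inherits, aces = ACLS.get(str(node), (True, []))
        # Own entries are seen before ancestors'; deny before allow at each level.
        for kind in ("deny", "allow"):
            for principal, ace_kind, rights in aces:
                if ace_kind == kind and principal in token:
                    for right in rights:
                        decided.setdefault(right, kind)
        if not inherits or node == node.parent:
            break
        node = node.parent
    return {r for r, kind in decided.items() if kind == "allow"}

def who_can(path, right):
    """Reverse view: every user holding `right` on the resource."""
    return sorted(u for u in USERS if right in effective_rights(u, path))
```

Here bob's Helpdesk membership grants read and write on /share, but the deny entry for Contractors on /share/payroll removes both on everything beneath it, which is the kind of result that is hard to see by reading a single ACL.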
The Best Varonis Alternatives
There are many products out there that deal with access rights management and permission analysis. They share a common goal, helping administrators ensure that no one has access to resources they don’t need to access while also ensuring everyone has access to what they need. Some of the products on our list are broad access rights management tools while others are simpler permission analysis tools. We’ve tried to include various tools to give you a better idea of what’s available.
1- SolarWinds Access Rights Manager
The SolarWinds Access Rights Manager (ARM) was created to help network administrators stay on top of user authorizations and access permissions. It is aimed at making user provisioning and unprovisioning, tracking, and monitoring easy. It helps minimize the chances for insider attacks by offering an easy way of managing and monitoring user permissions and ensuring that no unnecessary permissions are granted.
The SolarWinds Access Rights Manager features an intuitive user management dashboard where you can create, modify, delete, activate and deactivate user accesses to different files and folders. It also offers role-specific templates to easily give users access to specific resources on your network. You can use this tool to easily create and delete users with just a few clicks. This is just a small sample of the tool’s capabilities. Here’s a more detailed look at some of the tool’s most interesting features.
You can use this tool to monitor and audit changes to Active Directory objects and Group Policies. It also lets one see who has made what changes as well as their date and time stamp. This makes it easy to spot unauthorized users and malicious or ignorant acts, one of the first steps to maintain control over access rights and to be kept aware of any potential issues before they have an adverse effect.
- FREE TRIAL: SolarWinds Access Rights Manager
- Download Link: https://www.solarwinds.com/access-rights-manager/registration
Monitoring AD, GPO, files, and folders is one thing, and an important one, but the SolarWinds Access Rights Manager goes way further than that. Not only can you use it to manage users, but you can also analyze which users have accessed which services and resources. The product gives you unprecedented visibility into the group memberships within the Active Directory and file servers as well. It puts you, the administrator, in one of the best positions to prevent insider attacks.
No tool is complete if it can’t report on what it does and what it finds. If you need a tool which can generate evidence that can be used in case of future disputes or eventual litigation, this tool is for you. And if you need detailed reports for auditing purposes and to comply with the specifications set by regulatory standards that apply to your business, you’ll find them as well.
The SolarWinds Access Rights Manager will easily let you generate great reports that directly address auditors’ concerns and regulatory standard compliance. They can be quickly and easily created with just a few clicks. The reports can include any information you can think of. For example, log activities in Active Directory and file server accesses can be included in a report. It is up to you to make them as summarized or as detailed as you need.
The SolarWinds Access Rights Manager gives network administrators the possibility to leave the access rights management for a given object in the hands of the person who created it. For instance, a user could determine who can access a file he created. This kind of self-permission system is instrumental in preventing unauthorized access to information. It makes sense: who knows who should access a resource better than the one who created it? This is done through a web-based self-permission portal that makes it easy for resource owners to handle access requests and set permissions.
The SolarWinds Access Rights Manager can also be used to estimate, in real-time and at any point in time, your organization’s level of risk. It computes a percentage of risk figure for each user based on their level of access and resource permissions. This feature makes it convenient for network administrators and/or security team members to have complete visibility over user activity and the level of risk posed by each user. Knowing which users have the highest risk levels will allow you to keep a closer watch on them.
This tool doesn’t only handle Active Directory rights management, it will also take care of Microsoft Exchange rights. The product can greatly help you simplify your Exchange rights monitoring and auditing as well as help you prevent data breaches. It can track changes to mailboxes, mailbox folders, calendars, and public folders. You can also use the SolarWinds Access Rights Manager with SharePoint. The tool’s user management system will display SharePoint permissions in a tree structure and let administrators quickly see who is authorized to access a given SharePoint resource.
It is one thing to have an automated system in place that monitors your environment but unless you’re notified whenever something odd is detected, you’re missing the point. For that purpose, the SolarWinds Access Rights Manager’s alerting system is second to none. It will keep support staff informed of what is happening on the network by issuing alerts for predefined events. Among the types of events that can trigger alerts are file changes and permission changes. These alerts can help to mitigate and prevent data leaks.
The SolarWinds Access Rights Manager is licensed based on the number of activated users within Active Directory. An activated user is either an active user account or a service account. Prices for the product start at $2 995 for up to 100 active users. For more users (up to 10 000), detailed pricing can be obtained by contacting SolarWinds sales. If you want to give the tool a test ride before purchasing it, a free, user-unlimited 30-day trial version can be obtained.
2- Netwrix Effective Permissions Reporting Tool
The Netwrix Effective Permissions Reporting Tool is a freeware tool from Netwrix, a direct competitor of Varonis, that provides insight into who has permissions to what resource among Active Directory and file shares. The tool will help you make sure that employee permissions match their actual roles in the organization. Through the system’s reports, administrators are able to see users’ AD group membership and file share permissions at a glance, along with details on whether these permissions were explicitly assigned or inherited.
The Netwrix Effective Permissions Reporting Tool provides actionable information that you can directly use to withdraw unneeded access rights. This can help ensure users have only the permissions they need to get their jobs done. It can also help reduce overall security risks by virtue of making your valuable data accessible only by eligible users. Although it is a simple-to-use tool, it enables you to quickly track down any user’s permissions across Active Directory and file servers and provides you with ready-to-use reports in just a few clicks.
This tool can also help you ensure compliance by assisting you with the collection of proof that all permissions are aligned with job descriptions and employee roles in the organization. This is often mandated by regulatory frameworks such as SOX or PCI-DSS, for instance.
There’s only one drawback to the Netwrix Effective Permissions Reporting Tool. It is a unidirectional tool and as such, it will show the effective permissions held by a specific user or group but it can’t show you the effective permissions on a specific file or directory.
3- STEALTHbits
STEALTHbits offers a suite of Active Directory management and security solutions which enable organizations to audit and clean up Active Directory, validate permissions and manage access rights, roll back and recover from unwanted changes and monitor and detect threats in real-time. The tool offers broad protection for your important data. By cleaning up and tightly governing access, one can effectively protect Active Directory against attacks, both from the inside and from the outside.
One of the tool’s main functions is AD auditing. It will inventory, analyze, and report on Active Directory with a goal of securing and optimizing it. STEALTHbits also performs Active Directory change auditing, allowing you to achieve security and compliance through real-time reporting, alerting, and blocking of changes. The product’s Active Directory cleanup function, which you can use to clean up stale AD objects, toxic conditions, and group owners, is another of its most useful features.
STEALTHbits’ Active Directory permissions auditing and reporting can be used to report on the AD domain, organizational unit, and object permissions. The tool also offers Active Directory rollback and recovery to easily undo unwanted Active Directory changes and domain consolidation to let you take control of Active Directory through an easy workflow.
4- ManageEngine ADManager Plus
ManageEngine is another well-known name among network and system administrators. Its ADManager Plus toolset includes the NTFS permissions reporter, a tool that lets you manage permissions on the fly right from the ADManager Plus’ reporting utility.
ADManager Plus generates and also exports reports on access permissions of all NTFS folders as well as files and their properties for Windows file servers in an easily understandable format. This can help administrators quickly view and analyze file-level security settings in their environments. The generated reports can be exported to Excel, CSV, HTML, PDF, and CSVDE formats for further processing by external tools.
Some of the reports generated by this tool include the Shares in Servers report which displays all the Shares available in the specified servers, along with important details such as their location, the list of accounts with permissions on the shares as well as their associated permissions, and the scope of the permissions. The Folders accessible by accounts report lists the folders and files over which the specified accounts have permissions. You can check for folders in a specified path and further define the level of access to generate the results. These are just a few of the available reports to give you an idea of what the tool can do for you.
The ManageEngine ADManager Plus is available in a Free Edition and a Professional Edition. The Free Edition allows you to manage and report on up to 100 objects in a single Domain. The Professional Edition is installed for free and can be evaluated for 30 days, after which it automatically reverts to the Free Edition’s limitations unless a Professional Edition license is purchased. For details on the various editions available and their prices, you should contact ManageEngine.