Panzura has added Access Control List (ACL) hunting tools to its Panzura Symphony solution. The tools will analyse and, importantly, remediate excess permissions across enterprises. It claims it is the first vendor to deliver a tool that finds bloated permissions, an issue that affects over 58% of enterprises, according to Varonis.
This is not just about finding permissions that are unnecessary. As the use of AI agents increases, many of those agents inherit permissions from the person who uses them. That means that permission bloat is passed to the AI. A further challenge that this seeks to address is the security risk from lost credentials.

Sundar Kanthadai, Chief Technology Officer, Panzura, said, “Manual permission audits are a nightmare – teams are constantly chasing inheritance chains, investigating anomalies, and trying to resolve violations.
“Automated remediation is the difference between organizational chaos and strategic control. It delivers the precision that separates leaders from the 80% that will fail.”
Permission sprawl is a decades-old problem
Permission sprawl has been a problem for decades. Users join a business and are assigned permissions for their initial role. After that, they get additional permissions for projects they are on, when they get promoted, when they change department and many other reasons.
The problems start when it comes to revoking those unnecessary permissions. Take the example of someone changing role in a business. When they move to a new department they are given access to new data and new apps. They retain their old access to help with a structured handover. Very few businesses then check to ensure that rights are revoked after the handover period.
Compounding this problem is something that IT and HR have suffered with forever. HR has little idea what systems a user needs access to because there are no controls. IT awards initial access based on department and the accesses that other employees have. They grant additional access based on requests from line and project managers, but don’t track it. Instead, it is left to the individual or those they report to, to decide what they no longer need access to.
One major fear of revoking permissions and access is the impact on the business. IT help desks know that it only takes one mistake when trying to clean up sprawl to have users complain and to create an incident.
How is Panzura fixing this?
Panzura’s approach is to use the automation within Symphony that already tracks permissions across all data inside the enterprise. How it extends that to application permissions is less clear. This cannot simply be a limitation on data access. Any ACL solution has to address everything a user touches including phone, tablet, laptop, computer, printer, application (local and cloud), and data.
According to Panzura, it will identify and remediate anomalous permissions across the entire file system. The question here is what counts as anomalous. Will it be an ACL for something the user hasn’t accessed in a given period of time? If so, what will that period be? How will it engage with users before removing the permissions to reduce errors? Will there be an integration with HR to create a better initial permission set for new users?
These questions are not new. They are questions that have been asked again and again when this issue comes up. While they seem obvious, getting a working solution is not easy. If it were, Panzura would not be doing this.
Mapping ACLs and remediating problems
One starting point will be mapping permissions, not just for the individual, but also group permissions and access. That will show where overlapping permissions still allow access even when they have been revoked through a different route. That correlation will be essential to ensuring that this meets the requirements of security teams.
And that seems to be exactly where Symphony is starting. There are four things that the Interactive ACL Analysis in Symphony will enable:
- Clear, drill-down views of complex permission inheritance
- Human-readable DACLs and SACLs with adjustable detail levels
- Change tracking from previous scans to spot potential suspicious activity
- Export to database, CSV, or JSON for further analysis
Having identified ACL anomalies, the next step is remediation. According to Panzura, “Symphony has introduced the capability to automatically remediate ACL anomalies with the Repair ACLs Policy. The system analyzes and repairs broken ACL inheritance for both DACLs and SACLs automatically using administrator-defined policies.
“This saves hundreds of hours of manual remediation while eliminating human error and is vital for maintaining permission symmetry where granted access rights precisely match actual business needs.”
But this takes us back to the questions above. How will it know which ACLs are anomalies and, therefore, are broken? It is possible that a user has had access revoked, only to still have it through another group. How would the Repair ACLs Policy treat that? Would it just see a mismatch and correct it to give access or would it err on the side of caution and revoke access? How would the policy learn what is the right or wrong approach?
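The residual-access case raised above (a user whose direct access was revoked still reaching the data through another group) can be made concrete. This is an added example, not Panzura's code or Symphony's logic; the group names, the path and the data layout are constructed for illustration, and deny is treated as overriding any allow, which simplifies real ACE ordering.

```python
# Constructed sample data (not a Symphony export format).
# MEMBER_OF maps a principal to the groups it belongs to, including nested groups.
MEMBER_OF = {
    "alice": {"Finance-Staff", "Project-Apollo"},
    "Project-Apollo": {"Finance-Archive-Readers"},  # nested group
    "bob": {"Finance-Staff"},
}
PATH = r"\\fs01\finance\archive"
# Alice's direct ACE on PATH has already been removed; only group ACEs remain.
ACL = {
    PATH: [
        ("Finance-Archive-Readers", "allow", {"read"}),
        ("Finance-Managers", "allow", {"read", "write"}),
    ],
}

def principals(user):
    """Return {principal: membership chain} for the user and every group reached."""
    chains = {user: [user]}
    stack = [user]
    while stack:
        cur = stack.pop()
        for grp in MEMBER_OF.get(cur, ()):
            if grp not in chains:  # skip groups already seen; also stops cycles
                chains[grp] = chains[cur] + [grp]
                stack.append(grp)
    return chains

def access_paths(user, path, right):
    """List every membership chain that still grants `right` on `path`.

    Simplification (assumption): any matching deny ACE overrides all allows.
    """
    chains = principals(user)
    grants = []
    for trustee, kind, rights in ACL.get(path, []):
        if trustee in chains and right in rights:
            if kind == "deny":
                return []
            grants.append(chains[trustee])
    return grants

if __name__ == "__main__":
    for route in access_paths("alice", PATH, "read"):
        print("alice still has read via:", " -> ".join(route))
```

Reporting the full membership chain, not just a yes/no answer, is what lets a reviewer decide whether the remaining route is intended or is the bloat to remove.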
Audit trail to deliver on compliance and security
The answer to that last question may lie in the audit trail that Symphony will create. It will be used to create a record of permission states over time. That, as a data administrator and auditor, is very interesting. It will give an insight into historical access that will provide compliance teams with detail they have never had. It will also show how permissions are abused during an attack.
Another benefit of this will be to refine the permissions users need. If you can track an individual user over time, you can see what they need access to for their job. You can also use that to detect unusual access patterns when compared to peers in the same department. The benefit is you can see what permissions to remove and what requires investigation.
From a security perspective, this is something that will be important as users make greater use of AI agents. While most vendors see agents as inheriting all the rights of a user, will the agent need them? If not, they are just another security breach waiting to happen. Continuous refinement will pay dividends here in removing access for both users and AI agents.
It will also ensure that a credential breach is more readily contained. For example, today, a user who has been at an organisation for a decade will have access to many systems that they don’t need. When credentials are stolen, the attacker has that same access. If you refine that access without impacting productivity, you reduce the potential impact of an attack. It’s a win-win.
The rising role of metadata
Symphony will also allow administrators to add custom metadata to files. This might be to identify highly sensitive files or to create additional controls to limit how access is granted. All of this plays to the goal of policy automation when it comes to managing access.
For compliance teams, it means that they can apply granular security controls based on each compliance requirement. This is particularly important as data sovereignty and compliance conflicts grow. The automated policies will read this extended metadata and make decisions on how it is to be treated. This is a significant boost for data security and compliance teams.
Where Panzura sees additional benefits is in the management of unstructured data. By applying fine-grained controls through custom metadata and policies, Symphony delivers structure that isn’t currently available. Importantly, it goes further than that because it can also determine which files and data are accessible to AI and how that data is used.
Kanthadai commented, “Security through obscurity is no longer an option. The latest capabilities of Symphony specifically address the daily challenges sysadmins face in maintaining secure and compliant data storage and preparing data for AI workloads including agentic AI.”
Enterprise Times: What does this mean?
There are many other features that Panzura has added to Symphony as part of this announcement. However, it has not announced this as a major or even minor version change for Symphony. That is a surprise, because the features here are significant for security, compliance, AI, and data management teams.
The big hope is that this will deliver a solution to a problem that has defeated many security and data companies for decades. Permission bloat is so pervasive that most companies don’t know how to resolve it. Instead, they rely on Privileged Access Management (PAM) and other tools to try and, at least, contain the risk.
Panzura is going far beyond those solutions and it is interesting that this approach is coming from a data management vendor, not a security vendor. It will be interesting to see if this pushes Panzura into a different market or even leads to more compliance and security solutions.