Privilege Creep: How to Deal With Excess Permissions

Privilege creep refers to the gradual build-up of unnecessary permissions in IT systems. Many companies struggle with privilege creep due to missing safeguards such as user access reviews. As a result, permissions stay active long past their intended use. Privilege creep often goes unnoticed at first. However, the build-up of permissions increases the risk and potential scope of cyber attacks, employee data theft and insider threats. Read on to learn what causes access rights to pile up and how organizations can stop privilege creep and protect their data!

What Is Privilege Creep?

The term privilege creep (also known as permission creep, access creep or privilege sprawl) refers to the process of users accumulating more and more permissions over time, giving them access to undue levels of private information or sensitive systems. Privilege creep is incredibly common. However, the businesses and organizations affected by this problem might not know what privilege creep is called or how dangerous it can be.

The source of privilege creep can be summarized in one sentence: New permissions are added, but old permissions are never removed. This leads to users amassing more and more access over time, such as permissions on the local file server, shared files in Microsoft 365 or highly privileged accounts in third-party services.

Eventually, you are left with a mountain of privileges that acts as a ticking time bomb: If your company becomes the target of a cyberattack, unnecessary permissions allow attackers to steal as much data as possible or infect every corner of your network. To make matters worse, the build-up of inactive or orphaned accounts associated with privilege creep provides a convenient attack vector for hackers and cybercriminals. Not to mention the threat posed by disgruntled employees, as highlighted by this FBI PSA.

What Causes Privilege Creep?

The easiest way to explain how privilege creep works in practice is through an example: Let’s say that a member of your company, Tom, switches from the support team to the sales department. For this new role, Tom needs access to all sorts of new resources, such as talking points or price tables. So, to help Tom get to work as soon as possible, his new boss calls up IT and makes sure Tom gets access.

However: Switching departments also means that many of Tom’s old permissions, such as access to unresolved complaints or an official account in the support forum, are now no longer needed. But while new privileges are granted quickly so as to not slow down daily business, outdated permissions are often ignored, forgotten or quietly tolerated.

The result is over-privileged users, who receive more and more permissions every time they are given new tasks or assigned to new projects.

Reasons for Privilege Creep:

  • Switching Role/Department
  • Temporary Access for Projects
  • Covering for Coworkers
  • Reliance on Reference Users
  • Abandoned Accounts in Third-Party Apps

Dangers of Privilege Creep

While many organizations suffer from privilege creep, the build-up of permissions often goes unnoticed for a long time. Unlike missing permissions, excess privileges don’t interrupt you while you’re working. Even when people become aware of privilege creep, they tend to downplay the issue: So a colleague has access to files from his old department. What’s the worst that could happen? Well, let me tell you…

First, there’s the threat to cybersecurity that over-privileged accounts pose. When employees have access to mountains of enterprise data, it vastly increases the risk of employee data theft. Even without malicious intent, your users can become insider threats against their will if a hacker manages to steal their credentials or they accidentally download an infected attachment, spreading ransomware in your system.

In the event of a network breach, intruders will use your permissions against you, moving freely through your network and stealing or encrypting as many files as possible.

Second, if access rights are incorrectly configured or organizations fail to adequately restrict access, it can violate privacy regulations such as HIPAA or the GDPR. For example, HIPAA not only mandates adequate security measures against cyberattacks, but the privacy rule also establishes a standard for access to protected health information (PHI) known as minimum necessary. Put simply, the minimum necessary standard requires access to PHI to be limited to those who absolutely need it in order to do their job.

This means that apart from outside attacks, healthcare organizations also need to protect data against unauthorized access from within to avoid privacy violations and hefty fines. A prominent example of this rule in action would be the 2011 case against a California hospital where members of staff accessed the health records of various celebrities, despite not being involved in their treatment, resulting in a fine of $865,000.

[Image: Stop sign sticking out of the water. Caption: Follow these steps to stop the flood of privileges! Adobe Stock, (c) jro grafik]

How to Stop Privilege Creep

Because of the risks associated with unnecessary privileges, keeping access to an absolute minimum has become a best practice in cybersecurity. This approach is also known as the principle of least privilege or POLP.

Least privilege access means that members of an organization should only be given permissions that are strictly necessary for their job. In other words, no outdated permissions and no access rights granted “just in case”. You can think of least privilege as the opposite of privilege creep.

Define Appropriate Access

So, how do you implement least privilege access in practice? The first step to prevent privilege creep is to define who in your organization needs access to which files and systems. The only way to figure out which permissions are necessary and which you can safely remove is to look at the apps and data your team uses in day-to-day operations.

Grant Access Based on Roles

The easiest way to establish reasonable access levels is to group members of your staff into roles based on factors such as office, department or level of seniority. You can then assign permissions to each role depending on the specific responsibilities it involves. For example, members of the HR department obviously need access to your HR software. Implementing role-based access control or RBAC even allows you to automate the process of granting and revoking these default permissions.


Review Permissions Regularly

In any workplace, employees occasionally need additional, short-term permissions to deal with special cases such as covering for a co-worker during their vacation or collaborating on a multi-department project. This is completely normal and there’s nothing wrong with granting extra privileges when there’s a good reason. However, make sure you have a process in place for admins to review these special permissions later on to make sure they don’t become permanent. This is commonly known as a user access review.
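The role-based provisioning described under "Grant Access Based on Roles" and the user access review described above can be modelled in a few lines. The following script is an added example written for this article; it is not tenfold's code or data model, and the role names, permission strings, dates and the user "tom" are constructed sample data. It replays the Tom scenario from earlier twice: once the way privilege creep happens (new role's permissions granted, old ones left in place) and once with a least-privilege role change plus automatic expiry of a temporary grant, and runs the same access review over both outcomes.

```python
"""Added example: role-based provisioning, temporary grants and a user access review.

All data below is constructed for illustration; roles, permission names and
dates are assumptions, not tenfold's data model or API.
"""
from dataclasses import dataclass, field
from datetime import date

# Role baseline (constructed): the permissions each role is entitled to.
ROLE_PERMISSIONS: dict[str, set[str]] = {
    "support": {"ticket-system:read", "ticket-system:write", "support-forum:account"},
    "sales": {"crm:read", "crm:write", "price-tables:read", "talking-points:read"},
}

# Date on which the review in demo() runs (constructed).
TODAY = date(2024, 8, 1)


@dataclass
class TemporaryGrant:
    permission: str
    expires: date  # last day the grant is valid
    reason: str


@dataclass
class User:
    name: str
    roles: set[str]
    permissions: set[str]  # what the account actually holds today
    temporary: list[TemporaryGrant] = field(default_factory=list)


def entitled(roles: set[str]) -> set[str]:
    """Union of the baseline permissions of all roles a user holds."""
    out: set[str] = set()
    for role in roles:
        out |= ROLE_PERMISSIONS[role]
    return out


def active_temporary(user: User, today: date) -> set[str]:
    """Permissions justified by a temporary grant that has not expired yet."""
    return {g.permission for g in user.temporary if g.expires >= today}


def creep_role_change(user: User, old_role: str, new_role: str) -> set[str]:
    """How privilege creep happens: the record says 'sales', the new role's
    permissions are granted, and nothing from the old role is revoked."""
    user.roles.discard(old_role)
    user.roles.add(new_role)
    granted = ROLE_PERMISSIONS[new_role] - user.permissions
    user.permissions |= granted
    return granted


def rbac_role_change(user: User, old_role: str, new_role: str, today: date):
    """Least-privilege role change: grant what the new role set entitles and
    revoke what only the old role justified. Returns (granted, revoked)."""
    user.roles.discard(old_role)
    user.roles.add(new_role)
    target = entitled(user.roles) | active_temporary(user, today)
    granted = target - user.permissions
    revoked = (user.permissions & ROLE_PERMISSIONS[old_role]) - target
    user.permissions = (user.permissions | granted) - revoked
    return granted, revoked


def expire_temporary(user: User, today: date) -> set[str]:
    """Automatic expiry: drop permissions whose temporary grant has lapsed,
    unless a role still entitles the user to them. Returns what was revoked."""
    lapsed = {g.permission for g in user.temporary if g.expires < today}
    revoked = (lapsed & user.permissions) - entitled(user.roles)
    user.permissions -= revoked
    user.temporary = [g for g in user.temporary if g.expires >= today]
    return revoked


def access_review(user: User, today: date) -> dict[str, list[str]]:
    """Flag permissions that no role or unexpired temporary grant justifies,
    plus temporary grants whose expiry date has already passed."""
    justified = entitled(user.roles) | active_temporary(user, today)
    return {
        "excess": sorted(user.permissions - justified),
        "expired_temporary": sorted(g.permission for g in user.temporary if g.expires < today),
    }


def make_tom() -> User:
    """Constructed sample: Tom in support, covering a coworker's finance share until mid-July."""
    return User(
        name="tom",
        roles={"support"},
        permissions=set(ROLE_PERMISSIONS["support"]) | {"finance-share:read"},
        temporary=[TemporaryGrant("finance-share:read", date(2024, 7, 15), "covering for coworker")],
    )


def demo(today: date = TODAY) -> tuple[dict, dict]:
    """Move Tom from support to sales both ways and review each outcome."""
    creep = make_tom()
    creep_role_change(creep, "support", "sales")
    creep_findings = access_review(creep, today)

    clean = make_tom()
    rbac_role_change(clean, "support", "sales", today)
    expire_temporary(clean, today)
    clean_findings = access_review(clean, today)
    return creep_findings, clean_findings


if __name__ == "__main__":
    for label, findings in zip(("grant-only (creep)", "rbac + expiry"), demo()):
        print(label, findings)
```

Running the script shows the review flagging all three leftover support permissions and the lapsed finance-share grant on the "creep" copy of Tom, while the copy that went through the role change with revocation and automatic expiry comes back clean. The review deliberately treats "justified by a role" and "justified by an unexpired grant" as the only two reasons a permission may exist; anything else is a finding for the admin to act on.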

Bonus: 5 Tips Against Privilege Creep

  • Communication between HR and IT: It is crucial for HR to inform IT of every personnel change as soon as it happens so your admins can delete or deactivate accounts. Make sure to keep IT in the loop!

  • Don’t stockpile permissions: Access rights should serve a specific purpose instead of being assigned for hypothetical scenarios or as a shortcut to avoid proper workflows. Rather than granting an entire department access to sensitive data, name one person who is in charge of the system and one person who acts as their substitute. If both people are unavailable for whatever reason, you can still ask IT to adjust the settings.

  • Educate your staff: The best safety measures can’t protect you if your employees ignore them. Educate your team on basic cybersecurity, train them in how to handle enterprise data and, above all, explain to them why access control is so important.

  • Take responsibility: On an individual level, if you notice that you can still access files from your previous role or that a colleague’s accounts remained active after they left the company, don’t ignore the issue. Let the IT department know about the problem.

  • Secure all accounts: Computer networks don’t just include human users, but applications and device accounts as well. To learn how to secure all parts of your network, read our guide to zero trust architecture.

Preventing Privilege Creep with IAM

The question of how to enforce appropriate access depends heavily on the size of your organization. While smaller businesses can keep privilege creep at bay with a bit of effort and discipline, companies with hundreds of employees depend on automated tools to keep up with the flood of new permissions.

With hundreds of different accounts spread across various systems and applications, there is simply no way to keep track of every permission without an identity & access management solution that can automate privilege changes, documentation and reviews.

tenfold Access Management is the leading IAM provider for midmarket organizations. Thanks to our import feature and out-of-the-box plugins for common apps, you can deploy tenfold quickly & easily. Once it’s up and running, you’ll benefit from automated user management, detailed permission reporting and streamlined access reviews. There’s even an option to grant temporary permissions that expire on their own, no follow-up required.

tenfold acts as the central hub for all your access management needs, with support for Microsoft on-prem services as well as Microsoft 365 and third-party applications. Watch our video demo or sign up for a free trial and see for yourself how easy IAM can be with the right tool!


About the Author: Joe Köller

Joe Köller is tenfold’s Content Manager and responsible for the IAM Blog, where he dives deep into topics like compliance, cybersecurity and digital identities. From security regulations to IT best practices, his goal is to make challenging subjects approachable for the average reader. Before joining tenfold, Joe covered games and digital media for many years.