Privilege Creep: How to Deal With Excess Permissions
Privilege creep refers to theย gradual build-up of unnecessary permissionsย in IT systems. Many companies struggle with privilege creep due toย missing safeguardsย such asย user access reviews. As a result, permissions stay active long past their intended use. Privilege creep often goes unnoticed at first. However, the build-up of permissions increases the risk and potential scope ofย cyber attacks,ย employee data theftย andย insider threats. Read on to learn whatย causesย access rights to pile up and how organizations canย stop privilege creepย and protect their data!
What Is Privilege Creep?
The term privilege creep (also known as permission creep, access creep or privilege sprawl) refers to the process of users accumulating more and more permissions over time, giving them access to undue levels of private information or sensitive systems. Privilege creep is incredibly common. However, the businesses and organizations affected by this problem might not know what privilege creep is called or how dangerous it can be.
The source of privilege creep can be summarized in one sentence: New permissions are added, but old permission are never removed. This leads to users amassing more and more access over time, such as permissions in the local file server, shared files in Microsoft 365 or highly privileged accounts in third-party services.
Eventually, you are left with a mountain of privileges that acts as a ticking timebomb: If your company becomes the target of a cyberattack, unnecessary permissions allow attackers to steal as much data as possible or infect every corner of your network. To make matters worse, the build-up of inactive or orphaned accounts associated with privilege creep provides a convenient attack vector for hackers and cybercriminals. Not to mention the threat posed by disgruntled employees, as highlighted by this FBI PSA.
What Causes Privilege Creep?
The easiest way to explain how privilege creep works in practice is through an example: Letโs say that a member of your company, Tom, switches from the support team to the sales department. For this new role, Tom needs access to all sorts of new resources, such as talking points or price tables. So, to help Tom get to work as soon as possible, his new boss calls up IT and makes sure Tom gets access.
However: Switching departments also means that many of Tomโs old permissions, such as access to unresolved complaints or an official account in the support forum, are now no longer needed. But while new privileges are granted quickly so as to not slow down daily business, outdated permissions are often ignored, forgotten or quietly tolerated.
The result are over-privileged users, who receive more and more permissions every time they are given new tasks or assigned to new projects.
Reasons for Privilege Creep:
- Switching Role/Department
- Temporary Access for Projects
- Covering for Coworkers
- Reliance on Reference Users
- Abandoned Accounts in Third-Party Apps
Dangers of Privilege Creep
While many organizations suffer from privilege creep, the build-up of permissions often goes unnoticed for a long time. Unlike missing permissions, excess privileges donโt interrupt you while youโre working. Even when people become aware of privilege creep, they tend to downplay the issue: So a colleague has access to files from his old department. Whatโs the worst that could happen? Well, let me tell youโฆ
First, thereโs the threat to cybersecurity that over-privileged accounts pose. When employees have access to mountains of enterprise data, it vastly increases the risk of employee data theft. Even without malicious intent, your users can become insider threats against their will if a hacker manages to steal their credentials or they accidentally download an infected attachment, spreading ransomware in your system.
In the event of a network breach, intruders will use your permissions against you, moving freely through your network and stealing or encrypting as many files as possible.
Second, if access rights are incorrectly configured or organizations fail to adequately restrict access, it can violate privacy regulations such as HIPAA or the GDPR. For example, HIPAA not only mandates adequate security measures against cyberattacks, but the privacy rule also establishes a standard for access to protected health information (PHI) known as minimum necessary. Put simply, the minimum necessary standard requires access to PHI to be limited to those who absolutely need it in order to do their job.
This means that apart from outside attacks, healthcare organizations also need to protect data against unauthorized access from within to avoid privacy violations and hefty fines. A prominent example of this rule in action would be the 2011 case against a California hospital where members of staff accessed the health records of various celebrities, despite not being involved in their treatment, resulting in a fine of $865,000.
How to Stop Privilege Creep
Because of the risks associated with unnecessary privileges, keeping access to an absolute minimum has become a best practice in cybersecurity. This approach is also known as the principle of least privilege or POLP.
Least privilege access means that members of an organization should only be given permissions that are strictly necessary for their job. In other words, no outdated permissions and no access rights granted โjust in caseโ. You can think of least privilege as the opposite of privilege creep.
Define Appropriate Access
So, how do you implement least privilege access in practice? The first step to prevent privilege creep is to define who in your organization needs access to which files and systems. The only way to figure out which permissions are necessary and which you can safely remove is to look at the apps and data your team uses in day-to-day operations.
Grant Access Based on Roles
The easiest way to establish reasonable access levels is to group members of your staff into roles based on factors such as office, department or level of seniority. You can then assign permissions to each role depending on the specific responsibilities it involves. For example, members of the HR department obviously need access to your HR software. Implementing role-based access control or RBAC even allows you to automate the process of granting and revoking these default permissions.
Access Governance Best Practices for Microsoft Environments
Everything you need to know about implementing access control best practices in Active Directory, from implementation tips to common mistakes.
Review Permissions Regularly
In any workplace, employees occasionally need additional, short-term permissions to deal with special cases such as covering for a co-worker during their vacation or collaborating on a multi-department project. This is completely normal and thereโs nothing wrong with granting extra privileges when thereโs a good reason. However, make sure you have a process in place for admins to review these special permissions later on to make sure they donโt become permanent. This is commonly known as a user access review.
Bonus: 5 Tips Against Privilege Creep
Communication between HR and IT:ย It is crucial for HR to inform IT of every personnel change as soon as it happens so your admins can delete or deactivate accounts. Make sure to keep IT in the loop!
Donโt stockpile permissions:ย Access rights should serve a specific purpose instead of being assigned for hypothetical scenarios or as a shortcut to avoid proper workflows. Rather than granting an entire department access to sensitive data, name one person who is in charge of the system and one person who acts as their substitute. If both people are unavailable for whatever reason, you can still ask IT to adjust the settings.
Educate your staff:ย The best safety measures canโt protect you if your employees ignore them. Educate your team on basic cybersecurity, train them in how to handle enterprise data and, above all, explain to them why access control is so important.
Take responsibility:ย On an individual level, if you notice that you can still access files from your previous role or that a colleagueโs accounts remained active after they left the company, donโt ignore the issue. Let the IT department know about the problem.
Secure all accounts:ย Computer networks donโt just include human users, but applications and device accounts as well. To learn how to secure all parts of your network, read our guide toย zero trust architecture.
Preventing Privilege Creep with IAM
The question of how to enforce appropriate access depends heavily on the size of your organization. While smaller businesses can keep privilege creep at bay with a bit of effort and discipline, companies with hundreds of employees depend on automated tools to keep up with the flood of new permissions.
With hundreds of different accounts spread across various systems and applications, there is simply no way to keep track of every permission without an identity & access management solution that can automate privilege changes, documentation and reviews.
tenfold Access Management is the leading IAM provider for midmarket organizations. Thanks to our import feature and out-of-the-box plugins for common apps, you can deploy tenfold quickly & easily. Once itโs up and running, youโll benefit from automated user management, detailed permission reporting and streamlined access reviews. Thereโs even an option to grant temporary permissions that expire on their own, no follow-up required.
tenfold acts as the central hub for all your access management needs, with support for Microsoft on-prem services as well as Microsoft 365 and third-party applications. Watch our video demo or sign up for free trial and see for yourself how easy IAM can be with the right tool!
What makes tenfold the leading IAM solution for mid-market organizations?