Quick question: Do you know which employees have access to systems, services, files, folders, subnets, or the various platforms you use? That’s a tough question, especially for large enterprise businesses.
It is, however, a very important question to ask and answer.
You should have absolute control over what staff members have access to. If not, you risk opening everything in your company to security issues.
When access rights gradually accumulate beyond what individual staff members actually need to do their jobs, it’s called privilege creep. It happens more than you think.
How this occurs is simple. You have an employee who already has certain permissions within your company to access various servers, software, networks, directories, and accounts. At some point, you or one of your admins will have to extend their security privileges. This is often done by simply adding to their accumulated permissions. If your admins don’t first vet that employee’s current list/state of permissions before adding on, that staff member could wind up with too much access.
If you’re interested in keeping your company data safe, contact us to learn more about cybersecurity considerations for enterprise software.
For example, that employee might have, at one point, needed access to a specific database on a server. When the access to that database was no longer needed, if the admin didn’t revoke their privileges (while giving them new privileges), it’s privilege creep.
Privilege creep is a direct threat to the security of your company and it must be avoided at all costs.
Why Is It a Security Risk?
Privilege creep can cause a security risk on a number of levels, but primarily it’s all about too many people having access to too many assets without the need for such access.
Consider this: Olivia works in your PR department and needs temporary access to a database that contains all of your client information (which might include bank account information, Social Security numbers, or credit card information). When Olivia no longer needs access to that database, the logical thing to do would be to revoke her access to it. Unfortunately, the admin’s job consists of putting out daily fires, so revoking that access might get bumped down (or off) their to-do list.
At this point, Olivia still has access to that crucial database.
What happens if a hacker breaks into your network and gains access to Olivia’s account? That hacker could also gain access to the database containing all of that sensitive information.
That very scenario happens more than you think.
To avoid such an outcome, all that would have had to happen is revoking Olivia’s database access.
But, as we said, revoking such access might be low on the DEFCON chart for the day, so it winds up getting overlooked. Or, an admin might look at the situation and think, “Olivia will probably need access again, so why bother?”
The problem with the “why bother?” scenario is that it adds up. If your admins continue to “why bother?” with every employee’s access, privilege creep will not only be an issue, it’ll slowly become your biggest issue.
Are you ready to implement data security solutions? Contact us for a free consultation.
How to Avoid Privilege Creep?
There are a few things you can do to ensure privilege creep doesn’t come back to haunt you.
Create a Strict Access Policy
According to Satoricyber, the average organization uses approximately 315 SaaS apps and most of those apps have multiple accounts with access to sensitive company data. When you fail to employ data access policies, that can quickly lead to privilege creep.
The first thing you should do is create an access policy that clearly defines which employees have access to which assets. This should be an easy-to-read chart that makes it obvious which departments and employees should have access to specific systems/accounts/assets. This policy should be well thought out and viable.
Follow the Policy to the Letter
Next, you need to make certain your admin teams are following the new policy. Yes, it might make extra work for them, but it’s crucial that they regularly check privileges (referring to the chart you’ve painstakingly created) and revoke any privilege that is not needed.
Employ Role-Based Access
Instead of thinking about this on a per-user basis, it’s best to look at it from a role standpoint. For example, you could create access policies based on roles, such as developers, HR, management, staff, and upper management. Each role (or group, if you’re looking at it via a computer system) will have specific privileges for specific assets. Once you have role-based policies, all you have to do is plug users into roles.
For example, Olivia was in management and enjoyed management privileges. She was then promoted to upper management. Instead of having to comb through her privileges one by one, you would simply have to remove her from the management group and add her to the upper management group. Her permissions will automatically change and she’s set to work. If you want to learn more about a role based-access control, watch this short video and get familiar with its benefits.
Work with Identity Governance and Administration
If you’re an enterprise business, you need to consider implementing Identity Governance and Administration (IGA), which serves to regularly check on access and privileges held by each employee. This team should be separate from your regular admins or security teams, so it can function independently and only has one very important job.
If you’re not an enterprise business (but are still of the larger size), you might get away with a single employee taking care of IGA. If that’s the case, do not burden that employee with other tasks, because IGA will be enough to keep them busy. On top of that, having centralized management of user privileges will greatly reduce complications and mistakes. Your IGA team will be far less likely to overlook a change in privileges than an already overworked admin or security team.
The Principle of Least Privilege
There are two ways of looking at privilege:
- Giving an employee more privileges than they need to do their job.
- Giving an employee the bare minimum of privileges they require to do their job.
It is always safest to go with the latter. Never grant an employee more access than they require to function in their role. This doesn’t just mean assigning them the bare minimum and being done with it. You need to be vigilant about out-of-date privileges that can be revoked without compromising the employee’s ability to work. This also means no privileges are granted unless an employee needs them.
Give each employee the least amount of privileges they require and your security teams will thank you.
Make Use of a Specialized Tool
If your company employs thousands of people, managing privileges manually can be next to impossible. In such a case, consider using an Identity and Access Management (IAM) tool such as SPHEREboard, CyberFOX, Auth0, or SpectralOps. Such tools can function faster and more reliably to keep your business safe from privilege creep.
Privilege creep can happen in any business
It happens to the best of businesses at some point. The key is to start early to prevent it from getting out of hand. Should you allow privilege creep to go too quickly and too far, the task can get seriously challenging to solve.
