So, let's start at the beginning… What is privilege creep? Simply put, it's the gradual accumulation of access rights beyond what an individual needs to do his or her job. In general terms, a privilege is an identified right that a particular end user has to a particular system resource, such as a file folder or a database where data is stored.
Privilege creep often occurs when an employee changes job responsibilities within the organization and is granted new access rights to perform the role that they are moving into. While an employee may need to retain his or her former access rights during a period of transition, those privileges are rarely revoked and result in an unnecessary accumulation of access privileges.
Privilege creep is a common problem in organisations of all sizes, and it creates a two-fold security risk. First, an employee with excess privileges may be tempted to use those privileges inappropriately. Second, if an intruder gains access to an end user's account -- and that end user has excess privileges -- the intruder inherits those excess privileges too. Either scenario poses a risk that could result in data loss or theft.
The security risks caused by privilege misalignment are so great that in the United States the FBI and the Department of Homeland Security have issued a public service announcement warning of an increase in insider threats from disgruntled and/or former employees, many of which can be traced to privilege creep and to authorised access to sensitive information and networks that was never removed.
According to research by Intermedia and Osterman Research, 89% of employees leave their jobs with a valid login and password to at least one business application belonging to their former employer, and 49% admitted to logging in to an account after leaving the company. Add to that the research from Cybersecurity Insiders, which tells us that between 2018 and 2020 incidents involving insider threats increased by 47%, and that this year alone 57% of organisations felt that incidents had become more frequent, and it is clear that the problem of business users with too much access to critical and/or sensitive data is huge!
We do have to make a few assumptions here, mainly that the increase this year is partly due to business users working from home, with nobody looking over their shoulder, merrily clicking their way through the file servers to see what they can see! But remember: just because we are starting to go back to the office, the problem hasn't gone away. It's very much still there!
The challenge of users with too much access to sensitive and critical data isn't new, of course; it has been a challenge for a very long time. But why has it been so difficult to get a grip on what, put into its simplest form, should be a simple problem to address?
A survey sent out by Tenfold Security suggests that there are 5 key reasons:
Visibility
i. Who has access to what data?
ii. The environment is constantly changing and evolving
iii. Multiple systems mean multiple user accounts and roles
iv. Microsoft environments have a complex permission structure and no tools aimed at the business
Traceability
i. Who granted access, and when?
ii. 81% of respondents want more efficient systems and controls
iii. Why do users have access?
iv. Difficult to prove compliant user behaviour
Efficiency
i. Manual processes take time to action
ii. Traditional ticketing systems are not suitable for the tasks required
iii. IT do not want to manage this process
iv. Ever more complex environments
v. The joiner/mover/leaver process involves too many people and is time consuming
Data is at Risk
i. Users collect more and more access
ii. Users have access to critical data without a business need
iii. Data may be compromised, leaked, stolen or misused
iv. Organisations know about the risks but believe it is too costly and time consuming to address
Regulatory & Compliance Requirements
i. Lots of differing rules and regulations
ii. Takes too much time
iii. Should be a business role, not an IT role
iv. Lack of compliance can lead to big fines!
A key part of minimising privilege creep is enforcing the principle of least privilege (PoLP): limiting permissions to the minimum level an employee needs to perform his or her job. PoLP is also a key requirement under a number of compliance and regulatory standards.
For me, though, the best and only true way to ensure that users' access to data does not get out of control is to conduct periodic access rights reviews, or re-certification. This is also known as entitlement review or account attestation.
Controlling and regularly reviewing which employees have access to which systems and data isn't just security 101 -- it's a compliance necessity. PCI DSS and HIPAA both require periodic user access reviews, and GDPR's security-of-processing obligations are very hard to evidence without them; failing to review access regularly could land your company in hot water.
A lot of companies rely on native Windows tools to assign user access. But once those permissions are in place, then what?
Think about the number of employees that have quit or been terminated at your company in the past year or two. Then, add in the number of current employees who have changed roles or departments. If you work for a large organization, this number could be in the hundreds or even the thousands.
So, what is a re-certification process and why is it important?
Re-certification is the process of periodically assessing the rights of anyone who has access to enterprise systems and data. Users can include employees, partners, third parties, service providers and vendors. Performing user account reviews is critical to monitor, manage and audit the user account lifecycle from creation to termination -- and everywhere in between. These reviews should follow a well-defined user access review policy and be carried out on a regular basis to prevent potential security problems.
So how do you conduct a user access review?
Define your access management policy. At minimum, a user access management policy should cover the following points.
First, run a report to take an inventory of all data and its location.
Next, identify the owner(s) within the business. This could be a department head, a manager or someone within each department that has been delegated with that responsibility.
Alongside identifying the data owners, you should define job roles and responsibilities and their access requirements down to a granular level. For example, some employees will need read-only access to data to perform their job functions, while some require editing capabilities, and others will need permission to delete data. This, again, is a business process, not an IT issue.
User access reviews might be conducted per department, per employee or as a combination of the two. A per-department review will audit access controls based on who has access to data in the department, while a per-employee review examines access based on the data an employee can see.
How often to conduct reviews will vary by organisation. Smaller companies may be able to review everything in scope more frequently than large corporations, which may only assess one system at a time, or test a sample and conduct a full review only when discrepancies occur. Depending on the system, reviews can be run monthly, quarterly, bi-annually or annually. Audit high-risk, sensitive and critical data more often, while lower-risk data can be assessed less frequently.
Conduct the review
Once a clearly defined policy is in place, create a report of all databases, applications and systems, and determine who currently has access to them. Include all employees and third parties, such as vendors, service providers, temp staff and consultants.
Send a copy of the report to each data owner, who should then audit the list to verify who has access and at what level, and decide whose access privileges should be changed or revoked. Sometimes this is based on role, department or responsibility, while at other times a more granular approach is needed: responsibilities and access requirements can vary for people in the same role, for instance when someone is working on a specific project.
You should also have a process to make sure owners sign off on the report by the deadline.
Deprovisioning processes
A user access review policy should also detail corporate provisioning and deprovisioning processes. Provisioning, the first step in the user account lifecycle, explains how access privileges are assigned to a new hire. Deprovisioning outlines how user access is revoked when an employee changes roles or is terminated. Removing access rights to enterprise assets is part of the deprovisioning and offboarding process, but it can be, and often is, overlooked. Regular access reviews will alert managers and owners to gaps in offboarding, enabling the company to update its processes and make any remediation necessary.
Reporting
Once you receive all the user account access reviews, execute the changes based on the owners' decisions. Remove any revoked access, and update employees' privileges as needed. Then generate a new user access report to verify that the changes have taken effect and that nothing was missed.
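The review steps above, as an added example that is not part of the original post: a small Python model of one re-certification cycle, from the inventory report through owner sign-off to the verification report. All of the data is constructed for illustration, and the resource paths, owner names, roles and users are assumptions (in practice the inventory would be an export from the file server, directory or application in scope). It flags every entitlement that no current role justifies, including a mover who kept his old department's access and a leaver whose account was never removed, routes each finding to the owning data owner, treats a missing decision as "not approved" rather than as consent, and re-checks a fresh export after IT has made the changes.

```python
"""One re-certification cycle: inventory -> flag excess -> owner sign-off -> revoke -> verify.
Added example with constructed data; resource, owner, role and user names are assumptions."""
from collections import defaultdict, namedtuple

# Access levels in increasing order; a higher level implies the lower ones.
LEVELS = {"read": 1, "modify": 2, "full": 3}
Entitlement = namedtuple("Entitlement", "user resource level")

# Business-side inputs: who owns each data set and what each role legitimately needs.
RESOURCE_OWNERS = {r"\\fs01\Finance": "cfo", r"\\fs01\Marketing": "cmo", "HRIS": "hr_director"}
ROLE_MODEL = {
    "finance_manager": {r"\\fs01\Finance": "full", "HRIS": "read"},
    "marketing_exec": {r"\\fs01\Marketing": "modify"},
    "hr_partner": {"HRIS": "full"},
}
# Current HR view. "bob" moved from Finance to Marketing; "carol" left last month.
PEOPLE = {
    "alice": ["finance_manager"],
    "bob": ["marketing_exec"],
    "dave": ["hr_partner"],
    "vendor_acme": ["marketing_exec"],  # third party, reviewed like any employee
}
# What the systems actually grant today (constructed export of ACLs / application roles).
INVENTORY = [
    Entitlement("alice", r"\\fs01\Finance", "full"),
    Entitlement("alice", "HRIS", "read"),
    Entitlement("bob", r"\\fs01\Marketing", "modify"),
    Entitlement("bob", r"\\fs01\Finance", "modify"),          # kept from old role: creep
    Entitlement("carol", r"\\fs01\Finance", "read"),          # leaver never deprovisioned
    Entitlement("dave", "HRIS", "full"),
    Entitlement("dave", r"\\fs01\Finance", "read"),           # no role justifies this
    Entitlement("vendor_acme", r"\\fs01\Marketing", "full"),  # more than the role needs
]


def allowed_level(user, resource):
    """Highest level any current role of the user grants on the resource (0 = none)."""
    levels = [LEVELS[ROLE_MODEL[r][resource]]
              for r in PEOPLE.get(user, []) if resource in ROLE_MODEL.get(r, {})]
    return max(levels, default=0)


def find_excess(inventory):
    """Entitlements no current role justifies, grouped by the data owner who must decide."""
    by_owner = defaultdict(list)
    for ent in inventory:
        if ent.user not in PEOPLE:
            by_owner[RESOURCE_OWNERS[ent.resource]].append((ent, "leaver or unknown account"))
        elif LEVELS[ent.level] > allowed_level(ent.user, ent.resource):
            by_owner[RESOURCE_OWNERS[ent.resource]].append((ent, "exceeds role model"))
    return dict(by_owner)


def apply_decisions(flagged, decisions):
    """decisions: {Entitlement: "revoke" | "keep:<justification>"}.
    Anything the owner did not decide stays open: silence is never approval."""
    revoke, keep, undecided = [], [], []
    for items in flagged.values():
        for ent, _reason in items:
            d = decisions.get(ent, "")
            if d == "revoke":
                revoke.append(ent)
            elif d.startswith("keep:"):
                keep.append((ent, d[len("keep:"):].strip()))
            else:
                undecided.append(ent)
    return revoke, keep, undecided


def verify(new_inventory, revoked, kept):
    """Re-run the report after IT's changes: revoked rights must be gone and nothing
    unapproved may remain (approved exceptions are carried forward, not re-flagged)."""
    approved = {ent for ent, _ in kept}
    still_present = [e for e in revoked if e in new_inventory]
    open_findings = [e for items in find_excess(new_inventory).values()
                     for e, _ in items if e not in approved]
    return still_present, open_findings


# Owner responses (constructed): the CFO revokes two and keeps one with a written reason;
# the CMO has not answered about the vendor yet.
DECISIONS = {
    Entitlement("bob", r"\\fs01\Finance", "modify"): "revoke",
    Entitlement("carol", r"\\fs01\Finance", "read"): "revoke",
    Entitlement("dave", r"\\fs01\Finance", "read"): "keep: Q3 audit support, expires 30 Sep",
}
# Fresh export after IT acted: bob's old access is gone, but carol's account was missed.
INVENTORY_AFTER = [e for e in INVENTORY if e != Entitlement("bob", r"\\fs01\Finance", "modify")]


def run_cycle():
    """Run the whole cycle on the constructed data and return every intermediate result."""
    flagged = find_excess(INVENTORY)
    revoke, keep, undecided = apply_decisions(flagged, DECISIONS)
    still_present, open_findings = verify(INVENTORY_AFTER, revoke, keep)
    return {"flagged": flagged, "revoke": revoke, "keep": keep, "undecided": undecided,
            "still_present": still_present, "open_findings": open_findings}


if __name__ == "__main__":
    for name, value in run_cycle().items():
        print(f"{name}: {value}")
```

Running it shows the two things the process is designed to catch: the verification report lists carol's account as still present because the revocation was never carried out, and the vendor's excess rights stay open because the CMO never signed off, so they cannot be closed as "approved" by default. The kept exception for dave carries its justification and expiry with it, which is what an auditor will ask for at the next cycle.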
Remember: this is a process in which data owners that sit within the business, NOT IT, confirm each employee's need for specific roles and rights, in an effort to discover and revoke excess privileges. After all, it is the data owners within the business who know who needs access, not IT!
Native Windows Tools will not give you the granularity and flexibility that is required.
Technical solutions that are designed for technical users will only go part of the way to addressing privilege creep. Permissions management is a business issue, and therefore it needs to be managed by business users.