Stolen and weak passwords, especially privileged credentials, continue to be one of the most popular attack vectors for digital threat actors. According to the 2018 Verizon Data Breach Investigations Report, stolen credentials are involved in over 80% of all enterprise data breaches. Yet how much damage can one user’s credentials do on your enterprise’s network? What databases can each user access? And what databases should they be able to access?
These are not idle questions. Instead, they are fundamental to understanding the power each user wields on your network and the most common imbalance of permissions: access creep.
What is Access Creep?
Access creep, also known as privilege creep, refers to the slow accumulation of unnecessary permissions, access rights, and outright privileges by individual users. The most fitting, as well as the most disturbing, literary parallel is the old fable of the frog in a pot of boiling water. The problem of access creep may not be apparent at first…until the water is boiling and it is far too late.
What is the Problem with Access Creep?
Access creep creates more than one kind of security issue and potential breach scenario. First, allowing your employees to move about the corporate network without restraint can create workflow, compliance, communication, and productivity issues, which can be localized or widespread depending on the extent of the access creep.
Second, if credentials with unnecessary permissions fall into the wrong hands, such as those of digital threat actors, they could grant those actors unprecedented access to your network. Further, your IT security team may have trouble finding and remediating the threat, since they may not understand its extent.
On the other side of the coin, access creep compounds the potential for access abuse or an insider threat attack hitting your enterprise’s most sensitive databases. Employees with unnecessary power will be more tempted to abuse it and more likely to lash out if they suffer disappointment or frustration at work. Recent research indicates employees can feel the urge to sabotage their employer or former employer if they feel sufficiently wronged.
How Does Access Creep Occur?
Usually, access creep begins with the most innocuous of activities related to employees moving through and working in an enterprise.
For example, users are often assigned projects requiring access to databases or assets they could not otherwise reach. They are given permissions to those assets, but without proper oversight the privileges are never revoked, even after the project is completed.
As another example, a user assumes a new position within the organization. This new position can be a promotion, demotion, or a lateral move to a new department. Regardless, the permissions from their previous roles are not removed after the transition, resulting in the user having permissions for multiple positions and departments.
How Do You Prevent Access Creep?
Again, it all comes down to oversight in your identity security via identity governance.
Your enterprise needs to deploy and utilize a strong identity governance and administration (IGA) solution. By incorporating IGA into your cybersecurity platform, your IT security team will become capable of performing role management; in turn, this will grant you visibility into the permissions and digital roles of your employees.
As part of a comprehensive identity governance deployment, you need to honestly assess what access your employees actually need to perform their roles within your organization. Then you need to revoke any and all unnecessary privileges, even those of your privileged users. As part of any user’s role transition—onboarding, offboarding, or moving through your enterprise—make sure access provisioning and de-provisioning are properly implemented and overseen by your security team.
Furthermore, your IT security team needs to be actively involved in the granting of temporary permissions. They need to regulate how the provisioning and de-provisioning of those temporary access rights are conducted. The most common way to enact temporary permissions is to set them on firm timers. At the end of a set time, the permissions are automatically revoked.
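The review described above, sketched as an added example that is not part of the original article: it flags standing permissions that fall outside a user's current role and temporary grants whose timer has run out. The role names, users, permissions, and dates are all constructed for illustration.

```python
from datetime import datetime, timezone

# Constructed role baselines: the permissions each role actually needs.
ROLE_BASELINE = {
    "finance-analyst": {"erp:read", "ledger-db:read"},
    "hr-partner": {"hris:read", "hris:write"},
}

# Constructed directory data: each user's current role.
USERS = {"alice": "hr-partner", "bob": "finance-analyst"}


def utc(year, month, day):
    return datetime(year, month, day, tzinfo=timezone.utc)


# Constructed grants: (user, permission, expiry). expiry None = standing grant.
GRANTS = [
    ("alice", "hris:read", None),
    ("alice", "hris:write", None),
    ("alice", "ledger-db:read", None),               # left over from a previous role
    ("bob", "erp:read", None),
    ("bob", "project-x-db:read", utc(2024, 1, 31)),  # project ended, never revoked
    ("bob", "crm:read", utc(2024, 6, 30)),           # temporary grant still running
]


def review(users, grants, now):
    """Return (user, permission, reason) for every grant that should be revoked."""
    findings = []
    for user, perm, expiry in grants:
        # A user with no known role gets an empty baseline: nothing is allowed.
        baseline = ROLE_BASELINE.get(users.get(user), set())
        if expiry is not None:
            if expiry <= now:
                findings.append((user, perm, "expired-temporary"))
            continue  # timer still running, leave the grant in place
        if perm not in baseline:
            findings.append((user, perm, "outside-role"))
    return findings


if __name__ == "__main__":
    for finding in review(USERS, GRANTS, utc(2024, 3, 1)):
        print(*finding)
```

Run on a schedule against real entitlement exports, the same comparison gives the security team a revocation list after each role transition and at the end of each temporary grant.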
Don’t let access creep work its way into your business processes. Start governing your identities.