Reversing the hidden risk of permission creep

Issue 6 2022 Information Security

Does the following scenario ring true? An employee starts at the bottom, working their way up through the organisation. As they are promoted, they require access to different applications and files. Within a couple of years, they have accrued an impressive number of permissions on their user account, even though they don't need many of those privileges.

Now, imagine someone gets their hands on that well-permissioned account – what could they do? If it's a criminal, they can unleash a very effective and widespread ransomware attack. If it's the employee, they might consider committing fraud, stealing competitive business information or causing damage in self-righteous rage. Whatever the scenario, user accounts are the preferred way to compromise business technologies.

"It's not even a claim that needs qualification anymore. Whether you look at reports from Gartner, Microsoft or other sources, compromised user accounts are almost always at the root of successful breaches. It has inspired a surge of identity-driven security, such as zero-trust and data-centric privilege management. But if we look at the source of the problem, it's usually because user accounts gain too many access rights," says Paul Green, head of Microsoft Identity and Access at cybersecurity company, Performanta.

The source of permission creep

Permission creep, also called access creep and privilege creep, is when a user account has permissions it doesn't require. This creep can occur in two ways: employees can attain permissions as their career evolves within the organisation, or they might gain temporary permissions for projects or events that are never withdrawn.

It's tempting to blame administrators for such oversights, but permission creep can often occur to meet business needs. For example, an entire team might gain specific permissions because a few members require those access levels. Whole departments could enjoy access to certain information to accommodate specific staff members.

Overlaps between different parts of the business also create elaborate permissions – legal and HR working on employment contracts might require both groups to access resources they'd typically not need. Then there is the matter of ego: people like the status of access privileges, and higher-ranking employees – especially executives – can expect or demand access just because they feel entitled to it.

"User permissions can look very simple, like a bouncer with a guest list – how complicated could it really be?" says Green. "But when you deal with numerous business systems, file storage, collaboration environments and overlapping projects, it's very easy to assign permissions and lose track of who can do what."

Newer developments such as cloud services and remote working have made permission creep more common and complicated. Most organisations still have to catch up on the issue.

Fixing permission creep

Companies pay close attention to user permissions, at least at the start. It's common practice to have rigid permission rules and policies when creating a new account. But such discipline grows lax as the employee's tenure grows. Overworked administrators are very likely to reflexively grant permissions when asked because they have competing priorities and don't wish to prevent other people from doing their jobs.

It's important to have appropriate access policies that include provisions for permission creep, such as matching roles with appropriate permissions, conducting regular audits on accounts, and stipulating the shelf lives of temporary access. Companies should have formal channels for permission requests, particularly to help protect the integrity of administrators who don’t want managers screaming at them over the phone, demanding access.

Likewise, policies must clarify that nobody is above the privilege line – even the CEO should justify why they need this or that access. Groups used to widespread access, such as IT super users or master administrators, must dampen their expectations – if they don't need the access, they can't have it.

"Look at access from the vantage point of a criminal," says Green. "If they get their hands on an executive or senior IT administrator's account, how much damage can they do and how hard will it be to track them down in your systems? Those are the accounts they target."

Notably, phishing (a fake correspondence attack that tries to steal user credentials) and spear-phishing (the same as phishing, but targeting specific groups or individuals) have risen sharply in recent years.

Yet policy, audits and awareness aren't sufficient. They take time and are prone to human error. Companies should link their user management and HR systems, using business rules to determine access. It's becoming best practice to integrate HR data with an access management system such as Active Directory and a robust identity management platform where rules automate permission choices.

"The best way to manage user accounts is to automate them through HR data. If someone is promoted, they automatically gain and lose certain permissions. If someone leaves the company, their access is automatically revoked. Temporary rules can cover certain project or user groups, with built-in expirations. If you combine automated identity management, access policies and privilege audits, you'll reduce and contain permission creep,” says Green.

There are many ways to break into business systems, but getting your hands on an account brimming with different access rights is the easiest and most common method. Criminals and insiders are much greater risks if your organisation doesn't address permission creep. Conversely, a robust access management environment will bolster security and productivity.




Share this article:
Share via emailShare via LinkedInPrint this page



Further reading:

Managed security solutions for organisations of all sizes
Information Security
Cyberattackers have become significantly more sophisticated and determined, targeting businesses of all sizes. PwC’s Global Digital Trust Insights Survey 2025 Africa and South Africa highlights the urgent need for organisations to implement robust cyber risk mitigation strategies.

Read more...
Multiple IoT devices targeted
Information Security Residential Estate (Industry)
Mirai remains one of the top threats to IoT in 2025 due to widespread exploitation of weak login credentials and unpatched vulnerabilities, enabling large-scale botnets for DDoS attacks, data theft and other malicious activities.

Read more...
Local-first data security is South Africa's new digital fortress
Infrastructure Information Security
With many global conversations taking place about data security and privacy, a distinct and powerful message is emerging from South Africa: the critical importance of a 'local first' approach to data security.

Read more...
Sophos launches advisory services to deliver proactive cybersecurity resilience
Information Security News & Events
Sophos has launched a suite of penetration testing and application security services, designed to identify gaps in organisations’ security programs, which is informed by Sophos X-Ops Threat Intelligence and delivered by world-class experts.

Read more...
Kaspersky highlights biometric and signature risks
Information Security News & Events
AI has elevated phishing into a highly personalised threat. Large language models enable attackers to craft convincing emails, messages and websites that mimic legitimate sources, eliminating grammatical errors that once exposed scams.

Read more...
Software security is a team sport
Information Security Infrastructure
Building and maintaining secure software is not a one-team effort; it requires the collective strength and collaboration of security, engineering, and operations teams.

Read more...
Stronger cloud protection
Kaspersky Information Security Products & Solutions
Kaspersky has announced the release of an enhanced version of its Kaspersky Cloud Workload Security, delivering advanced protection for hybrid and multi-cloud environments.

Read more...
AttackIQ enters South Africa with key appointment
Information Security News & Events
AttackIQ, a provider of continuous security validation and exposure management, has announced its entry into the South African market with the appointment of Luke Cifarelli as its country manager.

Read more...
Managed security solutions for organisations of all sizes
Information Security News & Events
Cyber attackers have become significantly more sophisticated and determined, targeting businesses of all sizes. PwC’s Global Digital Trust Insights Survey 2025 Africa and South Africa highlights the urgent need for organisations to implement robust cyber risk mitigation strategies.

Read more...
Data resilience at VeeamON
Technews Publishing SMART Security Solutions Infrastructure Information Security
SMART Security Solutions attended the VeeamON Tour in Johannesburg in August to learn more about data resilience and Veeam’s initiatives to enhance data protection, both on-site and in the cloud.

Read more...










While every effort has been made to ensure the accuracy of the information contained herein, the publisher and its agents cannot be held responsible for any errors contained, or any loss incurred as a result. Articles published do not necessarily reflect the views of the publishers. The editor reserves the right to alter or cut copy. Articles submitted are deemed to have been cleared for publication. Advertisements and company contact details are published as provided by the advertiser. Technews Publishing (Pty) Ltd cannot be held responsible for the accuracy or veracity of supplied material.




© Technews Publishing (Pty) Ltd. | All Rights Reserved.