Reversing the hidden risk of permission creep

Issue 6 2022 Information Security

Does the following scenario ring true? An employee starts at the bottom, working their way up through the organisation. As they are promoted, they require access to different applications and files. Within a couple of years, they have accrued an impressive number of permissions on their user account, even though they don't need many of those privileges.

Now, imagine someone gets their hands on that well-permissioned account – what could they do? If it's a criminal, they can unleash a very effective and widespread ransomware attack. If it's the employee, they might consider committing fraud, stealing competitive business information or causing damage in self-righteous rage. Whatever the scenario, user accounts are the preferred way to compromise business technologies.

"It's not even a claim that needs qualification anymore. Whether you look at reports from Gartner, Microsoft or other sources, compromised user accounts are almost always at the root of successful breaches. It has inspired a surge of identity-driven security, such as zero-trust and data-centric privilege management. But if we look at the source of the problem, it's usually because user accounts gain too many access rights," says Paul Green, head of Microsoft Identity and Access at cybersecurity company, Performanta.

The source of permission creep

Permission creep, also called access creep and privilege creep, is when a user account has permissions it doesn't require. This creep can occur in two ways: employees can attain permissions as their career evolves within the organisation, or they might gain temporary permissions for projects or events that are never withdrawn.

It's tempting to blame administrators for such oversights, but permission creep can often occur to meet business needs. For example, an entire team might gain specific permissions because a few members require those access levels. Whole departments could enjoy access to certain information to accommodate specific staff members.

Overlaps between different parts of the business also create elaborate permissions – legal and HR working on employment contracts might require both groups to access resources they'd typically not need. Then there is the matter of ego: people like the status of access privileges, and higher-ranking employees – especially executives – can expect or demand access just because they feel entitled to it.

"User permissions can look very simple, like a bouncer with a guest list – how complicated could it really be?" says Green. "But when you deal with numerous business systems, file storage, collaboration environments and overlapping projects, it's very easy to assign permissions and lose track of who can do what."

Newer developments such as cloud services and remote working have made permission creep more common and complicated. Most organisations still have to catch up on the issue.

Fixing permission creep

Companies pay close attention to user permissions, at least at the start. It's common practice to have rigid permission rules and policies when creating a new account. But such discipline grows lax as the employee's tenure grows. Overworked administrators are very likely to reflexively grant permissions when asked because they have competing priorities and don't wish to prevent other people from doing their jobs.

It's important to have appropriate access policies that include provisions for permission creep, such as matching roles with appropriate permissions, conducting regular audits on accounts, and stipulating the shelf lives of temporary access. Companies should have formal channels for permission requests, particularly to help protect the integrity of administrators who don’t want managers screaming at them over the phone, demanding access.

Likewise, policies must clarify that nobody is above the privilege line – even the CEO should justify why they need this or that access. Groups used to widespread access, such as IT super users or master administrators, must dampen their expectations – if they don't need the access, they can't have it.

"Look at access from the vantage point of a criminal," says Green. "If they get their hands on an executive or senior IT administrator's account, how much damage can they do and how hard will it be to track them down in your systems? Those are the accounts they target."

Notably, phishing (a fake correspondence attack that tries to steal user credentials) and spear-phishing (the same as phishing, but targeting specific groups or individuals) have risen sharply in recent years.

Yet policy, audits and awareness aren't sufficient. They take time and are prone to human error. Companies should link their user management and HR systems, using business rules to determine access. It's becoming best practice to integrate HR data with an access management system such as Active Directory and a robust identity management platform where rules automate permission choices.

"The best way to manage user accounts is to automate them through HR data. If someone is promoted, they automatically gain and lose certain permissions. If someone leaves the company, their access is automatically revoked. Temporary rules can cover certain project or user groups, with built-in expirations. If you combine automated identity management, access policies and privilege audits, you'll reduce and contain permission creep,” says Green.

There are many ways to break into business systems, but getting your hands on an account brimming with different access rights is the easiest and most common method. Criminals and insiders are much greater risks if your organisation doesn't address permission creep. Conversely, a robust access management environment will bolster security and productivity.

Share this article:
Share via emailShare via LinkedInPrint this page

Further reading:

The song remains the same
Sophos Information Security
Sophos report found that telemetry logs were missing in nearly 42% of the attack cases studied. In 82% of these cases, cybercriminals disabled or wiped out the telemetry to hide their tracks.

How hackers exploit our vulnerabilities
Information Security Risk Management & Resilience
Distractions, multi-tasking, and emotional responses increase individuals’ vulnerability to social engineering, manipulation, and various forms of digital attacks; 74% of all data breaches included a human element.

Projections for 2024’s Advanced Threats Landscape
News & Events Information Security
Kaspersky Global Research and Analysis Team (GReAT) experts offer insights and projections for 2024 in the Kaspersky Security Bulletin, with a focus on the evolution of Advanced Persistent Threats (APT).

Veeam and Sophos in strategic partnership
Information Security
Veeam and Sophos unite with a strategic partnership to advance the security of business-critical backups with managed detection and response for cyber resiliency, and to quickly recover impacted data by exchanging critical information.

When technology is not enough
Information Security
[Sponsored] Garith Peck, Executive Head of Department for Security at Vodacom Business, writes about the importance of creating a cybersecurity strategy in a world where threats never sleep.

Reinforcing cyber defences in a world of evolving threats
Sophos Information Security
[Sponsored Content] In South Africa, the urgency to amplify cybersecurity measures is underscored by alarming statistics revealing the continued vulnerability of organisations to ransomware and other sophisticated cyberattacks.

Trellix detects collaboration by cybercriminals and nation states
News & Events Information Security
Trellix has released The CyberThreat Report: November 2023 from its Advanced Research Centre, highlighting new programming languages in malware development, adoption of malicious GenAI, and acceleration of geopolitical threat activity.

SA enterprises can benefit from AI-driven cybersecurity
AI & Data Analytics Information Security
Cybercrime is big business, and threat actors deploy cutting-edge tools to carry out attacks. Fortunately, cybersecurity is constantly evolving to meet and counter the threats they face.

Cyber threat anticipation
NEC XON Information Security Risk Management & Resilience
The ever-increasing number of sophisticated attacks on the horizon means organisations must evolve and adapt their cybersecurity strategies to protect their data, systems, and reputation.

Africa Online Safety Fund announces grant winners
News & Events Information Security
The Africa Online Safety Fund (AOSF) has announced the winners of this year’s grants; among them are five organisations operating in South Africa to educate people about online risks.