What is Permissions Creep?
Permissions Creep, also known as privilege creep, is what happens when we move between roles in an organisation and keep the access or permissions of the previous role.
Permissions Creep example:
Let’s imagine you have been hired by a company to maintain one of their buildings, building A. So on your first day they give you the keys to building A. You work there for 6 months and because you have done such a great job they promote you to maintain an even larger building, building B. You get your keys to building B on your first day and you stop doing the maintenance for building A. Now, a year later you get promoted again. This time to maintain the company HQ, building C. They hand you the keys to building C.
At this stage all you actually need to do your job are the keys to building C however because they never collected the other keys back in you are now one of the rare people with access to all 3 company buildings. You have “accumulated privileges”.
Now let’s say someone breaks into your car and steals the keys. That attacker now also has access to all 3 buildings.
Why does it matter?
A key component in keeping a company’s data secure is to ensure that employees are only able to view and edit the systems they need access to in order to perform their role.
Accumulated privileges matter in a company because having all the “eggs in one basket” weakens company security and creates vulnerabilities within an organisation.
For example, a successful social engineering attack on a CEO with an admin account and access to the segmented finance network could give an attacker a highly privileged position in an organisation just by compromising one account. This frequently happens as senior staff members often demand special privileges and are the targets of targeted cyber-attacks.
In the case of an insider threat, an attacker will be looking to build up permissions they do not need in order to commit fraud or exfiltrate information.
Why is it hard to stop?
Permissions creep is difficult to work against because people feel naturally entitled to the access and permissions that they have used in the past. They feel they “own” the access, in the same way employees often feel they “own” the information and reports they have written. They feel a sense of status at having access that others do not, even though they have no need for it. This is particularly true of senior members of staff who see access as a badge of honour. Unfortunately, it takes a brave IT administrator to tell his boss that his access has been curtailed.
Similarly, when staff move roles in an organisation the emphasis is on setting up their access they need for the new role and the importance of subsequently removing permissions is often overlooked.
6 ways to reduce the risk of permissions creep and privilege accumulation.
- Make sure there are relevant policies in place to address the risks of permission creep.
- Don’t give out unnecessary access! It may seem like a shortcut to give all member of a team or department the same access, but ensure that they need it first.
- Ensure there is good communication between IT and HR when it comes to staff who change roles internally or leave. Make sure that the accounts are appropriately modified or closed in a timely manner.
- Conduct regular permissions audits – There are numerous open source and commercial tools to assist with doing permissions audits.
- As a user, if you find you have unexpected access or still have access to files you no longer need, inform your IT team so they can update the accounts.
- Educate users, especially those in senior positions of the importance of minimising permissions. Explain the risk/reward balance; they don’t need or use the access, yet by having it they are putting their company at unnecessary risk.