Employees can collect a range of access rights to business systems throughout their tenure. It’s a phenomenon called ‘permission creep’: one of the biggest cybersecurity risks for organisations today.

Does the following scenario ring true? An employee starts at the bottom, working their way up through the organisation. As they are promoted, they require access to different applications and files. Within a couple of years, they have accrued an impressive number of permissions on their user account, even though they don’t need many of those privileges.

Now, imagine someone gets their hands on that well-permissioned account – what could they do? If it’s a criminal, they can unleash a very effective and widespread ransomware attack. If it’s the employee, they might consider committing fraud, stealing competitive business information, or causing damage in self-righteous rage. Whatever the scenario, user accounts are the preferred way to compromise business technologies.

“It’s not even a claim that needs qualification anymore. Whether you look at reports from Gartner, Microsoft or other sources, compromised user accounts are almost always at the root of successful breaches. It’s inspired a surge of identity-driven security, such as zero-trust and data-centric privilege management. But if we look at the source of the problem, it’s usually because user accounts gain too many access rights,” says Paul Green, Head of Microsoft Identity and Access at cyber security company, Performanta.

 

The source of permission creep

Permission creep, also called access creep and privilege creep, is when a user account has permissions it doesn’t require. This creep can occur in two ways. Employees can attain permissions when their career evolves within the organisation, or they might gain temporary permissions for projects or events that are never withdrawn.

It’s tempting to blame administrators for such oversights. But permission creep can often occur to meet business needs. For example, an entire team might gain specific permissions because a few members require those access levels. Whole departments could enjoy access to certain information to accommodate specific staff members.

Overlaps between different parts of the business also create elaborate permissions – legal and HR working on employment contracts might require both groups to access resources they’d typically not need. Then there is the matter of ego: people like the status of access privileges, and higher-ranking employees – especially executives – can expect or demand access just because they feel entitled to it.

“User permissions can look very simple, like a bouncer with a guest list – how complicated could it really be?” says Green. “But when you deal with numerous business systems, file storage, collaboration environments and overlapping projects, it’s very easy to assign permissions and lose track of who can do what.”

Newer developments such as cloud services and remote working have made permission creep more common and complicated. Most organisations still have to catch up to the issue.

 

Fixing permission creep

Companies pay close attention to user permissions, at least at the start. It’s common practice to have rigid permission rules and policies when creating a new account. But such discipline grows lax as the employee’s tenure grows. Overworked administrators are very likely to reflexively grant permissions when asked because they have competing priorities and don’t wish to prevent other people from doing their jobs.

It’s important to have appropriate access policies that include provisions for permission creep, such as matching roles with appropriate permissions, conducting regular audits on accounts, and stipulating the shelf lives of temporary access. Companies should have formal channels for permission requests, particularly to help protect the integrity of administrators – don’t tolerate managers screaming on the phone at them, demanding access.

Likewise, policies must clarify that nobody is above the privilege line – even the CEO should justify why they need this or that access. Groups used to widespread access, such as IT super users or master administrators, must dampen their expectations – if they don’t need the access, they can’t have it.

“Look at access from the vantage of a criminal,” says Green. “If they get their hands on an executive or senior IT administrator’s account, how much damage can they do and how hard will it be to track them down in your systems? Those are the accounts they target.”

Notably, phishing (a fake correspondence attack that tries to steal user credentials) and spear-phishing (the same as phishing, but targeting specific groups or individuals) have risen sharply in recent years.

Yet policy, audits and awareness aren’t sufficient. They take time and are prone to human error. Companies should link their user management and HR systems, using business rules to determine access. It’s becoming best practice to integrate HR data with an access management system such as ActiveDirectory and a robust identity management platform where rules automate permission choices.

“The best way to manage user accounts is to automate them through HR data. If someone is promoted, they automatically gain and lose certain permissions. If someone leaves the company, their access is automatically revoked. Temporary rules can cover certain project or user groups, with built-in expirations. If you combine automated identity management, access policies and privilege audits, you’ll reduce and contain permission creep,” says Green.

There are many ways to break into business systems. But getting your hands on an account brimming with different access rights is the easiest and most common method. Criminals and insiders are much greater risks if your organisation doesn’t address permission creep. Conversely, a robust access management environment will bolster security and productivity.