In an IT organisation, each employee holds a set of privileges needed to perform their duties. One such privilege may be the right to access a particular system resource such as file folders or documents, reports or other data within the company. When an employee moves around or changes job role and responsibilities within the company, he or she is granted new privileges, and may legitimately need to keep the old ones while transitioning to the new role. Once the move is complete, however, the old privileges are often not revoked, which leads to an unnecessary accumulation of privileges called privilege creep. As time passes, the employee holds privileges that he or she does not really need.
Privilege creep is a common occurrence among IT companies: access to sensitive data, Separation of Duties (SOD) and account-management SOD are left uncontrolled and unenforced. An access control policy and its enforcement need to be established, documented and reviewed against the business and security requirements for access, including separation of the access authorisation, access administration and audit functions.
Privilege creep happens for a couple of simple reasons:
- Forgetting to remove old user privileges.
- Managers and employees wanting to be generous with logins and passwords so that they don’t need to run to IT to get simple tasks done.
Ways to prevent privilege creep:
- Regular access rights reviews or audits: By holding regular audits – perhaps twice a year – the company can ensure that employees only hold the access and privileges they need for their current job role, and can determine which privileges need to be revoked.
- Fewer departments managing user privileges: The fewer departments that manage user accounts, the easier it is for the company to control and monitor the privileges being granted to users.
- Implement a Privileged Access Management (PAM) system: With a PAM system in place, the company can easily trace which privileges each employee holds. It can also define permissions that deny access to other accounts, and permissions for systems that are governed by external compliance requirements.
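The access rights review above boils down to comparing what each user actually holds against a baseline of what their current role needs, and flagging the difference for revocation. The following script is an added example (not code from the original post or from any vendor product) that performs such a review and, because the post also mentions Separation of Duties, checks each user against a list of "toxic" entitlement pairs. The role matrix, the users, the entitlement names and the toxic pairs are all constructed sample data; a real review would pull them from the directory, the IAM/PAM system and the HR feed.

```python
"""Access-rights review: flag privilege creep and Separation-of-Duties conflicts.

Added example, not from the original post. All names and data are constructed.
"""
from dataclasses import dataclass

# Constructed baseline: the entitlements each job role legitimately needs.
ROLE_ENTITLEMENTS = {
    "accounts_payable": {"erp:invoices:read", "erp:invoices:approve", "share:finance:read"},
    "finance_analyst": {"erp:reports:read", "share:finance:read", "bi:dashboards:read"},
    "hr_generalist": {"hris:employees:read", "hris:employees:write", "share:hr:read"},
}

# Constructed SoD rule: no single person may hold both entitlements of a pair.
TOXIC_PAIRS = [
    ("erp:invoices:approve", "erp:payments:release"),
    ("hris:employees:write", "payroll:run"),
]


@dataclass(frozen=True)
class User:
    name: str
    role: str                 # current role (assumption: one role per user)
    entitlements: frozenset   # what the user actually holds today


def review_user(user, role_entitlements=ROLE_ENTITLEMENTS):
    """Compare a user's actual entitlements with the baseline for their role.

    Returns (excess, missing): 'excess' is what should be revoked (privilege
    creep), 'missing' is what the role needs but the user does not hold.
    """
    required = role_entitlements.get(user.role)
    if required is None:
        # An unmapped role is itself a finding: nothing can be reviewed against it.
        raise ValueError(f"no entitlement baseline for role {user.role!r} ({user.name})")
    return sorted(user.entitlements - required), sorted(required - user.entitlements)


def sod_conflicts(user, toxic_pairs=TOXIC_PAIRS):
    """Return every toxic pair that this single user holds in full."""
    return [pair for pair in toxic_pairs if set(pair) <= user.entitlements]


def run_review(users):
    """Produce a report keyed by user name; 'revoke' is the action list."""
    report = {}
    for u in users:
        excess, missing = review_user(u)
        report[u.name] = {
            "role": u.role,
            "revoke": excess,
            "grant": missing,
            "sod_conflicts": sod_conflicts(u),
        }
    return report


# Constructed sample population.
SAMPLE_USERS = [
    # Alice moved from finance_analyst to accounts_payable; her old reporting
    # entitlements were never removed: classic privilege creep.
    User("alice", "accounts_payable",
         frozenset({"erp:invoices:read", "erp:invoices:approve", "share:finance:read",
                    "erp:reports:read", "bi:dashboards:read"})),
    # Bob matches his baseline exactly.
    User("bob", "hr_generalist",
         frozenset({"hris:employees:read", "hris:employees:write", "share:hr:read"})),
    # Carol was "generously" given payment release on top of invoice approval,
    # which is both creep and an SoD conflict.
    User("carol", "accounts_payable",
         frozenset({"erp:invoices:read", "erp:invoices:approve", "share:finance:read",
                    "erp:payments:release"})),
]

if __name__ == "__main__":
    for name, finding in run_review(SAMPLE_USERS).items():
        print(name, finding)
```

Running the script prints one finding per user: Alice's two leftover analyst entitlements land in her `revoke` list, Bob is clean, and Carol shows both an excess entitlement and a toxic pair. The `missing` side is reported too, since an access review that only ever removes rights tends to get worked around with the shared logins the post warns about.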
At the end of the day, understanding how the IT organisation distributes privileges within its environment, and how it can control and manage those privileges, can be challenging, but a company must try to mitigate or even eliminate privilege creep. Regular audits and automated PAM systems can be a big help in achieving this. The bottom line is that privilege creep poses a threat to security and should be dealt with immediately.
Companies like BeyondTrust and SailPoint are dedicated to helping organisations reduce risk with privileged access management and identity and access management.