By sheer definition, privilege creep is the gradual accumulation of access rights beyond what an individual needs to do their job. When someone needs rights to a specific resource, and that need is justified, the rights are (and should be) granted. However when that same person no longer requires those rights, they remain in place. As time progresses, an individual can accumulate unnecessary rights. Scenarios like these are common in businesses where individuals have multiple roles or change jobs frequently.
How Privilege Creep Happens
Employee promotions, demotions, and department transfers are the typical culprits when access privileges creep up. Let’s say you have a manager who has access to approve/modify the time sheets of his subordinates. The manager rightfully needs this access privilege but after a few months in the position, he decides he doesn’t like being a manager. As a result, he takes a voluntary demotion and a new manager is brought in to replace him. The new manager gets the rights he needs to his employee time sheets, but the old manager still retains them as well.
Similar scenarios play out in department transfers or employees who quit and are rehired later to different positions. Permissions granted on a temporary basis to cover vacations or extended absences that don’t get revoked once the need passes offer another path for privilege creep.
How Privilege Creep Affects & Endangers Your Environment
Even in some of the most secure environments that I’ve worked in, I’ve experienced privilege creep. The dangers are twofold.
An employee who has unnecessary access can use those rights for malicious purposes. Many security breaches occur due to disgruntled employees trying to cause damage. If these employees have accumulated excess privileges over time, they may be able to cause damage to areas outside their immediate area making it take longer to discover the culprit.
If an employee’s account becomes compromised, limiting the damage done by the attacker is paramount. Any time an account has excess rights, those become property of whomever has taken control of the account. Even in the absence of an account compromise, privilege creep makes it more likely that an employee could mistakenly cause problems in an area they never should have had the rights to in the first place.
Fixing Excess Privileges & Preventing Recurrences
The key to correcting privilege creep is conducting periodic access reviews. Perform audits of existing permissions. Access reviews are the only way to ensure that someone has only what they need and that the principle of least privilege is being adhered to.
Access review audits should be ongoing, with a rotation through each of your company’s departments. Every employee from top to bottom should have their account permissions reviewed at least twice each year. Existing permissions must be scrutinized and justified during these review audits. You should revoke excessive permissions, document how they were granted & investigate why they were never taken away.
Employee Change Processes
If your company doesn’t have a formal employee change process that includes communication of employee changes to the IT Department, then you need to change that. All too often I’ve worked at places where IT doesn’t get notified of an employee change. While it’s convenient to blame the Human Resources department for such lapses, I’ve never seen a major security breach blamed on HR in the media. It always comes back to the IT Department.
Implement Role Based Security
By implementing role-based security, it becomes easier to affect an employee status change. Permissions should be granted via group memberships or security profiles. Explicit permissions to a single employee account on a resource are almost never necessary. Every position in the company should have an associated ‘canned’ set of permissions that get mapped to employees with that position. This will also help incorporate separation of duties – another important aspect of controlling access to resources.
Challenges with Preventing Privilege Creep
I know what you’re thinking. And you’re correct – many companies, especially small ones, simply can’t prevent privilege creep because employees wear so many different hats. In those situations, system audits are even more important. Access reviews can still be done. When possible, provide an employee with separate accounts to perform tasks that must be segregated from their primary duties.
Wrapping it Up
While privilege creep occurs in every environment to some extent, with the right processes in place it can be managed. As with all cyber security initiatives the cost of implementation and management pales compared to the cost of a potential breach of information. Just ask Equifax and Home Depot.