What is privilege creep? It’s the gradual accumulation of access privileges beyond what an employee needs to do his or her job—thus facilitating potential abuse of privileges. If a hacker gains access to a user account that has excessive privileges, more damage can potentially be done. Also, an employee with excess privileges could potentially use them to access data and applications in an unauthorized or malicious way.
Privilege creep is a silent menace that exposes your organization to elevated information security risk from insider threats and malware, as well as regulatory noncompliance and increased operational costs.
Most organizations fall victim to some level of privilege creep among their longer-term employees. Often when knowledge workers change jobs within the company, they are granted new privileges but their old privileges are never revoked.
This can happen for any number of reasons. For example, as an employee transitions from one role to another, there is often a need to continue in the old role for some time. Perhaps his or her old job is unfilled for a while, or there’s a need to train a new hire. If there’s no process in place for revoking privileges in such situations, revocation is unlikely to happen.
What’s to be done? The best way to curtail privilege creep is with user entitlement reviews (UERs), also called user rights auditing. Besides addressing privilege creep, UERs:
- Help to identify users who have garnered unauthorized access for some other reason, such as configuration errors
- Provide demonstrable/auditable evidence of compliance with access control policies
- Reduce operating costs by cutting down on unauthorized use of applications
More and more Pivot Point Security clients, especially financial services firms and healthcare organizations, are telling us that UERs have become a “best practice” in their organizations because their customers and partners demand it for their own compliance reasons.
Ideally these reviews will take place quarterly. The challenge with UERs, however, is that data about entitlements often exists only within individual applications and databases, and not in any central location. Answering the question, “What entitlements does Suzy have?” could be a real treasure hunt…
Fortunately, both open-source and commercial auto-discovery tools are available to help organizations identify what users have access to what systems, data and functionality; and whether these entitlements are appropriate given the person’s current job role and “need to know.”
With the help of such tools, organizations can time- and cost-effectively automate many aspects of entitlement reviews. Expert, third-party assistance can be valuable in setting up and accelerating the process, producing a formal report and/or gap analysis, and establishing best practices.
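The comparison at the heart of a user entitlement review can be illustrated with a small script. The following is an added example, not code from the original post or from Pivot Point Security; the role model, the user directory and the three "system exports" (directory group membership, ERP roles, bank-portal users, ticketing agents) are all constructed here for illustration. It aggregates each user's entitlements across those sources, compares them with what the user's current role should grant, and separates excess entitlements that a previous role explains (classic privilege creep) from excess that no known role explains (the configuration-error case mentioned above); accounts that appear in a system but not in the directory are reported as orphans.

```python
"""Toy user entitlement review (UER): aggregate per-user entitlements from
several constructed sources, compare them with the entitlements the user's
current role should grant, and flag everything else as privilege creep."""
from collections import defaultdict
from dataclasses import dataclass, field

# Constructed role model (assumption: each job role maps to a fixed entitlement set).
ROLE_ENTITLEMENTS = {
    "accounts_payable": {"erp:ap_clerk", "erp:invoice_approve", "fileshare:finance_ro"},
    "treasury":         {"erp:treasury", "bank_portal:payments", "fileshare:finance_ro"},
    "helpdesk":         {"ad:password_reset", "ticketing:agent"},
}


@dataclass
class User:
    uid: str
    current_role: str
    previous_roles: list = field(default_factory=list)


# Constructed HR/directory view: Suzy moved from AP to treasury, Raj is a helpdesk hire.
USERS = {
    "suzy": User("suzy", "treasury", previous_roles=["accounts_payable"]),
    "raj":  User("raj", "helpdesk"),
}

# Constructed entitlement exports from separate systems, each in the shape such
# a system might dump (group membership, application roles, portal users).
AD_GROUPS = {"FinanceReadOnly": ["suzy", "raj"], "HelpdeskPwReset": ["raj"]}
AD_GROUP_TO_ENTITLEMENT = {"FinanceReadOnly": "fileshare:finance_ro",
                           "HelpdeskPwReset": "ad:password_reset"}
ERP_ROLES = [("suzy", "ap_clerk"), ("suzy", "invoice_approve"),
             ("suzy", "treasury"), ("ex_contractor", "ap_clerk")]
BANK_PORTAL_USERS = {"suzy": ["payments"]}
TICKETING_AGENTS = ["raj"]


def collect_entitlements():
    """Merge the per-system exports into one {uid: set(entitlement)} view."""
    ents = defaultdict(set)
    for group, members in AD_GROUPS.items():
        for uid in members:
            ents[uid].add(AD_GROUP_TO_ENTITLEMENT[group])
    for uid, role in ERP_ROLES:
        ents[uid].add(f"erp:{role}")
    for uid, perms in BANK_PORTAL_USERS.items():
        for perm in perms:
            ents[uid].add(f"bank_portal:{perm}")
    for uid in TICKETING_AGENTS:
        ents[uid].add("ticketing:agent")
    return dict(ents)


def review_user(user, actual):
    """Compare actual entitlements with the current-role baseline.
    Returns 'missing' (baseline entitlements not granted), 'stale' (excess that a
    previous role explains, i.e. privilege creep) and 'unexplained' (excess that
    no known role explains, e.g. a configuration error)."""
    baseline = ROLE_ENTITLEMENTS[user.current_role]
    excess = actual - baseline
    prior = set().union(*(ROLE_ENTITLEMENTS[r] for r in user.previous_roles))
    return {
        "missing": sorted(baseline - actual),
        "stale": sorted(excess & prior),
        "unexplained": sorted(excess - prior),
    }


def run_review():
    """Run the review for every directory user and report orphan accounts."""
    actual = collect_entitlements()
    findings = {uid: review_user(user, actual.get(uid, set()))
                for uid, user in USERS.items()}
    # Accounts present in some system but absent from the directory are findings too.
    for uid in sorted(set(actual) - set(USERS)):
        findings[uid] = {"orphan": sorted(actual[uid])}
    return findings


if __name__ == "__main__":
    for uid, finding in run_review().items():
        print(uid, finding)
```

In a real review the exports would come from the systems themselves and the role model from HR or an IAM platform, but the logic is the same: only the `stale` and `unexplained` buckets need a human decision, and the `stale` bucket is exactly the access that a role change left behind.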
To talk with an information security expert about how your organization could benefit from a user entitlement review, contact Pivot Point Security.