Understanding and Preventing Privilege Creep

Businesses are in the midst of a transition. Many are trying to determine what the right path forward is for them after the pandemic, as far as remote work or hybrid work. Some companies are bringing employees back to the office full-time, while others are going to implement more flexible policies.

There’s a lot to think about and potentially reconfigure for businesses right now after they were thrown into having employees work remotely because of COVID-19.

IT teams, in particular, are taking on a lot of that work. The IT teams in many workplaces are trying to figure out how to balance changing needs with cybersecurity risks that can come with long-term remote or hybrid work.

They also have to think about what it might look like to manage day-to-day IT concerns when teams are dispersed some or all of the time.

One big issue that can become more pervasive with remote work is privilege creep. It can go under the radar more if workers are on a hybrid or fully remote schedule, and it creates a significant cybersecurity threat.

With that in mind, the following are some of the main things to know about privilege creep and preventing it from occurring in an organization.

What is Privilege Creep?

Privilege creep is also known as access creep. This occurs when an employee, often gradually over time, gets more access rights than are needed to do their job.

Privilege or access creep can be the result of not revoking access that was granted for temporary or special projects or not making the necessary changes to reflect different job duties or requirements. When someone gets a promotion or takes on a different role in a company and they get new access privileges, but their previous roles aren’t revoked, it also contributes to this issue.

Basically, the overarching idea with privilege creep is that employees have access to data, resources, and applications not needed for their duties, which then puts the system at risk.

The biggest risk with privilege creep is often the potential for insider threats to occur. Also, a hacker may be able to get into higher levels of a company network if they have just one set of stolen credentials.

There are problems with compliance that can stem from privilege creep too. If your organization is one that’s in an industry handling sensitive data, such as health records, and there is privilege creep happening, you may not be in compliance with laws and regulations.

Along with cybersecurity issues that can come from privilege or access creep, there’s also an impact on productivity. You want your employees to only use what’s absolutely necessary for their job. The more access they have, the more time they might waste on things like recovering passwords.

Preventing privilege creep can have the added benefit of streamlining workflows.

Conduct Regular Access Reviews

One of the most important things you can do on a regular basis is conducting access reviews.

An access review should be part of your overall cybersecurity plan. Access reviews allow you to get a view of who has access to what. Set a timetable when you’ll regularly conduct access reviews to audit existing permissions.

You can analyze all the user accounts that are part of your organization. Make sure that everyone within the organization has access to only what they need.

If you’re part of a larger organization, you might rotate audits across departments.

Each employee should have access privileges reviewed at least biannually. Their current permissions need to be both assessed and justified during an audit.

You also want to take away permissions they don’t need and delve into why they have those permissions and why they weren’t removed.

Formalize Your Employee Change Process

A good way to avoid privilege creep and other cybersecurity risks is to formalize the steps in the process when an employee goes through a change. This might mean a demotion or promotion or any kind of change in role.

The IT department should be in the loop on these changes in addition to human resources.

Always Follow the Principle of Least Privilege

The Principle of Least Privilege or POLP is a reference to best practices to reduce cybersecurity risks associated with privilege creep.

The idea is that any user, process, or program has the bare minimum privileges required.

By adhering to this principle, you’re reducing the likelihood of an attacker getting access to sensitive data or critical systems.

If there is a compromise in the system, it can stay confined to its origin area, or at least that’s more likely what’s going to happen with POLP.

To provide an example, Edward Snowden leaked millions of files from the NSA because he had admin privileges. His highest-level role was creating backups of the database. Now, in the time since that happened, the NSA uses the principle of least privilege, and around 90% of employees have had higher-level access privileges revoked.

Another example is Target. Hackers got access to tens of millions of Target customer accounts because an HVAC contractor had certain permissions. Target allowed itself to have a broad attack surface because it didn’t implement the principle of least privilege.

A few best practice tips to implement POLP include:

  • As was touched on above, you’ll need to do a privilege audit. You should check all the accounts that currently exist and programs to make sure they have only the permissions needed to do their job.
  • All accounts should, as a rule, start with least privilege. Any new account privileges should, as a default, be as low as possible.
  • All admin accounts should be separated from standard accounts.
  • If someone needs elevated privileges, restrict them only to the time periods when they’re needed.
  • Set it up so that you can track individual actions.

Limiting privileges and maintaining principles of least privilege is an important component of modern cybersecurity. It should be one of the biggest priorities for an organization because not doing so creates an enormous attack surface and opportunities for lateral movement at a minimum.

Understanding and Preventing Privilege Creep was last updated November 23rd, 2022 by Susan Melony