Is ‘privilege creep’ putting your organization’s data security in jeopardy?


It was not too long ago that data security teams could track users and their associated access privileges throughout a business environment with relative ease. 

However, fast forward to today and things have become a lot more complicated. Large, extended networks spread across geographically diverse areas are making it increasingly difficult to maintain oversight of exactly who needs privileged access to specific apps and systems at any given time. Consequently, users can end up with access to numerous systems they should not really have, creating security blind spots and vulnerabilities that can be exploited in an attempted data breach. 

This article will look at the dangers of so-called ‘privilege creep’, why it poses such a major threat to data security, and how adopting a least privilege model can help mitigate those dangers without impacting operational efficiency.

What makes privilege creep so dangerous? 

For any team trying to secure an extended and/or disparate enterprise network, privilege creep can make it very difficult to maintain overall control which, over time, can seriously undermine security posture. As employees move positions or take on new responsibilities, they start to gain access to more and more systems, all while maintaining access to old ones (unless it is proactively revoked). 

Before too long, dozens, hundreds, or even thousands of employees can have access to systems that are no longer relevant to their roles, but which likely contain large amounts of sensitive business and customer data, which can often include personally identifiable information. Not only is this a breach of compliance regulations in many sectors, but it also leaves the data unnecessarily exposed to both insider and outsider threats. In many instances, employees may not even realize they are accessing or exposing data they shouldn’t even have access to.

For example, without the right data protection in place, a well-intentioned employee trying to finish a time-sensitive task may inadvertently access a piece of privileged information and email it around to numerous partners or third parties without realizing the implications of their actions. Doing so would instantly cause a security incident that could easily have been avoided by revoking the employee's access to that information in the first place.

The issue doesn’t end there either, because employees accumulating more access rights than they should have in this way is only one aspect. Some also try to elevate their access rights by logging into a privileged user’s account that they are not authorized to use themselves. Most employees know more than enough personal information about their colleagues to take an educated guess at their passwords, and with over 2.5 million people still using ‘123456’, they often do not even need to do that. While most employees engage in this kind of behavior for honest reasons, for example trying to get work done more quickly, a small minority do so with more malicious intentions in mind.

In the case of a disgruntled or former employee, organizations that fail to monitor this kind of behavior effectively may quickly find themselves on the wrong end of a major security breach and/or news headline, neither of which is desirable in any way. According to Forrester, 80 percent of security breaches today involve default, lost, stolen or compromised privileged credentials, making this an increasingly major issue across the entire business landscape.

External threat actors know how to capitalize on privilege creep

Unfortunately, cybercriminals and external threat actors know only too well how to capitalize on privilege creep if they are lucky enough to discover it. Such adversaries are well versed in finding ways to access confidential systems and manipulate vulnerable employees. In these cases, they will often combine a variety of approaches, including phishing campaigns, social engineering techniques and password sniffers, to gain access to an individual’s login information.

They can then use these legitimate credentials to bypass security defenses before looking for ways to elevate access privileges themselves in order to get deeper into the network. Once inside, they can steal sensitive data and/or detonate a cyberattack for maximum damage. 

The principle of least privilege helps mitigate the threats posed by privilege creep

In order to avoid becoming a victim of privilege creep, businesses everywhere need to prevent it from happening in the first place. One of the most effective ways to do this is through the adoption of the least privilege model that balances the business needs of employees with the cybersecurity and compliance best practices needed to keep sensitive data safe. 

If businesses work off the assumption that every employee has the potential to fall victim to threat actors, or even become one themselves, it suddenly makes sense to only provide them with the minimum level of access they need to carry out the task they are working on at any given time. Once that task is completed, this access should then be removed to avoid creating vulnerabilities, leaving zero standing privileges. 

Businesses should also seriously contemplate enforcing segregation of duties, particularly for any sensitive activities, using identity access zones that tie an employee’s rights to the resources they need day-to-day, based on their specific role.

Finally, businesses need to adopt a streamlined solution for managing and elevating employee access on a just-enough, just-in-time basis, with robust governance built in at every level. Implementing a self-service access request process, complete with multi-level approval workflows, will provide 360-degree visibility into exactly who approved access and the specific context relating to each individual request.
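The controls described above (a role-based access zone, detection of entitlements a user has outgrown, and time-bound, approval-gated elevation with no standing privilege) can be sketched in a few lines. This is an added illustration, not ThycoticCentrify's product or code; the roles, user, resource names and the two-approver rule are constructed assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
# Constructed sample: what each role legitimately needs, plus a user who moved
# from DevOps to Finance without the old entitlements being revoked.
ROLE_ENTITLEMENTS = {
    "finance-analyst": {"erp-read", "reporting-db"},
    "devops": {"prod-ssh", "ci-admin"},
}
SAMPLE_USER = {"name": "alice", "role": "finance-analyst",
               "entitlements": {"erp-read", "reporting-db", "prod-ssh", "ci-admin"}}

def find_privilege_creep(user):
    """Entitlements the user holds that their current role does not justify."""
    return user["entitlements"] - ROLE_ENTITLEMENTS[user["role"]]

@dataclass(frozen=True)
class JitGrant:
    user: str
    resource: str
    approvers: tuple   # who signed off: the audit trail for this grant
    expires_at: datetime

def request_access(user, resource, approvals, now, ttl=timedelta(hours=1), required=2):
    """Issue a time-bound grant only after enough distinct approvers sign off.
    Anything else raises, so no standing privilege is ever created."""
    approvers = tuple(sorted(set(approvals)))
    if user in approvers:  # segregation of duties: no self-approval
        raise PermissionError("requester cannot approve their own request")
    if len(approvers) < required:
        raise PermissionError(f"need {required} approvals, got {len(approvers)}")
    return JitGrant(user, resource, approvers, now + ttl)

def is_active(grant, now):
    """A grant is usable only until its TTL elapses; revocation is automatic."""
    return now < grant.expires_at

def demo():
    """Run the scenario on the sample data and return what a reviewer would check."""
    now = datetime(2024, 1, 1, 9, 0)
    grant = request_access("alice", "erp-admin", ["bob", "carol", "bob"], now)
    try:
        request_access("alice", "erp-admin", ["alice", "bob"], now)
        self_approval_blocked = False
    except PermissionError:
        self_approval_blocked = True
    return {"creep": find_privilege_creep(SAMPLE_USER),
            "approvers": grant.approvers,
            "active_after_30m": is_active(grant, now + timedelta(minutes=30)),
            "active_after_2h": is_active(grant, now + timedelta(hours=2)),
            "self_approval_blocked": self_approval_blocked}
```

Running `demo()` flags `prod-ssh` and `ci-admin` as creep for the user who changed role, and shows the grant expiring on its own after the hour.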

Whether they like it or not, businesses around the world are being bombarded by a growing number of cyber threats every day, and a huge majority of these involve compromised credentials. Those without an effective Privileged Access Management strategy in place are running a major (and unnecessary) risk of exposing their networks to internal or external breaches if privileged credentials are misused or compromised. Embracing role-based access and the principle of least privilege will go a long way in helping them to properly safeguard their most sensitive data, ensuring it always remains protected.

Kamel Heus, VP EMEA, ThycoticCentrify

Kamel Heus has worked at ThycoticCentrify for over seven years. His current position is Vice President of EMEA.
