
Beginners Guide to Preventing Permission Bloat: Overlooked and Hidden Access

by Tom MowattDecember 16th, 2020

When it comes to your organizational security, there should be no stone left unturned. Unfortunately, many organizations fail to do this, as they aren’t even aware that there are unturned stones.  Overlooked access rights are one of the most unnoticed security threats your organization can face—less of a stone and more of a somehow-overlooked, but ever-looming mountain.

As an employee moves between roles within the organization (through promotions, role changes, or temporary projects), they slowly accumulate more access than they actually need. This is commonly referred to as "permission bloat" or "privilege creep", and without deliberate controls it is hard to avoid. Your employees need access to certain resources to do their job, but every entitlement they hold beyond that widens the damage an attacker, or the employee themselves, can do if the account is compromised or misused.

So how can we identify when an employee has too many access privileges?

Often, taking a preemptive course of action is more effective than taking a reactive one. That remains true here. Rather than trying to identify when an employee poses a risk to your organization, you can take preventive actions to make sure that they never end up with more access than they should have.

By ensuring that employee accounts are provisioned with the correct entitlements, and by putting approval-based delegation procedures in place to fill any gaps that provisioning leaves, organizations can truly tighten up their security efforts and minimize the risk they are exposed to.

Now that we have established the case for acting before being forced to react, the question shifts to: "What preemptive measures can I take to prevent an employee from acquiring too much access?"

Below I have detailed four possible courses of preventive action that you can take to avoid permission bloat.

Pre-emptive Action #1: Access Governance

Access governance (AG) is a process that allows organizations to govern who has access to what, and is primarily aimed at reducing the risks presented by employees with too many permissions. It does so by enforcing access rights according to each user's designated role or job function. AG is also geared towards helping organizations meet the business, technical, legal, and regulatory requirements they face. By using access governance, organizations can create a level of transparency that prevents employees from accumulating so much access that they become a security risk.

Pre-emptive Action #2: Service Automation

Service automation (often a part of an identity and access management solution) can make sure that all of your organization's access requests pass through approval and are compliant with policies and regulations. In a large enough organization, the IT department often doesn't know a majority of the employees, and is unsure who the correct decision-maker is to forward an access request to. This confusion could inadvertently result in an employee being granted access that shouldn't have been approved.

By using a service automation solution, IT can send the access request (for whatever resource or application is needed) directly to the correct decision maker or manager for quick approval. That individual approves or denies the request, and access is granted or denied accordingly, with the decision recorded. This process takes much of the uncertainty, the risk of human error, and the potential for compliance violations out of the equation.

By implementing service automation, you are far less likely to end up having to hunt for employees with too much access within your organization.

Pre-emptive Action #3: Principle of Least Privilege

Another preventive effort to combat an employee having "too much" access is to follow the Principle of Least Privilege. The principle states that an employee should have exactly the access rights needed to perform their job responsibilities, no more and no less. By applying it at every role change, you prevent the otherwise inevitable slow build-up of accumulated access.

When your organization fails to follow the Principle of Least Privilege, you are not only creating a major security risk within the organization, you are also exposing yourself to regulatory compliance violations and creating an unnecessarily tangled and cluttered IT environment.

AG is a solution that helps your organization enforce the Principle of Least Privilege, but least privilege is a security discipline in its own right, and its enforcement must extend far beyond IT basics to how roles are defined and how exceptions are granted and expired.

Pre-emptive Action #4: Extensive Logging and Auditing

Implementing an identity and access management solution that provides logged reports of any changes made to an employee's permissions over time is another prime example of being pre-emptive rather than reactive. With those records, you can audit each employee's entitlements against what their current role calls for, and see where and when they were granted too much access. In one fell swoop, you can discover the issue, trace the grant that caused it, and revoke access back down to a level that doesn't hinder your organization's security.
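The audit described above, and the least-privilege check in the previous action, come down to one computation: diff each employee's actual entitlements against the baseline for their current role, and then use the change log to find the grant that introduced each excess. The script below is an added example, not the article's or any IAM product's own tooling; the role baseline, user entitlements, entitlement names (such as `ledger:write`, `prod:admin`) and audit log entries are all constructed for illustration.

```python
"""Detect permission bloat by diffing actual entitlements against a role
baseline, then trace each excess grant back to the audit log.

Added example; all data below is constructed, not taken from any real system.
"""

# Constructed baseline: the entitlements each role is supposed to hold.
# This is what an access-governance process defines and maintains.
ROLE_BASELINE = {
    "analyst": {"crm:read", "reports:read"},
    "engineer": {"repo:write", "ci:run", "logs:read"},
    "finance": {"ledger:write", "reports:read"},
}

# Constructed snapshot of each user's current role and granted entitlements.
USERS = {
    # Alice is missing an entitlement her role needs (least privilege: "no less").
    "alice": {"role": "engineer", "grants": {"repo:write", "ci:run"}},
    # Bob moved from finance to analyst and kept ledger:write (classic creep).
    "bob": {"role": "analyst", "grants": {"crm:read", "reports:read", "ledger:write"}},
    # Carol got prod:admin for a temporary project that has since ended.
    "carol": {"role": "engineer",
              "grants": {"repo:write", "ci:run", "logs:read", "prod:admin"}},
}

# Constructed audit log of permission changes: (date, user, action, entitlement, reason).
# Dates are ISO-8601 so lexical ordering is chronological ordering.
AUDIT_LOG = [
    ("2020-01-10", "bob",   "grant", "ledger:write", "role=finance"),
    ("2020-03-02", "bob",   "grant", "crm:read",     "role change -> analyst"),
    ("2020-03-02", "bob",   "grant", "reports:read", "role change -> analyst"),
    ("2020-06-15", "carol", "grant", "prod:admin",   "project X, approved by manager"),
    ("2020-09-01", "alice", "grant", "ci:run",       "onboarding"),
]


def excess_entitlements(users, baseline):
    """Return {user: set of entitlements beyond the user's role baseline}.

    Only users with at least one excess entitlement appear in the result.
    A role missing from the baseline is treated as allowing nothing.
    """
    bloat = {}
    for user, info in users.items():
        allowed = baseline.get(info["role"], set())
        extra = set(info["grants"]) - allowed
        if extra:
            bloat[user] = extra
    return bloat


def missing_entitlements(users, baseline):
    """Return {user: set of baseline entitlements the user lacks} (the 'no less' half)."""
    gaps = {}
    for user, info in users.items():
        required = baseline.get(info["role"], set())
        lacking = required - set(info["grants"])
        if lacking:
            gaps[user] = lacking
    return gaps


def explain_excess(bloat, audit_log):
    """Map each excess entitlement to the latest audit event that granted it.

    Returns {user: {entitlement: (date, reason)}}. An excess entitlement with
    no matching grant in the log maps to None: a record-keeping gap the auditor
    should chase, since access exists that the IAM system never logged granting.
    """
    origin = {}
    for user, extras in bloat.items():
        origin[user] = {}
        for ent in extras:
            events = [(date, reason)
                      for date, who, action, granted, reason in audit_log
                      if who == user and action == "grant" and granted == ent]
            origin[user][ent] = max(events) if events else None
    return origin


def revocation_plan(bloat):
    """Flatten the excess map into a sorted list of (user, entitlement) to revoke."""
    return sorted((user, ent) for user, extras in bloat.items() for ent in extras)


if __name__ == "__main__":
    bloat = excess_entitlements(USERS, ROLE_BASELINE)
    for user, ent in revocation_plan(bloat):
        when = explain_excess(bloat, AUDIT_LOG)[user][ent]
        print(f"REVOKE {ent} from {user}; granted {when}")
    for user, lacking in missing_entitlements(USERS, ROLE_BASELINE).items():
        print(f"GRANT {sorted(lacking)} to {user} (below role baseline)")
```

Running it lists Bob's leftover `ledger:write` and Carol's expired `prod:admin` as revocations, each with the date and stated reason of the grant that introduced it, and flags Alice as under-provisioned. In practice the snapshot and log would come from your IAM system's export rather than inline constants, and the review would run on a schedule so that creep is caught within one review cycle rather than at the next incident.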

Leave Reaction To the Unprepared

When it comes to organizational security, it's better to act before you need to react. Too often, organizations do not realize they have employees with bloated access rights that represent a very serious threat to the organization. Don't wait until it is too late; be proactive and start identifying the areas where your organization's security can improve.

Also published on:

https://www.helpnetsecurity.com/2020/05/05/prevent-permission-bloat/