How to prevent permission bloat: Overlooked and hidden access

When it comes to your organizational security, you should leave no stone unturned. Overlooked access rights are one of the most unnoticed security threats your organization can face – and it’s less of a stone and more of a somehow-overlooked, but ever-looming mountain.

As employees change roles within the organization (whether through promotions, role-changes, or due to temporary projects), they accumulate more access rights than they actually need. This is commonly referred to as “permission bloat” or “privilege creep”.

Your employees need access to certain resources to do their job, but if they acquire “too much” access, then they actually become a security risk. So how can we identify when an employee has too many access privileges?

Often times, taking a preemptive course of action is more effective than taking a reactive one, and that is true here. Rather than trying to identify when an employee poses a risk to your organization, you can take preventive actions to make sure that they never end up with more access than they should have.

By ensuring that employee accounts are provisioned with the correct entitlements and putting procedures in place (to fill in any gaps that are created) with approval-based delegation, organizations can truly tighten up their security efforts and minimize the risk they are exposed to.

Now that we have established the legitimacy of acting before being forced to react, the question shifts to: “What preemptive measures can I take prevent an employee from acquiring too much access?”

Below I have detailed four possible actions that you can take to prevent permission bloat.

1. Access governance

Access governance (AG) is a process that allows organizations to govern who has access to what and is primarily aimed at reducing the risks presented by employees with too many permissions. It does so by enforcing access rights according to users’ designated role/job function.

AG also is geared towards assisting organizations in following the correct business, technical, legal, and regulatory issues they may face. By using access governance, organizations can create a level of transparency that prevents employees from accumulating so much access as to become a security risk.

2. Service automation

Service automation (often a part of an identity and access management solution) can make sure that all of your organization’s access requests pass through approval and are compliant with policies and regulations. In a large enough organization, the IT department often doesn’t know the majority of the employees and are unsure who is the correct decision-maker to forward an access request to. This confusion could inadvertently result in an employee being granted access that shouldn’t have been approved.

By using a service automation solution, IT can now directly send the access request (for whatever resource or application needed) to the correct decision maker/manager for quick approval. That individual approves or denies the request, and access is granted/denied accordingly. This process removes the uncertainty, risk of human error, and potential compliance violations out of the equation.

By implementing service automation, you are unlikely to ever end up in a situation where you have to try and identify employees with too much access within your organization.

3. Principle of least privilege

Another preventive effort to combat an employee having “too much” access is to follow the principle of least privilege. The principle states that an employee should have the exact access rights needed to perform their job responsibilities—no more, no less. By doing this you prevent the inevitable slow build-up of accumulated access within employees.

When your organization fails to follow the principle of least privilege, you are not only creating a major security risk within the organization, you are also exposing yourself to regulatory compliance violations and causing an unnecessary tangled and cluttered IT environment.

AG is a solution that helps your organization enforce the principle of least privilege, but it’s still a security discipline with enforcement that must extend far beyond just IT basics.

4. Extensive logging and auditing

Implementing an identity and access management solution that provides logged reports of any changes made to an employee’s permissions over time is another prime example of being preemptive and not reactive. By doing this, you can easily audit and view where an employee may be granted too much access. With one fell swoop, you can easily discover the issue and revoke access rights down to a level that doesn’t hinder your organization’s security.

Permission bloat: Leave reaction to the unprepared

When it comes to organizational security, it’s better to act before you need to react. Too often, organizations do not realize they have employees with bloated access rights that represent a very serious threat to the organization. Don’t wait until it is too late, be proactive and start identifying areas for your organization’s security to improve.