How ‘Privilege Creep’ Spells ‘Game Over’ for Data Security

In the past, keeping track of users and their entitlements was a relatively straightforward task.

But in today’s extended and highly digitalised enterprise, maintaining oversight of everyone who needs privileged access to systems to do their jobs is an increasingly complex proposition.

Over time, users accumulate more access rights to applications, systems and resources than are required to perform tasks associated with their current role. Often flying under the security radar, these privileges create security blind spots that can potentially lead to devastating breaches.

Let’s take a look at how, unless appropriately managed, privileged access can spell ‘game over’ where enterprise data security is concerned.

The problem with privilege creep

When it comes to securing today’s extended enterprise, privilege or access creep can seriously undermine an organisation’s overall security programme. As people switch roles or take on more responsibilities, they acquire login or admin privileges to new systems and information – while still retaining access to old ones.

If organisations fail to limit who has access to what systems and information or revoke permissions once people move on or projects end, then the risk of users having unfettered access to systems they shouldn’t have grows.

This sets the stage for a raft of potential scenarios, including non-compliant access to highly sensitive data such as bank details or health records and the external exfiltration of data should credentials fall into the wrong hands.

For example, unless sensitive information is appropriately protected, a hardworking employee looking to complete a project could end up downloading a document they weren’t supposed to and distributing it, in all innocence, via email to other team members, or to customers, partners and third parties. All of which creates a potentially serious security loophole that is difficult to oversee or manage.

The problem with excess access

Employees accumulating more access rights than are necessary to perform tasks associated with their current role is one aspect of the challenge. Some users may seek to elevate their access by logging into a privileged user’s account, either to get tasks done faster or for more sinister purposes. Indeed, Forrester estimates that 80 percent of security breaches now involve default, lost, stolen or compromised privileged credentials. With over 2.5 million users still using ‘123456’ as a password, it doesn’t take much to guess a password, and most employees know more than enough personal information about colleagues to make an inspired stab at cracking a privileged user’s credentials.

In the case of a disgruntled, furloughed or former employee, organisations that fail to monitor or cut off users’ entitlements could later find their commercially sensitive data has been siphoned off to a competitor or adversary.

The problem with privilege abuse

External threat actors are well versed in finding ways to access confidential systems and manipulate vulnerable employees and will combine a variety of approaches, including phishing campaigns, social engineering techniques, digital scanners, and password sniffers, to gain access to an individual’s login information.

Using these credentials to circumvent security perimeters, they will look for ways to elevate the employee’s access privileges so they can go on to extract data or unleash a ransomware attack. Back in 2019, a former Amazon employee stole the personal and financial data of more than 100 million Capital One customers using compromised credentials to hack into the bank’s cloud server.

Prevention is better than cure: applying the principle of least privilege

To protect themselves from being victims of unnecessary or improper privilege elevation, organisations should adopt a least privilege model that balances operational/user needs with cybersecurity/compliance best practices.

If you assume that every employee could fall victim to a threat actor or become a hacker themselves, it makes sense to only give users the minimum level of permissions they’ll need to perform their job function, closing their privileged access once a task is complete.

Organisations should also consider enforcing segregation of duties, especially for sensitive processes and tasks, using identity access zones that tie a user’s rights to the resources they need day-to-day, based on their role.

Finally, organisations will need a streamlined way to manage or elevate user access on a temporary or as-needed basis that has governance built in from the ground up. Implementing a self-service access request process, complete with multi-level approval workflows, should deliver full visibility into who approved access and the context associated with each request.
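To make the three controls above concrete (least privilege against a role baseline, segregation of duties, and temporary elevation that is only honoured when approved and unexpired), here is a small added example in Python. It is not code from the article or from ThycoticCentrify; the role names, entitlement strings, user records and approval policy are all constructed for illustration. It also covers the privilege-creep scenario from earlier in the article: a user who changed role but kept the old rights shows up as excess.

```python
"""Added example (not from the article): a minimal model of role-based
baseline entitlements, privilege-creep detection, segregation-of-duties
checks and time-bound, approved access elevation."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Constructed sample data; role and entitlement names are hypothetical.
ROLE_ENTITLEMENTS = {
    "finance-analyst": {"erp:read", "reports:read"},
    "payroll-admin": {"erp:read", "hr:read", "payroll:write"},
    "ap-clerk": {"erp:read", "payments:create"},
}

# Entitlements one person must never hold together (segregation of duties).
TOXIC_COMBINATIONS = [
    {"payments:create", "payments:approve"},
    {"payroll:write", "payroll:approve"},
]

# Constructed: each user's current role and what is actually granted today.
# Alice moved from payroll-admin to finance-analyst but kept her old rights.
USER_GRANTS = {
    "alice": ("finance-analyst", {"erp:read", "reports:read", "hr:read", "payroll:write"}),
    "bob": ("payroll-admin", {"erp:read", "hr:read", "payroll:write"}),
    "carol": ("ap-clerk", {"erp:read", "payments:create", "payments:approve"}),
}

REQUIRED_APPROVALS = 2  # multi-level approval: two distinct approvers, never the requester


@dataclass
class Elevation:
    """A temporary grant raised through a self-service request."""
    user: str
    entitlement: str
    justification: str      # context recorded with the request
    approvers: tuple        # who signed it off (audit trail)
    granted_at: datetime
    ttl: timedelta

    def is_active(self, now):
        """Honoured only if fully approved (self-approval ignored) and unexpired."""
        distinct = set(self.approvers) - {self.user}
        approved = len(distinct) >= REQUIRED_APPROVALS
        return approved and self.granted_at <= now < self.granted_at + self.ttl


def excess_entitlements(user):
    """Rights granted beyond the user's current role baseline: privilege creep."""
    role, granted = USER_GRANTS[user]
    return sorted(granted - ROLE_ENTITLEMENTS[role])


def sod_violations(entitlements):
    """Toxic combinations fully present in a set of entitlements."""
    return [sorted(c) for c in TOXIC_COMBINATIONS if c <= set(entitlements)]


def effective_entitlements(user, elevations, now):
    """Role baseline plus currently active elevations; stale grants are not counted."""
    role, _ = USER_GRANTS[user]
    effective = set(ROLE_ENTITLEMENTS[role])
    for e in elevations:
        if e.user == user and e.is_active(now):
            effective.add(e.entitlement)
    return sorted(effective)


def access_review(elevations, now):
    """One review pass over all users: creep, SoD breaches, and what each should hold."""
    return {
        user: {
            "excess": excess_entitlements(user),
            "sod": sod_violations(grants),
            "effective": effective_entitlements(user, elevations, now),
        }
        for user, (_, grants) in USER_GRANTS.items()
    }


if __name__ == "__main__":
    t0 = datetime(2024, 1, 1, 9, 0, tzinfo=timezone.utc)
    elevations = [
        # properly approved four-hour elevation for quarter-end work
        Elevation("bob", "erp:admin", "quarter-end close", ("manager", "it-sec"), t0, timedelta(hours=4)),
        # self-approved request: only one distinct approver, so never active
        Elevation("alice", "erp:admin", "no real need", ("alice", "manager"), t0, timedelta(hours=4)),
    ]
    for user, row in access_review(elevations, t0 + timedelta(hours=1)).items():
        print(user, row)
```

Running the review flags Alice's retained `hr:read` and `payroll:write` as excess, Carol's create-plus-approve pairing as a segregation-of-duties breach, and grants Bob `erp:admin` only for the four approved hours; Alice's self-approved request never becomes effective. In a real deployment the dictionaries would be replaced by the identity system's role and group data, but the checks themselves stay the same.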

Without an appropriate Privileged Access Management (PAM) strategy in place, organisations risk exposing their networks to an internal or external breach if privileged credentials are misused or compromised. Establishing role-based access and least privilege best practices will enable organisations to safeguard their most sensitive networks and ensure that access, and data, are appropriately protected.


About the Author

Kamel Heus is VP EMEA at ThycoticCentrify. Thycotic prevents cyberattacks by securing passwords, protecting endpoints, and controlling application access. Thycotic is one of the world’s fastest-growing IT security companies because we provide customers with the freedom to choose cloud or on-premise software solutions that are the easiest to implement and use in the industry. Thycotic has grown to serve more than 12,500 customers.
