Do Access Reviews Mitigate the Risk of Privilege Creep?

Date

05.02.22

Garret Grajek
Access Review, Access Reviews, Attack, Audit, Azure, Do Access Reviews Mitigate the Risk of Privilege Creep?, Governance, HIPAA, HIPPA, HITRUST, Identity Governance, IGA, SOX, SSO

Organizations face many cybersecurity threats, both internal and external. When it comes to maintaining the integrity of sensitive information, organizations must take every possible precaution to reduce the possibility of a cyber-attack compromising this data. But, do access reviews mitigate the risk of privilege creep? Yes. One way of doing this is by mitigating the inherent risks posed by privilege creep with regular access to reviews.

Do Access Reviews Mitigate the Risk of Privilege Creep – What is Privilege Creep?

Privilege creep is when user accounts gradually accumulate access permissions greater than what is needed for the individual to do their job. The most commonly occurring cause of this is when a user within an organization transitions to a new role, being granted new access privileges in the process. However, old and unnecessary access permissions are still applied to the account, making it possible for the user to access the information they no longer need.

This creates a significant vulnerability that the organization should work to eliminate before it can be exploited. If a hacker was able to gain access to an over-permissioned account, they could easily use it to steal sensitive information from the organization. Additionally, the user themselves could potentially access the information they no longer need with malicious intent, causing a data breach from a different angle.

Access Reviews can Eliminate The Threat

However, there are security measures that organizations can establish to reduce the threats posed by privilege creep. Access reviews should play an essential role in cybersecurity best practices.

During an access review, all user accounts within an organization are analyzed to ensure that no user has access to resources and data that they shouldn’t. To best prevent this from happening organizations should follow the recommendations outlined in the NIST Special Publication 800-53, which details best practice security and privacy controls to combat diverse security threats.

In the publication’s section PR.AC-6, the NIST defines the Principle of Least Privilege (PoLP). PoLP refers to assigning users the minimum access privileges required to carry out their duties. By doing this, organizations can ensure that any user is unable to access sensitive information they should not be able to view. If hackers can gain access to a user account, they are also limited to the data that they can steal.

Image #1: “The Hungry Caterpiller” a great kids book and a great metaphor for privilege creep. Let’s encouage employees to become butterflies – but we can’t overfeed the malicious/suspicious accounts! (do access reviews mitigate the risk of privilege creep)

Additionally, organizations can implement role-based access controls so that users are only granted access to information that aligns with their role in the company. Rather than individually managing the access capabilities of individual users, the process can be made more efficient by ensuring that each role type is granted the specific access they need. This also establishes criteria for assigning access permissions, so that PoLP can easily be employed. Through RBAC, hackers are also more limited to what they can access if they can infiltrate a system, preventing them from doing the maximum amount of damage.

Implementing access review procedures only serve to strengthen the integrity of sensitive data. When information is better protected from the prying eyes of hackers or malicious employees, the severity of security breaches, if they occur, are greatly reduced.

Do Access Reviews Mitigate the Risk of Privilege Creep? YouAttest Mitigates Privilege Creep by Triggering on Changes on Users and Groups

A best practice for enterprises is to insure that users are not over-privileged and thus prevent “privilege creep”.

But how?

YouAttest has a unique way of combining security and audit via it’s event triggering system – that triggers changes in key user/groups – and FORCES an attestation of the change.

Image #2: In this case “Mark Millar” has to attest to the movement of a user in the Admin group. This campaign was automatically created by the YouAttest admin group trigger. (do access reviews mitigate the risk of privilege creep)

In this way YouAttest prevents privilege creep by alerting key members on your team to review, approve or revoke the privilege escalation.

—

YouAttest is the only cloud-based IGA platform that deploys in minutes via application SSO to platforms like Okta. YouAttest demonstrated how YouAttest can address privilege creep with it’s webinar: YouAttest Cloud Governance w/ Triggers – w/ Okta’s David Barrish.

European Fiancials

Identity Access Management (IAM) for European Financial Institutions – The IGA Gaps

Introduction Identity Access Management (IAM) has become increasingly important in the financial sector, particularly with the growing number of digital financial services. IAM refers to

March 18, 2023 No Comments

Access Review

Identity Controls and the
US National Cybersecurity Strategy 2023

U.S. President Joe Biden laid out his plans to secure the future of America’s digital ecosystem in the latest US National Cybersecurity Strategy, released March

March 11, 2023 No Comments

Access Reviews

Attestation Is the Solution to the Solution

Great message by US Cybersecurity and Infrastructure Security Agency Director Jen Easterly. In an address to Carnegie Mellon University, she warned that Chinese hackers are

March 3, 2023 No Comments