In most companies, too many employees have too many privileges. After all, they are quick to speak up when they need access to data or applications, but they tend not to be as quick to speak up when they no longer need that access. As a result, most companies see privilege creep: employees accumulate access rights over time and hold on to them, just in case they need them later.
This can have serious consequences for a company. For example, employees who move to different jobs within the company may retain access rights associated with their previous role. Combined with the rights of the new role, that may allow them to bypass the company's checks and balances, such as a separation of duties that keeps the person who requests a transaction from also approving it.
Or an employee might leave the company altogether. It's hard to turn off all access if you do not have an up-to-date list of everything that the employee could access. This is particularly important when it comes to outside applications that do not require access to the company network, such as Dropbox or Salesforce.com: disabling the employee's network account does nothing to close accounts that are reached directly over the Internet with their own credentials, unless those applications are tied to the corporate directory through single sign-on.
Then there’s the case where an employee’s account is compromised. In the best-case scenario, when the problem is discovered, the company acts quickly to shut off access and review the sensitive systems that account could reach for unauthorized activity. In the worst-case scenario, the company doesn’t know which systems the account can access, and appropriate security responses are delayed. Then the attacker can abscond with data to which the employee had access, including data the employee no longer needed and should have lost access to long before.
Finally, overprivileged employees may pose compliance problems for companies in regulated industries such as healthcare and financial services.
In a recent survey of more than 5,000 IT operations and security managers by the Ponemon Institute, 52 percent said that they were “likely” to be provided access to restricted, confidential information beyond the requirements of their position, and more than 60 percent said privileged users access sensitive or confidential data because of their curiosity, not because of their job function.
The Ponemon Institute also released a report outlining security best-practices, in which technology that focuses on privileged users was listed as a top critical factor in the success of a data protection program.
A CIO at a defense company told me that “least privilege” is one of the fundamental building blocks of information security.
I recently talked with Jim Zierick, executive vice president at the security systems vendor BeyondTrust. He also suggested that companies embrace a “least privileges” policy. For example, instead of giving IT administrators blanket access to servers for maintenance or software installation, companies could give them policy-based access that allows them to make changes under specific circumstances, with all access logged in detail.
The key is to restrict privileges without taking away critical rights, Zierick said. Your company might not want to give employees administrator rights to their computers, but this policy would prevent them from, say, adding a printer driver. A policy-based solution like those BeyondTrust offers would give employees just the rights they need while allowing rapid, across-the-board changes when employees leave or change jobs or responsibilities, he said.
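To make the policy-based approach concrete, here is a small added example of how such a control can be structured. It is illustrative code written for this column, not BeyondTrust's product or any other real tool, and the role names, entitlement strings, policy conditions and ticket numbers in it are constructed. A user holds exactly one role, rights follow the role rather than accumulating, each elevation is checked against the circumstances the policy allows (a maintenance window and a change ticket), and every decision and every role change is written to an audit log, so the "what can this person access right now" question always has an answer.

```python
"""Policy-based elevation with an audit trail and role-scoped entitlements.

Added example for this column; it is not BeyondTrust's product or any real
tool. Role names, entitlement strings, policy conditions and ticket IDs are
constructed for illustration.
"""
from dataclasses import dataclass, field

# Hypothetical role -> entitlement map. A user holds exactly one role, so
# rights come and go with the role instead of accumulating over a career.
ROLE_ENTITLEMENTS = {
    "helpdesk": {"workstation:install_printer_driver", "workstation:reset_password"},
    "server_admin": {"server:install_package", "server:restart_service"},
    "finance_clerk": {"erp:post_invoice"},
}

# Hypothetical policy: the circumstances under which each right may be used.
# "window" is an allowed [start, end) hour range; "needs_ticket" demands a
# change-ticket reference before the elevation is granted.
POLICY = {
    "workstation:install_printer_driver": {"window": (0, 24), "needs_ticket": False},
    "workstation:reset_password": {"window": (0, 24), "needs_ticket": False},
    "server:install_package": {"window": (2, 6), "needs_ticket": True},
    "server:restart_service": {"window": (0, 24), "needs_ticket": True},
    "erp:post_invoice": {"window": (8, 18), "needs_ticket": False},
}


@dataclass
class Directory:
    """Tracks who currently holds which role and records every decision."""
    roles: dict = field(default_factory=dict)   # user -> current role
    audit: list = field(default_factory=list)   # detailed log of every event

    def _log(self, event, user, **details):
        self.audit.append({"event": event, "user": user, **details})

    def assign_role(self, user, role):
        """Move a user into a role; the previous role's rights are dropped."""
        if role not in ROLE_ENTITLEMENTS:
            raise ValueError(f"unknown role {role!r}")
        previous = self.roles.get(user)
        self.roles[user] = role
        self._log("role_change", user, old=previous, new=role)

    def offboard(self, user):
        """Remove the account; all rights disappear with it in one step."""
        previous = self.roles.pop(user, None)
        self._log("offboard", user, old=previous)

    def entitlements(self, user):
        """The up-to-date list of everything this user can currently do."""
        return set(ROLE_ENTITLEMENTS.get(self.roles.get(user), ()))

    def authorize(self, user, entitlement, hour, ticket=None):
        """Decide one elevation request (hour is 0-23); returns (allowed, reason) and logs it."""
        allowed, reason = self._evaluate(user, entitlement, hour, ticket)
        self._log("elevation", user, entitlement=entitlement, hour=hour,
                  ticket=ticket, allowed=allowed, reason=reason)
        return allowed, reason

    def _evaluate(self, user, entitlement, hour, ticket):
        role = self.roles.get(user)
        if role is None:
            return False, "no active account"
        if entitlement not in ROLE_ENTITLEMENTS[role]:
            return False, f"not entitled by role {role!r}"
        rule = POLICY[entitlement]
        start, end = rule["window"]
        if not start <= hour < end:
            return False, f"outside allowed window {start:02d}:00-{end:02d}:00"
        if rule["needs_ticket"] and not ticket:
            return False, "change ticket required"
        return True, "allowed"


if __name__ == "__main__":
    d = Directory()
    d.assign_role("alice", "server_admin")
    print(d.authorize("alice", "server:install_package", hour=3, ticket="CHG-1001"))
    print(d.authorize("alice", "server:install_package", hour=14, ticket="CHG-1001"))
    d.assign_role("alice", "finance_clerk")   # transfer: old rights must vanish
    print(d.authorize("alice", "server:install_package", hour=3, ticket="CHG-1002"))
    d.offboard("alice")
    print(d.authorize("alice", "erp:post_invoice", hour=9))
    for entry in d.audit:
        print(entry)
```

The design point is that `assign_role` replaces rather than adds, so a transfer from server administration to finance silently drops the server rights, and `offboard` removes everything at once because nothing is granted outside the role. In a real deployment the same shape appears as a sudoers or endpoint-privilege-management policy in front of a directory group, with the audit entries shipped to the log management system.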