Authorization Creep is the Biggest Threat in Information Security

Oren Harel
September 19, 2016

If your company discovers that sensitive data has been compromised, you would assume that hackers have found a vulnerability, gained access and plan to take advantage of the access they now have. Right? Some malicious person, external to your organization, sends you a virus, steals your username and password, and then uses it to loot the contents of your email. That’s a very common depiction of hacking—and yet it’s far from the most common way that data gets lost, stolen, or leaked to the public.

According to a new survey from the Ponemon Institute, data is more likely to be compromised by negligent insiders than by external hackers. The difference is stark—50% of respondents believe that insiders are the greatest threat, compared to just 22% who blame external threats for data risk.  Worst yet, the biggest enabler of negligent insiders is incorrect or inappropriate access.

Employee Theft Has Always Been the Largest Driver of Data Insecurity

As far back as 1984, researchers realized that most computer crime comes from employees who commit fraud, embezzle funds, and steal information. Similarly, an earlier Ponemon Report from 2009 suggests that almost 60 percent of fired or laid-off employees take data with them when they go. Based on these results, a few things should be simple: organizations need a data access policy that prevents employees from seeing data they shouldn’t, and which cuts off an employee’s access to data as soon as they’re terminated.

Unfortunately, the statistics on those kind of protections are relatively dismal. For example, over sixty percent of respondents to this year’s Ponemon Report say that they have access to data that sensible access restrictions would prevent them from seeing. Worse still, more than two thirds of respondents fail to employ the least-privilege model—which is one of the most important concepts in the entire field of ID and access management.

Least Privilege Equals Most Security

Here’s the idea behind least privilege: you get access to the smallest number of resources required for you to do your job. If you’re a salesperson, that means you might get access to two Excel files, a Skype account, and some (but not all) of the records in the CRM. Being in IT doesn’t mean that you can access every user’s computer—if you’re assigned to manage a particular system, you get access to that system, and the machines it’s installed on, without the ability to add or remove any additional software from those machines.

Maintaining least privilege is easier said than done. The problem with it is that roles change. It won’t be long before the employees need access to more than the  limited number of tools to get their job done. For example, what if the IT guy above needs to run a diagnostic on a particular machine? He might then get permission to install a diagnostic tool. If the access-granting authority is busy or overworked, the admin’s permission to access software might never be revoked. In short, this person, who never ordinarily needs to install or access software to do their job, might suddenly have the uncontested power to install or access whatever software they’d like. Can you see the problems that might arise?

The scenario above is called “access creep”. It occurs when individuals acquire and retain more than the bare minimum privilege required to do their job. Least privilege is the ideal, and access creep is its enemy. By making it easy for employees to view information and use tools they shouldn’t have access to, access creep opens the door for online fraud and abuse.

Solve Access Creep and Enforce Least Privilege with PlainID

PlainID offers a lightweight, easy to use authorization platform that crushes access creep in one fell swoop. It’s designed to make it easy to adjust individual privileges without allowing individuals more than what’s necessary to do their jobs. For example, If someone needs additional access, that’s fine, but administrators can adjust that access so that it automatically expires after a short amount of time.

If an individual changes positions or leaves the company, their access privileges will automatically adjust to reflect this change. Furthermore, PlainID can take into account additional factors for enhanced security. If it detects that an employee (who isn’t on vacation) is attempting to access files from an unusual location at an unusual time, it can suspect that the employee’s credentials have been stolen—cutting off access and notifying an administrator.

Don’t leave authorization decision up to chance. Keep a rein on your employees, and your critical data, and contact PlainID today! Talk to an IAM Expert

Most popular posts