Privilege creep: do you really need access? A message from your IT team

To whom it may concern,

Hi. It’s your IT team. First off, we’d like to congratulate you on your new job, promotion or role within this company.

As with any new role, you'll no doubt be asking for new access rights in order to get your job done. We're here to help. But granting rights without ever taking old ones back puts the company at risk through a phenomenon known as 'privilege creep'.

With that in mind, we are writing to you to explain privilege creep, how we tackle it, and what it means for you.


What is privilege creep?

A privilege is a granted right to access a resource, system or database. The right to log in to an account, open a file or use any other company resource is a privilege.

Privilege creep, then, describes the gradual accumulation of these access rights on a single employee's account over time.

But it's more than just being authorised to access a large number of resources. An account suffering from privilege creep holds rights to resources beyond those the user needs to do their current job effectively.


It causes IT headaches

The problem is, privilege creep causes major cybersecurity risks to the business. This, in turn, causes major headaches for us here in the IT department.

Most importantly, privilege creep makes your account more valuable to attackers. If an attacker phishes or otherwise takes over an over-privileged account, they inherit every function and resource attached to it, not just the ones you actually use. So privilege creep increases the damage that a single compromised account can do.

Unfortunately, team members sometimes leave us. And sometimes an ex-team member's account is not disabled on their last day, so it lives on with all of its access rights. In those cases, an account nobody is watching, carrying privileges nobody needs, is a ready-made back door into the company's systems.

As such, it’s imperative that we here in the IT team manage access permissions carefully.


It creeps through the company

So, how does privilege creep spread through the company?

When you earn a promotion, swap job roles or take on new tasks, you'll need new access rights to fulfil your new responsibilities. During the transition period, you'll probably need your old privileges too, at least until everyone has settled into their new daily workflows.

Too often, though, the transition ends and the old access rights are never revoked. So, even though you no longer need those privileges, they stay attached to your account, almost like a badge of honour. Besides, we trusted you with that access before, and taking it away can feel pointless. It isn't: the question is not whether you are trusted, but whether your current role still needs the right.


Time constraints feed it

Another cause of privilege creep is time pressure, which means that some departments are more prone to it than others.

For instance, software development is often plagued by privilege creep. Developer privileges are frequently over-assigned because developers touch many access-restricted areas while creating, updating and fixing the software the company depends on.

Under deadline pressure, proper access authorisation gets side-stepped: rather than a narrowly scoped, time-limited grant, a developer is handed broad standing access so that security doesn't become a hurdle. And once the job is complete, those privileges are never revoked.


On avoiding privilege creep

The common thread here is that privileges are not revoked when they should be. So, to combat privilege creep, we must regularly review access permissions and revoke any excess privileges.

One way we propose to tackle privilege creep is by following the 'principle of least privilege' (PoLP). This is the practice of limiting each team member's access rights to the minimum needed for their current role, and granting anything beyond that only for a stated reason and, where possible, for a limited time.

Another way is by auditing the access permissions of every account on a regular schedule. We compare what each account holds against what the role actually requires, and revoke the difference. This stops creep accumulating between reviews rather than letting it build up for years.

So, you will only have access to the resources, files and data you need to complete your tasks and responsibilities. Neither of these measures is likely to restrict or impede your daily work.
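To make the review described above concrete, here is an added example (not code from the IT team or this letter) of the check such an audit performs. It assumes a hypothetical least-privilege baseline per job role and a record of who granted each privilege, why and for how long; the roles, users and grants below are constructed sample data, not real accounts. The script flags three things the letter warns about: standing rights left over from a previous role, temporary grants whose expiry has passed, and accounts of people who have left but were never disabled.

```python
"""Access recertification: diff each account's grants against its role baseline.

Added example with constructed data; a real run would load roles and grants
from the directory or IAM system instead of the literals below.
"""
from __future__ import annotations

from collections import defaultdict
from dataclasses import dataclass, field
from datetime import date

# Hypothetical least-privilege baselines per job role (constructed for this
# example). A role should get exactly these standing rights and nothing more.
ROLE_BASELINES: dict[str, set[str]] = {
    "support-analyst": {"ticketing-rw", "crm-ro"},
    "developer": {"git-rw", "ci-run", "staging-deploy"},
    "team-lead": {"git-rw", "ci-run", "staging-deploy", "hr-team-view"},
}


@dataclass
class Grant:
    privilege: str
    granted_on: date
    reason: str
    expires_on: date | None = None  # None means standing (non-expiring) access


@dataclass
class Account:
    user: str
    role: str
    grants: list[Grant] = field(default_factory=list)
    left_on: date | None = None  # set when the person has left the company


@dataclass(frozen=True)
class Finding:
    user: str
    privilege: str
    kind: str  # "leaver", "expired" or "outside-role"
    detail: str


def review(accounts: list[Account], today: date) -> list[Finding]:
    """Return every grant that should be revoked, with the reason why."""
    findings: list[Finding] = []
    for acct in accounts:
        baseline = ROLE_BASELINES.get(acct.role, set())
        for g in acct.grants:
            if acct.left_on is not None and acct.left_on <= today:
                # An enabled account belonging to a leaver is the back door
                # the letter describes: every right on it must go.
                findings.append(Finding(acct.user, g.privilege, "leaver",
                    f"left on {acct.left_on}; disable account and revoke"))
            elif g.expires_on is not None:
                # Time-limited grants are the right way to give extra access;
                # they only become creep once the expiry date has passed.
                if g.expires_on < today:
                    findings.append(Finding(acct.user, g.privilege, "expired",
                        f"temporary grant for '{g.reason}' expired {g.expires_on}"))
            elif g.privilege not in baseline:
                # Standing right that the current role does not require:
                # typically left over from a previous role.
                findings.append(Finding(acct.user, g.privilege, "outside-role",
                    f"not in '{acct.role}' baseline; granted {g.granted_on} "
                    f"for '{g.reason}'"))
    return findings


def revocation_plan(findings: list[Finding]) -> dict[str, list[str]]:
    """Collapse findings into the list of privileges to remove per user."""
    plan: dict[str, set[str]] = defaultdict(set)
    for f in findings:
        plan[f.user].add(f.privilege)
    return {user: sorted(privs) for user, privs in sorted(plan.items())}


# Constructed sample accounts illustrating the three failure modes.
TODAY = date(2024, 6, 1)
SAMPLE_ACCOUNTS = [
    # alice moved from support to development and kept her old rights.
    Account("alice", "developer", [
        Grant("git-rw", date(2023, 9, 4), "moved to dev team"),
        Grant("ci-run", date(2023, 9, 4), "moved to dev team"),
        Grant("staging-deploy", date(2023, 9, 4), "moved to dev team"),
        Grant("ticketing-rw", date(2021, 2, 1), "support analyst onboarding"),
        Grant("crm-ro", date(2021, 2, 1), "support analyst onboarding"),
    ]),
    # bob got temporary production access for a hotfix that expired months ago.
    Account("bob", "developer", [
        Grant("git-rw", date(2022, 5, 10), "developer onboarding"),
        Grant("ci-run", date(2022, 5, 10), "developer onboarding"),
        Grant("staging-deploy", date(2022, 5, 10), "developer onboarding"),
        Grant("prod-db-rw", date(2024, 2, 20), "incident hotfix",
              expires_on=date(2024, 3, 1)),
    ]),
    # carol holds exactly her role baseline: nothing to revoke.
    Account("carol", "support-analyst", [
        Grant("ticketing-rw", date(2023, 1, 9), "support analyst onboarding"),
        Grant("crm-ro", date(2023, 1, 9), "support analyst onboarding"),
    ]),
    # dave left the company but his account was never disabled.
    Account("dave", "team-lead", [
        Grant("git-rw", date(2020, 3, 2), "developer onboarding"),
        Grant("hr-team-view", date(2022, 8, 15), "promoted to team lead"),
    ], left_on=date(2024, 5, 15)),
]

if __name__ == "__main__":
    found = review(SAMPLE_ACCOUNTS, TODAY)
    for f in found:
        print(f"{f.user:6} {f.kind:13} {f.privilege:15} {f.detail}")
    print(revocation_plan(found))
```

Two design points are worth noting. A temporary grant that is still within its expiry window is deliberately not flagged, even when it lies outside the role baseline: that is the scoped, time-limited access the letter asks people to request instead of broad standing rights. And the output is a revocation plan per user rather than an automatic revocation, so the role owner can confirm the baseline is correct before anything is removed.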


Thank you

In short, we want to make it clear that when we revoke privileges, it's not because we don't trust you. It's because excess privileges present an unnecessary security risk to the company, and the fewer rights an account carries, the less an attacker gains by compromising it.

Thank you for your understanding.

Kind regards,

Your IT team.

