We have buzz words, but I have decided to coin the phrase buzz burdens. A buzz burden, by my humble definition, is a problem that has always been present in the world of IT, but suddenly gains a lot of airtime, resulting in general stress and IT teams scrambling to put things right.
The buzz burden of the month looks to be what is known as ‘privilege creep’, I mean I know a lot of people use their privilege to be creepy in general life, but what does this mean in the IT sense?
Privilege creep is a phenomenon whereby employees gradually bank up excessive access privileges as they move through a business, even when they no longer necessarily need said access to do their jobs.
Forrester has reported that lost, stolen or compromised privileged credentials are involved in over 80% of all enterprise data breaches. And to be fair, it’s usually human error that causes cyber breaches on the whole – gotta be keeping a closer eye on your staff people.
To back this up, the 2021 Identity and Access Management Report from Cybersecurity Insiders also indicates that 77% of organisations have one too many users with more access privileges than required and fifty-four per cent, were at best, only somewhat confident in their ability to verify who should have access to what.
But as simple as it is to say, keep a better eye on your digital enterprise, maintaining oversight of everyone who needs privileged access to perform their roles is an understandably and increasingly complex challenge, with IT teams already stretched to the limit.
And as mentioned above, this task is only made more difficult by staff members accumulating way more access rights to applications, systems and resources than is actually necessary.
Flying under the radar, these privileges cause security blind spots that can potentially lead to devastating breaches, according to HelpSystem’s data classification specialist Adam Strange.
Needless to say, privilege creep is proving to be a real thorn in the side of data security.The good news, however, is that there are practices that can be put in place to work around the security blind spots that these privileges can create.
One such practice is having a solid identity and access management (IAM) program in place that leverages a least privilege approach, helping to close the gap on identity-related access risks.
An IAM program encompasses defining and enforcing strong access policies, conducting periodic access reviews, and prioritising role-based access control. At the data level, privilege creep can be combatted if data and documents are classified in the right way, and as a result, their usage controlled.
Privilege in the general sense of the word equals power, and when people get a little bit of power, they tend to get a little bit nefarious along with it, you only have to look at the Stanford Prison experiment to see how that one plays out.
Give people an inch, they are likely to take a mile. I’m not saying don’t trust your staff, or that they’re going to take down your business, but inadvertently or not, people having an over prevision of access privilege does nothing for productivity and everything to increase the financial and reputational risk associated with data loss.
In today’s digital economy, combining data discovery and data classification technologies with IAM technology and identity solutions can provide organisations with the right tools, not all the tools, for the job at hand.
This editorial originally appeared in the Data Centre Review Newsletter July 30, 2021. To ensure you receive these editorials direct to your inbox, you can subscribe to our weekly newsletter here.