In this E-Guide from SearchSecurity.com, industry expert Peter H. Gregory talks about privilege creep and the concepts for getting it under control.
The accumulation of privileges is bad enough on its own, but things turn really bad when privilege creep undermines the Separation-of-Duties (SoD) or four-eyes principle. Once a single employee holds both halves of a control that was designed to require two people, that employee can grant themselves privileges nobody intended them to have, which quickly becomes a serious compliance problem.
When employees change jobs, leave the company or retire, we face a similar problem. In the best case HR promptly notifies the IT group to deactivate the employee's account. But very often the privileges themselves are left in place as a fallback, because it takes a long time before a successor is fully able to work. In the worst case, if you are in a hurry, the whole messy set of privileges is simply copied to the successor without any review.
A regular review of privileges is the best measure to tackle these problems. Even manual reviews can be implemented with moderate effort: compare what each account actually holds against what the job requires, and treat every difference as something that must either be justified or revoked. For a large company, an IAM solution with a direct link to the HR system is definitely the best approach, because a departure or job change recorded in HR can then trigger deprovisioning automatically instead of depending on someone remembering to notify IT.
In addition, I recommend extending each job profile with a security profile. When a new employee starts, the security profile belonging to the job can simply be applied, which prevents privilege creep from the first day: the account starts from the job's baseline rather than from a copy of a colleague's account.
Security profiles must be maintained so that they track changes in the job profile. A security profile comprises all roles and privileges, across all applications, systems and information, that an employee needs to do the job, and nothing more.
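To make the review concrete, here is an added example (not from the E-Guide and not Peter H. Gregory's code) of the check that an IAM-to-HR link automates and that a manual review performs by hand. It reconciles a constructed HR roster and a set of constructed security profiles against the privileges accounts actually hold, and flags the cases discussed above: privileges outside the job's security profile, departed employees whose accounts are still provisioned, accounts with no HR record, jobs for which no security profile has been maintained, and Separation-of-Duties conflicts. The employees, job profiles, privilege names and SoD rules are all made up for illustration.

```python
"""Reconcile an HR roster and security profiles against granted privileges.

Added example; every employee, job profile, privilege name and SoD rule
below is constructed for illustration.
"""
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class Employee:
    uid: str
    job_profile: str
    active: bool  # False once HR has recorded the departure


@dataclass(frozen=True)
class Finding:
    uid: str
    kind: str      # "orphan", "departed", "no_profile", "excess" or "sod"
    detail: tuple  # the privileges (or job profile) involved


# Security profile per job profile: exactly the privileges the job needs.
SECURITY_PROFILES = {
    "ap_clerk":   {"erp.vendor.create", "erp.invoice.enter"},
    "ap_manager": {"erp.invoice.view", "erp.payment.approve"},
    "sysadmin":   {"linux.sudo", "erp.admin"},
}

# Separation-of-duties rules: one account must never hold both privileges.
SOD_RULES = [
    ("erp.vendor.create", "erp.payment.approve"),
    ("erp.invoice.enter", "erp.payment.approve"),
]

# Constructed HR roster: what HR knows about each person.
HR_ROSTER = [
    Employee("alice", "ap_clerk", True),
    Employee("bob", "ap_manager", True),
    Employee("carol", "sysadmin", True),
    Employee("dave", "ap_clerk", False),   # left the company, HR has recorded it
    Employee("erin", "hr_partner", True),  # job profile with no security profile yet
]

# Constructed entitlements: what the systems actually grant today.
ENTITLEMENTS = {
    # covered for bob during a vacation, approval right never revoked
    "alice": {"erp.vendor.create", "erp.invoice.enter", "erp.payment.approve"},
    "bob": {"erp.invoice.view", "erp.payment.approve"},
    # dave's privileges were copied over "as a fallback" without review
    "carol": {"linux.sudo", "erp.admin", "erp.vendor.create"},
    # still provisioned although HR marked the departure
    "dave": {"erp.vendor.create", "erp.invoice.enter"},
    "erin": {"hr.records.read"},
    # account with no HR record at all
    "svc_legacy": {"erp.admin"},
}


def review_privileges(roster, entitlements,
                      profiles=SECURITY_PROFILES, sod_rules=SOD_RULES):
    """Return the findings a privilege review should raise, in uid order."""
    findings = []
    by_uid = {e.uid: e for e in roster}
    for uid in sorted(entitlements):
        granted = entitlements[uid]
        emp = by_uid.get(uid)
        if emp is None:
            # No owner in HR: nobody is accountable for this account.
            findings.append(Finding(uid, "orphan", tuple(sorted(granted))))
            continue
        if not emp.active:
            # Departed employee: the whole account should go, not just be trimmed.
            findings.append(Finding(uid, "departed", tuple(sorted(granted))))
            continue
        if emp.job_profile not in profiles:
            # Without a maintained baseline, "excess" cannot even be judged.
            findings.append(Finding(uid, "no_profile", (emp.job_profile,)))
            continue
        excess = granted - profiles[emp.job_profile]
        if excess:
            findings.append(Finding(uid, "excess", tuple(sorted(excess))))
        for a, b in sod_rules:
            if a in granted and b in granted:
                findings.append(Finding(uid, "sod", (a, b)))
    return findings


def summarize(findings):
    """Count findings per kind; a useful metric to track from review to review."""
    return dict(Counter(f.kind for f in findings))


if __name__ == "__main__":
    results = review_privileges(HR_ROSTER, ENTITLEMENTS)
    for f in results:
        print(f"{f.kind:10} {f.uid:10} {', '.join(f.detail)}")
    print(summarize(results))
```

Note that the check is only as good as the two inputs it compares: if the HR roster is stale, departed users are invisible, and if the security profiles are not maintained, every job change shows up as "excess" or, worse, the profile silently grows to match whatever the incumbent has accumulated. Running the same reconciliation on a schedule and watching the per-kind counts is what turns a one-off cleanup into the regular review recommended above.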
In addition, the employee orientation plan must be extended with information security topics. Creating awareness and training employees to respond adequately to information security incidents will raise the overall security level.