Zero trust is currently getting a lot of hype in the world of cybersecurity. The concept of "trusting no one" is easy to grasp and has the potential to mitigate a wide range of the threats plaguing organizations. However, if the tools, processes and strategies around zero trust network access (ZTNA) are not implemented correctly, cracks appear in those defenses. One specific weakness that organizations continue to contend with is access creep.
Access Creep and ZTNA
Access creep, the slow accumulation of access rights by a user over time, is an ongoing problem for organizations, especially with internal users. It happens when a user legitimately acquires additional access rights over time, often for a temporary need such as a project or a site visit, and those rights are never removed once the need has passed.
In the physical world, access creep can mean an employee requiring access to a manufacturing plant while on a site visit. In the virtual world, it can mean getting access to a database for a project that lasts a few months. In either case, those access rights may not be removed when they are no longer needed, providing the user with unnecessary access to systems.
Access creep can occur even within a zero trust network, because zero trust governs how each access request is verified and granted; it does not, by itself, deprovision access when the original need ends. Access that outlives its purpose violates the principle of least privilege and exposes an organization's systems to risk.
Over time, if not properly managed and reviewed, the access rights of a single user can keep growing until that account quietly becomes a significant risk. If an attacker compromises that user's credentials, the attack surface is much broader, with many more open doors, thanks to those accumulated rights.
HR Systems and Access Rights
Human resource (HR) systems are one of the first lines of defense against access creep. Assigning rights and privileges by job role is a scalable way to govern access policy for employees, since even a company with hundreds of thousands of identities can usually be described by a much smaller set of job functions. Hires, role changes and departures are already recorded in the HR system as part of normal business processes, so those events can drive automated provisioning and deprovisioning, and with it an automated implementation of the principle of least privilege. The more closely access rights are tied to the HR record, the lower the risk of access creep.
Preventing Access Creep with Access Reviews
One strategy to mitigate ZTNA access creep is regular access reviews. An access review is the process of examining every identity's access rights and confirming that the principle of least privilege (users have only the minimum access they need) is being adhered to. Done regularly, it is crucial to preventing access creep.
Depending on the organization's size, access reviews may need to be distributed across departments, and at a bare minimum they should be tied to HR systems, which hold the role-based baseline for each user. Every manager, especially in larger organizations, should review the access rights of their employees and users and attest that each right is still required. Where a right is no longer needed, the manager rejects or changes it. This keeps access rights in step with changes to the employee's role and to the organization.
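The review described above, and the HR role baseline it depends on, can be turned into a simple reconciliation: compare each identity's actual entitlements against what its HR job role justifies, flag anything outside that baseline, and separately flag temporary grants whose expiry has passed, then group the findings by the manager who has to attest or revoke. The following is an added example written for this page, not code from the original article or from any vendor; the role names, system names, entitlement strings and identity records are constructed assumptions rather than a real HR or IAM schema.

```python
"""Access-review reconciliation (added example, constructed data).

Flags two forms of access creep for a manager to attest or revoke:
  * "outside_role": a standing grant the identity's HR role does not justify
  * "expired":      a time-bound grant whose expiry date has passed
"""
from dataclasses import dataclass, field
from datetime import date
from typing import Dict, List, Optional

# Constructed HR role baseline: job role -> entitlements that role justifies.
# In a real deployment this would come from the HR / IAM system.
ROLE_BASELINE: Dict[str, set] = {
    "engineer": {"git:read", "git:write", "ci:run"},
    "analyst": {"warehouse:read", "bi:view"},
    "contractor": {"vpn:connect"},
}


@dataclass(frozen=True)
class Grant:
    entitlement: str
    granted_on: date
    expires_on: Optional[date] = None  # None means standing (non-temporary) access
    reason: str = ""


@dataclass
class Identity:
    user: str
    role: str
    manager: str
    grants: List[Grant] = field(default_factory=list)


@dataclass(frozen=True)
class Finding:
    user: str
    manager: str
    entitlement: str
    kind: str  # "outside_role" or "expired"
    detail: str


def review(identities: List[Identity], today: date) -> List[Finding]:
    """Return one finding per grant that should be revoked or re-justified."""
    findings: List[Finding] = []
    for ident in identities:
        # An unknown role has no baseline, so every grant is flagged for review.
        baseline = ROLE_BASELINE.get(ident.role, set())
        for g in ident.grants:
            if g.expires_on is not None and g.expires_on < today:
                findings.append(Finding(
                    ident.user, ident.manager, g.entitlement, "expired",
                    f"temporary grant expired {g.expires_on.isoformat()} ({g.reason})"))
            elif g.entitlement not in baseline:
                findings.append(Finding(
                    ident.user, ident.manager, g.entitlement, "outside_role",
                    f"not in baseline for role '{ident.role}'"))
    return findings


def by_manager(findings: List[Finding]) -> Dict[str, List[Finding]]:
    """Group findings by the manager who must attest to or reject each right."""
    grouped: Dict[str, List[Finding]] = {}
    for f in findings:
        grouped.setdefault(f.manager, []).append(f)
    return grouped


# Constructed sample identities illustrating the two failure modes.
SAMPLE_IDENTITIES = [
    Identity("alice", "engineer", "mgr.ops", [
        Grant("git:read", date(2021, 1, 4)),
        Grant("git:write", date(2021, 1, 4)),
        Grant("ci:run", date(2021, 1, 4)),
        # Project access that should have been removed when the project ended.
        Grant("warehouse:read", date(2022, 3, 1), date(2022, 6, 30), "Q2 migration project"),
        # Standing grant never justified by the engineer role.
        Grant("prod-db:admin", date(2022, 9, 15), None, "incident 2022-09"),
    ]),
    Identity("bob", "analyst", "mgr.data", [
        Grant("warehouse:read", date(2020, 5, 2)),
        Grant("bi:view", date(2020, 5, 2)),
    ]),
]


def run_sample(today: date = date(2023, 1, 10)) -> List[Finding]:
    """Run the review over the constructed sample as of a fixed review date."""
    return review(SAMPLE_IDENTITIES, today)


if __name__ == "__main__":
    for manager, items in by_manager(run_sample()).items():
        print(f"Review items for {manager}:")
        for f in items:
            print(f"  {f.user:<8} {f.entitlement:<16} {f.kind:<13} {f.detail}")
```

Two design points worth noting: an expired temporary grant is flagged as "expired" even when the role baseline would otherwise cover it, because the grant was justified by a time-bound need and should be renewed explicitly rather than silently becoming standing access; and an identity whose role is missing from the baseline has every grant flagged, so a gap in the HR data surfaces as review work instead of being waved through.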
However, access reviews are time-consuming, and that limits how thoroughly they get done. Software can assist with access reviews, such as SecureLink's Access Intelligence, but whatever the tooling, an organization should at a minimum review access rights to its critical systems.
Access creep is a quiet threat growing inside organizations today, and it can lead to major security incidents if not checked and mitigated. By pairing zero trust strategies and procedures with regular user access reviews, an organization can ensure that no access goes unchecked and no system remains needlessly exposed.