Modern IT infrastructure is typically no longer contained within a conventional network perimeter. Instead, companies often have hundreds of diffusely distributed cloud-based SaaS (Software-as-Service) apps. Each of thes apps adds admin overhead, with user permissions assigned on a per app basis. Assigning permissions across a modern company — including partners, freelancers, and other external collaborators — can be complex and time-consuming. The result is that these permissions may become bloated and out-of-control, leading to “permission sprawl.”

Why does Permission Sprawl happen?

Permissions are the differing rights assigned to various users to access an app and handle its data and other resources. An individual’s permissions should align with their security profile — including their role, department, and the sensitivity of the resources they need to access. The assignment of permissions should always follow the principle of least privilege. That is, rights to access and use an app should be authorized on a need-to-know basis — enough to allow a person to do their job, but no more Least privileged access management is an essential security control recognized by standards-setting organizations and reflected in many security regulations, such as NIST’s Cyber Security Framework (CSF) and ISO 27001.

Permission sprawl, also called privilege creep or privilege sprawl, is an important concept to understand, as it increases security risks. Permission sprawl is exacerbated by the need to balance user access controls with security. But it’s also a consequence of many other routine organizational developments, including people changing  roles or departments within — or leaving — an organization, which all require changes in permissions. If, for example, departing staff do not automatically have their permissions revoked, data is placed at risk. To recap, the following scenarios often give rise to permission sprawl:

• Default credentials: New employees may be given copied/pasted (instead of customized) permissions for faster onboarding.

• Changing roles: Employees may need different types of permissions and app access controls if they move departments or change roles.

• Ex-employees: It’s essential to revoke access permissions swiftly whenever a staff member leaves the organization. 

• Not performing regular reviews: Access needs change over time. For example, a department may need temporary access to a specific app. But if an organization fails to regularly check required access permissions, access rights can quickly become out-of-date and uncontrolled.

• Permission conflicts: If each department manages access rights, overlapping privileges can cause permission conflicts and cybersecurity risks. For example, if a user can both review and approve the same process, it creates a toxic combination and dangerous conflicts of interest. For example, if a single user can both create and approve purchase orders, that clearly creates opportunities for fraud.

Risks of permission sprawl

If permission sprawl is left unchecked, it places an organization at high risk of the following:

Data breaches: Unauthorized access and inappropriate access rights can lead to accidental or malicious data breaches. Permissions must be continuously monitored to ensure that least privilege is maintained as employees move into new roles or leave the company.

Insider threats: Uncontrolled access rights that provide excess privileges can lead to sensitive data leaks. Employees with access to sensitive data must be trained in maintaining the security and privacy of this data. Employees who are given access without such training can  leave data exposed.

Non-compliance: Many data protection and privacy regulations and standards require adherence to the principle of least privilege. Permission sprawl can easily result in a company going into non-compliance without realizing it — potentially resulting in hefty fines.

How does permission sprawl enter the enterprise?

Permission sprawl risks proliferate when any — or any combination — of the following occur:

No or poor visibility of SaaS apps

SaaS apps can be challenging to make visible, especially if installed outside the normal purchasing protocol. Shadow IT, or unknown app usage, makes it difficult — and often impossible — to know who is using what apps to create and share data. This can make it challenging to maintain an accurate log of user access and permissions.

Overprovisioning

When the principle of least privilege is not followed, employees can gain permissions they don’t need. Such “overprovisioning” can lead to unauthorized access to sensitive data. So an enterprise should look for solutions that prevent overprovisioning.

Inconsistent access

When permissions vary across applications, employees can become confused — and overburden help desks as they seek assistance. Some of these frustrated employees may turn to colleagues to share credentials or log in on their behalf, creating additional security risks.

Privilege creep

Unmanaged privileges can persist beyond their needed duration. when employees change positions or leave an organization. These employees’ privileges must be reviewed and changed — or removed. If not, they’ll retain unneeded access to applications and data, leading to increased risk of data exposure.

Difficulty revoking access

An organization must use a robust SaaS access management strategy to ensure permissions are effectively revoked in all appropriate situations.

How can an organization avoid permission sprawl?

Identity and access management (IAM) solutions provide the tools to prevent permission sprawl. IAM tools provide the capability needed to continuously monitor, evaluate, and modify user access rights and permissions. Some advanced IAM tools provide automated permission management, improving the efficiency and effectiveness of permission sprawl control at scale.

IAM strategies that help prevent permission sprawl include:

Enforcement of least privilege

Ensure that users have the right level of access to do their job — and no more. Employ a "who can access what" approach to defining users, roles, and permissions. Enforce least privileged access using identity management and authentication and authorization options, including multi-factor authentication (MFA).

Role-based access control (RBAC)

Use an RBAC approach to assign access permissions based on employee roles. Each employee performing a certain role should have the same and consistent access rights to network resources.

Attribute-based access control (ABAC)

ABAC uses user attributes to set appropriate access controls. For example, a user’s email address or geographic location could be an attribute that’s used to set permissions to resources.

Automation of onboarding and onboarding

Automated provisioning and deprovisioning prevents permission sprawl when employees enter, move within, or leave an organization. Automation of this task reduces human error and speeds up the process. Some automation tools allow department managers to securely onboard new people without having to rely on IT.

Single-sign-on IAM strategy

Single-sign-on (SSO) allows sign-on across all applications using a single set of login credentials. SSO can help ensure access consistency and prevent permission sprawl.

Other types of sprawl in IT

Sprawl is a common problem across IT. Other types of sprawl include the following:

Identity sprawl: As identity-based systems proliferate, an enterprise and its employees are increasingly generating identity accounts. These accounts can often go unmanaged and lead to security risks.

Policy sprawl: Large numbers of unmanaged identity accounts can result in policy sprawl, where security policies become disjointed and overly complex.

Account sprawl: As user accounts across an enterprise proliferate, consistent management of access and permissions becomes ever more challenging.

SaaS sprawl: The number of SaaS apps has massively increased in recent years. The easy installation and affordability of SaaS apps have often led to situations where apps are uncontrolled and exist as part of shadow IT. This has led to SaaS app sprawl, where an enterprise struggles to manage permissions across these apps.

Examples of breaches that occurred because of permission sprawl

Capital One 2019: This mega breach at Capital One affected over 100 million individuals in the United States and approximately 6 million in Canada. The breach analysis identified a misconfigured web application firewall (WAF) that allowed excessive permissions to be exploited. The misconfigured WAF and uncontrolled permissions resulted in the unauthorized accessibility of data within 700 Amazon Web Services (AWS) buckets. Paige Thompson, a former AWS employee, used a tool to scan AWS accounts and look for misconfigured accounts. She then used these to gain unauthorized access to Capital One.

Sage, UK 2016: A data breach at accountancy software firm Sage impacted 280 UK businesses. The unauthorized access occurred when a disgruntled Sage employee used an internal login that gave her unrestricted access to customer-privileged accounts. Sage shares fell by over 4% after the incident.

Permission sprawl and compliance

Regulations and standards, including SOC2, HIPAA, NIS2, and ISO 270001, require data protection using appropriate measures. SOC2 and ISO 27001, for example, require the revocation of permissions during user offboarding within a specific time frame.

Permission automation is an effective way to manage permission sprawl and meet such regulatory requirements.

How can startups balance the need for employee autonomy with the need to control access and prevent sprawl?

Smaller organizations and startups want employees to have autonomy. Employees also like autonomy, and — when well-managed — it helps reduce IT overhead. However, allowing employees to have free reign over their work environment and app usage can also increase security risks. Finding the right balance between employee autonomy and security requires IAM strategies that are designed to deliver consistent, role-based access. Employees can be given the freedom to make decisions within the bounds of secure, least privileged access. Automation of access control and managed SSO can also alleviate the IT support burden.