July 7, 2022 | Pedro Pereira

Stopping Permissions Drift

Best practices for replacing sloppy access permissions management with permissions hygiene.

NOBODY LIKES to give up their privileges. But in cybersecurity, having too many privileges is a liability.

To avoid the liability, businesses should ensure users, both internal and external, have only the system permissions they need for their jobs.

With internal users, organizations often allow employees to hang on to privileges long after they’re required, says Michael B. O’Hara, CISSP, principal consultant/owner of MEDSEC Privacy Consulting. And that couldn’t make hackers happier.

“One of the favorite conditions for a hacker is scope creep because it’s one-stop shopping. It’s the Costco for hackers,” O’Hara says.

The more permissions you have, the bigger target you become. If a hacker steals your credentials, they gain access to more network assets than if your privileges were confined to your role in the company.

One major cause of so-called “permissions drift” is people getting promoted, says O’Hara. Along the way, the person receives more access rights but never forfeits those they no longer need for their current responsibilities.

The issue isn’t limited to internal users. In its January SaaS Application Security Insights report, security vendor SaaS Alerts warned that the guest accounts some organizations create for visitors, partners, contractors, and suppliers are also a problem.

“External users are frequently granted the same permissions as internal staff, including privileged access. Guest User Accounts set up for contractors and external parties often persist longer than intended and well beyond the completion of services by the contractor,” the report says.

Currently, 42% of the 129,000 SaaS accounts monitored by SaaS Alerts are guest accounts, the report says. “For many organizations, the unmonitored use of Guest User Accounts has resulted in data being exposed.”

Permissions Policies

Permissions drift can happen even when companies have policies on user privileges. “Most organizations don’t even realize they need these policies and procedures, and if they have them, they’re only paying lip service to them,” says O’Hara.

To address the problem, he recommends the following:

  1. Conduct a risk assessment. To determine what policies an organization should enforce, it needs to understand its security posture and address existing gaps.
  2. Define and implement policies and procedures. This should include a least-privileges policy to prevent drift.
  3. Follow through. Enforce the policies. Every time someone’s role changes, their privileges should be reassessed. O’Hara stresses: “It should be: This is our culture, this is how we live, eat, and breathe.”

MSPs, O’Hara says, should help clients develop these policies. And they need to lead by example—by ensuring they implement and enforce the same rules internally.

PEDRO PEREIRA is a freelance writer in New Hampshire who has covered the IT channel for two decades.
