July 7, 2022 | Pedro Pereira

Stopping Permissions Drift

Best practices for replacing sloppy access permissions management with permissions hygiene.

Nobody likes to give up their privileges. But in cybersecurity, having too many privileges is a liability.

To avoid the liability, businesses should ensure users, both internal and external, have only the system permissions they need for their jobs.

With internal users, organizations often allow employees to hang on to privileges long after they’re required, says Michael B. O’Hara, CISSP, principal consultant/owner of MEDSEC Privacy Consulting. And that couldn’t make hackers happier.

“One of the favorite conditions for a hacker is scope creep because it’s one-stop shopping. It’s the Costco for hackers,” O’Hara says.


The more permissions you hold, the bigger target you become. If an attacker steals your credentials, they inherit every right attached to the account; when those rights are confined to your current role, the damage they can do is confined with them.

One major cause of so-called “permissions drift” is people getting promoted, says O’Hara. Along the way, the person receives more access rights but never forfeits those they no longer need for their current responsibilities.

The issue isn’t limited to internal users. In its January SaaS Application Security Insights report, security vendor SaaS Alerts warned that the guest accounts some organizations create for visitors, partners, contractors, and suppliers are also a problem.

“External users are frequently granted the same permissions as internal staff, including privileged access. Guest User Accounts set up for contractors and external parties often persist longer than intended and well beyond the completion of services by the contractor,” the report says.

Currently, 42% of the 129,000 SaaS accounts monitored by SaaS Alerts are guest accounts, the report says. “For many organizations, the unmonitored use of Guest User Accounts has resulted in data being exposed.”

Permissions Policies

Permissions drift can happen even when companies have policies on user privileges. “Most organizations don’t even realize they need these policies and procedures, and if they have them, they’re only paying lip service to them,” says O’Hara.

To address the problem, he recommends the following:

  1. Conduct a risk assessment. To determine what policies an organization should enforce, it needs to understand its security posture and address existing gaps.
  2. Define and implement policies and procedures. This should include a least-privilege policy, so that each account holds only the rights its current role needs, to prevent drift.
  3. Follow through. Enforce the policies. Every time someone’s role changes, their privileges should be reassessed. O’Hara stresses: “It should be: This is our culture, this is how we live, eat, and breathe.”
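The reassessment O'Hara describes can be made routine rather than cultural alone: compare what each account has actually been granted against what its current role needs, and flag anything left over, together with guest accounts that have outlived their engagement. The script below is an added example, not code from the article or from MEDSEC or SaaS Alerts; the role baseline, the permission names, the accounts and the audit date are all constructed for illustration.

```python
"""Audit constructed account records for permissions drift and stale guests.

Added example. ROLE_BASELINE and SAMPLE_ACCOUNTS are assumptions built for this
demo; in practice they would come from an IdM export or a SaaS admin API.
"""
from dataclasses import dataclass
from datetime import date
from typing import List, Optional, Set, Tuple

# Least-privilege baseline: the permissions each role actually needs (assumed).
ROLE_BASELINE = {
    "accounts_payable": {"erp:invoice:read", "erp:invoice:approve"},
    "ap_manager": {"erp:invoice:read", "erp:invoice:approve", "erp:vendor:edit"},
    "it_admin": {"ad:user:create", "ad:group:modify", "vpn:admin"},
    "guest_contractor": {"sharepoint:project-x:read"},
}


@dataclass
class Account:
    user: str
    role: str                 # the person's CURRENT role
    granted: Set[str]         # everything the account holds today
    is_guest: bool = False
    engagement_end: Optional[date] = None   # guests only: contracted end date


def excess_permissions(account: Account) -> Set[str]:
    """Permissions granted beyond the role baseline: this is the drift.

    An unknown role has an empty baseline, so every grant is reported; that
    is deliberate, because an unmapped role is itself a hygiene gap.
    """
    return account.granted - ROLE_BASELINE.get(account.role, set())


def stale_guest(account: Account, today: date, grace_days: int = 14) -> bool:
    """True when a guest account persists past its engagement end plus grace."""
    if not account.is_guest or account.engagement_end is None:
        return False
    return (today - account.engagement_end).days > grace_days


Finding = Tuple[str, str, object]


def audit(accounts: List[Account], today: date) -> List[Finding]:
    """Return (user, finding_type, detail) for every drift or stale-guest case."""
    findings: List[Finding] = []
    for acct in accounts:
        excess = excess_permissions(acct)
        if excess:
            findings.append((acct.user, "excess_permissions", sorted(excess)))
        if stale_guest(acct, today):
            findings.append((acct.user, "stale_guest", acct.engagement_end.isoformat()))
    return findings


# Constructed sample data. alice was promoted from it_admin to ap_manager and
# kept two admin rights; bob is a contractor whose engagement ended in March
# and who was handed an internal approval right; carol matches her baseline.
AUDIT_DATE = date(2022, 7, 7)
SAMPLE_ACCOUNTS = [
    Account("alice", "ap_manager",
            {"erp:invoice:read", "erp:invoice:approve", "erp:vendor:edit",
             "ad:group:modify", "vpn:admin"}),
    Account("bob", "guest_contractor",
            {"sharepoint:project-x:read", "erp:invoice:approve"},
            is_guest=True, engagement_end=date(2022, 3, 31)),
    Account("carol", "accounts_payable", {"erp:invoice:read", "erp:invoice:approve"}),
]

if __name__ == "__main__":
    for user, kind, detail in audit(SAMPLE_ACCOUNTS, AUDIT_DATE):
        print(f"{user:8} {kind:20} {detail}")
```

Run on a schedule and on every role-change ticket, the report gives the revoke list for step 3: alice loses the two admin rights she carried over, and bob's account is both over-privileged and past its end date. The grace period is a policy choice; set it to zero if guest access should end the day the engagement does.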

MSPs (managed service providers), O'Hara says, should help clients develop these policies. And they need to lead by example, by implementing and enforcing the same rules internally.

PEDRO PEREIRA is a freelance writer in New Hampshire who has covered the IT channel for two decades.

