July 7, 2022 | Pedro Pereira

Stopping Permissions Drift

Best practices for replacing sloppy access permissions management with permissions hygiene.

NOBODY LIKES to give up their privileges. But in cybersecurity, having too many privileges is a liability.

To avoid the liability, businesses should ensure users, both internal and external, have only the system permissions they need for their jobs.

With internal users, organizations often allow employees to hang on to privileges long after they’re required, says Michael B. O’Hara, CISSP, principal consultant/owner of MEDSEC Privacy Consulting. And that couldn’t make hackers happier.

“One of the favorite conditions for a hacker is scope creep because it’s one-stop shopping. It’s the Costco for hackers,” O’Hara says.

The more permissions you have, the bigger target you become. If a hacker steals your credentials, they gain access to more network assets than if your privileges were confined to your role in the company.

One major cause of so-called “permissions drift” is people getting promoted, says O’Hara. Along the way, the person receives more access rights but never forfeits those they no longer need for their current responsibilities.

The issue isn’t limited to internal users. In its January SaaS Application Security Insights report, security vendor SaaS Alerts warned that the guest accounts some organizations create for visitors, partners, contractors, and suppliers are also a problem.

“External users are frequently granted the same permissions as internal staff, including privileged access. Guest User Accounts set up for contractors and external parties often persist longer than intended and well beyond the completion of services by the contractor,” the report says.

Currently, 42% of the 129,000 SaaS accounts monitored by SaaS Alerts are guest accounts, the report says. “For many organizations, the unmonitored use of Guest User Accounts has resulted in data being exposed.”

Permissions Policies

Permissions drift can happen even when companies have policies on user privileges. “Most organizations don’t even realize they need these policies and procedures, and if they have them, they’re only paying lip service to them,” says O’Hara.

To address the problem, he recommends the following:

  1. Conduct a risk assessment. To determine what policies an organization should enforce, it needs to understand its security posture and address existing gaps.
  2. Define and implement policies and procedures. This should include a least-privileges policy to prevent drift.
  3. Follow through. Enforce the policies. Every time someone’s role changes, their privileges should be reassessed. O’Hara stresses: “It should be: This is our culture, this is how we live, eat, and breathe.”

MSPs, O’Hara says, should help clients develop these policies. And they need to lead by example—by ensuring they implement and enforce the same rules internally.

PEDRO PEREIRA is a freelance writer in New Hampshire who has covered the IT channel for two decades.
