Why the Least Privilege Model isn't working – and how you can do better.

A couple of months ago, I came across this article about ‘privilege creep’ putting data security in jeopardy over on ITProPortal.com. If you’re unfamiliar with the term, ‘privilege creep’ refers to the growth in access permissions which often unwittingly occurs as employees move or progress within an organisation and old permissions aren’t revoked. An example – your HR administrator moves off to work in the Marketing team, taking with them full access to a whole host of potentially sensitive personal data that’s totally unnecessary in their new role, and leaving their replacement in HR operating blind with no way to get hold of historical data.
Fear of data access – it’s not unreasonable
Why is this such a problem? Your own employees aren’t malicious cybercriminals! As the article I read rightly points out, inappropriate access to sensitive information can in itself be a breach of compliance regulations – and there’s always the risk of someone inadvertently sharing the data they have access to, exposing what should be highly privileged information to other employees or even malicious third parties.
So the only way to protect your organisation’s data against the threat of breach and exposure is to revoke access privileges to a bare minimum, right?
Wrong, kind of. A ‘least privilege’ model does what it says on the tin – by limiting the access your employees have, you’re mitigating the risk of any sensitive information being breached. Control equals damage control. Much like the idea of ‘security by design’, and the GDPR-led principle of only allowing your people to see the information they need to do their jobs, a least privilege model strips away all but the bare minimum access to necessary systems and information. But this minimalistic approach relies on information being stored in the right locations, and these locations being permissioned correctly. Plus, users still need to be able to discover information more widely, even if they don’t have permission to actually use it, so that they can request full access at the moment it’s needed.
There’s a lot to lose in the battle for information security
We often hear about security by obscurity, where information is ‘safe’ purely because users can’t actively find it. It’s buried folders-deep within obscure network drive locations, but technically all employees have permission to access, open, and use it. As Enterprise Search & Discovery capabilities grow and information is migrated to new Cloud repositories, obscurity is becoming a thing of the past and I think we can all agree this is one approach to avoid.
But more and more at Aiimi we’re finding that an opposite (and just as problematic) scenario is true for many organisations. Instead of information being accessible to everyone but virtually undiscoverable, now, information is being systematically locked away in secure personal network drives, OneDrives and email folders, or team-specific libraries. It’s a kind of least privilege approach to information management – what lives in Joe in HR’s personal drive can only be accessed by Joe in HR. What belongs to the Design team can only be accessed by the Design team, via their shared library. Even though the intentions for improved collaboration with organised team libraries might be there, using these team-specific spaces inadvertently blocks others in the business from accessing the information.
It creates a massive problem. Valuable information is siloed – it cannot be found and reused. The cost of determining access based on job role or team is that cross-team collaboration is almost entirely stifled.
Even with official records, often the final step of publishing in a widely accessible, searchable location is missed. Or information is stored somewhere publicly, but its name is too generic to be found by conventional search tools, or too specific and technical to divulge its meaning to more than a handful of specialists. This information might not be obscured to the point of being inaccessible, but it’s hardly offering itself up to the business. Organisations need to be able to spot these missed opportunities, classify the records, and either re-permission them to grant wider access, or move them to a place where the correct permissions already exist.
By denying people access to corporate knowledge, inadvertently or otherwise, you’re systematically forcing them to spend time and money recreating data that already exists.
Let’s get privileged access right, every time
Thankfully, there is a better way to safely unlock information that’s hidden away (so the business can reuse and exploit its value) and keep sensitive or personally identifiable information locked down with the right permissions.
Powerful AI technology can index all data and information across your organisation, label it, add metadata, and classify each record. You can identify exactly what every file is, what it contains, and how risky it is – based on the entities within the file and how visible it is to users. This can inform your information governance policies and enable automatic enforcement of the rules you put in place, so compliance is taken care of, and employees are granted or restricted access to information based on its sensitivity level, not because of what team they work in.
Data owners and administrators can easily clean up the information, move it to the right repository in bulk, and properly permission it to keep it safe. Now, insightful technology makes it possible to automate these problematic processes of detection, alerting, and fixing permissions.
Meanwhile, everything else in your organisation – the millions of files that don’t contain secret, commercially sensitive, or personally identifiable information – can be opened up, able to be discovered by your employees in seconds, and even pushed to them at the moment they need it, based on their habits and knowledge networks.
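To make the idea concrete, here is a small sketch of sensitivity-based permission review, added as an illustration and not taken from Aiimi's product. It scores each file on the entities it contains and how widely it can be read, then flags sensitive files that are over-exposed and harmless files that are siloed. The detectors, thresholds, group sizes and file records are all constructed assumptions.

```python
import re

# Constructed detectors: stand-ins for the entity recognition a real classifier would use.
DETECTORS = {
    "email": re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b"),
    "uk_nino": re.compile(r"\b[A-Z]{2}\d{6}[A-D]\b"),
    "marked_confidential": re.compile(r"\bcommercial in confidence\b", re.I),
}
HEADCOUNT = 500                                   # assumed organisation size
GROUP_SIZE = {"everyone": 500, "hr-team": 5, "design-team": 8}  # assumed groups
BROAD, NARROW = 0.25, 0.05                        # assumed visibility thresholds

# Constructed sample records: path, extracted text, groups with read access.
FILES = [
    {"path": "shared/old/payroll_export.csv",
     "text": "jane.doe@example.com, AB123456C, salary 41000",
     "readers": {"everyone"}},
    {"path": "design/library/brand_guidelines.txt",
     "text": "Logo clear space and colour palette rules.",
     "readers": {"design-team"}},
    {"path": "hr/cases/grievance_17.txt",
     "text": "Complainant AB654321D raised a concern on 3 March.",
     "readers": {"hr-team"}},
]

def assess(record):
    """Score one file on what it contains and how many people can read it."""
    entities = sorted(n for n, rx in DETECTORS.items() if rx.search(record["text"]))
    reach = sum(GROUP_SIZE[g] for g in record["readers"])
    visibility = min(1.0, reach / HEADCOUNT)
    if entities and visibility > BROAD:
        action = "lock_down"      # sensitive content exposed far beyond need
    elif not entities and visibility < NARROW:
        action = "open_up"        # harmless content siloed in a team space
    else:
        action = "keep"           # permissions already match sensitivity
    return {"path": record["path"], "entities": entities,
            "visibility": round(visibility, 3),
            "risk": round(len(entities) * visibility, 3), "action": action}

def review(files):
    """Return findings ordered so the riskiest files come first."""
    return sorted((assess(f) for f in files), key=lambda r: r["risk"], reverse=True)

if __name__ == "__main__":
    for finding in review(FILES):
        print(finding)
```

The decision depends only on content and reach, never on which team owns the folder, so the same rule that locks down the payroll export also releases the brand guidelines.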
You can definitely have your cake and eat it when it comes to keeping information safe.
