VS1 Cloud Blog
Zero trust is currently getting a lot of hype in the world of cybersecurity. The concept of “trusting no one” is an easy idea to grasp and has the potential to mitigate the vast range of threats plaguing organizations. However, if the tools, processes and strategies around zero trust network architecture (ZTNA) are not implemented correctly, cracks can remain in cybersecurity defenses. One specific weakness that organizations continue to contend with is access creep.
Access Creep and ZTNA
Access creep, or the slow accumulation of access rights by a user over time, is an ongoing problem for organizations, especially when it comes to internal users. Access creep occurs because a user acquires legitimate additional access rights over time, often due to needing temporary access to an asset, but those rights are never removed.
In the physical world, access creep can mean an employee requiring access to a manufacturing plant while on a site visit. In the virtual world, it can mean getting access to a database for a project that lasts a few months. In either case, those access rights may not be removed when they are no longer needed, providing the user with unnecessary access to systems.
This access creep can occur even within a zero trust network because access is still granted and often not deprovisioned at the right time. Because access needs are often temporary, access creep naturally runs against the principle of least privilege, and it exposes an organization’s systems to risk.
Over time, if not properly managed and reviewed, access rights for one user can keep growing until their access suddenly becomes a significant risk. For example, if a hacker got into a network through that user’s credentials, the field of attack would be much broader – with many more open doors – thanks to those mounting access rights.
By: Daniel Fabbri