Software Security Check: Permission Drift

When was the last time you reviewed the permissions granted to users in your software solutions?

Facilities management software, for many organisations, plays a critical role in operations management. As a tool, it helps teams to maintain compliance and create efficiencies in process, supporting teams to work smarter, and achieve better results.

However, like any other tool, software needs to be appropriately maintained. Just as you’d ensure HVAC filters are cleaned at appropriate intervals, you’ll need to do “maintenance” tasks to ensure your solution works as efficiently, and securely, as possible.

One of the challenges with using software solutions is “permission drift”, and this includes your facilities management solution.

What is permission drift? 

Permission drift is the slow, gradual process of users gaining permissions they don’t need, and shouldn’t have. Often, this drift is a natural consequence of ordinary operations, and projects.

How does permission drift happen?

As staff change roles or gain new responsibilities, their system access requirements may change. New permissions may be added, but permissions that are no longer required are not removed.

Some users might be given certain permissions for a specific project, but at the project’s conclusion, those permissions aren’t rescinded.

Users are unlikely to proactively realise that they have permissions beyond what they need. Rather, they’re likely to notice when their permissions are insufficient, and attempting to perform something they don’t have access to.

This allows permissions drift to go unnoticed, with users invisibly accumulating permissions over time, with no immediate consequence.

Why is permission drift a problem? 

Permissions give users the ability to do different things within the platform. When users have powers within the platform that they don’t fully understand, it is far more likely that they will unwittingly enter incorrect data or “break” critical configurations.

Permission drift can also create security concerns, such as when a user still has access to the system once they’ve moved on from their role with the organisation.

How to handle permission drift?

Managing permission drift is an ongoing maintenance task that needs to be built into your processes. Rather than being a problem with a one-time “fix”, effectively managing permissions drift requires constant vigilance in adhering to good policies.  

User permissions should be defined by role, and permissions within the platform periodically reviewed on a set schedule. The review process and schedule should be proportionate to the number of users within the platform. The more users you have, the larger the scope for permission drift, which typically will require more frequent permissions reviews.

Securing your software

To ensure you are reducing the chance of permission drift in your software solutions, ask yourself or your team these 5 quesitons: 

1) Do you have defined user roles?

2) Have you defined required permissions for each role?

3) Is there a process for reviewing role permissions?

4) Is there a process for reviewing user roles?

5) Have you determined a frequency for these reviews?  

‍