Least privilege is a goal that many organizations aim to achieve but rarely do. For example, Microsoft estimates that almost 98% of its tenants have at least one overprivileged identity.
At a fundamental level, the presence of unused permissions leads to a key problem for an organization: once an identity is compromised, it becomes much easier for an attacker to move laterally or escalate privileges in an environment.
However, removing unused permissions is far from easy, so at SlashID we’ve worked hard to automate the process and help companies achieve a safer posture.
The issues with achieving least privilege
Depending on the organization, several factors get in the way of removing unused entitlements but three are by far the most common:
- Concerns over uptime: What if removing an entitlement causes a critical cron job to stop functioning or a key employee can’t do their job when it is most needed?
- Complex authorization systems: Authorization systems are increasingly hard to comprehend, especially those of cloud service providers (CSPs). Creating least-privilege policies at provisioning time is all but impossible.
- Birthright creep: Permissions are commonly assigned to users based on their job function. This often means that everyone in a given department gets the same permissions, whether or not they need them.
The SlashID approach to the problem
At SlashID we have combined the power of an identity access graph with real-time streaming of audit logs. This combination allows us to identify unused permissions for each identity and automatically generate a new policy to remove them.
We do this for all supported environments, not just CSPs.
Here’s an example showing how to generate a policy that removes unused permissions for an AWS identity:
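As an added illustration of the mechanism described above, not SlashID’s own tooling or the output of its product, the Python below takes a role’s current IAM policy and CloudTrail-style events, credits AssumedRole sessions to the issuing role, counts only actions exercised within a lookback window you choose, and emits a policy trimmed to those actions. The role ARN, policy, events and dates are constructed sample values.

```python
from datetime import datetime, timedelta, timezone
# Constructed sample (not SlashID data): a role's IAM policy and CloudTrail-style events.
ROLE_ARN = "arn:aws:iam::123456789012:role/app-role"
POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Resource": "arn:aws:s3:::example-bucket/*",
     "Action": ["s3:GetObject", "s3:PutObject", "s3:DeleteObject"]},
    {"Effect": "Allow", "Resource": "*",
     "Action": ["ec2:DescribeInstances", "ec2:TerminateInstances"]}]}
ROLE_SESSION = {"type": "AssumedRole", "sessionContext": {"sessionIssuer": {"arn": ROLE_ARN}}}
EVENTS = [  # the third event belongs to another principal and must not count
    {"eventTime": "2024-03-01T10:00:00Z", "eventSource": "s3.amazonaws.com",
     "eventName": "GetObject", "userIdentity": ROLE_SESSION},
    {"eventTime": "2023-11-15T02:00:00Z", "eventSource": "s3.amazonaws.com",
     "eventName": "PutObject", "userIdentity": ROLE_SESSION},
    {"eventTime": "2024-03-02T09:30:00Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "TerminateInstances", "userIdentity":
     {"type": "IAMUser", "arn": "arn:aws:iam::123456789012:user/alice"}}]
NOW = datetime(2024, 3, 10, tzinfo=timezone.utc)  # fixed "now" for the sample

def principal_arn(event):
    """Identity to credit; for AssumedRole sessions that is the issuing role."""
    ident = event["userIdentity"]
    if ident.get("type") == "AssumedRole":
        return ident["sessionContext"]["sessionIssuer"]["arn"]
    return ident.get("arn")

def used_actions(events, principal, lookback_days, now=NOW):
    """'service:EventName' pairs the principal exercised inside the window.
    Assumes eventName equals the IAM action name (true for most APIs, not all)
    and that the relevant data events (e.g. S3 object calls) are being logged."""
    cutoff = now - timedelta(days=lookback_days)
    used = set()
    for ev in events:
        when = datetime.fromisoformat(ev["eventTime"].replace("Z", "+00:00"))
        if principal_arn(ev) == principal and when >= cutoff:
            used.add(f'{ev["eventSource"].split(".")[0]}:{ev["eventName"]}')
    return used

def minimize_policy(policy, used):
    """Policy copy with each Allow statement cut down to the actions used and
    empty statements dropped; wildcards like 's3:*' stay (usage is unattributable)."""
    out = {"Version": policy["Version"], "Statement": []}
    for st in policy["Statement"]:
        actions = st["Action"] if isinstance(st["Action"], list) else [st["Action"]]
        if st["Effect"] == "Allow":  # Deny statements are never relaxed
            actions = [a for a in actions if "*" in a or a in used]
        if actions:
            out["Statement"].append({**st, "Action": actions})
    return out
```

With a 90-day window only s3:GetObject survives, while a 365-day window also preserves the sporadically used s3:PutObject, which is the lookback limitation discussed below.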
What about built-in permission analyzers?
GCP and AWS provide built-in permissions analyzers that can help identify unused permissions and build least privilege policies; however, they suffer from several shortcomings:
- The lookback window is limited to 90 days: if you want to preserve permissions that an identity uses only sporadically, you can’t rely on the built-in access analyzers.
- They are not automated: if you want automated remediation, you need to build a workflow pipeline yourself.
- They don’t take into account all events, which can lead to incorrect remediations.
- They don’t take into account impersonation: roles and service accounts are often used by multiple identities, so the role itself may require every permission assigned to it while the individual identities that can impersonate it need only a subset. The built-in analyzers don’t see that distinction.
- The cost of generating new policies often skyrockets, making this an exercise that can only be done rarely rather than continuously.
With SlashID, those problems are automatically addressed for you so you can safely remove unused permissions without manual effort or downtime.
Results you can expect
- 50-90% reduction in standing privileges within the first month
- Zero unplanned downtime
- 10-30% saving on unused seats or licenses
Conclusion
Removing unused permissions is one of the best hygiene measures companies can take to prevent an incident from turning into a breach. Please get in touch to learn more.