
I'm studying for the CISSP and am getting hung up on some terminology. Specifically, I'm confused on the difference between access aggregation and authorization creep.

In both cases, it seems to me that individual users are gaining more access to more systems. Is access aggregation considered acceptable but authorization creep isn't?

Mike B

2 Answers


Not sure if this is correct specifically for CISSP, but where I work the terms mean the following:

Access Aggregation: Users gaining more access across more systems. This might be intentional, as a result of something like the implementation of single sign-on capabilities, or unintentional, where they are granted new access rights without considering the rights they already have.

Authorisation Creep: This is where there's a bit of overlap with access aggregation; it's when users are given new, or more expansive, rights without having their old rights revoked.

hvindin

Aggregation is a condition of many systems and security designs and isn't an inherent problem. But it's something that the admins have to be aware of to prevent creep.

Creep happens unintentionally and can result in violations in authorised access as a result of aggregation.

schroeder
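To make the distinction in both answers concrete, here is an added example (not from either answerer, and not any product's code) that treats aggregation as the union of a user's grants across systems and creep as the subset of those grants that the user's current role does not justify. The role model, the entitlement export and the role assignments are all constructed for the example; the `system:action` naming of entitlements is an assumption of the example, not a standard.

```python
"""Added example: spotting authorization creep in an entitlement export.

Aggregation is modelled as the union of a user's grants across all systems;
creep is the part of that union the user's *current* role does not account
for, which is typically what was never revoked after a role change.
"""
from collections import defaultdict

# Hypothetical role model: the entitlements each role is supposed to carry.
ROLE_ENTITLEMENTS = {
    "helpdesk": {"ticketing:read", "ticketing:write", "directory:read"},
    "sysadmin": {"servers:admin", "directory:read", "directory:write"},
    "finance":  {"ledger:read", "ledger:write"},
}

# Constructed IAM export: one (user, entitlement) record per grant.
GRANTS = [
    ("alice", "ticketing:read"),   # alice moved from helpdesk to sysadmin;
    ("alice", "ticketing:write"),  # the helpdesk grants were never revoked
    ("alice", "directory:read"),
    ("alice", "directory:write"),
    ("alice", "servers:admin"),
    ("bob", "ledger:read"),        # bob is finance and holds exactly what finance needs
    ("bob", "ledger:write"),
    ("carol", "ticketing:read"),   # carol is helpdesk but is missing one grant
    ("carol", "directory:read"),
]

# Constructed current role assignment for each user.
CURRENT_ROLE = {"alice": "sysadmin", "bob": "finance", "carol": "helpdesk"}


def aggregate(grants):
    """Access aggregation: collect every entitlement each user holds, across all systems."""
    held = defaultdict(set)
    for user, entitlement in grants:
        held[user].add(entitlement)
    return dict(held)


def systems_reached(entitlements):
    """Distinct systems a set of entitlements touches (the 'system' part of 'system:action')."""
    return sorted({e.split(":", 1)[0] for e in entitlements})


def find_creep(held, current_role, role_model=ROLE_ENTITLEMENTS):
    """Authorization creep: grants the user's current role does not justify.

    Returns {user: {"excess": [...], "missing": [...]}} so a reviewer sees both
    leftover rights (to revoke) and gaps (to fix) in one pass.
    """
    report = {}
    for user, entitlements in held.items():
        expected = role_model.get(current_role.get(user), set())
        report[user] = {
            "excess": sorted(entitlements - expected),
            "missing": sorted(expected - entitlements),
        }
    return report


def review(grants=GRANTS, current_role=CURRENT_ROLE):
    """Per-user access review: aggregated reach plus any creep against the role model."""
    held = aggregate(grants)
    creep = find_creep(held, current_role)
    return {
        user: {
            "role": current_role.get(user),
            "systems": systems_reached(held[user]),
            **creep[user],
        }
        for user in sorted(held)
    }


if __name__ == "__main__":
    for user, row in review().items():
        flag = "CREEP" if row["excess"] else "ok"
        print(f"{user:6} {row['role']:9} systems={row['systems']} "
              f"excess={row['excess']} missing={row['missing']} [{flag}]")
```

In this constructed data alice's aggregation (three systems) is not itself the finding; the finding is the two ticketing grants left over from her helpdesk role, which is the creep the second answer says admins must watch for. Running the same comparison on a real export requires only replacing the constructed role model and grant list with the organisation's own.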