Least Privilege At Work: PEDM and Defense in Depth

Cyberthreats are many and varied, which means that cybersecurity measures need to be equally varied and agile in order to truly protect your organization. To provide such agility, the application of two main principles is required when designing and implementing cybersecurity: Least Privilege and Defense in Depth.

The Principle of Least Privilege, or POLP, is an easy concept to understand because it says up front what it’s all about: Making sure that anyone with access to privileged resources only has privileges to the least amount of resources required to accomplish their tasks. It also means implementing granular, precise rights rather than catch-all, access-to-everything overarching privileges. But although the concept itself is easy to understand, implementing it can be a challenge when it comes to admins and other users who potentially require access to a wide array of privileged resources.

Though the Principle of Least Privilege is easy to understand, implementing it can be a challenge.

Ensuring that everyone, even admins, can only access the resources to which they are privileged is what lies at the heart of Privileged Access Management (PAM). But again, the application of PAM to admins can be complex, owing both to the wide range of tasks that admins need to accomplish and the number of resources that they might legitimately need to access in order to do so – which is where Defense in Depth comes into play.

Defense in Depth, as a security principle, derives from the fact that applying a single line of defense is simply not enough to ensure security across the complicated structure of modern corporate resources and networks. Rather, what is needed are layers of security – an in-depth defense – that can match the complexity of corporate systems. Applying a granular approach to PAM can help do exactly that.

To be as precise as possible, PAM should apply to everyone with elevated rights. This especially includes admins who, by the nature of their work, often need extensive access to sensitive resources including servers, data, and critical IT systems. In order to provide this granularity, and thus the defense in depth that’s needed, certain key functionalities need to be in place:

Administrators, like all users, need to be granted only the least possible privileges required to do their work.
If privileged resources are potentially dangerous because they can access other privileged resources – they have the capability to change the system registry or system folders, for example – these actions and access should be restricted as a matter of course.
Any encryption that a resource carries out should be subject to a ruleset so that proper encryption – passwords or credit card numbers in a database, for example – is allowed to proceed, but illicit encryption like that attempted by ransomware is not.
Application-to-application resource management needs to be in place. That is, certain applications should never be allowed privileged access, even if the user is an admin with privileged rights of their own.

Employing a PAM solution that has this kind of functionality ensures both that the Principle of Least Privilege is followed, as well as provides the defensive layers needed to help ensure security. It does this by making sure that all privileged users, including super admins, can only access the least amount of resources needed for their work at any given time – and that the resources themselves cannot be used in turn to access other privileged resources.

On a final note, it’s also important that, while defense-in-depth and granular, minimum privileges can provide the complexity needed to counter complex threats, the application of these principles must be as simple and transparent as possible. In other words, even though the defense must be complex, the system itself must be easy to manage, or it won’t be used – and it must be as transparent to users as possible so that impacts to performance of their necessary tasks are negligible.

Cyberthreats are real, and it’s only through creating a cybersecurity system that employs the least privilege with a deep feature set and ease of use that companies can hope to head off these threats.

Related resources

December 15, 2023

Cookie	Duration	Description
IDE	1 year 24 days	Used by Google DoubleClick and stores information about how the user uses the website and any other advertisement before visiting the website. This is used to present users with ads that are relevant to them according to the user profile.
test_cookie	15 minutes	This cookie is set by doubleclick.net. The purpose of the cookie is to determine if the user's browser supports cookies.
VISITOR_INFO1_LIVE	5 months 27 days	This cookie is set by Youtube. Used to track the information of the embedded YouTube videos on a website.

Cookie	Duration	Description
__hstc	1 year 24 days	This cookie is set by Hubspot and is used for tracking visitors. It contains the domain, utk, initial timestamp (first visit), last timestamp (last visit), current timestamp (this visit), and session number (increments for each subsequent session).
_ga	2 years	This cookie is installed by Google Analytics. The cookie is used to calculate visitor, session, campaign data and keep track of site usage for the site's analytics report. The cookies store information anonymously and assign a randomly generated number to identify unique visitors.
_gid	1 day	This cookie is installed by Google Analytics. The cookie is used to store information of how visitors use a website and helps in creating an analytics report of how the wbsite is doing. The data collected including the number visitors, the source where they have come from, and the pages viisted in an anonymous form.
hubspotutk	1 year 24 days	This cookie is used by HubSpot to keep track of the visitors to the website. This cookie is passed to Hubspot on form submission and used when deduplicating contacts.
trackalyzer	1 year	This cookie is used by Leadlander. The cookie is used to analyse the website visitors and monitor traffic patterns.

Cookie	Duration	Description
__hssc	30 minutes	This cookie is set by HubSpot. The purpose of the cookie is to keep track of sessions. This is used to determine if HubSpot should increment the session number and timestamps in the __hstc cookie. It contains the domain, viewCount (increments each pageView in a session), and session start timestamp.
bcookie	2 years	This cookie is set by linkedIn. The purpose of the cookie is to enable LinkedIn functionalities on the page.
lang	session	This cookie is used to store the language preferences of a user to serve up content in that stored language the next time user visit the website.
lidc	1 day	This cookie is set by LinkedIn and used for routing.
messagesUtk	1 year 24 days	This cookie is set by hubspot. This cookie is used to recognize the user who have chatted using the messages tool. This cookies is stored if the user leaves before they are added as a contact. If the returning user visits again with this cookie on the browser, the chat history with the user will be loaded.

Cookie	Duration	Description
__cfduid	1 month	The cookie is used by cdn services like CloudFare to identify individual clients behind a shared IP address and apply security settings on a per-client basis. It does not correspond to any user ID in the web application and does not store any personally identifiable information.
__hssrc	session	This cookie is set by Hubspot. According to their documentation, whenever HubSpot changes the session cookie, this cookie is also set to determine if the visitor has restarted their browser. If this cookie does not exist when HubSpot manages cookies, it is considered a new session.
cookielawinfo-checbox-analytics	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Analytics".
cookielawinfo-checbox-functional	11 months	The cookie is set by GDPR cookie consent to record the user consent for the cookies in the category "Functional".
cookielawinfo-checbox-others	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Other.
cookielawinfo-checkbox-necessary	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookies is used to store the user consent for the cookies in the category "Necessary".
cookielawinfo-checkbox-performance	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Performance".
JSESSIONID	session	Used by sites written in JSP. General purpose platform session cookies that are used to maintain users' state across page requests.
viewed_cookie_policy	11 months	The cookie is set by the GDPR Cookie Consent plugin and is used to store whether or not user has consented to the use of cookies. It does not store any personal data.

Cookie	Duration	Description
_gat_UA-12183334-1	1 minute	No description
AnalyticsSyncHistory	1 month	No description
CONSENT	16 years 9 months 23 days 12 hours 13 minutes	No description
UserMatchHistory	1 month	Linkedin - Used to track visitors on multiple websites, in order to present relevant advertisement based on the visitor's preferences.
wp-wpml_current_language	1 day	No description

Least Privilege At Work: PEDM and Defense in Depth

Related content

The railway sector and the cybersecurity challenges

Modernize Identity and Access Governance (IAG) for NIS2 Compliance: Time to go?

International tensions: manage the implementation of cybersecurity measures in emergency situations

Securing financial institutions with the help of PAM solutions

The five top tips to reassess your IT security risk

Related resources

Guide to Threat Vectors

Key Considerations for SaaS Adoption and Top 10 Reasons Why PAM as a Service is Good for Your Business

The Benefits of IAM and PAM

Zero Trust Cybersecurity

PRODUCTS

RESOURCES

SUPPORT

ABOUT

FOLLOW US

Least Privilege At Work: PEDM and Defense in Depth

Share this entry

Related content

Related resources

PRODUCTS

RESOURCES

SUPPORT

ABOUT

FOLLOW US