What is the Principle of Least Privilege and How Do You Implement It?
In the military, they have a well-known phrase that happens to succinctly describe the definition of the least privilege principle: ‘Need-To-Know Basis’. For the military, this means that sensitive information is only given to those who need that information to perform their duty. In cybersecurity, it’s much the same idea. The ‘least privilege’ principle involves the restriction of individual user access rights within a company to only those which are necessary in order for them to do their job. By the same token, each system process, device, and application should be granted the least authority necessary, to avoid compromising privileged information.
The idea is that, with bare minimum access across the board, the ‘attack surface’ is reduced, lowering the company’s risk.
The concept of Least Privilege is a practical component of most cybersecurity regulations. Section 5.6 of the NIST Standard, for example, discusses the need for “Defense in Depth,” recommending that OT security managers understand and defend against “attacks on privileged and/or shared accounts.” The standard includes a recommendation for “Restricting ICS user privileges to only those that are required to perform each person’s job (i.e., establishing role-based access control and configuring each role based on the principle of least privilege)”, in effect, emphasizing the need for controlled privilege access. By facilitating least privilege, PAM is a critical component of compliance.
By facilitating the Least Privilege Principle, PAM is a critical component of compliance with regulations like the NIST Standard
Why implement least privilege?
The least privilege principle benefits system stability. When the scope of changes that a user is able to make is limited, it actually facilitates the monitoring and dependability of resources, data, and servers across the network. Limiting system-wide access also means that a potential vulnerability in one application is unable to impact other devices or applications, as even those with privileged access to the first system may not have access to any others, limiting vulnerability exposure.
Another benefit of least privilege is that it quickly minimizes Insider Threat posed by privileged user accounts. When users are only given access rights to the bare minimum of systems or time frames necessary to do their jobs or complete a one-off task, system vulnerability is drastically reduced. Without visibility on other, unauthorized resources, lateral moves are impossible and unauthorized or after-hours actions are immediately suspect.
So how should you implement least privilege?
An Access Management platform provides a single point of access and administration for all privileged users. ‘Super-administrators’ can quickly add or delete users as needed and modify access and permissions to any system based on changes in job responsibilities. This is crucial in the practical ability of administrators to maintain the principle of least privilege (i.e. that users are only given the minimum amount of privileges needed to perform their jobs—and these privileges are promptly revoked when no longer needed).
Firstly, you should conduct a privilege audit, to ascertain all privileged accounts and credentials currently in operation, comprising all user and local accounts. This is where a Discovery tool comes into its own, digging deep to detect privileged accounts and potential related security failures across your entire infrastructure, so nothing is missed.
Once you are fully aware of all privileged accounts and users on the network, you can begin to determine who truly needs access to which resources, data and systems, and who does not. This allows you to redefine access rights. A PAM solution enables the granting of privileges to a granular level. Users only see the resources they have rights to, and thus may not even be aware that other resources (for which they do not have access) exist. Where necessary, access can be granted for specific time periods: For example, if a third-party provider needs access to MRI machines for 3 days for maintenance, but not before or after that period.
With all this information duly noted, super-administrators can re-attribute privileges based on a ‘need-to-know’ basis. A granular PAM policy can streamline this process. At this point, you will have dramatically reduced the potential attack surface.
Thereafter, if any additional permissions are required by individual users, a request can be raised and assessed by the ‘superuser’. Just-in-time granting and revocation of privileges can also be implemented, being bound either by completion of a specific task or after a certain period has expired.
Another benefit of a PAM-based Least Privilege policy is one-time use passwords, which are ‘checked out’ by a user for a given session, expiring when they are checked back in. Such privilege management can be mostly automated, while keeping a permanent record of who has accessed the system and when. This keeps workload for the IT ‘super-admins’ under control. With WALLIX’s Bastion solution, it’s even simpler, with access being requested, granted, monitored and revoked directly through the platform.
Least Privilege and PAM
The least privilege principle is a powerful form of data and system protection, and an integral part of a PAM-based solution. It’s worth bearing in mind that least privilege cannot be relied upon as a standalone solution. The key is that it must be a built-in part of a PAM (Privileged Access Management) system, which allows super-admins to grant and revoke access privileges to users on an as-needed basis. The WALLIX solution offers a single point of administration for all systems, users, and so on – optimizing the process.
The WALLIX PAM solution goes a step further, acting as a preventive measure. Even users with administrative privileges work from behind an ‘airlock’, never actually accessing the back end directly, nor accessing the root password. This approach means super-admins are not required to be at the beck and call of users requesting access every day, while the inherent risk posed by privileged users (from former employees to impersonating hackers) is considerably reduced.
In the current climate, with high volumes of cyber threats hitting businesses on a daily basis, it is vital that organizations of all sizes have extensive controls in place to ensure their system and network security. This is, of course, of key importance to the safety, productivity and profitability of the organization, but it is also a matter of compliance, with traceability and accountability high on the agenda.
Whilst the least privilege principle has a range of benefits, as we’ve discussed, enforcing it can be challenging without a streamlined solution to manage all privileged accounts and users. Incorporating the theory into a more comprehensive PAM policy and platform offers a better strategy for optimizing security against the potential risks posed by privileged users.