Time to read: 5 mins
What is least privilege?
Privilege misuse and credential theft continue to be the leading causes of data breaches, according to the 2022 Verizon Data Breach Investigations Report. Since 2017, credential theft has risen by 30%. Another study found that more than half of all organizations have experienced the theft of privileged credentials.
The more identities with access to your network and data, the greater the risk of privilege misuse that leads to credential theft. The solution is to adopt a principle of least privilege to your organization’s access control.
Defining Least Privilege
Least privilege is a security principle that states that a user or program should have the least amount of access necessary to perform their intended function. In other words, a user or program should only have access to the resources and permissions that are required to complete the task at hand, and no more. This principle is used to minimize the potential damage that can be caused by a security breach or by a user or program with malicious intent.
Least privilege limits the number of identities with access to networks, applications, data, programs and processes to only those who require access. Privilege is attached to human users and non-human identities, such as industrial control systems, Internet of Things (IoT) devices, and autonomous vehicles, and it is most often assigned based on the user’s job duties or the non-human identity’s role within an application.
However, far too often privileges aren’t revoked after they are no longer needed (i.e., a user changes jobs or the function of the non-human identity is completed) or access privileges are assigned to too many users. This opens up more opportunities for non-privileged, outside users to gain access to critical systems or data through human error, vulnerabilities, or misuse.
Non-human Identities and Least Privilege
Non-human identities refer to entities that are not living beings, such as software programs, robots, and autonomous systems. These entities can be assigned unique identities and are often given the ability to interact with the physical world and with other systems or entities. These identities typically have access to specific resources and permissions, and are granted access to these resources based on their identity and the principle of least privilege.
With the push to adopt the digital transformation, organizations want the DevOps team to create new applications and get them into market use as quickly as possible. This has led to the rise of non-human identities that play a role in the DevOps process. Like human users, non-human identities fall victim to privilege creep, leaving open vulnerabilities. These machine identities should be held to the same privilege standards and access controls of human users, the primary difference being least privilege access for non-human identities must be monitored by a human to guard against suspicious and unusual behaviors.
Authentication, Authorization and Accounting
Authentication, Authorization and Accounting (AAA) security is an access control framework. Authentication identifies each user or identity, authorization determines their access permissions, and accounting measures the resources accessed by the individual. Overall, AAA security is an important component for managing access control, but when looking at the principles of least privilege, authorization is the most vital factor. To achieve least privileged access, organizations must authenticate the user and their specific needs for access to accounts and applications within the network infrastructure, and then determine how much access is needed, either full control or limited activity. An organization could legitimately have hundreds of users who can be authenticated for full network access, but that doesn’t mean they should be authorized to access everything. That’s where the principle of least privilege comes in. Authenticated users are limited to authorization based on their job functions.
How to Determine Least Privilege
No two authenticated identities will have the same privilege needs. Some employees in the IT or security department will require a “superuser” status, i.e. someone who needs access to all or most accounts, applications, and processes across the organization. But, how do you determine the level of privilege a user can have?
Start with an audit of the system infrastructure. You cannot assign privilege without intimate knowledge of every account, application, program, or process within the organization and the exact permissions needed for each one to operate. Audits should be done regularly to ensure privileged access is kept current.
Once the audit of the system is completed, a similar audit of human users is also necessary. Every user with access to anything within the organization’s network should have a well-defined list of what type of access is required to conduct their job duties efficiently and effectively. Any new users should be assigned the least amount of privilege needed and access permissions increased (or decreased) as their duties require.
Admin accounts should also adhere to least privilege principles.
Many of the cyber incidents that involve credential theft occur because of privilege creep. “Privilege creep often occurs when an employee changes job responsibilities within the organization and is granted new privileges,” Crystal Bedell wrote for TechTarget. “While an employee may need to retain his or her former privileges during a period of transition, those privileges are rarely revoked and result in an unnecessary accumulation of access privileges.”
Benefits of Least Privilege
Using principles of least privilege lowers your organization’s risk level in the following ways:
- Decreases the threat of data breaches and credential theft.
- Helps the organization to show compliance to federal and industry regulation requirements.
- Reduces the attack surface, decreasing the risk of cyber attacks or malware spread.
- Allows the organization to track user behavior.
- Decreases the risks of human error
- Overall better cybersecurity