What is least privilege?


Privilege misuse and credential theft continue to be a top cause of data breaches, according to the 2022 Verizon Data Breach Investigations Report. Since 2017, credential theft has risen by 30%, while another study found that more than half of all organizations have experienced the theft of privileged credentials.

The more identities with access to your network and data, the greater the risk of privilege misuse that leads to credential theft. The solution is to apply the principle of least privilege to your organization’s access control.

Defining Least Privilege

Least privilege limits the number of identities with access to networks, applications, data, programs and processes to only those who require access. The principle of least privilege focuses on access control and setting up minimal access privileges for every user and identity. Privilege is attached to human users and non-human identities and is most often assigned based on the user’s job duties or the non-human identity’s role within an application.

However, too often privileges aren’t revoked after they are no longer needed (e.g., a user changes jobs or the function of the non-human identity is completed), or access privileges are assigned to too many users. This opens up more opportunities for non-privileged users to gain access to critical systems or data through human error, vulnerabilities, or misuse.

Authentication, Authorization and Accounting

Authentication, authorization and accounting (AAA) security is an access control framework. Authentication identifies each user or identity, authorization determines access permissions, and accounting measures the resources accessed. Overall, AAA security is an important component for managing access control, but when looking at principles of least privilege, authorization is the most vital factor.

To get to least privileged access, organizations must authenticate the user, identify their specific access needs for accounts and applications within the network infrastructure, and then determine how much access is needed (full control or limited activity). An organization could legitimately have hundreds of users who can be authenticated for full network access, but that doesn’t mean they should be authorized to access everything. That’s where the principle of least privilege comes in: authenticated users are limited to the authorization their job functions require.

How to Determine Least Privilege

No two authenticated identities will have the same privilege needs. Some employees in the IT or security department will require a “superuser” status—someone who needs access to all or most accounts, applications, and processes across the organization. Many non-human identities will require authorization for a one-time function in DevOps. How do you determine the level of privilege a user can have?

Start with an audit. You can’t assign privilege without intimate knowledge of every account, application, program, or process within the organization and the exact permissions needed for each one to operate. Audits should be done regularly to ensure privileged access is kept current.

Once the audit of the infrastructure is completed, a similar audit of human users is also necessary. Every user with access to anything within the organization’s network should have a well-defined list of the access required to conduct their job duties efficiently and effectively. New users should be assigned the lowest level of privilege needed, with access permissions increased (or decreased) as their duties require.

Admin accounts should also adhere to least privilege principles.

Many of the cyber incidents that involve credential theft occur because of privilege creep. “Privilege creep often occurs when an employee changes job responsibilities within the organization and is granted new privileges,” Crystal Bedell wrote for TechTarget. “While an employee may need to retain his or her former privileges during a period of transition, those privileges are rarely revoked and result in an unnecessary accumulation of access privileges.”
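The audit and privilege-creep check described above can be sketched as a comparison of what each identity currently holds against what its role requires. This is an added example, not code from the article; the role names, permission strings, identities, dates and the 90-day staleness threshold are all constructed assumptions.

```python
from datetime import date

# Constructed baseline: the permissions each current role actually requires.
ROLE_BASELINE = {
    "support-agent": {"ticketing:write", "crm:read"},
    "billing-analyst": {"billing:read", "crm:read"},
}

# Constructed inventory: permission -> date last used (None = never used).
IDENTITIES = [
    # alice moved from support to billing; the old grant was never revoked.
    {"id": "alice", "role": "billing-analyst", "grants": {
        "billing:read": date(2024, 5, 28), "crm:read": date(2024, 5, 30),
        "ticketing:write": date(2023, 11, 2)}},
    {"id": "bob", "role": "support-agent", "grants": {
        "ticketing:write": date(2024, 5, 31), "crm:read": None}},
    {"id": "carol", "role": "support-agent", "grants": {
        "ticketing:write": date(2024, 5, 30), "crm:read": date(2024, 5, 29)}},
    # Machine identity whose one-time job is finished; its role is retired.
    {"id": "svc-migrate", "role": "db-migration-2023", "grants": {
        "prod-db:admin": date(2023, 9, 14)}},
]

STALE_AFTER_DAYS = 90  # assumed review threshold


def audit(identities, baseline, today, stale_after=STALE_AFTER_DAYS):
    """Return {identity: {"excess": [...], "stale": [...]}} for findings only.

    excess: granted but not required by the current role (privilege creep).
    stale:  required by the role but unused beyond the threshold, so the
            baseline itself may be broader than the job needs.
    """
    report = {}
    for ident in identities:
        # A role missing from the baseline requires nothing: every grant
        # held under it is excess and a candidate for revocation.
        required = baseline.get(ident["role"], set())
        grants = ident["grants"]
        excess = sorted(p for p in grants if p not in required)
        stale = sorted(
            p for p, last_used in grants.items()
            if p in required
            and (last_used is None or (today - last_used).days > stale_after)
        )
        if excess or stale:
            report[ident["id"]] = {"excess": excess, "stale": stale}
    return report


if __name__ == "__main__":
    for who, finding in audit(IDENTITIES, ROLE_BASELINE, date(2024, 6, 1)).items():
        print(who, finding)
```

Running the same comparison on a schedule, rather than once, is what keeps the findings current as people change roles.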

Non-human Identities and Least Privilege

With the push to adopt digital transformation, organizations want the DevOps team to create new applications and get them into market use as quickly as possible. That’s led to the rise of non-human, or machine, identities that play a role in the DevOps process. These identities, like human identities, need access permissions to perform their function. Like human users, non-human identities fall victim to privilege creep, leaving open vulnerabilities. These machine identities should be held to the same privilege standards and access controls as human users, the primary difference being that least privilege access for non-human identities must be monitored by a human to guard against suspicious and unusual behaviors.

Benefits of Least Privilege

Using principles of least privilege lowers your organization’s risk level in the following ways:

  • Decreases the threat of data breaches and credential theft.
  • Helps the organization show compliance with federal and industry regulation requirements.
  • Reduces the attack surface, decreasing the risk of cyber attacks or malware spread.
  • Allows the organization to track user behavior.
  • Decreases the risk of human error.
  • Improves overall cybersecurity.