
The Principle of Least Privilege and Its Importance in the Modern Workplace

Did you know that user accounts that hold complete access credentials to your network are your biggest liability? When an attacker compromises one of these accounts, they gain full control over your systems with a single login.

This is why we should all practice the principle of least privilege. In the following lines, I will tell you everything that you need to know about this vital concept and what it can do for your organization. So, if you want to find out not only what it is, but how you can implement it and why you should do it as soon as possible, then keep reading.

What is the Principle of Least Privilege?

The principle of least privilege (or PoLP for short) presupposes that a user operating within a network should have only the minimal amount of access required to perform their duties. For example, a marketing specialist doesn’t need admin rights to complete their daily tasks, while an IT expert who administers an organization’s systems does.

The concept of PoLP primarily pertains to the field of information security, where it is also known as the principle of minimal privilege or the principle of least authority. British computer scientist Roger Needham was the first to lay the foundation for the principle of least privilege in 1972 with his theory on dynamic assignments of privileges.

However, PoLP as we know it today was originally formulated by American computer scientist Jerome Saltzer in 1975, in an issue of the Communications of the Association for Computing Machinery monthly journal. Virtual memory pioneer Peter J. Denning further developed the concept in his 1976 paper entitled “Fault tolerant operating systems”, where he established it as one of four central principles of fault tolerance.

How to Practice PoLP Successfully

In order to better understand how you can apply PoLP in your organization, we should first have a look at the two main notions that relate to it: privilege creep and privilege bracketing.

I. Privilege Creep

Also referred to as access creep in the field of information security, the term privilege creep was coined to describe network users who amass redundant credentials over time. This commonly happens when employees change jobs within the same company, either by being promoted or by switching departments entirely. Despite their new function, they retain the privileges of their former position and receive new ones on top. When this happens repeatedly, it becomes a problem for your enterprise.

For example, let’s say a quality assurance technician leaves the testing team to become a product planner. They will be granted new access rights for their new position while retaining QA-level access at the same time. Someone who compromises their account can thus reach more of your product infrastructure than you’d like.

Privilege creep is the main reason companies end up with improper privileged access management (PAM) practices. Even if you already limit access rights within your company, you should check for user accounts with unnecessary credentials. It can happen to anyone.
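The audit the paragraph above asks for can be expressed as a simple set difference: compare what the directory actually grants a user against what their current role needs, and trace every leftover back to the role that once justified it. The following is an added example written for this article, not code from the original; the role matrix, entitlement names and the three users are constructed sample data, and the QA-technician-turned-product-planner case mirrors the article's own scenario.

```python
"""Privilege-creep audit: flag entitlements a user holds that their current
role does not justify, and trace each one back to the former role that
explains it. Added example for this article; the role matrix and the users
below are constructed sample data, not taken from any real directory."""
from dataclasses import dataclass, field
from typing import Dict, List, Set

# Role -> entitlements that role legitimately needs (constructed).
ROLE_ENTITLEMENTS: Dict[str, Set[str]] = {
    "qa-technician":   {"test-env:deploy", "bug-tracker:write", "build-artifacts:read"},
    "product-planner": {"roadmap:write", "bug-tracker:read", "analytics:read"},
    "network-admin":   {"firewall:admin", "dns:admin"},
    "marketing":       {"cms:write", "analytics:read"},
}


@dataclass
class User:
    name: str
    current_role: str
    former_roles: List[str]      # roles held earlier, oldest first
    entitlements: Set[str]       # what the directory actually grants today


@dataclass
class CreepFinding:
    user: str
    stale: Set[str]                                             # not justified by current role
    explained_by: Dict[str, str] = field(default_factory=dict)  # entitlement -> former role

    @property
    def orphaned(self) -> Set[str]:
        """Stale entitlements that no former role explains: they were granted
        outside the role process, so they deserve the closest look."""
        return self.stale - set(self.explained_by)


def find_privilege_creep(user: User,
                         role_map: Dict[str, Set[str]] = ROLE_ENTITLEMENTS) -> CreepFinding:
    """Everything the user holds beyond the current role's needs is stale."""
    justified = role_map.get(user.current_role, set())
    stale = user.entitlements - justified
    explained: Dict[str, str] = {}
    for ent in stale:
        # Most recent former role first: that is the one most likely left behind.
        for role in reversed(user.former_roles):
            if ent in role_map.get(role, set()):
                explained[ent] = role
                break
    return CreepFinding(user.name, stale, explained)


def audit(users: List[User],
          role_map: Dict[str, Set[str]] = ROLE_ENTITLEMENTS) -> List[CreepFinding]:
    """Return one finding per user that holds at least one stale entitlement."""
    return [f for f in (find_privilege_creep(u, role_map) for u in users) if f.stale]


# Constructed sample directory extract.
SAMPLE_USERS = [
    # The article's example: QA technician promoted to product planner, old rights kept.
    User("alice", "product-planner", ["qa-technician"],
         {"test-env:deploy", "bug-tracker:write", "build-artifacts:read",
          "roadmap:write", "bug-tracker:read", "analytics:read"}),
    # Never held an admin role, yet carries a firewall grant nobody can explain.
    User("bob", "marketing", [], {"cms:write", "analytics:read", "firewall:admin"}),
    # Clean: entitlements match the current role exactly.
    User("carol", "network-admin", ["qa-technician"], {"firewall:admin", "dns:admin"}),
]

if __name__ == "__main__":
    for finding in audit(SAMPLE_USERS):
        print(f"{finding.user}: stale={sorted(finding.stale)} "
              f"explained_by={finding.explained_by} orphaned={sorted(finding.orphaned)}")
```

Two kinds of result come out of this. Entitlements that a former role explains are classic creep and can usually be revoked in bulk once the new role's needs are confirmed. Entitlements that no role in the user's history explains (Bob's firewall grant above) were issued outside the role process and should be investigated individually before removal.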

II. Privilege Bracketing

The concept of privilege bracketing is something that many businesses practice without even knowing what it’s called. The phrase refers to giving admin rights to the network managers who need them, or granting regular users admin rights for a short period of time only. For example, if someone on the design team needs Adobe Photoshop, they can be granted admin rights for the 15-minute duration of the installation process.

Obviously, doing so takes up a lot of your network admin’s work day. Reducing the time spent on privilege bracketing within your company is thus essential. This is where having a piece of PAM software comes into play.

Privileged access management software gives your IT department the possibility to review access requests faster, or even to automate them for certain purposes. But before running out and getting one, here’s what you need to consider for a complete PAM optimization strategy:

  • Audit privileges among your users.
  • Determine who needs access where.
  • Ascertain where privilege creep has occurred.
  • Improve your privilege bracketing strategy.
  • Install PAM software to handle requests.
  • Reconsider your BYOD (bring your own device) policy.
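The bracketing paragraph above (admin rights for the 15-minute duration of an install) and the checklist item about PAM software handling requests describe the same mechanism: a broker that hands out a privilege for a bounded window, enforces who may ask for what, and revokes it when the window closes. The following is an added example written for this article, not code from the original or from any PAM vendor; the broker API, the policy cap, the eligibility table and the sample requests are all assumptions, and the clock is passed in explicitly so the behaviour is reproducible.

```python
"""Time-boxed elevation ("privilege bracketing") with automatic expiry and an
audit trail. Added example for this article: the broker API, policy values and
sample requests are assumptions for illustration, not any vendor's PAM product."""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Optional, Set

MAX_ELEVATION = timedelta(minutes=60)   # policy cap on any single bracket (constructed)

# privilege -> roles that may hold it temporarily (constructed policy)
ELIGIBLE: Dict[str, Set[str]] = {
    "local-admin": {"design", "engineering"},
    "firewall:admin": {"network-admin"},
}

T0 = datetime(2024, 1, 15, 10, 0)       # constructed reference timestamp


def later(minutes: int) -> datetime:
    """Clock helper so callers can ask "what is the state N minutes after T0?"."""
    return T0 + timedelta(minutes=minutes)


@dataclass
class Grant:
    user: str
    privilege: str
    reason: str
    granted_at: datetime
    expires_at: datetime
    revoked_at: Optional[datetime] = None

    def active(self, now: datetime) -> bool:
        return self.revoked_at is None and now < self.expires_at


class ElevationBroker:
    """Hands out privileges for a bounded window and revokes them on expiry."""

    def __init__(self, eligible: Dict[str, Set[str]] = ELIGIBLE):
        self._eligible = eligible
        self._grants: List[Grant] = []
        self.audit_log: List[str] = []

    def _log(self, now: datetime, line: str) -> None:
        self.audit_log.append(f"{now.isoformat()} {line}")

    def request(self, user: str, role: str, privilege: str, reason: str,
                minutes: int, now: datetime) -> Optional[Grant]:
        """Grant `privilege` to `user` for `minutes`, or return None and log why not."""
        if role not in self._eligible.get(privilege, set()):
            self._log(now, f"DENY {user} {privilege}: role '{role}' not eligible")
            return None
        duration = timedelta(minutes=minutes)
        if minutes <= 0 or duration > MAX_ELEVATION:
            self._log(now, f"DENY {user} {privilege}: {minutes}m outside policy window")
            return None
        if not reason.strip():
            self._log(now, f"DENY {user} {privilege}: no justification given")
            return None
        grant = Grant(user, privilege, reason, now, now + duration)
        self._grants.append(grant)
        self._log(now, f"GRANT {user} {privilege} until {grant.expires_at.isoformat()} ({reason})")
        return grant

    def expire(self, now: datetime) -> int:
        """Revoke every grant whose window has closed; returns how many were revoked."""
        count = 0
        for g in self._grants:
            if g.revoked_at is None and now >= g.expires_at:
                g.revoked_at = now
                count += 1
                self._log(now, f"REVOKE {g.user} {g.privilege}: bracket expired")
        return count

    def is_elevated(self, user: str, privilege: str, now: datetime) -> bool:
        """Authorisation check a system would call before honouring an admin action."""
        self.expire(now)   # lazily close expired brackets on every check
        return any(g.user == user and g.privilege == privilege and g.active(now)
                   for g in self._grants)


def demo() -> ElevationBroker:
    """The article's scenario: a designer gets local admin for a 15-minute install,
    plus two requests the policy must refuse (constructed)."""
    broker = ElevationBroker()
    broker.request("dana", "design", "local-admin", "install Photoshop", 15, T0)
    broker.request("eve", "marketing", "firewall:admin", "curious", 15, T0)       # wrong role
    broker.request("frank", "engineering", "local-admin", "big build", 240, T0)   # exceeds cap
    return broker


if __name__ == "__main__":
    b = demo()
    print("dana at +10 min:", b.is_elevated("dana", "local-admin", later(10)))
    print("dana at +15 min:", b.is_elevated("dana", "local-admin", later(15)))
    print("\n".join(b.audit_log))
```

The point of the design is that elevation is never left open-ended: every grant carries its own expiry, the check that gates admin actions closes expired brackets as a side effect, and every decision (grant, deny, revoke) lands in one log that the audit step of the checklist can read back. The eligibility table is what keeps "anyone can ask for 15 minutes of admin" from becoming "anyone can ask for firewall admin".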

Why Should You Implement PoLP?

There are many real-life examples of renowned companies that failed to implement the principle of least privilege among staff and fell victim to cyberattacks as a consequence. In fact, multiple studies and forecasts estimate that between 74% and 80% of all data breaches that target organizations are caused by privileged credential abuse.

You’d never assume that large corporations the likes of Vodafone, Marriott, or the Desjardins Group had to deal with serious information leaks as a result of poor PAM. We’d all like to think that the famous companies we entrust with our data are pretty well protected at such a basic level, right? Unfortunately, this is not always the case.

As a matter of fact, all three of the companies mentioned in the previous paragraph have had sensitive data stolen by either employees or contractors with one too many access rights on their hands. And these were just a few of the PoLP-related incidents that took place over the last decade alone.

So, to answer the question in this section’s header, the reason you should implement PoLP is simple: so that it doesn’t happen to you as well. Practicing it within your enterprise has clear benefits:

  • Your data will be more accurately classified.
  • Hackers will have fewer entry points into your network.
  • Malware, ransomware, and Trojan attack risks will decrease.
  • Infections will spread with increased difficulty.
  • Your company will have improved regulatory compliance.

Wrapping Up…

Practicing PoLP should be a central focus of your cybersecurity strategy. This seemingly simple concept can help you stop cyberattacks from spreading like wildfire through your company network. In fact, it can even prevent them completely by securing your endpoints more than a simple antivirus can. And if time spent managing access rights is a concern for you, it’s time to consider installing a piece of PAM software.