As you go about the work of managing your IT environment, it’s likely that you already apply the Principle of Least Privilege (POLP, also known as “least privilege access”) — probably without giving this important concept a second thought.
After all, not every employee in your company has admin rights on your website, or access to your financial accounts. And while you may have a super-user or two in your proprietary software platform, it’s common sense that most employees are not assigned an administrator account.
In one form or another all of those practices touch on POLP.
What ‘least privilege access’ means to your employees
In the cybersecurity world, a highly privileged user has the ability to perform specific tasks — say, creating new user accounts, or changing another user’s password — that someone with “ordinary” user access cannot do.
The Principle of Least Privilege operates along those lines. It’s the idea that your IT system provides each user the necessary access rights to do what he or she needs, and nothing else.
POLP is an increasingly important concept for cybersecurity. Least privilege access helps you maintain strict access management and high cybersecurity standards because it limits the risk of malware intrusions from the outside, and it can help you limit the damage done by insider threats or accidental mismanagement.
Why applying POLP makes cybersecurity sense
Forrester Research estimates that at least 80 percent of data breaches involve some abuse of privileged access. Either an intruder logs into your system using stolen credentials from a highly privileged administrative account; or an employee successfully levels up to gain more access inside your critical systems with the intent to do harm.
Least privilege access and IT systems
The least privilege model should also be applied to your computer systems and software platforms. Different applications should only have as much access to interconnect with other applications as they need to complete necessary automatic processes. Or consider systems performing data-heavy computer processes (say, using artificial intelligence). They’re often scheduled to run during off-hours for human employees, when people might not notice someone else abusing the system. That makes it even more important that those systems follow privileged access management.
The different types of POLP user accounts
POLP classifies user accounts into four types:
- Least privileged user accounts, or standard user accounts. These are user accounts with limited access. They only grant a user the access he or she needs to perform normal job functions.
- Privileged user accounts. These accounts have elevated privileges. For example, software engineers need access to GitHub for coding and development tasks, while members of the sales team don’t; so GitHub access could be blocked on the devices of someone using a sales employee account.
- Shared user accounts. In some situations, user accounts can be shared among a group of users. These could be guest user accounts that offer bare minimum privileges for contractors so they can perform basic tasks. Typically, shared user accounts are very limited in nature and serve a distinct function. They can be limited in many ways, including by “privilege bracketing,” which means access is granted only for a certain amount of time.
- Service accounts. These accounts aren’t used by people, but do require privileged access.
No matter the type of POLP user account, organizations should still enforce security standards on passwords and monitor for leaked credentials.
The benefits of applying POLP
There are many benefits of implementing the principle of least privilege, including:
- Data security. Many data breaches happen because criminals gain access to privileged credentials and then use that access to move through your IT environment while trying to level up to administrator accounts. This type of data breach is also known as privilege escalation. Privilege bracketing (time restriction on access) is one way to prevent this from happening.
- System security. If applications have limited access to system-wide actions, criminals can’t exploit vulnerabilities in one application to gain access to other parts of the system, install malware or other malicious code, or launch a ransomware attack.
- Reduced attack surface. By restricting the privileges of employees only to the access they need to perform their job functions, organizations can mitigate the cybersecurity risks posed by insider threats and other attack vectors.
- Improved information security. Data classification is a key part of information security. Applying POLP can help companies analyze where sensitive data resides and also define levels of access; that helps to set up principle of least privilege accounts. Data classification will also help digital forensics after a data breach, and it may help protect sensitive data if a criminal gets into your IT environment.
- Better regulatory compliance. Organizations can create more audit-friendly environments by restricting the activities that users can perform to just what they need to perform their job functions. Many regulations, such as the Health Insurance Portability and Accountability Act and the Payment Card Industry Data Security Standard, require that organizations apply POLP policies to improve data security.
- Reduced third-party risk. The principle of least privilege should also apply to an organization’s third-party vendors, as they can introduce significant cybersecurity risks. Companies should ask to see vendors’ SOC 2 reports and information security policies.
- Better incident response planning. The principle of least privilege helps organizations understand who has access to what information and when they last accessed it. That can help with incident response.
- Simplified change and configuration management. Whenever a user with admin privileges uses a computer, there’s potential that the user could change the system’s configuration, either intentionally or accidentally. The principle of least privilege minimizes this risk by controlling who can change settings or configurations.
POLP and NIST compliance may be important for some businesses
Many regulations and standards require the principle of least privilege as part of their objectives. The NIST 800-171 cybersecurity standard, a requirement for businesses handling sensitive information in U.S. government contracts, is an example. Specifically, one section in NIST 800-171 requires organizations to limit system access to only those who need it to perform their job functions and to ensure they adhere to the principle of least privilege.
Zero trust model for cybersecurity
Once you have a good understanding and application of POLP, the next natural step is to introduce the zero trust model for cybersecurity.
Zero trust means exactly that: don’t trust anyone, human or robot, trying to gain access to your IT environment. Assume that every attempted access is a cyber attack until it is otherwise proven to be appropriate.
As you move ahead with POLP across your networks and computer systems, remember to establish regular privilege audits so you can be certain no one has leveled up and gained more access to your systems. Security measures are only as good as the auditing to which they are subjected.
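The privilege audit described above, together with the “privilege bracketing” mentioned in the account types list, can be expressed as a simple check of actual entitlements against an approved per-role baseline. The following is an added example, not code from the original post or from ZenGRC; the role baseline, user grants and reference time are constructed sample data.

```python
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Optional, Set, List, Tuple

# Constructed least-privilege baseline: the entitlements each job function is approved to hold.
ROLE_BASELINE = {
    "sales": {"crm:read", "crm:write"},
    "engineer": {"github:read", "github:write", "ci:run"},
    "contractor": {"wiki:read"},
    "backup-service": {"storage:write"},   # a service account role: no human logs in, but it is privileged
}

@dataclass
class Grant:
    user: str
    role: str
    entitlements: Set[str]
    expires: Optional[datetime] = None    # None = standing access; a timestamp = privilege bracketing

def audit(grants: List[Grant], now: datetime) -> List[Tuple[str, str, List[str]]]:
    """Flag (1) entitlements beyond the role's baseline (privilege creep / level-up)
    and (2) time-bracketed grants whose window has lapsed but are still present."""
    findings = []
    for g in grants:
        excess = g.entitlements - ROLE_BASELINE.get(g.role, set())
        if excess:
            findings.append((g.user, "excess_privilege", sorted(excess)))
        if g.expires is not None and now >= g.expires:
            findings.append((g.user, "expired_bracket", sorted(g.entitlements)))
    return findings

# Constructed sample grants and reference time for the audit run.
NOW = datetime(2024, 6, 1, 12, 0, tzinfo=timezone.utc)
SAMPLE_GRANTS = [
    Grant("alice", "engineer", {"github:read", "github:write", "ci:run"}),
    Grant("bob", "sales", {"crm:read", "crm:write", "github:write"}),          # crept beyond the sales role
    Grant("carol", "contractor", {"wiki:read"},
          expires=datetime(2024, 5, 1, tzinfo=timezone.utc)),                  # bracketed access that lapsed
    Grant("backup-svc", "backup-service", {"storage:write"}),                  # matches its baseline
]

if __name__ == "__main__":
    for user, kind, items in audit(SAMPLE_GRANTS, NOW):
        print(f"{user}: {kind} {items}")
```

Running the audit on a schedule and treating any finding as a ticket to revoke or re-approve access is what turns the principle into a verifiable control.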
Cybersecurity and compliance management tools
As you forge a path for your business in our highly regulated, highly interdependent world, many tools can help your business stay competitive while keeping cybersecurity and compliance top priorities.
ZenGRC’s compliance, risk, and workflow management software is an intuitive, easy-to-understand platform that not only keeps track of your workflow, but also lets you find areas of high risk before those risks manifest as real threats.
Worry-free compliance management is the Zen way. For more information on how ZenGRC can enable your CMS, contact us for a demo.