Implementing the Principle of Least Privilege is easier than you think

The IT security resilience of an organization depends heavily on how its privileged users work with the IT infrastructure. As the saying goes, with great power comes great responsibility. The question is: do you rely on privileged users to keep your IT infrastructure secure and stable, or do you take matters into your own hands?

Forrester Research estimates that at least 80% of security breaches involve privileged credentials. Incidents at Cisco, Uber, Microsoft and others all involved privileged accounts. Least privilege is a well-known information security practice: a user should hold only the minimum set of rights required to complete a job successfully, and those rights should be in effect for the shortest duration necessary. Granting more permissions or a higher access level than the job needs lets that user read information or affect critical IT components in unwanted ways, and makes the account a potential source of danger. Privileged access by definition allows a user to bypass certain security measures, so careful assignment of access rights limits what an attacker who obtains such an account can do to corporate information systems.

It is very important to track which IT resources each privileged user can access and what rights they have. Whenever employees are promoted or moved to another position, make sure the privileges they previously held have been revoked before granting them a new set. Otherwise the company faces privilege creep: users accumulate permissions they no longer need, and some of them end up as de facto super administrators. Such a situation often leads to significant security threats.

How is the Principle of Least Privilege (PoLP) important to your organization?

  • PoLP is an essential part of the Zero Trust concept, which dictates that no user in the company is trusted by default; every user is verified and controlled at all times.
  • Standing, direct access to privileged accounts grants far more privilege than any task needs and should be limited. Administrators should not know the passwords of privileged accounts or hold their SSH keys; they should use those credentials only through a dedicated security service that never discloses the secret to them.
  • Because such a high share of attacks relies on the abuse of privileged credentials, it is crucial for any organization to stay in control of every privilege granted to users. The more unnecessary rights are handed out, the harder it is to stay in control. With PoLP implemented, your employees have access only to the IT resources they need, and only for a defined period.
  • Attackers often reach important company resources through social engineering, then use the foothold to elevate their privileges and gain control over critical systems. With PoLP implemented, the privileges of any single compromised account are restricted, which limits what the attacker can do and narrows the paths available for privilege escalation.
  • Limiting privileged access reduces risk, and with just-in-time privilege elevation enabled, users remain efficient. Powerful privileged accounts then do not have always-on (24×7) privileged access; it is switched on only when it is needed to complete a task.
  • Regulations require organizations to apply the Principle of Least Privilege and Zero Trust to privileged accounts to protect sensitive data and critical systems. Enforcing least privilege helps organizations comply with these legal requirements.

The idea of least privilege is very clear, but it can be complex to implement.

In order to implement the Principle of Least Privilege, organizations typically have to follow several steps, as part of a broader IT security strategy:

  • Conduct an audit to inventory all known and unknown privileged user accounts.
  • Revoke unnecessary rights and ensure that every user holds only the privileges needed to perform their standard job tasks.
  • Adjust job roles to rule out super administrators in the IT infrastructure (for example, a single user who manages both Active Directory and the information security solutions).
  • Create an access matrix for all privileged users and information security officers: a record of which rights each privileged role holds, so that rights can be balanced between roles and checked against what is actually configured.
  • Bring all privileged users under control and make sure you can monitor everything they do. With the right Privileged Access Management solution this can be done effortlessly and efficiently.
  • Address undocumented privileged accounts with account discovery functions. Privileged Access Management functionality lets you deal with this promptly and with minimal effort from IT and IS staff.
  • Rotate administrative account passwords after each use to protect the credentials. Use automatic password change, driven by scheduled jobs, to reset administrator passwords to random values that meet your security requirements. A password seen once is then useless afterwards, which prevents direct privileged access and attempts to bypass the Privileged Access Management system that controls privileged user activity.
  • Monitor what your administrators and other privileged users do in real time. For each connection, record the start and end time of the session, the account used, the username and the name of the target resource. Record all privileged user activity, including file transfers, executed text commands and launched applications.
  • Use strong authentication to protect privileged access. This reduces the risk of theft of privileged users' personal accounts and counters repudiation, where an insider tries to deny responsibility for an action.
  • Set up access policies that define the rules of access to your target servers and applications: limit connection duration, and enable scheduled access or access upon approval by a security officer. This gives you just-in-time access, with users reaching privileged accounts only on an as-needed basis.
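The audit, discovery and access-matrix steps above can be checked mechanically on a Linux host. The following script is an added example, not part of the original article or of any vendor product: it inventories privileged accounts from constructed `/etc/passwd`, `/etc/group` and sudoers data (uid 0 accounts, members of administrative groups, sudoers rules), then compares the result with a documented access matrix to report undocumented privileged accounts, privilege creep, and duplicate uid 0 accounts. The sample data, the access matrix and the set of groups treated as privileged are all assumptions made for the example.

```python
"""Least-privilege audit of local Linux accounts (added example, constructed data)."""
import re

# Assumption for this example: these groups confer administrative rights.
PRIVILEGED_GROUPS = {"root", "sudo", "wheel", "adm"}

# principal  hosts=(runas)  [NOPASSWD:]  commands
SUDOERS_RE = re.compile(r"^(\S+)\s+\S+=\([^)]*\)\s*(NOPASSWD:\s*)?(.+)$")

# Constructed sample files; not taken from a real host.
PASSWD = """\
root:x:0:0:root:/root:/bin/bash
alice:x:1001:1001:Alice:/home/alice:/bin/bash
bob:x:1002:1002:Bob:/home/bob:/bin/bash
backup:x:1003:1003::/var/backups:/usr/sbin/nologin
toor:x:0:0:second root:/root:/bin/bash
svc_deploy:x:1004:1004::/opt/deploy:/bin/sh
"""
GROUP = """\
root:x:0:
sudo:x:27:alice,bob
wheel:x:10:alice,svc_deploy
adm:x:4:alice
"""
SUDOERS = """\
# constructed sudoers snippet
root    ALL=(ALL:ALL) ALL
%sudo   ALL=(ALL:ALL) ALL
bob     ALL=(ALL) NOPASSWD: /usr/bin/systemctl restart nginx
svc_deploy ALL=(ALL) NOPASSWD: ALL
"""

# Documented access matrix (assumed): account -> privileges it is allowed to hold.
ACCESS_MATRIX = {
    "root": {"uid0", "sudo:ALL"},
    "alice": {"group:sudo", "group:adm", "sudo:ALL"},
    "bob": {"sudo:/usr/bin/systemctl restart nginx NOPASSWD"},
}


def parse_passwd(text):
    """Return {account: uid} for every passwd entry."""
    users = {}
    for line in text.splitlines():
        if line.strip() and not line.startswith("#"):
            fields = line.split(":")
            users[fields[0]] = int(fields[2])
    return users


def parse_group(text):
    """Return {group: set(members)}; members listed in the fourth field."""
    groups = {}
    for line in text.splitlines():
        if line.strip():
            fields = line.split(":")
            groups[fields[0]] = {m for m in fields[3].split(",") if m}
    return groups


def parse_sudoers(text):
    """Return [(principal, nopasswd, command)], one tuple per command in a rule."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        match = SUDOERS_RE.match(line) if line and not line.startswith("#") else None
        if match:
            principal, nopasswd, commands = match.group(1), bool(match.group(2)), match.group(3)
            rules.extend((principal, nopasswd, c.strip()) for c in commands.split(","))
    return rules


def discover_privileges(users, groups, rules):
    """Return {account: set(privilege tags)} for accounts that hold any privilege."""
    privs = {name: set() for name in users}
    for name, uid in users.items():
        if uid == 0:
            privs[name].add("uid0")
    for gname, members in groups.items():
        if gname in PRIVILEGED_GROUPS:
            for member in members:
                privs.setdefault(member, set()).add(f"group:{gname}")
    for principal, nopasswd, command in rules:
        tag = f"sudo:{command}" + (" NOPASSWD" if nopasswd else "")
        # %group rules apply to every member of that group; others name one account.
        targets = groups.get(principal[1:], set()) if principal.startswith("%") else {principal}
        for target in targets:
            privs.setdefault(target, set()).add(tag)
    return {name: tags for name, tags in privs.items() if tags}


def audit(discovered, matrix):
    """Compare what is configured with what is documented in the access matrix."""
    findings = {"undocumented": set(), "creep": {}, "multiple_uid0": set()}
    for account, tags in discovered.items():
        if account not in matrix:
            findings["undocumented"].add(account)   # privileged but never approved
        elif tags - matrix[account]:
            findings["creep"][account] = tags - matrix[account]
    uid0 = {a for a, tags in discovered.items() if "uid0" in tags}
    if len(uid0) > 1:
        findings["multiple_uid0"] = uid0              # a classic hidden backdoor
    return findings


if __name__ == "__main__":
    found = discover_privileges(parse_passwd(PASSWD), parse_group(GROUP), parse_sudoers(SUDOERS))
    for key, value in audit(found, ACCESS_MATRIX).items():
        print(f"{key}: {value}")
```

On the constructed data the audit reports `toor` and `svc_deploy` as undocumented privileged accounts (one is a second uid 0 login, the other has passwordless full sudo), `alice` as holding an extra `wheel` membership, and `bob` as having unrestricted sudo through the `sudo` group even though the matrix only approves one scoped command for him. Running the same comparison on real files is how privilege creep and the "super administrator" cases from the steps above are caught before an attacker finds them.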

Implementing a reliable and cost-effective Privileged Access Management solution with a broad set of controls over privileged access will let you comply with the Principle of Least Privilege and build a path towards resilient IT security for your organization. Axidian Privilege can help you start this journey; download the presentation to learn more about the solution.