It’s no secret that the modern workplace is digital. Except for a few industries, we’ve all migrated online and taken all of our data assets with us in the process. And while this made our jobs undoubtedly easier, it also started posing new risks.
One such risk is account compromise. Malicious third parties seek out vulnerable users and either exploit technical weaknesses to reach their accounts or use social engineering tactics such as phishing campaigns. Whatever their approach, you never know which of your employees will fall prey to it.
How can you keep your enterprise safe against all of these threats? The principle of least privilege is the answer to that, at least at a user-facing level.
In the following lines, I will explain what it is, as well as why it matters. Finally, I will get into how you can implement it for your business, so keep reading if you want to find out more.
Defining The Principle Of Least Privilege
The principle of least privilege, or PoLP for short, is a cybersecurity concept that belongs to the sphere of access governance. Also known as the principle of least authority, it requires that every user account operating within a network be granted only the minimum access rights needed to carry out its day-to-day responsibilities, and nothing beyond that.
However, the principle of least privilege covers more than just user accounts. The same rule applies to service accounts, applications, processes and devices, and more.
Nevertheless, from an enterprise point of view, the application of PoLP at the level of user accounts is the most important. Research conducted by Centrify in 2019 and quoted by Help Net Security found that 74% of organizations that had suffered a data breach said it involved the abuse of privileged credentials.
For this reason, your company’s management of access rights should be focused first and foremost on your staff and the accounts that they use. What would that look like, you might ask?
Simply put, a practical application of PoLP means that your employees won’t be granted admin rights unless they have admin responsibilities. In addition to this, they won’t be able to enter segments of the network that aren’t useful to or required for their job.
Why Is Practicing PoLP Important?
As I’ve mentioned in the previous section, the misuse of accounts within an organization’s network is one of the most widespread causes of security breaches. The people holding those accounts, whether careless or malicious, are therefore one of your company’s largest liabilities when it comes to cybersecurity.
This is what is meant by insider threat, and it can be either accidental or malicious in nature. The former is an unintentional event, such as a user who clicks a phishing link; the latter has an ulterior motive behind it and something to gain from breaching your enterprise network.
What is more, things haven’t gotten better since 2019, when Centrify published its statistics. In fact, insider threat is on the rise. According to the Ponemon Institute’s Cost of Insider Threats Global Report published in 2020, the number of insider incidents grew by 47% between 2018 and 2020.
Implementing and practising PoLP throughout your corporate infrastructure limits how much damage any single compromised or misused account can do. This matters to your business’ stability and reputation because a breach of this kind severely damages your image, on top of its financial and human consequences.
One example of how this can happen to even the best of us is what went down at the multinational hotel company Marriott. Two years after buying the Starwood hotel chain in 2016, the enterprise discovered that its subsidiary’s systems had been subject to unauthorized access for the previous four years.
To add insult to injury, the intrusion had started two years before the acquisition. This grave security oversight on Marriott’s part resulted in the data of approximately 500 million guests being exposed. Of them, 327 million had most of their personal and private information unlawfully accessed.
This information included names, phone numbers, mailing addresses, email addresses, passport numbers, dates of birth, genders, arrival and departure information, reservation dates, communication preferences, and Starwood Preferred Guest account details. Some guests even had their encrypted payment card numbers and expiry dates exposed.
In Marriott’s case, "unauthorized access" meant that privileged credentials on the Starwood reservation systems were obtained and misused by the intruders for years without being detected, and those credentials were then used to steal the personally identifiable information of guests. Consistently applied PoLP and regular access reviews are precisely the controls meant to limit how far such credentials can reach and how long their misuse goes unnoticed.
How To Implement PoLP In Your Company?
What happened with Marriott is just one case of credential misuse of many. The improper management of privileged access rights does not harm your company alone, but your clients and collaborators as well. This is all the more reason for you to implement the principle of least privilege.
Doing so is fairly simple as long as you understand the two main practices behind it, namely:
- Practising privilege bracketing;
- And preventing privilege creep.
In the final two sections of this article, I will define both privilege bracketing and privilege creep. I will also discuss how you can implement them successfully to complete your PoLP approach and what the risks are if you don’t.
So, without further ado, let’s get into the actionable advice part of this piece that we’ve all been waiting for.
#1 Practice Privilege Bracketing:
When it comes to preserving your company’s digital security, the best course of action in terms of admin rights is to grant them only to users who need them, and only for as long as the task that needs them lasts, after which they are revoked. This practice is known as privilege bracketing and it is the cornerstone of PoLP.
But how can this be done efficiently? First of all, you need to run a privilege audit. This consists of inventorying every user account on your network and establishing what level of access rights each of the roles they fulfil requires. You must then ascertain what privileges those accounts have actually been granted and whether each grant was justified at the time it was made.
After identifying what access rights are already granted and deciding what to change or keep, you can successfully practice privilege bracketing. Just remember, don’t grant standing admin rights to users who are not admins. This is the baseline for preventing cyberattacks on your business.
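To make the bracketing idea concrete, here is an added example (not code from the original article or from any PAM product) of a toy in-memory privilege broker: an admin right is granted only with a justification and a bounded lifetime, is capped at a policy maximum, expires on its own, and can be revoked early. The class and method names, the one-hour cap, and the users and change tickets in the walkthrough are all assumptions made for the illustration.

```python
# Added example: privilege bracketing as a time-boxed grant with automatic expiry.
# Toy in-memory implementation; names, the 1-hour policy cap and the sample users
# are assumptions, not taken from the article or from a real PAM product.
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional, Tuple


@dataclass
class Grant:
    user: str
    privilege: str
    justification: str
    granted_at: datetime
    expires_at: datetime


@dataclass
class PrivilegeBroker:
    # Policy maximum: no bracket may exceed this, whatever the requester asks for.
    max_ttl: timedelta = timedelta(hours=1)
    grants: Dict[Tuple[str, str], Grant] = field(default_factory=dict)
    audit_log: List[Tuple[datetime, str, str, str]] = field(default_factory=list)

    def elevate(self, user: str, privilege: str, justification: str,
                ttl: timedelta, now: Optional[datetime] = None) -> Grant:
        """Grant `privilege` to `user` for at most `ttl` (capped at max_ttl)."""
        now = now or datetime.now(timezone.utc)
        if not justification.strip():
            raise ValueError("a justification is required for every elevation")
        if ttl <= timedelta(0):
            raise ValueError("ttl must be positive")
        ttl = min(ttl, self.max_ttl)
        grant = Grant(user, privilege, justification, now, now + ttl)
        self.grants[(user, privilege)] = grant
        self.audit_log.append((now, "ELEVATE", user, privilege))
        return grant

    def is_allowed(self, user: str, privilege: str,
                   now: Optional[datetime] = None) -> bool:
        """True only while an unexpired bracket exists; expired grants are dropped."""
        now = now or datetime.now(timezone.utc)
        grant = self.grants.get((user, privilege))
        if grant is None:
            return False
        if now >= grant.expires_at:
            del self.grants[(user, privilege)]  # lazy revocation at first use after expiry
            self.audit_log.append((now, "EXPIRE", user, privilege))
            return False
        return True

    def revoke(self, user: str, privilege: str,
               now: Optional[datetime] = None) -> bool:
        """Early revocation, e.g. when the task finishes ahead of schedule."""
        now = now or datetime.now(timezone.utc)
        if self.grants.pop((user, privilege), None) is None:
            return False
        self.audit_log.append((now, "REVOKE", user, privilege))
        return True


def demo() -> dict:
    """Walk through one bracket with a fixed clock so the result is reproducible."""
    t0 = datetime(2024, 1, 1, 9, 0, tzinfo=timezone.utc)
    broker = PrivilegeBroker()
    # alice needs root on a server for a 30-minute patch window
    broker.elevate("alice", "server:root", "CHG-1042 kernel patch",
                   timedelta(minutes=30), now=t0)
    # bob asks for 8 hours; policy caps the bracket at 1 hour
    bob = broker.elevate("bob", "ad:admin", "CHG-1043 group cleanup",
                         timedelta(hours=8), now=t0)
    try:
        broker.elevate("eve", "ad:admin", "   ", timedelta(minutes=5), now=t0)
        empty_rejected = False
    except ValueError:
        empty_rejected = True
    return {
        "alice_during": broker.is_allowed("alice", "server:root", now=t0 + timedelta(minutes=10)),
        "alice_after": broker.is_allowed("alice", "server:root", now=t0 + timedelta(minutes=31)),
        "bob_ttl_minutes": int((bob.expires_at - bob.granted_at).total_seconds() // 60),
        "carol_never_elevated": broker.is_allowed("carol", "server:root", now=t0),
        "bob_revoked_early": broker.revoke("bob", "ad:admin", now=t0 + timedelta(minutes=5)),
        "empty_justification_rejected": empty_rejected,
        "log_events": [e[1] for e in broker.audit_log],
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The point of the design is that the default state is "no admin rights": a user who was never elevated is denied, an elevation that has run out is denied at the next check, and every grant, expiry and revocation leaves an audit record that the regular reviews described below can read.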
However, I strongly advise against stopping at the initial inspection. My recommendation is to plan out regular audits to ensure that the rules, guidelines, and policies you put into place are enforced continuously. Constant verification is essential to proper privileged access management, commonly abbreviated as PAM.
Identified as the number one priority in enterprise security three years in a row by Gartner, PAM is a cybersecurity approach based on the practice of PoLP.
#2 Prevent Privilege Creep:
Another central concept to both PoLP and PAM is that of privilege creep, or access creep. The term refers to accounts that have accumulated obsolete permissions over the years. It usually happens as employees are promoted or change departments while the IT department does not remove the privileges associated with their previous positions.
This results in over-privileged accounts that hold access, or even admin rights, to several essential segments of the company network. While this might not seem like a big deal as long as the employee has good intentions, it can turn into a disaster very quickly.
The first way in which privilege creep can affect your business is if the said employee turns into a malicious insider. You never know when and how someone can become disgruntled with their job or manipulated by an external third party.
And speaking of external third parties, attackers can also exploit weaknesses in these over-privileged accounts without any inside help, for instance by phishing their credentials. That gives them access to most of your network, which spells trouble because they can use it to deploy malware such as ransomware or trojans.
Therefore, preventing privilege creep is crucial to a successful PoLP strategy. Together with privilege bracketing, they are what your company needs to stay safe against cyber attackers trying to abuse it from the inside.
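The privilege audit described under privilege bracketing and the privilege creep described in this section are two findings of the same review: compare what each account can actually do with what its current role needs. The following is an added example (not code from the original article) of that comparison in Python. The role baseline, the permission strings, the accounts and their previous roles are constructed sample data; the finding codes and function names are assumptions made for the illustration.

```python
# Added example: a privilege audit that compares each account's actual permissions
# with the baseline its current role requires. Flags admin rights held without an
# admin role, privilege creep carried over from a previous role, and accounts whose
# role no longer exists. All roles, permissions and accounts are constructed data.
from typing import Dict, List, Set, Tuple

# Baseline: what each role legitimately needs (constructed).
ROLE_BASELINE: Dict[str, Set[str]] = {
    "accountant": {"finance:read", "finance:write"},
    "developer": {"repo:read", "repo:write", "ci:run"},
    "sales": {"crm:read", "crm:write"},
    "it-admin": {"ad:admin", "server:root", "repo:read"},
}
# Permissions that count as admin rights, whichever role holds them.
ADMIN_PERMS: Set[str] = {"ad:admin", "server:root"}

# Account inventory (constructed): current role, earlier roles, actual permissions.
ACCOUNTS: List[dict] = [
    {"user": "alice", "role": "accountant", "previous_roles": [],
     "perms": {"finance:read", "finance:write"}},
    {"user": "bob", "role": "developer", "previous_roles": ["accountant"],
     "perms": {"repo:read", "repo:write", "ci:run", "finance:write"}},
    {"user": "carol", "role": "sales", "previous_roles": [],
     "perms": {"crm:read", "crm:write", "server:root"}},
    {"user": "dave", "role": "it-admin", "previous_roles": ["developer"],
     "perms": {"ad:admin", "server:root", "repo:read", "ci:run"}},
    {"user": "svc-legacy", "role": "decommissioned", "previous_roles": [],
     "perms": {"server:root"}},
]


def audit_account(account: dict, baseline: Dict[str, Set[str]] = ROLE_BASELINE,
                  admin_perms: Set[str] = ADMIN_PERMS) -> dict:
    """Return the excess permissions and findings for one account."""
    findings: List[Tuple[str, List[str]]] = []
    allowed = baseline.get(account["role"])
    if allowed is None:
        # Unknown or retired role: nothing is justified, every permission is excess.
        findings.append(("UNKNOWN_ROLE", [account["role"]]))
        allowed = set()
    excess = account["perms"] - allowed

    admin_excess = excess & admin_perms
    if admin_excess:
        findings.append(("ADMIN_WITHOUT_ADMIN_ROLE", sorted(admin_excess)))

    creep = excess - admin_perms
    if creep:
        findings.append(("PRIVILEGE_CREEP", sorted(creep)))

    # Attribute each leftover permission to the previous role that once justified it.
    creep_source: Dict[str, str] = {}
    for perm in excess:
        for prev in account["previous_roles"]:
            if perm in baseline.get(prev, set()):
                creep_source[perm] = prev
                break

    return {
        "user": account["user"],
        "excess": sorted(excess),
        "findings": findings,
        "creep_source": creep_source,
    }


def run_audit(accounts: List[dict] = ACCOUNTS) -> Dict[str, dict]:
    """Audit every account and key the report by user name."""
    return {acct["user"]: audit_account(acct) for acct in accounts}


def revocation_plan(report: Dict[str, dict]) -> List[Tuple[str, str]]:
    """Flat, sorted list of (user, permission) pairs to remove: the audit's output to IT."""
    return sorted((user, perm) for user, res in report.items() for perm in res["excess"])


if __name__ == "__main__":
    report = run_audit()
    for user, res in report.items():
        print(user, res["findings"], res["creep_source"])
    print("revoke:", revocation_plan(report))
```

Two details are worth noticing in the sample data: dave is a legitimate admin yet still carries `ci:run` from his developer days, which is creep even though it is not an admin right, and `svc-legacy` belongs to a role that no longer exists, so the audit treats every permission it holds as unjustified. Running this review on a schedule, and acting on the revocation list each time, is what keeps the baseline from drifting between audits.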