What Is Least Privilege Access—and Why Do You Need It?

User access is a thorn in the side of most organizations. In an evolving cybersecurity landscape where people are the perimeter, simple login credentials aren’t enough to protect an organization’s users and data. In fact, user credentials are actually an important threat vector: Forrester Research estimates that 80% of security breaches involve privileged credentials, such as certificates, keys, passwords, and tokens. And the effects of this can be devastating. 

A 2013 attack on a national retail network was the result of hackers gaining unauthorized access to the company’s systems by stealing credentials from a third-party vendor—and it led to the loss of almost 70 million customers. To avoid these situations, businesses need to employ access management methodologies like least privilege access, ensuring that users and processes only have the minimum access and editing rights to the resources they require. 

What is least privilege access?

Granting least privilege access goes beyond codifying users and groups in a software system by also establishing what resources they are able to access and what functions they are able to perform. By implementing this process within their broader identity and access management strategy, businesses can ensure that only the right people have the right level of access to the right resources—under the right conditions, and at the right time.

What does least privilege access look like in practice?

Within an enterprise environment, the principle of least privilege access ensures that a user or application only has the permissions required to perform their role or function—and no more. Within this context, depending on their role, users are only granted access to read, write, or execute the files and applications they need, without getting access to any sensitive information beyond those resources.

This principle can be applied to access rights across applications, devices, processes, and systems, and can be dependent on certain factors like location or time of day. Role-based access rights can also be applied to specific business units like human resources, IT, and marketing.

How do you build a least privilege access approach?

As companies look to deploy least privilege access and enhance their risk mitigation strategies, these are some supplemental practices they can employ.

Audit privileges:

The first step in implementing least privilege access is to check that all existing accounts and credentials have the appropriate permissions. An audit should include all user accounts, groups, and passwords. Regular auditing can prevent a situation where users, accounts, and processes dangerously accumulate access levels beyond the appropriate scope.

Privilege bracketing:

Businesses should only create administrator accounts when absolutely needed—and for the shortest time possible. Removing admin access rights to servers and reducing every user to standard access will reduce the attack surface and help to secure a company’s most sensitive data and information. This is an approach the NSA took, reducing the number of system administrators by 90% to make its systems more secure. 

As another element of privilege bracketing, the default access level for all new accounts should be set as low as possible. 

Single-use credentials:

Businesses can track and trace user actions with single-use credentials. A good example of this is a password safe, where a single-use password is used only for the length of time the activity is being completed. Upon completion, the used password is retired.

Privilege access expiration: 

In a similar approach to single-use credentials, setting expirations on privileged access ensures that user access is time-restricted or bound by the completion of a task or process.

Just-in-time privileges:

Privileges can be increased as and when they are required for specific applications and tasks without requiring admin credentials or exposing passwords.
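
The audit, low-default, expiration, and just-in-time practices above can be checked together in code. The following Python is an added example, not Okta's code or part of the original article; the role names, permission strings, accounts, and function names are all constructed for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Constructed role baseline: the minimum permissions each role needs.
ROLE_BASELINE = {
    "hr": {"hr_records:read", "hr_records:write"},
    "marketing": {"cms:read", "cms:write"},
    "it": {"servers:read"},
}

@dataclass
class Grant:
    """A time-bound elevation of one permission for one account."""
    account: str
    permission: str
    expires_at: datetime

def grant_jit(account, permission, minutes, now):
    """Just-in-time privilege: elevate only for the length of the task."""
    return Grant(account, permission, now + timedelta(minutes=minutes))

def audit(accounts, grants, now):
    """Return {account: excess permissions} held beyond the role baseline
    and not covered by an unexpired grant."""
    findings = {}
    for name, (role, held) in accounts.items():
        live = {g.permission for g in grants
                if g.account == name and g.expires_at > now}
        # An unknown role gets an empty baseline: default access is lowest.
        excess = set(held) - (ROLE_BASELINE.get(role, set()) | live)
        if excess:
            findings[name] = sorted(excess)
    return findings

# Constructed sample data: bob has accumulated admin; carol is elevated for 30 min.
NOW = datetime(2024, 1, 1, 12, 0, tzinfo=timezone.utc)
ACCOUNTS = {
    "alice": ("hr", {"hr_records:read", "hr_records:write"}),
    "bob": ("marketing", {"cms:read", "cms:write", "servers:admin"}),
    "carol": ("it", {"servers:read", "servers:admin"}),
}
GRANTS = [grant_jit("carol", "servers:admin", 30, NOW)]

if __name__ == "__main__":
    print(audit(ACCOUNTS, GRANTS, NOW))
    print(audit(ACCOUNTS, GRANTS, NOW + timedelta(minutes=31)))
```

Running the audit again after the 30-minute window flags carol as well as bob, which shows why an expired grant must also trigger revocation of the permission it covered.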

By setting strict boundaries around user access, least privilege access is an important approach for enterprises looking to protect their data and prevent potential insider attacks. These principles offer a stronger approach to security, enhanced stability, and a reduced attack surface—all things that enable an organization to focus on its operations and growth.
