This Q&A looks at the principle of “least privilege” so you can start to think about implementing it successfully in your own organisation.
You might have heard or read about the principle of least privilege in the context of cyber security – especially if you have looked into the Cyber Essentials scheme. This blog looks at why it’s important and how it can be implemented successfully.
Least privilege is an approach to access rights management that aims to reduce an organisation’s exposure to risk and, in particular, the risk of cyber-attack.
The core principle of a least privilege approach is to deny users and applications access to files, folders, systems, applications and areas of the network unless they need to access them for their job.
Least privilege is important because it is designed to limit your organisation’s exposure to cyber risks.
Cyber criminals target user accounts with privileged access rights because they have greater network access. Once hackers have privileged access, they can move across the network at will. It’s then easy for them to get to your most desirable systems and data.
By limiting access for the majority of users, you can deny hackers the ability to do this easily.
As well as the immediate advantage of reducing your potential attack surface, adopting a least privilege approach is important for several different compliance scenarios.
If you have compliance regulations to meet, such as HIPAA, PCI-DSS, SOX, FISMA, FedRAMP, CCPA or voluntary codes such as NIST or ISO, auditors and government agencies will be looking at the ways you are reducing risk within your organisation. Limiting user access rights is a good way to reduce risk.
Being able to demonstrate that you are following this principle can help with proof that you are taking measures to protect data in the event of a data breach, which is important under GDPR.
It’s also a key element within the UK Government’s Cyber Essentials scheme.
Least privilege requires you to limit every user’s access and application. Each should only be allowed to access the systems and data that are absolutely necessary to accomplish their day-to-day work.
Permissions and privileges must be carefully controlled.
Often this is achieved through the development of allow lists, deny lists and restrict lists.
Least privilege should apply to every user.
And to every application.
The rights of your executive team and other high-profile users should be managed even more tightly than those of others.
Spear-phishing attacks will target users in finance, IT and leadership roles, because they often have privileged access rights, or have access to the most desirable systems and/or data. By locking down the access those users enjoy to only the systems they really need, in the event of their user accounts being compromised, you have limited the data and systems to which the hacker has access and thus limited the damage they can cause.
• Communication is key – you need to ensure that budget holders, other stakeholders and your users are onside. As with any change, users need to understand what is happening and why.
• Be prepared to deal with any pushback that may arise from you taking away user rights. Give users information about how to contact the helpdesk immediately if they encounter any problems.
• Effective planning is also essential. You need to ensure that access rights are minimised, while ensuring that the removal of access rights does make it difficult for users to undertake their everyday work.
Finding the right balance between locking down your environment without hampering productivity will require a good understanding of users’ roles and requirements. If done well, users shouldn’t even notice that their rights have been removed.
• Least privilege needs to be applied to everyone – no exceptions. This may mean disabling local administrators’ rights to elevate privileges. You don’t want rogue IT support staff handing out extra access rights to users just because they happened to ask nicely.
You need to ensure your local IT team (or your outsourced IT support company) is fully signed up to enforcing the approach, so training may be something you want to consider.
• Least privilege is not a time-limited project – it has to be an ongoing approach. As users leave, start, change roles, and require different access rights, the management of their rights will need to be continually managed and updated.
Similarly, as applications change and are upgraded, they may also need different permissions and access rights given to or removed from them.
You can’t assume that users and / or applications will need access rights forever, so you should continually revisit user requirements to identify opportunities to reduce privileges further.
Probably the best advice is don’t consider doing it in isolation. This should be part of your overall IT security posture and culture. Improving your IT security – even privileged access - isn’t a one-off event or project but part of an overall stance to make data security something that’s always considered and prepared for.
If you would like to discuss how you can begin to adopt an approach of least privilege, our team are on hand to help. But why not use it as part of a broader discussion about your stance on security? Reach out to us on 0808 164 4142 for a no-nonsense initial chat about where to begin...