What is the principle of least privilege?
In an ideal world, users would have only the minimum access necessary to fulfill their job functions, thus reducing the organization’s attack surface and likelihood of unauthorized activities or breaches. This approach, called the “principle of least privilege,” is also a requirement of most industry compliance frameworks such as NIST, ISO 27001, and CIS.
In reality, achieving least privilege everywhere is an endless battle against dynamic, real-life business requirements. Security and IAM teams are overloaded with least-privilege alerts generated by various detection tools, most of which are not actionable or do not relate to high-risk or impactful accounts. Because security and IAM teams have limited resources, they must prioritize the projects with the highest return on investment (ROI).
Applying least privilege practices to the following security issues yields the best return for the effort:
- Unused admin accounts
Often, distinct admin accounts are created for legitimate purposes and kept separate from employees' personal accounts, or separated between test and production instances. Over time, however, these admin accounts may fall into disuse, or the employees who created them may be offboarded. In other cases, the main account of an offboarded employee held admin privileges but was not disabled upon the employee's departure.
These dormant accounts are easy entry points for attackers seeking unauthorized access to sensitive systems and data.
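The three conditions described above (an admin account that was never used, one that has gone idle, and one whose owner has left) can be checked mechanically against an identity-provider export. The following is an added example, not code from the original post or from Spera; the account records are constructed sample data, and the 90-day idle threshold is an assumed policy value.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional


@dataclass
class Account:
    """One row of a constructed IdP export (hypothetical shape, not a real product schema)."""
    username: str
    is_admin: bool
    enabled: bool
    last_login: Optional[date]   # None means the account has never signed in
    owner_employed: bool         # False means HR has offboarded the owner
    owner: str = ""


# Constructed sample inventory; none of these are real accounts.
ACCOUNTS = [
    Account("alice", True, True, date(2024, 5, 30), True, "alice"),
    Account("alice-admin", True, True, date(2024, 1, 10), True, "alice"),  # separate admin account, idle
    Account("bob", True, True, date(2024, 5, 20), False, "bob"),            # offboarded, still enabled
    Account("svc-test-admin", True, True, None, True, "carol"),             # created for a test, never used
    Account("dave", False, True, date(2023, 11, 1), True, "dave"),          # dormant but not privileged
    Account("erin-admin", True, False, date(2023, 6, 1), False, "erin"),    # already disabled: nothing to do
]


def find_dormant_admins(accounts, today, max_idle_days=90):
    """Return (username, reason) for every enabled admin account that is dormant.

    Only enabled admin accounts are considered, so the output is a prioritized
    worklist rather than a flood of low-impact alerts. The reason string records
    which condition fired, which is what makes the finding actionable.
    """
    cutoff = today - timedelta(days=max_idle_days)
    findings = []
    for acct in accounts:
        if not (acct.is_admin and acct.enabled):
            continue
        if not acct.owner_employed:
            findings.append((acct.username, "owner offboarded"))
        elif acct.last_login is None:
            findings.append((acct.username, "never logged in"))
        elif acct.last_login < cutoff:
            findings.append((acct.username, f"idle since {acct.last_login.isoformat()}"))
    return findings


if __name__ == "__main__":
    for user, reason in find_dormant_admins(ACCOUNTS, date(2024, 6, 1)):
        print(f"{user:16} {reason}")
```

The offboarded-owner check is deliberately evaluated first: an enabled admin account with no current owner is the highest-risk case regardless of how recently it was used, because there is nobody left to notice anomalous activity on it.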
- Unused administrative privileges
A key challenge in achieving least privilege is that security teams strive to be business enablers and grant access and permissions as quickly as possible. When solutions such as "just in time" access are not available, or the out-of-the-box RBAC roles provided by a product are too broad, people tend to assign higher privileges than required. Some examples:
- AWS is considered the most challenging in this respect, with options such as "All permissions" on a specific S3 bucket when users may need only read access, or IAM users who never use the administrator permission sets assigned to them. An attacker who compromises such a user can use these permissions to delete all organizational data.
- In Azure Active Directory, it is common to find admin accounts holding built-in administrator roles whose owners only view accounts and data but never perform an administrative action with them. A compromised account with a group administrator role can be used to remove people from groups, causing business disruption and denial of service.
- In Okta, employees granted admin access may never even open the admin panel.
- In Salesforce, it is common to find non-admin users with the "Modify All Data" permission. These accounts are able to export or even delete all company data, but in practice only need to view or modify a specific scope of data for their role.
- Snowflake users may be given global privileges instead of custom role-based access control with a clear separation between read and write access on specific resources.
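Every case in the list above is the same comparison: the set of actions a principal was granted against the set it actually exercised in the audit log. The added example below (not code from the original post or from Spera) does that comparison on constructed data using AWS-style action names purely as illustration; the grants, the audit events and the policy shape it emits are all assumptions, not an export from any real account. It also generalizes the "All permissions" case: where a wildcard grant was used, it proposes the explicit action list observed in the logs as the replacement.

```python
from collections import defaultdict
from fnmatch import fnmatchcase

# Constructed grants: principal -> set of granted action patterns.
# "s3:*" stands for an "All permissions" style grant on a bucket.
GRANTS = {
    "analyst": {"s3:*"},
    "reporter": {"s3:GetObject", "s3:ListBucket", "s3:DeleteObject"},
    "ops-admin": {"iam:*", "s3:GetObject"},
}

# Constructed audit events as (principal, action) pairs, i.e. the minimum an
# activity log such as CloudTrail would give you after normalization.
EVENTS = [
    ("analyst", "s3:GetObject"), ("analyst", "s3:ListBucket"), ("analyst", "s3:GetObject"),
    ("reporter", "s3:GetObject"),
    ("ops-admin", "s3:GetObject"),
]


def observed_actions(events):
    """Collapse the event stream into principal -> set of distinct actions used."""
    used = defaultdict(set)
    for principal, action in events:
        used[principal].add(action)
    return used


def right_size(grants, events):
    """Compare granted patterns with observed usage for each principal.

    Returns {principal: {"unused": [patterns never exercised],
                         "narrow": {wildcard pattern: [explicit actions observed]}}}.
    Patterns are matched with shell-style globbing, so "s3:*" covers "s3:GetObject".
    """
    used = observed_actions(events)
    report = {}
    for principal, patterns in grants.items():
        unused, narrowed = [], {}
        for pattern in sorted(patterns):
            matched = sorted(a for a in used.get(principal, ()) if fnmatchcase(a, pattern))
            if not matched:
                unused.append(pattern)            # candidate for removal
            elif "*" in pattern:
                narrowed[pattern] = matched       # candidate for replacement by an explicit list
        report[principal] = {"unused": unused, "narrow": narrowed}
    return report


def allow_statement(actions, resource):
    """Build a minimal allow statement (IAM-like dict shape, assumed for illustration)."""
    return {"Effect": "Allow", "Action": sorted(actions), "Resource": resource}


if __name__ == "__main__":
    bucket_arn = "arn:aws:s3:::example-bucket/*"   # placeholder resource, not a real bucket
    for principal, result in right_size(GRANTS, EVENTS).items():
        print(principal, "unused:", result["unused"])
        for pattern, actions in result["narrow"].items():
            print(f"  replace {pattern} with", allow_statement(actions, bucket_arn))
```

A usage window is implicit here: the events list should cover a period long enough to include infrequent but legitimate actions (quarterly exports, for example), otherwise the "unused" list will recommend removing permissions that are merely rare.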
- Unused privileged access to sensitive applications
Workforce users typically have access to far more applications than they actually need. An effective least-privilege project should focus on removing unnecessary access to sensitive, business-critical applications, such as cybersecurity tools, customer data, or the production environment.
- Over-privileged birthright permissions
An organizational best practice is to grant permissions to employees by assigning them to groups created in the identity provider or IGA system (such as Active Directory, Okta or SailPoint). Each group provides access to the applications required to perform relevant tasks. Over time, business requirements change, but the access remains. By detecting over-privileged groups with clear evidence of inactivity, privileged access can be reduced at scale and kept in check over time.
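Because birthright access is granted at group level, the "evidence of inactivity" has to be measured per group and per application rather than per user: an application that almost no member of the group has signed into during the review window is a candidate for removal from that group's entitlements, even though a handful of individuals may still need it directly. The following added example (not code from the original post or from Spera) shows that aggregation on constructed group definitions and sign-in events; the 90-day window and 25% active-member threshold are assumed policy values.

```python
from collections import defaultdict
from datetime import date, timedelta

# Constructed groups: name -> members and the applications the group grants (sample data).
GROUPS = {
    "eng-all": {"members": {"alice", "bob", "carol", "dave"},
                "apps": {"github", "jira", "prod-console"}},
    "finance": {"members": {"erin", "frank"},
                "apps": {"erp", "jira"}},
}

# Constructed application sign-in events as (user, app, date).
SIGNINS = [
    ("alice", "github", date(2024, 5, 20)), ("bob", "github", date(2024, 5, 21)),
    ("carol", "jira", date(2024, 5, 22)), ("alice", "jira", date(2024, 4, 2)),
    ("alice", "prod-console", date(2023, 12, 1)),   # stale: outside the review window
    ("erin", "erp", date(2024, 5, 28)), ("frank", "erp", date(2024, 5, 29)),
]


def active_users(signins, today, window_days=90):
    """Map each app to the set of users who signed into it within the window."""
    cutoff = today - timedelta(days=window_days)
    active = defaultdict(set)
    for user, app, when in signins:
        if when >= cutoff:
            active[app].add(user)
    return active


def birthright_review(groups, signins, today, window_days=90, min_ratio=0.25):
    """Flag (group, app, active_members, total_members) where the share of group
    members who actually used the app in the window is below min_ratio.

    Only members of the group count as active for that group's entitlement, so
    an app that is busy for other reasons does not mask an unused group grant.
    """
    active = active_users(signins, today, window_days)
    findings = []
    for group_name, group in groups.items():
        members = group["members"]
        if not members:
            continue   # empty groups are a cleanup item, but not an over-privilege one
        for app in sorted(group["apps"]):
            users = active.get(app, set()) & members
            ratio = len(users) / len(members)
            if ratio < min_ratio:
                findings.append((group_name, app, len(users), len(members)))
    return findings


if __name__ == "__main__":
    for group_name, app, used, total in birthright_review(GROUPS, SIGNINS, date(2024, 6, 1)):
        print(f"group {group_name}: {app} used by {used}/{total} members in window")
```

The handful of members who still use a flagged application are the ones to move to a direct or smaller-group assignment before the entitlement is removed from the birthright group, which is what lets the reduction happen at scale without a wave of access requests.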
Applying least privilege principles
Applying least privilege principles must be planned proactively to deliver the most benefit to CISOs and IAM teams. Key factors to consider include:
- Automated, context-driven prioritization and focus on critical privileged accounts
- Actionable insights for effective remediation
- Granular provisioning and permission controls
- Birthright access analysis
Spera’s platform is tailored for CISOs and IAM managers, committed to achieving least privilege access across their organization in a practical, comprehensive and effective manner. Spera empowers your organization to take control of its identity security posture, reduce risks, and build a resilient defense against evolving cyber threats.