The Principle of Least Privilege (PoLP) is the security principle that each user (and each process acting on a user's behalf) is granted only the minimum access rights required to carry out their duties. It has become a cornerstone of cyber security guidelines and recommendations, including NIST SP 800-53r5, the NIST CSF, the Joint Ransomware Task Force #StopRansomware Guide and others.
Failure to implement least privilege has contributed to multiple attacks that ended in multi-million-dollar ransomware payments and damaged brand equity.
What is the Value of the Principle of Least Privilege (PoLP)?
As stated, PoLP ensures that users have only the rights needed to perform the tasks assigned to them, and nothing else. Bluntly, this means not granting dangerous permissions, such as admin and control permissions, to every user. The goal is the opposite: restrict control functions to a limited, enumerated set of users.
The Principle of Least Privilege is key for:
- Limiting access to sensitive information
- Limiting access to servers that hold sensitive information
- Limiting access to networks that hold sensitive information
- Limiting access within applications that enforce their own authorization to sensitive information
And, as the MGM hack illustrated, it is equally important to ensure:
- Limiting access to the set of users who can modify the access control policies themselves
By doing this, an organization ensures that a user who does not need sensitive information cannot reach it, and cannot change the controls that decide who has access to it.
Why is it So Hard to Implement PoLP?
The key problem is sloppiness and Privilege Creep.
Sloppy Identity Management:
Some organizations are simply sloppy: they have not set up proper access controls through a functioning IAM system (Entra ID, Okta, JumpCloud, Ping, AD) in which users are organized into groups and then assigned to applications and resources according to their group memberships.
And this is the key point: group membership. It is a serious identity flaw when an enterprise assigns elevated privileges to users on an INDIVIDUAL basis instead of attaching those permissions to a group and then placing users in these "admin"-powered groups. A group can be reviewed, counted and emptied in one place; a direct assignment is easy to forget and hard to find.
Companies that continue to hand out admin-level permissions directly, on an ongoing basis, are sloppy and do NOT implement the principle of least privilege. (NOTE: This is ONE of the key complaints in the SEC's charges against SolarWinds.)
The other enemy of PoLP is not as obvious as "sloppy identity management" but is probably more common and more deadly. This enemy is called Privilege Creep: the natural tendency of identities to accumulate permissions over time (new projects, role changes, one-off requests) until they are loaded with entitlements that are not required for their current jobs.
The basic problem is that enterprises are much better at GRANTING privileges than at reviewing and retracting them.
These excess privileges are a field day for attackers who take over such accounts and use them for nefarious purposes: every unused entitlement is reach the attacker gets for free.
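As an added example, not code from this page or from YouAttest: a small Python review that runs over an exported entitlement snapshot and reports both anti-patterns above, admin rights assigned directly to a user instead of through a group, and privileges that have not been exercised within the review window (privilege creep). It also lists who can edit the access-control policy itself, the control the MGM point is about. The group names, privilege names, record fields and the three identities are constructed assumptions, not the data model of any real IAM product.

```python
# Added example (not YouAttest's code): a least-privilege review run over an
# exported entitlement snapshot. It flags two anti-patterns:
#   1. "direct-admin": an admin-level privilege granted to a user directly
#      rather than through membership in an admin group;
#   2. "stale": privilege creep, i.e. an effective privilege the user has not
#      exercised inside the review window (never used counts as stale too).
# Group names, privilege names, field names and all identities below are
# constructed for illustration; none come from a real IAM product.
from dataclasses import dataclass
from datetime import date, timedelta

# Constructed policy: which groups carry which privileges, and which
# privileges are "control" privileges that must never be hand-assigned.
GROUP_PRIVILEGES = {
    "Global-Admins": {"user.write", "role.assign", "policy.write"},
    "Engineering": {"repo.read"},
}
ADMIN_PRIVILEGES = {"user.write", "role.assign", "policy.write"}
REVIEW_WINDOW = timedelta(days=90)


@dataclass
class Identity:
    user: str
    groups: frozenset             # group memberships
    direct_privileges: frozenset  # privileges assigned to the user directly
    last_used: dict               # privilege -> date it was last exercised


@dataclass(frozen=True)
class Finding:
    user: str
    privilege: str
    kind: str      # "direct-admin" or "stale"
    action: str    # what the reviewer should do


def effective_privileges(ident: Identity) -> set:
    """Union of directly assigned privileges and those inherited from groups."""
    privs = set(ident.direct_privileges)
    for group in ident.groups:
        privs |= GROUP_PRIVILEGES.get(group, set())
    return privs


def review(identities, as_of: date, window: timedelta = REVIEW_WINDOW) -> list:
    """Return the findings a reviewer must act on, in a deterministic order."""
    findings = []
    for ident in identities:
        # Anti-pattern 1: admin rights that bypass group membership.
        for priv in sorted(ident.direct_privileges & ADMIN_PRIVILEGES):
            findings.append(Finding(ident.user, priv, "direct-admin",
                                    "remove direct grant; use an admin group"))
        # Anti-pattern 2: privilege creep across all effective privileges.
        for priv in sorted(effective_privileges(ident)):
            last = ident.last_used.get(priv)
            if last is None or as_of - last > window:
                findings.append(Finding(ident.user, priv, "stale",
                                        "revoke unless the owner re-justifies"))
    return findings


def policy_editors(identities) -> set:
    """Who can change the access-control policy itself (the MGM lesson)."""
    return {i.user for i in identities
            if "policy.write" in effective_privileges(i)}


# Constructed snapshot, reviewed as of a fixed date so results are repeatable.
AS_OF = date(2024, 6, 30)
SNAPSHOT = [
    Identity("alice", frozenset({"Global-Admins"}), frozenset(),
             {"user.write": date(2024, 6, 27),
              "role.assign": date(2024, 3, 2),     # 120 days ago
              "policy.write": date(2024, 6, 20)}),
    Identity("bob", frozenset({"Engineering"}), frozenset({"role.assign"}),
             {"repo.read": date(2024, 6, 29)}),   # role.assign never used
    Identity("carol", frozenset({"Engineering"}), frozenset(),
             {"repo.read": date(2023, 12, 13)}),  # 200 days ago
]

if __name__ == "__main__":
    for f in review(SNAPSHOT, AS_OF):
        print(f"{f.user:6} {f.privilege:13} {f.kind:13} {f.action}")
    print("policy editors:", sorted(policy_editors(SNAPSHOT)))
```

Run against the constructed snapshot, the review reports alice's unused `role.assign`, bob's directly granted `role.assign` (twice: once as a direct admin grant, once as never used), and carol's long-idle `repo.read`, and shows that only alice can edit policy. The useful design choice is that "never used" and "not used within the window" are treated the same way: both are entitlements nobody has justified lately, which is exactly what a periodic attestation should surface.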
Principle of Least Privilege in NIST 800-53r5 and NIST CSF
Federal organizations are required to follow NIST SP 800-53r5 for their security controls. The NIST CSF (Cybersecurity Framework) is voluntary guidance, originally written for critical infrastructure operators and now used widely by public and private organizations.
Both of these frameworks spell out the principle of least privilege.
NIST SP 800-53r5, AC-6 (Least Privilege)
- Control: Employ the principle of least privilege, allowing only authorized accesses for users (or processes acting on behalf of users) that are necessary to accomplish assigned organizational tasks.
NIST Cybersecurity Framework (CSF) 1.1
- PR.AC-4: Access permissions and authorizations are managed, incorporating the principles of least privilege and separation of duties.
NIST Cybersecurity Framework (CSF) 2.0
- PR.AA-05: Access permissions, entitlements, and authorizations are managed and enforced, incorporating the principles of least privilege and separation of duties (formerly PR.AC-3 and PR.AC-4 in NIST CSF 1.1)
YouAttest and The Principle of Least Privilege
YouAttest is a purpose-built tool that helps organizations enforce the Principle of Least Privilege across the enterprise and thus reap the cyber and compliance rewards.
The cloud-based offering is designed to audit any resource and to make the process as painless as possible by integrating directly with the IAM for a simplified user access review. (Reviewers simply click a link, sent via email or Slack, and see only the roles they need to review.)
Most important, YouAttest can review key admin groups in an automated fashion. YouAttest customers regularly review their admin privilege groups on a monthly basis and log the evidence of these attestations. YouAttest can also set triggers on these groups, so that a membership change starts a real-time attestation.
YouAttest is the only cloud-based IGA platform that deploys in minutes via application SSO into your existing IAM platform and lets you enforce the Principle of Least Privilege by automating reviews of your users, groups and applications.
YouAttest connects directly to the enterprise IAM (Entra ID, Okta, JumpCloud, Ping) and uses the IAM's SSO for reviewing entitlements to BOTH IAM-managed resources and siloed (non-IAM-connected) resources.
Contact us to learn how YouAttest can automate your access review process and help your enterprise enforce the Principle of Least Privilege.