The principle of least privilege (PoLP) refers to an information security concept in which a user is given the minimum levels of access – or permissions – needed to perform his/her job functions.
The principle of least privilege is widely considered to be a cybersecurity best practice and is a fundamental step in protecting privileged access to high-value data and assets.
The principle of least privilege extends beyond human access. The model can be applied to applications, systems or connected devices that require privileges or permissions to perform a required task. Least privilege enforcement ensures the non-human tool has the requisite access needed – and nothing more.
Effective least privilege enforcement requires a way to centrally manage and secure privileged credentials, along with flexible controls that can balance cybersecurity and compliance requirements with operational and end-user needs.
What is Privilege Creep?
When organizations opt to revoke all administrative rights from business users, the IT team will often need to re-grant privileges so that users can perform certain tasks. For example, many legacy and homegrown applications used within enterprise IT environments require privileges to run, as do many commercial off-the-shelf (COTS) applications. For business users to run these authorized and necessary applications, the IT team has to give local administrator privileges back to the users. Once privileges are re-granted, they are rarely revoked, and over time, organizations can end up with many of their users holding local administrator rights again. This “privilege creep” reopens the security loophole associated with excessive administrative rights and makes organizations – that likely believe they are well-protected – more vulnerable to threats. By implementing least privilege access controls, organizations can help curb “privilege creep” and ensure human and non-human users only have the minimum levels of access required.
Why is the Principle of Least Privilege (PoLP) Important?
- It reduces the cyber attack surface. Most advanced attacks today rely on the exploitation of privileged credentials. By limiting super-user and administrator privileges (that provide IT administrators will unfettered access to target systems), least privilege enforcement helps to reduce the overall cyber attack surface.
- It stops the spread of malware. By enforcing least privilege on endpoints, malware attacks (such as SQL injection attacks) are unable to use elevated privileges to increase access and move laterally in order to install or execute malware or damage the machine.
- It improves end-user productivity. Removing local administrator rights from business users helps to reduce the risk, but enabling just-in-time privilege elevation, based on policy, helps to keep users productive and keeps IT helpdesk calls to a minimum.
- It helps streamline compliance and audits. Many internal policies and regulatory requirements require organizations to implement the principle of least privilege on privileged accounts to prevent malicious or unintentional damage to critical systems. Least privilege enforcement helps organizations demonstrate compliance with a full audit trail of privileged activities.
How to Implement the Principle of Least Privilege in Your Organization
To implement the principle of least privilege, organizations typically take one or some of the following steps, as part of a broader defense-in-depth cybersecurity strategy:
- Audit the full environment to locate privileged accounts – such as passwords, SSH keys, passwords hashes and access keys – on-premise, in the cloud, in DevOps environments and on endpoints.
- Eliminate unnecessary local administrator privileges and ensure that all human users and non-human users only have the privileges necessary to perform their work.
- Separate administrator accounts from standard accounts and isolate privileged user sessions.
- Provision privileged administrator account credentials to a digital vault to begin securing and managing those accounts.
- Immediately rotate all administrator passwords after each use to invalidate any credentials that may have been captured by keylogging software and to mitigate the risk of a Pass-the-Hash.
- Continuously monitor all activity related to administrator accounts to enable rapid detection and alerting on anomalous activity that may signal an in-progress attack.
- Enable just-in-time access elevation, allowing users to access privileged accounts or run privileged commands on a temporary, as needed basis.
The principle of least privilege is a foundational component of zero trust frameworks. Centered on the belief that organizations should not automatically trust anything inside or outside their perimeters, Zero Trust demands that organizations verify anything and everything trying to connect to systems before granting access. As many organizations accelerate their digital transformation strategies, they are shifting from traditional perimeter security approaches to the Zero Trust framework to protect their most sensitive networks.