Principle of Least Privilege: Where Do Companies Go Wrong?
by JD Sherry, on Jan 25, 2021
Most information security professionals are fundamentally aware of the Principle of Least Privilege (PoLP): When you’re assigning access, give users what they need, only as long as they need it. Don’t give more. Just give them Just-in-Time access (JITA).
It’s an easy case to make: Implement the Principle of Least Privilege as broadly as possible and—when the bad actors show up on your doorstep—they won’t find a ton of admin access scattered around that they can use to wreak havoc on your network and move laterally.
So, why has the Principle of Least Privilege become a lost art? Where do companies go wrong? Why do attack surfaces lie unprotected and vulnerable to attack while companies struggle with excess standing privilege?
Principle of Least Privilege – Evolving from the best intentions
The Principle of Least Privilege isn’t anything new. The concept has been around for a long time. Think back to shopkeepers centuries ago trying to decide who got a key to the front door, and how often the lock got changed. Security-minded shopkeepers tried to issue as few keys as possible, limiting their risk of break-in and the damage an intruder could do once inside. The idea behind the Principle of Least Privilege is no different.
Fast forward to our present day. Now, everyone essentially has a key to the shop!
Standing Privileges—A dangerous crutch
Implementing the Principle of Least Privilege takes … time—time to get it right, time to fix the errors of the past and put in a system of Just-in-Time Administration, one that provisions and controls future access so that it complies with the Zero Trust model. But, depending on the method used, PoLP can also severely disrupt operations and normal workflows for IT administrators and developers.
The operational convenience of Just-in-Case Administration is real, but it’s a dangerous crutch. If your most trusted users already have all the access they need to do anything you might ever ask of them, that’s just saving time when they need to get things done for the business, right? Wrong!
How does PoLP limit your exposure during a breach?
While the Just-in-Case operating model can have significant consequences, it’s PoLP that can limit exposure during a breach. Fewer standing privileges (24x7 access) that grant admin access mean fewer attack paths to the proverbial crown jewels. The more difficult you make it for the adversary, the more likely they will move on to an easier target.
By extending beyond the limitations of perimeter-based controls and focusing on access rather than authentication (the focus of legacy PAM), the Principle of Least Privilege is built for today’s security risks, and provides a platform through which organizations can adopt best-practice models like Zero Trust and the emerging trend of enforcement via Just-in-Time Administration.
By implementing the Principle of Least Privilege, with Just-in-Time Administration, you can:
- Minimize your attack surface by reducing the number of privileged credentials that can be stolen or abused
- Reduce risk without sacrificing the speed of business
- Remove attackers’ opportunities to install malware across your network
- Reduce the chance that employees themselves may make an error by using unnecessary access
What gets in the way of the Principle of Least Privilege?
No one goes into access control and says, ‘let’s not control access. Let’s just give everyone all the access.’
But, what happens that keeps the Principle of Least Privilege from getting implemented? How do we end up with wide-open admin access, the precise antithesis of PoLP?
How do we end up with 480 admins having always-on access to each employee workstation in the typical mid-sized enterprise with 15,000 computers?
The Principle of Least Privilege—What goes wrong?
The road to wide-open admin access is paved with the good intentions of workers who want to make everyone’s jobs easier by saving time and entrusting them to do the right thing.
Wide-open access rears its head in:
- Privilege Creep/Admin Access Drift: Admins need powerful access to do their jobs. But, companies then forget to end-date that access. They forget to check back to see if that access is still needed.
- Vague Roles: Role-based access gets confusing. We create roles for jobs, then those jobs end. New jobs come up and we use those roles again. But, the jobs are different, and don’t require the same access.
- Duplication of Roles: Suppose Ted starts on my team. When they create his access, they just duplicate what I have. Ted ends up over-provisioned because he doesn’t need all the same access I have. (Maybe I don’t even need it?)
- “God” Access: We’ve been there. There’s an emergency and only “God” can fix it. So, we provision the access of God to our tech savior, who sets out to fix whatever went wrong. As “God,” our savior has all the tools they need to fix the problem and we don’t lose precious hours first determining the access they need. It’s the grease that keeps the business going. But, this kind of access also gives attackers the tools they need to compromise your credentials and wreck your network.
- Temp Access: We all use contractors. We all grant them access. They move on more frequently than employees do. But, their access often stays live. This increases third-party access risk.
- M&A (Mergers and Acquisitions): Companies continue to grow via M&A. This also creates even more risk as those companies begin to integrate. Visibility of admin access across the companies is difficult at best and moving to the enforcement of proper controls like PoLP is extremely challenging.
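As an added example (not from the original post), a small access-review script that checks a constructed set of privileged grants for the failure modes listed above: standing privilege with no end date, grants unused for months, contractor access outliving the contract, and users whose role set is a straight copy of a colleague’s. The record fields, the 90-day idle threshold and the sample users are assumptions.

```python
from datetime import date, timedelta
from itertools import combinations

# Constructed sample of privileged-access grants; hypothetical data, not from any real directory.
TODAY = date(2021, 1, 25)
GRANTS = [
    # Standing admin grant, never end-dated and unused for almost a year: privilege creep.
    {"user": "alice", "kind": "employee", "role": "workstation-admin",
     "expires": None, "last_used": date(2020, 2, 10), "contract_end": None},
    {"user": "alice", "kind": "employee", "role": "domain-admin",
     "expires": None, "last_used": date(2020, 2, 10), "contract_end": None},
    # Ted's grants were copied from Alice's when he joined the team: duplication of roles.
    {"user": "ted", "kind": "employee", "role": "workstation-admin",
     "expires": None, "last_used": date(2021, 1, 20), "contract_end": None},
    {"user": "ted", "kind": "employee", "role": "domain-admin",
     "expires": None, "last_used": date(2020, 11, 2), "contract_end": None},
    # Contractor whose engagement ended but whose access is still live: temp access.
    {"user": "ctr-bob", "kind": "contractor", "role": "server-admin",
     "expires": date(2021, 3, 1), "last_used": date(2020, 12, 1), "contract_end": date(2020, 12, 15)},
    # Properly scoped just-in-time grant: one-day expiry, currently in use.
    {"user": "carol", "kind": "employee", "role": "server-admin",
     "expires": date(2021, 1, 26), "last_used": date(2021, 1, 25), "contract_end": None},
]

def standing_privilege(grants):
    """Users holding admin grants with no expiry at all (24x7 'Just-in-Case' access)."""
    return sorted({g["user"] for g in grants if g["expires"] is None})

def stale_grants(grants, today=TODAY, max_idle_days=90):
    """(user, role) pairs unused for longer than max_idle_days: candidates to end-date."""
    cutoff = today - timedelta(days=max_idle_days)
    return sorted((g["user"], g["role"]) for g in grants if g["last_used"] < cutoff)

def orphaned_contractor_access(grants, today=TODAY):
    """Contractor grants still live after the contract end date."""
    return sorted(g["user"] for g in grants
                  if g["kind"] == "contractor"
                  and g["contract_end"] is not None and g["contract_end"] < today
                  and (g["expires"] is None or g["expires"] > today))

def cloned_principals(grants):
    """Pairs of users holding exactly the same multi-role set: a sign of copy-paste provisioning."""
    roles = {}
    for g in grants:
        roles.setdefault(g["user"], set()).add(g["role"])
    return sorted((a, b) for a, b in combinations(sorted(roles), 2)
                  if len(roles[a]) > 1 and roles[a] == roles[b])

if __name__ == "__main__":
    for check in (standing_privilege, stale_grants, orphaned_contractor_access, cloned_principals):
        print(f"{check.__name__}: {check(GRANTS)}")
```

Each finding maps back to one of the drift patterns above, which is the first step toward end-dating the grant and re-issuing it just-in-time only when it is needed again.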
A lost art
The Principle of Least Privilege is a lost art. It becomes the sacrificial lamb when administrators and developers are looking for operational convenience to get through their day-to-day tasks. They think that the Principle of Least Privilege disrupts the business, that it causes friction that slows down their jobs.
While PoLP can slow down some day-to-day activities, it can save the business a lot of time, money, and effort when a breach, like SolarWinds, comes along. The Principle of Least Privilege can also reduce lateral movement risks hidden in your network and make incident response much easier.
As leaders in information security, we need to move toward the Principle of Least Privilege, Just-in-Time access, and implementing a sound Zero Trust model. To minimize the damage we might experience in a breach like SolarWinds, we need to fix the standing privileges we’ve granted in the past and design a Just-in-Time access model that works to prevent them from resurfacing in the future.