As part of a sound security structure, one of the most basic things a company can do is implement a principle of least privilege model within their organization. This blog will explain what this means and how this security model can up your security stature.
The principle of least privilege stems from the idea that users should only have access to the resources that they need so they can adequately perform the duties that they are required to do. For example, an employee who works in sales should not have access to financial records. An account created for someone in marking should not have administrator privileges.
An organization can reap many security benefits by implementing a principle of least privilege among their employees. We will dive into a few of these below.
An organization that successfully implements this model creates an environment where users can only access what is most important to them. Among other things, this can improve the efficiency of employees, having access only to the resources that they need and nothing else.
Many benefits exist for organizations that implement a principle of least privilege. A few are listed below:
Below are just two examples of how organizations can utilize the principle of least privilege.
Although this one may seem obvious, one of the most effective and underutilized ways to reduce risk is by making sure employees have an appropriate access level. By doing this, you can cut off the opportunity for malware to spread by having a low-level employee phished.
Sometimes, an employee temporarily will need high-level access or access to a resource they do not normally use. An example of this could be someone who works at a helpdesk or in IT Support. In cases like this, it makes sense to grant them just-in-time access. Stealthbits Privileged Activity Manager does just this – enabling secure, task-based administrative access delivered just-in-time and with just-enough privilege.
Just-in-time least privilege can also be a part of the zero standing privileges philosophy, which has the objective to eliminate these “always-on” privileges.
The steps below should be followed to implement a principle of least privilege policy in your organization:
Scan and catalog all systems and directories attached to the corporate network. Enumerate all accounts and groups including data such as password age, last login, and permissions.
Identify shared and dedicated privileged accounts and enumerate membership of built-in administrative groups. Know who has privileged access to servers and directories such as Active Directory.
Deploy vaulting mechanisms to rotate privileged accounts on schedule using strong passwords defined by policy. Any solution must provide the capability to provide access on a just-in-time basis and ensure that any credentials exposed for whatever length of time are rotated after use.
Audit usage of privileged accounts and build internal processes around regular entitlement certification and session review. Ensure that users have appropriate access to privileges according to their role and that entitlements are removed when no longer appropriate.
Eliminate administrative rights to desktops, servers, and directories through the use of agent-based or agent-less technologies. Make sure that no user has administrative access without going through a policy-based control mechanism that audits and governs access via policy.
Build delegated access policies that provide levels of access to tasks without the need to give full administrative rights. Where administrative rights are unavoidable, they should be delegated to dedicated user accounts for accountability and should be time-limited for specific maximum durations.
Proper data security begins with a strong foundation. Find out what you're standing on with a free deep-dive into the security of your Structured and Unstructured Data, Active Directory, and Windows infrastructure.Read more
Start a Free Stealthbits Trial!
No risk. No obligation.