Stealthbits

What is the Principle of Least Privilege (POLP)? – Definition and Best Practices


As part of a sound security structure, one of the most basic things a company can do is implement a principle of least privilege model within its organization. This blog explains what this means and how this security model can improve your security posture.

Principle of Least Privilege Definition (POLP)

The principle of least privilege stems from the idea that users should only have access to the resources they need in order to adequately perform the duties required of them. For example, an employee who works in sales should not have access to financial records, and an account created for someone in marketing should not have administrator privileges.

Benefits of Implementing a Principle of Least Privilege Model

An organization can reap many security benefits by implementing a principle of least privilege among its employees. We will dive into a few of these below.

What Does an Organization Accomplish Using Least Privilege?

An organization that successfully implements this model creates an environment where users can only access what is most important to them. Among other things, this can improve the efficiency of employees, since they have access only to the resources they need and nothing else.


Benefits of a Principle of Least Privilege (POLP)

Many benefits exist for organizations that implement a principle of least privilege. A few are listed below:

  • Better Security: When privileges are delegated responsibly, the damage from many potential insider threats is limited
  • Reduced Opportunity for Lateral Movement Attacks: An overabundance of privileged accounts provides would-be attackers plenty of opportunity for lateral movement
  • Protection Against Other Attacks: Implementing a principle of least privilege can help stop the spread of other common attacks on organizations, such as malware
  • A Healthier Network: A clean, organized network where admins are required to audit the access of all employees is a healthy network. A virtual free-for-all can lead to chaos

Which Security Practices Are Examples of the Principle of Least Privilege?

Below are just two examples of how organizations can utilize the principle of least privilege.

Least Privilege User Accounts

Although this one may seem obvious, one of the most effective and underutilized ways to reduce risk is making sure employees have an appropriate access level. By doing this, you cut off the opportunity for malware to spread when a low-level employee is phished.

Just-in-Time Least Privilege

Sometimes, an employee temporarily will need high-level access or access to a resource they do not normally use. An example of this could be someone who works at a helpdesk or in IT Support. In cases like this, it makes sense to grant them just-in-time access. Stealthbits Privileged Activity Manager does just this – enabling secure, task-based administrative access delivered just-in-time and with just-enough privilege.

Zero Standing Privileges

Just-in-time least privilege can also be part of the zero standing privileges philosophy, whose objective is to eliminate these “always-on” privileges.

Steps to Implement a Principle of Least Privilege Model (Best Practices)

The steps below should be followed to implement a principle of least privilege policy in your organization:

Discover

Scan and catalog all systems and directories attached to the corporate network. Enumerate all accounts and groups including data such as password age, last login, and permissions.

Evaluate Privileges

Identify shared and dedicated privileged accounts and enumerate membership of built-in administrative groups. Know who has privileged access to servers and directories such as Active Directory.

Manage

Deploy vaulting mechanisms to rotate privileged account credentials on schedule using strong passwords defined by policy. Any solution must be able to grant access on a just-in-time basis and ensure that any credential exposed, for whatever length of time, is rotated after use.

Monitor

Audit usage of privileged accounts and build internal processes around regular entitlement certification and session review. Ensure that users have appropriate access to privileges according to their role and that entitlements are removed when no longer appropriate.

Built-in Administrative Rights

Eliminate administrative rights to desktops, servers, and directories through the use of agent-based or agentless technologies. Make sure that no user has administrative access without going through a policy-based control mechanism that audits and governs that access.

Enforce Least Privilege Delegation

Build delegated access policies that provide levels of access to tasks without the need to give full administrative rights. Where administrative rights are unavoidable, they should be delegated to dedicated user accounts for accountability and should be time-limited for specific maximum durations.
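The Discover, Evaluate Privileges, Monitor and Enforce steps above, expressed as a check over an account inventory. This is an added example, not Stealthbits code: the inventory is constructed, and the field names, the list of built-in administrative groups and the policy thresholds are assumptions.

```python
# Constructed sample inventory (not real data) in the shape a Discover step
# might catalog; field names and thresholds are assumptions for this example.
BUILTIN_ADMIN_GROUPS = {"Domain Admins", "Enterprise Admins", "Administrators",
                        "Account Operators"}
MAX_PASSWORD_AGE_DAYS = 90      # rotation policy for privileged credentials
STALE_LOGIN_DAYS = 60           # entitlement no longer in use: remove it
MAX_DELEGATION_HOURS = 8        # maximum duration for a just-in-time grant

ACCOUNTS = [
    {"name": "jsmith", "groups": ["Sales"], "pwd_age_days": 30,
     "last_login_days": 1, "shared": False, "expires_in_hours": None},
    {"name": "svc_backup", "groups": ["Domain Admins"], "pwd_age_days": 400,
     "last_login_days": 2, "shared": True, "expires_in_hours": None},
    {"name": "helpdesk1", "groups": ["Account Operators"], "pwd_age_days": 20,
     "last_login_days": 0, "shared": False, "expires_in_hours": 4},
    {"name": "oldadmin", "groups": ["Administrators"], "pwd_age_days": 200,
     "last_login_days": 180, "shared": False, "expires_in_hours": None},
]


def privileged_groups(account):
    """Built-in administrative groups this account is a member of."""
    return sorted(BUILTIN_ADMIN_GROUPS & set(account["groups"]))


def evaluate(account):
    """Return the least-privilege findings for one account (empty = clean)."""
    findings = []
    if not privileged_groups(account):
        return findings                 # non-privileged: nothing to flag here
    if account["expires_in_hours"] is None:
        findings.append("standing-privilege")       # always-on: should be JIT
    elif account["expires_in_hours"] > MAX_DELEGATION_HOURS:
        findings.append("delegation-too-long")      # exceeds maximum duration
    if account["shared"]:
        findings.append("shared-privileged-account")  # no accountability
    if account["pwd_age_days"] > MAX_PASSWORD_AGE_DAYS:
        findings.append("password-rotation-overdue")
    if account["last_login_days"] > STALE_LOGIN_DAYS:
        findings.append("stale-entitlement")        # unused: remove privilege
    return findings


def report(accounts=ACCOUNTS):
    """Map each flagged account name to its findings; clean accounts omitted."""
    return {a["name"]: evaluate(a) for a in accounts if evaluate(a)}


if __name__ == "__main__":
    for name, issues in report().items():
        print(f"{name}: {', '.join(issues)}")
```

Feeding the same checks the output of a real directory export (group membership, pwdLastSet, lastLogon) turns this into the regular entitlement certification the Monitor step calls for.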

© 2020 Stealthbits Technologies, Inc.