What Is the Principle of Least Privilege?

Information security is a complex, multifaceted discipline built upon many foundational principles. The three most important—confidentiality, integrity, and availability (the CIA triad)—are considered the goals of any information security program. A supporting principle that helps organizations achieve these goals is the principle of least privilege.
The principle of least privilege addresses access control and states that an individual should have only the minimum access privileges necessary to perform a specific job or task and nothing more. So, an employee whose job entails processing payroll checks would have access to that specific function in a payroll application but would not have administrative access to the customer database. Similarly, a marketing specialist does not need access to employee salary data to do their job, an entry-level government worker should not have access to top-secret documents, and a finance specialist should not be able to edit application source code.

Most of us are familiar with the concept of restricting access and see or practice variations of this principle in everyday life. Parents use parental controls on home devices to restrict children's access to harmful content, ticketed airline passengers can board a plane but aren't allowed in the cockpit, students have access to learning systems but not to teachers' grading files, and a parking attendant with a valet key can park your car but can't open the locked glove box, console, or trunk.

As a principle, least privilege falls under the second A in the information security framework known as AAA: authentication, authorization, and accounting (or accountability). This framework addresses the need to verify the identity of users seeking access to a network or other resource (authentication), determine what they're allowed to do (authorization), and track the actions they take (accounting or accountability). So, at a high level, the principle is meant to help organizations reduce risk (a specific threat matched to a specific vulnerability, with both likelihood and impact evaluated to determine the level of risk) to the business, its people, and its assets.
More specifically, the goal is to reduce the potential damage that excessive privileges or their misuse can cause, whether accidentally or intentionally.

What Least Privilege Is Not

Least privilege is sometimes confused with, but is different from, two related security principles: need to know and separation of duties. Need to know, often used together with least privilege, narrows access further by tying it to a specific, current need. Sales managers, for example, do not need continuous access to their direct reports' personnel files, but they should have access for a limited time to complete each employee's annual performance review. Separation of duties calls for dividing critical tasks among two or more people so that no single individual has complete control of any action that could put the organization at risk. It might be used, for example, to prevent an accounts specialist from setting up fake vendor accounts and then paying phony invoices against those accounts to steal funds from the company. Like need to know, separation of duties is typically applied in addition to least privilege, not instead of it.

Who and What Does Least Privilege Apply To?

In practice, the principle of least privilege applies not only to individuals but also to networks, devices, programs, processes, and services. In access control terms, all of these are subjects (active entities) that request access to resources, or objects (passive entities that contain or receive information), such as systems, files, applications, directories, databases, ports, and more.[1] It is critical for organizations to understand that the principle must apply to all of these entities because, if compromised, any of them could put the organization or its data at risk. What are some examples of least privilege applied to nonuser entities? “Hardening” a server by shutting down unnecessary ports and removing unused components is one. Allowing a web application only to retrieve data, and not to change or delete it, is another.
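To make the vocabulary of these sections concrete, here is an added Python example (not code from the original article) of a small authorization policy engine. It follows the AAA split described above: the subject is already identified, each request is authorized as a (resource, action) pair against the minimum a role needs, and every decision, allowed or denied, is written to an audit log as the accounting record. It also gives one nonuser subject, a web front end, read-only access to a customer database, and layers on the two related controls just described: a time-boxed need-to-know grant that expires after a review window, and a separation-of-duties check that stops one subject from both creating a vendor and paying an invoice against it. All role, resource, action, and user names are hypothetical.

```python
"""Least privilege with AAA bookkeeping: a small authorization policy engine.

Added example, not code from the original article. Subjects are the users
and nonuser entities (a web front end, a service account) the article calls
active entities; objects are named resources. Every role, resource, action
and user name below is hypothetical.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta

# Authorization policy: each role grants only the (resource, action) pairs the
# job needs. The web front end may read customer data but has no write or
# delete privilege at all.
ROLE_PERMISSIONS = {
    "payroll_clerk": {("payroll_app", "process_checks")},
    "sales_manager": {("crm", "read"), ("crm", "write")},
    "accounts_payable": {("vendor_db", "create_vendor"), ("vendor_db", "pay_invoice")},
    "web_frontend": {("customer_db", "read")},
}

# Separation of duties: one subject may not perform both actions of a
# conflicting pair on the same object (create a vendor, then pay it).
SOD_CONFLICTS = [frozenset({"create_vendor", "pay_invoice"})]


@dataclass
class Subject:
    name: str
    roles: frozenset
    # Need to know: time-boxed grants, e.g. a direct report's personnel file
    # only while the annual review is open. Maps (resource, action) -> expiry.
    temporary_grants: dict = field(default_factory=dict)


@dataclass
class AccessControl:
    audit_log: list = field(default_factory=list)  # accounting: every decision
    history: dict = field(default_factory=dict)    # (resource, obj_id) -> {(subject, action)}

    def _permitted(self, subject, resource, action, now):
        for role in subject.roles:
            if (resource, action) in ROLE_PERMISSIONS.get(role, set()):
                return True, f"role {role}"
        expiry = subject.temporary_grants.get((resource, action))
        if expiry is not None and now < expiry:
            return True, f"temporary grant until {expiry.isoformat()}"
        return False, "no matching privilege"

    def _violates_sod(self, subject, resource, action, obj_id):
        done = self.history.get((resource, obj_id), set())
        return any(
            (subject.name, other) in done
            for conflict in SOD_CONFLICTS if action in conflict
            for other in conflict - {action}
        )

    def authorize(self, subject, resource, action, obj_id=None, now=None):
        """Return True if the request is allowed. Denials are logged too."""
        now = now or datetime.now()
        allowed, reason = self._permitted(subject, resource, action, now)
        if allowed and self._violates_sod(subject, resource, action, obj_id):
            allowed, reason = False, "separation of duties conflict"
        self.audit_log.append({"when": now, "subject": subject.name, "resource": resource,
                               "action": action, "object": obj_id, "allowed": allowed,
                               "reason": reason})
        if allowed:
            self.history.setdefault((resource, obj_id), set()).add((subject.name, action))
        return allowed


def run_demo(now=None):
    """Exercise the policy with constructed subjects; returns decisions and the audit trail."""
    now = now or datetime(2024, 1, 15, 9, 0)
    ac = AccessControl()
    clerk = Subject("pat", frozenset({"payroll_clerk"}))
    web = Subject("storefront-web", frozenset({"web_frontend"}))
    manager = Subject("sam", frozenset({"sales_manager"}),
                      temporary_grants={("hr_files", "read"): now + timedelta(days=7)})
    ap_one = Subject("alex", frozenset({"accounts_payable"}))
    ap_two = Subject("jo", frozenset({"accounts_payable"}))
    decisions = {
        "clerk_processes_checks": ac.authorize(clerk, "payroll_app", "process_checks", now=now),
        "clerk_admins_customer_db": ac.authorize(clerk, "customer_db", "admin", now=now),
        "web_reads_customers": ac.authorize(web, "customer_db", "read", now=now),
        "web_deletes_customers": ac.authorize(web, "customer_db", "delete", now=now),
        "manager_reads_hr_in_window": ac.authorize(manager, "hr_files", "read", now=now),
        "manager_reads_hr_after_window": ac.authorize(manager, "hr_files", "read",
                                                      now=now + timedelta(days=8)),
        "alex_creates_vendor": ac.authorize(ap_one, "vendor_db", "create_vendor", "vendor-42", now),
        "alex_pays_same_vendor": ac.authorize(ap_one, "vendor_db", "pay_invoice", "vendor-42", now),
        "jo_pays_same_vendor": ac.authorize(ap_two, "vendor_db", "pay_invoice", "vendor-42", now),
    }
    return decisions, ac.audit_log


if __name__ == "__main__":
    for name, allowed in run_demo()[0].items():
        print(f"{name:32} {'ALLOW' if allowed else 'DENY'}")
```

The default in the policy is deny: a request is allowed only if some role or unexpired grant names that exact (resource, action) pair, which is what makes the web front end's missing delete privilege a denial rather than an oversight. The audit log records the reason for each decision, so a reviewer can tell a missing privilege from a separation-of-duties block.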
A third example is authorizing an API to access only the specific data it needs rather than all data in a database.

The Importance of Practicing the Principle of Least Privilege

Although least privilege is one of the most commonsense security principles, organizations often do not take its enforcement seriously enough. Returning to the CIA triad, lax application of least privilege can undermine all three goals of confidentiality, integrity, and availability. In the examples noted earlier:
It's also worth noting that the OWASP Top Ten,[2] which lists the most common web application security weaknesses, explicitly calls out improper or broken authentication or access control as the culprit in at least four of the ten top web application security risks. One of the most obvious benefits of practicing least privilege is that it reduces an organization's attack surface
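As an added example of the broken access control the OWASP Top Ten warns about (this is illustration code, not code from the original article or from OWASP), here is a vulnerable invoice endpoint beside a hardened one. The vulnerable handler authenticates the caller and then trusts the client-supplied invoice id, so any customer can read any other customer's invoice. The hardened handler requires a read scope, enforces ownership unless the caller was explicitly granted read-all, and keeps deletion behind a separate scope that no session in the example holds. The handlers are framework-free, and the sessions, scopes, and invoice records are constructed for illustration.

```python
"""Broken vs. least-privilege access control in a web API handler.

Added example, not code from the original article. The handlers are
framework-free; the sessions, scopes and invoice records are constructed.
"""

# Constructed invoice table: records belong to two different customers.
INVOICES = {
    1001: {"owner": "alice", "amount": 120.00},
    1002: {"owner": "bob", "amount": 560.00},
}

# Constructed sessions. Each caller holds only the scopes its job needs:
# customers read their own invoices, the reporting service reads all of
# them, and nobody holds invoices:delete.
SESSIONS = {
    "tok-alice": {"user": "alice", "scopes": {"invoices:read"}},
    "tok-bob": {"user": "bob", "scopes": {"invoices:read"}},
    "tok-reporting": {"user": "reporting-svc", "scopes": {"invoices:read", "invoices:read-all"}},
}


def get_invoice_vulnerable(token, invoice_id):
    """Broken access control: the caller is authenticated, but the
    client-supplied id is trusted without checking who owns the record,
    so any logged-in user can read any invoice."""
    if token not in SESSIONS:
        return 401, None
    invoice = INVOICES.get(invoice_id)
    return (404, None) if invoice is None else (200, invoice)


def get_invoice_hardened(token, invoice_id):
    """Least privilege: require the read scope, then enforce ownership
    unless the caller was explicitly granted read-all."""
    session = SESSIONS.get(token)
    if session is None:
        return 401, None
    if "invoices:read" not in session["scopes"]:
        return 403, None
    invoice = INVOICES.get(invoice_id)
    if invoice is None:
        return 404, None
    if invoice["owner"] != session["user"] and "invoices:read-all" not in session["scopes"]:
        # Design choice: answer 404 rather than 403 so the endpoint does
        # not confirm which invoice ids exist.
        return 404, None
    return 200, invoice


def delete_invoice_hardened(token, invoice_id):
    """A destructive action needs its own scope; read access never implies it."""
    session = SESSIONS.get(token)
    if session is None:
        return 401, None
    if "invoices:delete" not in session["scopes"]:
        return 403, None
    invoice = INVOICES.get(invoice_id)
    if invoice is None or invoice["owner"] != session["user"]:
        return 404, None
    del INVOICES[invoice_id]
    return 204, None


if __name__ == "__main__":
    print("bob reads alice's invoice (vulnerable):", get_invoice_vulnerable("tok-bob", 1001))
    print("bob reads alice's invoice (hardened): ", get_invoice_hardened("tok-bob", 1001))
    print("alice deletes her own invoice:         ", delete_invoice_hardened("tok-alice", 1001))
```

The difference between the two read handlers is a single ownership check, which is exactly the check that is missing in an insecure direct object reference. Keeping the delete scope separate from read is the API-level form of the least privilege examples earlier on this page: a caller that only ever needs to retrieve data is never issued a token that can change or remove it.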
Practicing least privilege also protects the organization from itself or, more accurately, from its own users. Overly privileged users can easily put the organization's data or other assets at risk through error, ignorance, or negligence, as well as through the intentional malicious acts of a vengeful insider. Restricting users' ability to install or run unapproved applications can keep endpoints from becoming infected with malware or ransomware and, in turn, reduce the chances of an infection spreading throughout the organization. Finally, depending on the industry or type of business, many organizations must comply with laws and regulatory requirements such as the EU's General Data Protection Regulation (GDPR), the Payment Card Industry Data Security Standard (PCI DSS), HIPAA, the Sarbanes-Oxley Act in the United States, and others. Properly implementing and enforcing the principle of least privilege helps organizations achieve regulatory compliance and puts them in a better position to pass an audit.

Least Privilege Best Practices

Organizations that want to (or must) implement least privilege can begin by following these best practices:
Conclusion

As stated in the opening, although information security is a complex, multifaceted discipline, organizations should, at a minimum, strive to follow basic security principles and established best practices. The principle of least privilege helps organizations bolster their defenses by supporting the CIA triad and reducing the attack surface, which ultimately reduces their overall risk. For more information about security essentials, read What Is the CIA Triad? and What Are Security Controls?, both from F5 Labs' Learning Center.