What is the principle of least privilege (PoLP)?
The principle of least privilege is a cybersecurity concept that reduces an organization’s attack surface by granting access on a strictly as-needed basis. Users’ access rights are limited to those needed to do their job or complete a specific task. The objective of least privilege access is to reduce attack surfaces and blast radiuses by minimizing lateral movement and, thus, the damage that can be done in the event of unauthorized access.
Least privilege access is applied to all read, write, and execute functions that users require to do their jobs. It controls rights for human and non-human users (e.g., applications, backup systems, databases, Internet of Things (IoT) devices, operating systems, and servers).
With least privilege, access rights can be fairly broad to granular. In some cases, least privilege rights are based on attributes associated with a user’s role within an organization. In other cases, least privilege access is tied to location or time of day. In addition, least privilege can extend to the specific systems or applications a user can access.
The three core elements of least privilege access are:
- Identity authentication
Enforcing least privilege access by confirming users that attempt access are verified as authorized
- Device health
Using least privilege access to protect users from becoming tainted by compromised devices by assessing device health before granting access
Implementing granular segmentation for both network and user-to-application access to enforce the principle of least privilege
Definition of privileged accounts
A privileged account is any user account, human or non-human, with more access and rights than ordinary users. Privileged accounts, often referred to as administrator or admin accounts, can be associated with a variety of admin and non-admin users, including:
- Third-party or fourth-party contractors
- Database administrators
- Helpdesk experts
- IT administrators
- Security teams
- System and application administrators
- Non-humans, such as:
- Application-to-application (A2A)
- Backup systems
- Internet of Things (IoT) devices
- Machine-to-machine (M2M) servers
- Operating systems
- Services accounts
Least privilege is particularly important for privileged accounts, because of the access rights granted to them. Since most attack vectors leverage access to execute their crimes, privileged accounts are often targeted as they offer greater lateral movement opportunities and facilitate escalation tactics as part of an attack chain.
Using least privilege access controls for privileged accounts allows them to be safely used to perform their duties with limited risk from exploitation. Special administrative or elevated privileges that privileged accounts have include:
- Accessing sensitive information, such as personally identifiable information (PII), protected health information (PHI), legal documents, employee information, customer information, government files, and trade secrets
- Extended, sometimes global, rights within the IT resources (e.g., applications, databases, devices, servers, and systems)
- Installing or removing software
- Modifying configurations for applications, systems, or devices
- Upgrading or modifying operating systems
- User administration (e.g., add, remove, and disable accounts, or modify permissions)
Privileged access and the cloud
Cloud deployments depend on access controls to manage workloads. Cloud instances require support to ensure user access is authorized, as instances, runtime, and resources are based on a permissions model.
Because cloud computing is highly dynamic, layers of privileges are often provisioned, especially in multi-cloud environments.
Least privilege access can address the many issues related to cloud deployments by restricting access based on need. It mitigates the issues related to overprovisioning and reduces the attack surface for all cloud instances.
Common threat vectors to privileged access
Following are some of the many threat vectors that target privileged accounts.
Privilege escalations allow attackers to propagate attack vectors on target systems for a number of reasons, including to:
- Deploy malicious software on a target system
- Gain root access to a target system or an entire network
- Modify security settings or privileges to elevate access privileges
- Procure access to other connected systems, applications, or data
What happens with a privilege escalation attack depends on whether a horizontal or vertical attack is perpetrated.
- Horizontal privilege escalation
With a horizontal privilege escalation attack, the perpetrator starts with one account, then uses that to gain access to the rights of other accounts with comparable privileges. These accounts can be humans or machines.
Referred to as an account takeover or lateral movement, horizontal privilege escalation attacks typically target lower-level accounts that are often lacking enhanced security protections.
- Vertical privilege escalation
Also referred to as a privilege elevation attack, vertical privilege escalation attacks increase access privileges beyond those the user (e.g., a person, application, system, or device) already has. The attacker usually has to execute several steps to bypass or override privilege controls, exploit vulnerabilities, or obtain privileged credentials.
Among the techniques used as part of a vertical privilege escalation attack are taking advantage of common weaknesses and flaws, such as:
- Overprovisioning of privileges
- Lack of awareness of privileged accounts
- Hardcoded and embedded credentials
- Shared admin accounts
- Weak passwords
The growing requirement for strong passwords results from a rise in successful password hacking. Cybercriminals are becoming increasingly adept at developing and using programmatic techniques and automation to determine users’ login credentials.
In addition, if the account holder reuses passwords between resources, the risks of password guessing and lateral movement dramatically increase. Imagine a person who uses only one or two base passwords everywhere—for all their digital presence and privileged accounts. Unfortunately, this is a frequent occurrence.
A low-tech and sometimes no-tech way of procuring users’ login credentials is shoulder surfing, whereby a cybercriminal watches users enter usernames, passwords, and personal identification numbers (PINs). They can also access users’ credentials by getting them from notes left on desks, which is more common than many organizations expect.
Password changes and resets
Cybercriminals routinely take advantage of password change and reset functions in many applications and systems. This is a ripe target for attackers, because users tend to make common mistakes, such as:
- Communicating new passwords verbally so that they can be overheard
- Creating passwords that are so complex that users write them down and save them
- Resetting passwords via email or text message and keeping the new credentials
- Using the same generic password when resetting users’ accounts (i.e., by helpdesk teams)
No review of threat vectors is complete without malware. Among the types of malware used to target privileged accounts are:
- Bad bots
Always an effective tool for cybercriminals, social engineering attacks are often used to compromise privileged accounts. Common social engineering ploys include:
Least privilege access challenges
At its root, least privilege is about providing users with as little access as possible. This means restricting access and removing access when it is no longer needed. Both seem prudent, but these two fundamental components of least privilege access cause challenges.
With least privilege, administrators handle granting access, which can be a nuanced process. In many cases, administrators do not know specifically how much access is actually required, and may “round up,” and grant users more access than they actually need to minimize the hassle of having users request additional access. However, if insufficient access is granted, users suffer from productivity loss from not being able to perform their tasks and time spent requesting additional privileges.
Expiration of access
Another least privileged access challenge is changes in users’ tasks. Least privilege access dictates that it should be set according to the needs of the task and when access is no longer needed, it should be terminated. However, during the course of a project, requirements may change, and timelines may be extended as a result. When access is terminated based on preset determinants, productivity and morale can suffer.
Least privilege access benefits
Following is a review of the benefits that least privilege access can provide to organizations. These benefits also demonstrate why least privilege access has become integral to many security portfolios. By restricting what users can access, least privilege prevents a number of malicious and accidental activities that can compromise security.
- Bolsters system stability by limiting the number of users making changes or updates
- Contains malware to limit its impact by keeping its ability to propagate to a minimum, as most users only have limited access to other resources that could be compromised
- Controls access to data to limit users’ ability to view, edit, share, or extract data from systems and applications
- Reduces helpdesk calls by giving users the access they need to complete their designated tasks
- Decreases the chances of an internal leak of sensitive information
- Enhances data security by limiting the number of people who have access to sensitive data
- Helps keep superuser accounts and privileged administrator accounts and access to a minimum
- Improves audit readiness and the scope of audits
- Improves user productivity by providing direction for how access is provisioned and managed
- Make it easier to track the source of a cyber attack or data breach, because there are a limited number of users with access to that data
- Minimizes the points of entry available for cybercriminals to exploit by reducing the user access attack surface
- Mitigates the impact of human error by limiting users’ access to systems, applications, and data that could be inadvertently changed or deleted
- Protects against privilege escalation attacks by limiting users’ privileges, including superusers and administrators
- Provides guidelines and processes to manage the elevation of access privileges
- Reduces the downtime and losses that result from a cyber attack or data breach
- Restricts access to applications, systems, and devices to prevent unauthorized configuration or access changes
- Supports compliance with regulatory mandates that require protections against data breaches and cyber attacks that could compromise data and systems
Least privilege access best practices
The implementation of least privilege access will vary by each organization to accommodate their unique requirements. However, the following are seven best practices that have proven to be effective for many organizations.
Conduct regular audits
The success of least privilege depends on access staying current. Users’ requirements, roles, and employment statuses continuously change.
A key part of enforcing least privilege access is having processes in place to audit usage and requirements and making necessary adjustments routinely. These least privilege audits should review all existing accounts, processes, and programs to ensure they have the minimum permissions and that access is still needed. This prevents cases where older users, accounts, and processes accumulate privileges over time, whether they still need those things or not, and flags inactive accounts.
Elevate privileges for a limited time
Least privilege allows for access to be elevated. However, it is recommended that this is temporary.
Any access beyond the established least privilege should be restricted by time or number of logins. The privileges granted must be temporary whenever a user needs to raise the level of access for a specific project. This elevation in least privilege access can be restricted by time (e.g., a month), single-use access until a project is complete, or until there is a change in the user’s role.
Extend least privilege access on an as-needed basis
Least privilege access should be elevated on a case-by-case basis. Before a user is granted elevated privileges, a thorough review of access requirements should be conducted.
Identify high-level functions that require elevated least privilege access
Avoid productivity losses and user frustration by identifying users that require elevated access. Organizations can take care not to restrict authorized users by deploying a blanket approach to access, then adding privileges. This will be necessary in some cases, but taking time to grant elevated access where it is appropriate proactively is important.
Start with least privilege access for new accounts
Establish least privilege access requirements for the types of users in the organization. When provisioning new accounts, follow least privilege guidelines and elevate access as need is demonstrated.
Starting with a default of least privilege facilitates implementing and managing a least privilege access protocol for IT.
Note that least privilege access should take compliance requirements into consideration.
Track all user actions
Monitor and track all user activity (e.g., elevation or access requests, logins, activities, and system changes) to detect any instances of overprovisioning. This important function of least privilege access ensures that misappropriation of privileges is rectified quickly to minimize risk and reduce threats.
Importance of least privilege access
When strategically implemented, least privilege access strikes the elusive balance between usability and security to protect critical data and systems. Least privilege is a cybersecurity approach that minimizes the attack surface, prevents cyberattacks, enhances operational security, and reduces the impact of human error.
Least privilege access is an effective security approach to defend all types of users and use cases in today’s hybrid enterprise environments—from employee and third-party access to applications and operating systems. While it requires continuous monitoring and updates, least privilege access can be part of the line of defense for any organization.
You might also be interested in:
How mature is your identity security strategy?
Discover the 5 horizons of identity security.