November 15, 2022 By Jonathan Reed

Every security officer wants to minimize their attack surface. One of the best ways to do this is by implementing a least privilege strategy.

One report revealed that data breaches from insiders could cost as much as 20% of annual revenue. Also, at least one in three reported data breaches involve an insider. Over 78% of insider data breaches involve unintentional data loss or exposure. Least privilege protocols can help prevent these kinds of blunders.

Clearly, proper management of access privilege is critical for strong security. In this article, we’ll explore how least privilege works to make this happen. We’ll also see how least privilege fits into broader privilege access management and zero trust strategies.

What is least privilege?

Bank tellers have access to their workstations, but only during their work shifts. And only a few employees have access to the main vault. If a bank employee leaves the bank, they have to relinquish access. That’s how least privilege works.

According to the Cybersecurity and Infrastructure Security Agency (CISA), least privilege means “only the minimum necessary rights should be assigned to a subject that requests access to a resource and should be in effect for the shortest duration necessary.”

The business drivers behind using least privilege are varied. First, there’s the need to thwart threats (intentional or unintentional) that come from employees, third parties and attackers. Compliance is also a common reason to adopt least privilege efforts.

A single compromised endpoint with admin rights can provide an adversary or malicious insider the means to gain undetected network access. And today’s endpoints are more diverse and distributed than ever, with more remote workers, billions of IoT devices and the ongoing migration to the cloud. Least privilege helps manage the expansion of endpoints that organizations encounter as the security perimeter disappears.

How is least privilege implemented?

Every least privilege approach must evolve to fit the organization. Overall strategy can be developed based on key activities, which include:

  • Discovery – Assess identities, assets, risk and access. Identify the business-critical assets that would have the greatest impact if they were breached, stolen or compromised. Discovery tools can quickly identify local admin accounts, service accounts and applications in use on endpoints.
  • Defined policy – Your policies define the level of acceptable risk for applications, identities and services. Policy also determines how you monitor and verify access to secure assets based on a user’s behavior. The key is to balance security and trust with minimal disruption to the end user.
  • Management – Least privilege management involves ongoing efforts to discover privileged accounts, audit usage and apply new security controls and policies. Orchestration and automation make management efforts easier. The key is to remove potential points of exposure by elevating and removing privileges in real time.
  • Detection and response – Detection efforts reveal and resolve instances where an identity no longer needs privileged access. Behavioral analytics allow organizations to respond to a user’s context or unusual behavior. Sign-in attempts from a new location or device could trigger a requirement for identity verification. High-risk behavior results in an immediate user account or application quarantine.
  • Reviews and audits – Reviews and audits should tell a clear story about your organization’s success at contextual privileged account management. Review key metrics over time to monitor privileged account ownership or policy-based application controls, and use this intelligence to refine the life cycle.
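
One way to automate the detection and review steps above, shown as an added example that is not from the original article: a grant review that flags privileged access with no expiry, access past its approved duration, and access that has gone unused. The `Grant` fields, the 30-day idle threshold and the sample inventory are assumptions constructed for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

# Hypothetical policy value: privileged access idle this long is treated as no longer needed.
MAX_IDLE = timedelta(days=30)

@dataclass(frozen=True)
class Grant:
    identity: str                    # user, service account or application
    resource: str
    granted_at: datetime
    expires_at: Optional[datetime]   # None = standing privilege with no end date
    last_used: Optional[datetime]    # None = never exercised

def review_grant(g: Grant, now: datetime) -> Optional[str]:
    """Return why a grant conflicts with least privilege, or None if it may stay."""
    if g.expires_at is None:
        return "standing: no expiry set"
    if g.expires_at <= now:
        return "expired: past the approved duration"
    # Idle time counts from the last use, or from the grant time if never used,
    # so a freshly issued grant is not flagged before anyone could use it.
    if now - (g.last_used or g.granted_at) > MAX_IDLE:
        return "idle: not used within the policy window"
    return None

def findings(grants, now):
    """Map (identity, resource) -> reason for each grant to revoke or re-approve."""
    result = {}
    for g in grants:
        reason = review_grant(g, now)
        if reason:
            result[(g.identity, g.resource)] = reason
    return result

# Constructed sample inventory (not real data).
NOW = datetime(2022, 11, 15, 12, 0)
D = timedelta(days=1)
SAMPLE = [
    Grant("alice", "payroll-db", NOW - 2 * D, NOW + D, NOW - D),
    Grant("svc-backup", "file-server", NOW - 400 * D, None, NOW - D),
    Grant("bob", "hypervisor-01", NOW - 10 * D, NOW - 3 * D, NOW - 5 * D),
    Grant("carol", "firewall", NOW - 90 * D, NOW + 7 * D, NOW - 45 * D),
    Grant("dave", "firewall", NOW - 40 * D, NOW + 7 * D, None),
]

if __name__ == "__main__":
    for (identity, resource), reason in findings(SAMPLE, NOW).items():
        print(f"{identity} on {resource}: {reason}")
```
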

Part of privilege access management

When considering access, we often think of users. Least privilege is a core component of a larger privilege access management (PAM) approach. PAM also monitors applications and processes that must access different network areas and other apps to function.

This strategic approach grants or denies privileged access to the network — including infrastructure and apps. PAM purposely manages access using a single point of sign-on for users and a single point of management for admins. Privilege access management refers to the tools used for access management and the overall PAM process.

It’s critical, however, that performance also remains uncompromised. PAM strategies must also allow for fast access to multiple databases, applications, hypervisors, network devices and security tools to manage across an expanding attack surface. Ideally, PAM solutions should deploy rapidly with turnkey installation and out-of-the-box auditing and reporting tools.

Embracing zero trust

Threat actors will take advantage of stolen credentials and weaponized APIs to penetrate networks. Meanwhile, machines request access faster and at exponentially higher volumes than humans. A massive quantity of automated applications and APIs also require authentication.

New approaches are required to secure this ever-expanding universe of connectivity. Both least privilege and PAM strategies fall under the umbrella of a zero trust approach. Zero trust architecture extends the perimeter to its furthest end, be it a user, device, application or API asking for network access. Denial of access is the default position until identity and authenticity can be verified.

By enforcing these strategies, organizations can reduce their attack surface and remain better protected against breaches.
