Light Dark
November 13, 2019 By Jasmine Henry 5 min read
Identity & Access

It all starts with a PDF attachment. An employee doesn’t detect the signs of a social engineering attack, and so they open the attachment on their work-issued laptop, not knowing that their computer has local administrator access. Invisible malware then edits the laptop’s registry and erases the audit trails as it infiltrates the whole network. And this entire security breach could have been prevented with the principle of least privilege.

Identity and access management (IAM) issues aren’t technically the leading cause of data breaches, but they’re definitely contributors. Countless enterprises are still using static, role-based access methods from the pre-cloud era, but assigning local admin group privileges based on a user’s job title is a recipe for overprivileged users and widespread vulnerabilities.

The Principle of Least Privilege Means Minimal Trust

The principle of least privilege is a simple cybersecurity concept. It means assigning the least amount of capabilities possible to accomplish a task and limit the possible impact of identities and applications dynamically in order to limit risk exposure. A least-privilege model balances risk, productivity, security and privacy in environments where workloads and risks change constantly.

Minimal trust describes the concept of providing the least privilege possible to get the job done. It’s a risk-based model for IAM that requires a dynamic approach to security, privacy and privilege. The benefits of privileged access management are obvious, but implementing the idea will require some work.

The Overprivileged Account Epidemic

How bad is the crisis of overprivilege, anyway? One study from Centrify found that 72 percent of enterprises know they struggle to control excessive admin accounts, but the actual figure is likely higher. Experts estimate up to 99 percent of user privileges are unused and represent points of failure, according to MIS Training Institute.

And humans aren’t the only privileged users in the enterprise. “Identity” extends to anything that can access secure resources, including service accounts and APIs. MIS Training Institute noted that users represent just one-seventh of an enterprise’s identities. There’s an epidemic of issues concerning privileged access management among human users, but that’s just the tip of the iceberg.

Putting the Principle of Least Privilege to Work

The principle of least privilege isn’t a formula. Minimal trust is a concept, and it’s a moving target. Any efforts to mitigate privileged access management issues are worthwhile if they reduce vulnerabilities. For example, simply targeting overprivileged user accounts can have an effect. Targeting excessive local admin privileges can significantly reduce the risks of patch vulnerabilities. More than 80 percent of patch vulnerabilities on operating systems require admin privileges for a successful exploit.

Putting the least privilege principle into practice means finding the perfect balance between user trust, privacy and security across identities, applications and services. Getting there requires adopting a new IAM life cycle for minimal trust, which involves:

  • Discovery
  • Defining policy
  • Managing
  • Detecting and responding
  • Reviewing and auditing

Discover

The first step is an assessment of assets, identities, access and risk. To that end, a data risk assessment can reveal a comprehensive index of your assets and the risks they pose. Identity your business-critical assets based on which ones would have the greatest impact on the enterprise if they were breached, stolen or compromised.

Identify privileged accounts and map access pathways between identities and assets. Understand where privileged identities exist across all types of identities, including both internal and external users, services, applications and systems. Next, map all possible points of privileged access, including hardware, software, on-premises environments and those that exist in the cloud.

Discovery needs to be a comprehensive effort to see all privileged account management concerns, including third-party access issues and cloud vulnerabilities. This is an opportunity to see legitimate use cases for privileged access and instances of excessive permission.

Define Policy

Dynamic access policies are the foundation of the least privilege principle. To orchestrate and automate minimal trust, you need policies that dictate the baseline for trust. To that end, create an application whitelist and blacklist. For example, whitelisting for trusted apps and processes could include an “always trust” policy for mobile apps downloaded from your corporate app store. A blacklist policy might set a policy to “always quarantine and monitor” applications that come from sources other than verified vendors.

Your policies define the level of risk you’re willing to accept in applications, identities and services and how you monitor and verify access to secure assets based on a user’s behavior. An effective policy balances security and trust with minimal disruption to the end user. You may choose to “always verify” external user identities (by requiring credential sign-in and multifactor authentication (MFA) or biometrics) and grant trust to internal users on known devices.

Manage

Discovering privileged accounts and defining policies are ongoing processes. Least privilege in a dynamic enterprise environment requires a continual effort to apply controls based on actual risk by auditing behavior for anomalies and adopting controls that identify potential abuse.

Orchestration and automation are key to making ongoing management efforts seamless. Solutions that help to orchestrate least-privilege security can remove potential points of exposure in ways that are invisible to users by elevating and removing privileges in real time. In other cases, you can establish trust quickly for legitimate access attempts by requiring one-time passwords to protect the most business-critical assets.

The management stage of the life cycle involves ongoing efforts to discover privileged accounts, audit usage and apply new security controls and policy. Automation and orchestration efforts can help the enterprise elevate user privileges on-demand and increase or decrease identity privileges based on emerging risks or threats. In practice, the principle of least privilege means limiting overprivileged accounts and providing seamless access to trusted users.

Detect and Respond

Least privilege implementation requires continual detection of unnecessary privilege, compliance issues or risky behavior. Ongoing detection efforts may reveal and resolve instances where an identity no longer needs privileged access. Behavioral analytics are key to detecting anomalies without disrupting end users.

The principle of least privilege allows organizations to respond to a user’s context or unusual behavior. Sign-in attempts from a new location or device could trigger a requirement for identity verification, while high-risk behavior results in the immediate quarantine of a user account or application.

Detection and response are highly contextual, and data is needed to balance user requirements with risk. Orchestration and automation solutions can escalate privileges seamlessly during legitimate access attempts and immediately respond to risks, such as user attempts to download blacklisted applications.

Review and Audit

Protecting your assets requires a clear audit trail of applications, identities and response activities, and successful adoption of the least privilege principle is a moving target. Reviewing audit trails is necessary for compliance, and it can reveal progress toward putting minimal trust to work.

Review and audit activities should tell a clear story about your organization’s compliance and success at contextual privileged account management, such as instances where a graylisted application was quarantined in a sandbox environment. Review key metrics over time to monitor privileged account ownership or policy-based application controls and use this intelligence to refine the life cycle.

Balance Risk, Security and Trust

Effective enforcement of the principle of least privilege requires a life cycle mindset and coordinated efforts between security, IT, risk and compliance leadership. Minimal trust in practice requires effective policy and solutions that help orchestrate and automate IAM. Balancing security with trust requires ongoing monitoring and response across identities, endpoints and environments.

 |  |  |  |  |  |  |  |  |  |  |  | 
Jasmine Henry

More from Identity & Access
December 1, 2023

Taking the complexity out of identity solutions for hybrid environments

4 min read - For the past two decades, businesses have been making significant investments to consolidate their identity and access management (IAM) platforms and directories to manage user identities in one place. However, the hybrid nature of the cloud has led many to realize that this ultimate goal is a fantasy. Instead, businesses must learn how to consistently and effectively manage user identities across multiple IAM platforms and directories. As cloud migration and digital transformation accelerate at a dizzying pace, enterprises are left…

September 13, 2023

“Authorized” to break in: Adversaries use valid credentials to compromise cloud environments

4 min read - Overprivileged plaintext credentials left on display in 33% of X-Force adversary simulations Adversaries are constantly seeking to improve their productivity margins, but new data from IBM X-Force suggests they aren’t exclusively leaning on sophistication to do so. Simple yet reliable tactics that offer ease of use and often direct access to privileged environments are still heavily relied upon. Today X-Force released the 2023 Cloud Threat Landscape Report, detailing common trends and top threats observed against cloud environments over the past…

August 1, 2023

Artificial intelligence threats in identity management

4 min read - The 2023 Identity Security Threat Landscape Report from CyberArk identified some valuable insights. 2,300 security professionals surveyed responded with some sobering figures: 68% are concerned about insider threats from employee layoffs and churn 99% expect some type of identity compromise driven by financial cutbacks, geopolitical factors, cloud applications and hybrid work environments 74% are concerned about confidential data loss through employees, ex-employees and third-party vendors. Additionally, many feel digital identity proliferation is on the rise and the attack surface is…

July 18, 2023

X-Force certified containment: Responding to AD CS attacks

6 min read - This post was made possible through the contributions of Joseph Spero and Thanassis Diogos. In June 2023, IBM Security X-Force responded to an incident where a client had received alerts from their security tooling regarding potential malicious activity originating from a system within their network targeting a domain controller. X-Force analysis revealed that an attacker gained access to the client network through a VPN connection using a third-party IT management account. The IT management account had multi-factor authentication (MFA) disabled…

Topic updates

 Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today
© 2023 IBM Contact Privacy Terms of use Accessibility Cookie Preferences
Sponsored by si-icon-eightbarfeature