What to Do with the Principle of Least Privilege?
Organizations seem to see the point of least privilege as different things. Setting up users with the least amount of privileges possible is the idea (the clue is in the name), but then what? The way you answer this question determines what least privilege is really all about within your organization; it reflects what’s important to you when establishing security around this principle, as well as the scope and duration the principle needs to be in effect.
Not sure what I mean? Keep reading. There are a few ways to answer the question “then what?”
Once you’ve established that everyone’s privileges are minimized down to the core necessity only to enable them to do their job, there is a bit of logic that says there’s nothing more to do here.
If you subscribe to the thinking that once the permissions have been limited, you’re done, then for you, least privilege is definitely about the current state of privilege.
2. Review Privileges Periodically
Those of you with this response are definitely more in the “maintaining a state of Least Privilege” mindset – which is good. Having periodic attestation around privileges required, permissions assignments and group memberships is a solid way to ensure control over what would otherwise become an entropic mess of ‘over-permissioning’ with no visibility into the privileges assigned.
For your organization, least privilege is about maintaining a continual state of least privilege.
3. Monitor the Use of Privileged Accounts
Those organizations in this camp definitely have a bit more of a mature viewpoint on the implementation of least privilege. With monitoring in the mix, you acknowledge that least privilege isn’t really about the privilege; it’s about the use of privileges. This can be as simple as monitoring all logons, leveraging a password vault where privileged accounts must be checked out, or can be as complex as monitoring user activity through session recording.
One of the challenges in this particular answer is that you need to decide which user accounts are “privileged”. Is it just accounts with admin rights in Active Directory? Those with administrative rights to enterprise applications? Those with admin rights to endpoints? Servers? More than that?
If you’ve drawn a line somewhere in the proverbial sand, so that accounts at a particular level of privilege and above are the ones that get monitored, then for you least privilege is about validating that the state of privilege is not misused.
4. Monitor the Use of All Accounts
Delineating the ‘privileged’ from the ‘low’ level user can be somewhat short-sighted. If you start with the data, applications and systems you deem critical (that is, you wouldn’t want them compromised, exfiltrated, etc.) and work back to your users, you quickly realize that even the low-level sales person who has access to at least a subset of your customer database is, by definition, privileged. Certainly nowhere near as privileged as the Administrator account in AD, but they nonetheless have privileged access that users outside of sales do not.
So, it should be evident that if you’re going to take the route of monitoring privileged accounts, you need some level of use monitoring even for the accounts that represent a lower risk to the organization (like the sales user). Higher-risk users may require user activity or session monitoring, but all users should have a base level of monitoring for use, such as logon monitoring, to look for leading indicators of compromise, such as inappropriate or irregular logon attempts by otherwise normal users.
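As an added illustration of the base-level logon monitoring described above (example code written for this page, not from the original post), the following builds a per-user baseline of logon hours and source hosts from constructed sample records, then flags new logons at an hour or from a host never seen for that user, and a burst of failed logons. All user names, host names and timestamps are constructed.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample logon records (not from any real system):
# (timestamp, user, source host, outcome)
HISTORY = [
    ("2024-03-04T09:05:00", "sales01", "WS-SALES-07", "success"),
    ("2024-03-05T08:58:00", "sales01", "WS-SALES-07", "success"),
    ("2024-03-06T09:12:00", "sales01", "WS-SALES-07", "success"),
    ("2024-03-04T07:30:00", "dba02", "JUMP-01", "success"),
    ("2024-03-05T07:45:00", "dba02", "JUMP-02", "success"),
]
NEW_EVENTS = [
    ("2024-03-11T09:01:00", "sales01", "WS-SALES-07", "success"),  # routine
    ("2024-03-11T02:14:00", "sales01", "WS-SALES-07", "success"),  # odd hour
    ("2024-03-11T09:30:00", "sales01", "SRV-FILE-03", "success"),  # new host
    ("2024-03-11T10:21:00", "dba02", "JUMP-01", "failure"),
    ("2024-03-11T10:21:05", "dba02", "JUMP-01", "failure"),
    ("2024-03-11T10:21:09", "dba02", "JUMP-01", "failure"),
]

def build_baseline(events):
    """Per user, collect the hours and source hosts seen in successful logons."""
    baseline = defaultdict(lambda: {"hours": set(), "hosts": set()})
    for ts, user, host, outcome in events:
        if outcome == "success":
            baseline[user]["hours"].add(datetime.fromisoformat(ts).hour)
            baseline[user]["hosts"].add(host)
    return dict(baseline)

def find_irregular_logons(baseline, events, fail_threshold=3):
    """Return (user, reason) findings: a success at an hour or from a host
    never seen for that user, or failed logons reaching fail_threshold."""
    findings = []
    failures = defaultdict(int)
    for ts, user, host, outcome in events:
        if outcome == "failure":
            failures[user] += 1
            if failures[user] == fail_threshold:
                findings.append((user, "failure burst"))
            continue
        # A user with no history gets an empty profile, so anything is irregular.
        profile = baseline.get(user, {"hours": set(), "hosts": set()})
        hour = datetime.fromisoformat(ts).hour
        if hour not in profile["hours"]:
            findings.append((user, f"unusual hour {hour:02d}"))
        if host not in profile["hosts"]:
            findings.append((user, f"unseen host {host}"))
    return findings
```

In practice the baseline would be fed from the identity provider's or domain controller's logon events over a longer window, and findings routed to the same review process that handles periodic privilege attestation.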
Least Privilege is about Privilege Use
As you’ve walked through the 4 possible answers to the question of ‘then what?’, it should become a bit clearer that you can’t simply stop with the limiting of privileges today.
Security is an ever-changing target; as the organization’s needs change, so does the current state of security. And, even if security remains static, the necessity exists to make sure certain user credentials aren’t misused by insiders and external attackers alike.
It’s only by monitoring account use (once a state of least privilege has been instituted) that you truly see least privilege reach its potential. This is the potential to establish and maintain the lowest levels of privileges, while simultaneously maintaining the highest levels of security around those privileges.