The principle of least privilege (POLP), an important concept in computer security, is the practice of limiting access rights for users, accounts and computing processes to only those needed to do the job at hand.
Privilege refers to the authorization to bypass certain security restraints. When applied to people, minimal privilege means enforcing the minimal level of user rights that still allows the user to perform their job function. When applied to processes, applications, systems and devices, it means granting only the permissions required to perform authorized activities.
Regardless of how technically competent or trustworthy a user is, the principle of least authority can reduce cybersecurity risk and prevent data breaches. In fact, Forrester Research estimates that 80% of data breaches involve privileged credentials. And with the cost of a data breach reaching $3.92 million, the principle of least privilege can save your organization from reputational, regulatory and monetary damages.
How does the principle of least privilege work?
The principle of least privilege limits a user account or system functions to the set of privileges essential to perform their intended function. By strictly limiting who can access critical systems, you reduce the risk of intentional data breaches and unintentional data leaks. You also reduce the risk of malware infections like ransomware or computer worms, because the user or their operating system won't have permission to install them.
For example, a service account with the sole purpose of backing up sensitive data (like personally identifiable information (PII), protected health information (PHI) or biometrics) does not need to be able to install software.
Under the principle of least privilege, this account would only have the rights to run backup related applications. Any other access privileges would be blocked.
What is the difference between a privileged and non-privileged account?
The principle of least privilege relies on setting up four different types of user accounts:
- Standard accounts: A user account with limited access, only those required to perform normal duties. Also known as a least-privileged user account (LUA).
- Privileged accounts: A user account with elevated privileges. For example, software engineers need access to GitHub but a salesperson doesn't. The other type of privileged account is the administrator account, such as the root user in Unix and Linux operating systems or the account that manages DNS and DNSSEC, which could result in domain hijacking if compromised. In general, admins should have a standard user account and a separate privileged account, and only use the superuser account to perform specific tasks.
- Shared accounts: A user account that is shared between individuals. In general, individual accounts are preferred to shared accounts but in some situations it is acceptable to have accounts that are shared among a group of users. For example, guest accounts may have bare minimum privileges for freelancers to perform basic tasks.
- Service accounts: A user account that isn't used by humans but requires privileged access. For example, a network intrusion detection system used for network security requires access to your internal networks to work.
When an employee leaves or you offboard a third-party vendor remember to disable their user access immediately and then delete their data after a period of time.
What are the benefits of the principle of least privilege?
The benefits of implementing the principle of least privilege are:
- Data security: Many data breaches involve gaining access to privileged credentials and then using the access granted by those credentials to move laterally through an organization with the end goal of gaining admin rights. This type of cyber attack is known as privilege escalation. By enforcing the principle of least privilege you can reduce the security risk of privilege escalation.
- System stability: When code is limited to the scope of changes it can make to a system, it's easier to test individual actions and interactions with other applications. For example, an application running with restricted rights won't have access to perform operations that could crash a machine or adversely affect other applications.
- System security: When applications have limited access to system-wide actions, vulnerabilities in one application cannot be exploited to gain access to other parts of the system, install malware, inject malicious code or spread computer worms like the WannaCry ransomware attack.
- Ease of deployment: In general, the fewer privileges an application requires, the easier it is to deploy within a larger environment.
- Reduced attack surface: Restricting privileges for individuals can mitigate the cybersecurity risk posed by insider threats and other attack vectors which could compromise network security, data security, information security or IT security. Applying POLP can also reduce the damage caused by leaked credentials or stolen passwords because access control will limit their ability to gain access to sensitive data, like personally identifiable information (PII) and protected health information (PHI).
- Mitigate social engineering attacks: Many social engineering attacks, like phishing and spear phishing, rely on a user executing an infected email attachment or logging into a fake website. By employing the principle of least privilege, administrative accounts can limit execution to only certain file types and enforce password managers that don't fall for phishing websites.
- Improved information security: Data classification is at the heart of information security, and POLP can help organizations understand what data they have, where it resides and who has access to it. This can also help with digital forensics and IP attribution after a data breach or data leak.
- Better regulatory compliance: By constraining the activities that can be performed, your organization can create a more audit-friendly environment. Many regulations (e.g. HIPAA, PCI DSS, FDDC, Government Connect, SIRMA and SOX) require organizations to apply least privilege security policies to improve data security.
- Reduced third-party risk and fourth-party risk: The principle of least privilege shouldn't be limited to your internal users. Your third-party vendors can introduce significant cybersecurity risk. For example, hackers gained access to ~70 million Target customer accounts through an HVAC contractor who had permissions to upload executables. This is why vendor risk management is so important. Develop a robust risk assessment methodology, vendor management policy, vendor risk assessment questionnaire template and third-party risk assessment framework to streamline the assessment process. Ask to see current and potential vendors' SOC 2 reports and information security policies.
- Better incident response planning: POLP helps organizations understand who has access to what and when they last accessed it, which can help with incident response.
- Simplified change and configuration management: Every time a user with administrative privileges uses a computer, there's potential for the system's configuration to be changed inappropriately, either deliberately or accidentally. Least privilege minimizes this risk by controlling who can change settings or configurations.
What are the limitations of the principle of least privilege?
The principle of least privilege is one layer in a comprehensive defense in depth strategy. Even with the principle of least privilege, some users will likely need access to sensitive data and they could be the target of spear phishing attacks that gather information about them to maximize effectiveness.
Another common issue is the lack of visibility and awareness of who actually has a privileged account, access to sensitive assets or has exposed credentials. Organizational inertia and cultural challenges can make it hard to introduce restrictive access controls too.
POLP does reduce the number of possible attack vectors but doesn't mitigate cybersecurity risk completely, particularly risks related to third-party vendors. Consider investing in a tool that can automate vendor risk management, help you plan your vendor security assessment process and request remediation from high-risk vendors.
How to implement the principle of least privilege
There are six common ways to implement the principle of least privilege security strategy:
- Group-based access management: Managing individual user access for hundreds or thousands of employees while adhering to the principle of least privilege is almost impossible. This is why identity and access management (IAM) tools exist. IAM tools grant users access based on groups or job roles, then manage privileges based on groups rather than individuals. For example, imagine your organization invests in a new cyber security ratings tool. Instead of granting each IT security member access to the application individually, you simply grant the IT security group the appropriate permissions. Similarly, if a member leaves the team, you can simply remove them from that group rather than revoking dozens or hundreds of applications and rights.
- Working hours-based access management: For employees who work consistent schedules, you can restrict access to the individual's working hours. For example, if a staff member only works 8:00am to 5:00pm Monday to Friday, they should not be able to use their keycard at 4:00am on Sunday morning.
- Location-based access management: For critical systems, you may only want people to access them from your office building.
- Machine-based access management: Like location-based access management, you may only want critical systems to be accessible from certain machines.
- One-time use access management: Use a password safe where a single-use password for a privileged account is checked out until the action is completed and then checked back in.
- Just-in-time access management: Elevate privileges on an as-needed basis for a specific application when needed then revert back to a standard account once the task is complete.
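The six methods above combine naturally into one deny-by-default policy check. The following is an added illustration, not code from the article or from any UpGuard product: a small evaluator where permissions hang off groups (so revocation is a group removal), and where working hours, location, machine and a just-in-time elevation ticket are each a separate gate. All user, group, permission and machine names are constructed for the example.

```python
from dataclasses import dataclass
from datetime import datetime
from typing import Optional, Tuple

# Constructed sample directory (hypothetical names). Permissions hang off groups and
# users only carry group membership, so revoking a person means removing them from a group.
GROUP_PERMISSIONS = {
    "it-security": {"ratings-tool:read", "ratings-tool:admin"},
    "sales": {"crm:read"},
}
USER_GROUPS = {"alice": {"it-security"}, "bob": {"sales"}}

@dataclass(frozen=True)
class Policy:
    hours: Tuple[int, int] = (8, 17)                  # working-hours window, 24h clock
    weekdays: frozenset = frozenset({1, 2, 3, 4, 5})  # ISO weekdays, 1 = Monday
    locations: frozenset = frozenset({"office"})      # location-based restriction
    machines: frozenset = frozenset({"ws-sec-01"})    # machine-based restriction

def evaluate(user: str, permission: str, iso_time: str, location: str,
             machine: str, jit_ticket: Optional[str] = None,
             policy: Policy = Policy()) -> Tuple[bool, str]:
    """Return (allowed, reason). Every gate must pass; anything unmatched is denied."""
    when = datetime.fromisoformat(iso_time)
    granted = set().union(*(GROUP_PERMISSIONS.get(g, set())
                            for g in USER_GROUPS.get(user, set())))
    if permission not in granted:
        return False, "permission not granted to any of the user's groups"
    in_hours = policy.hours[0] <= when.hour < policy.hours[1]
    if when.isoweekday() not in policy.weekdays or not in_hours:
        return False, "outside working hours"
    if location not in policy.locations:
        return False, "location not allowed"
    if machine not in policy.machines:
        return False, "machine not allowed"
    # Admin-level rights are never standing: they need a just-in-time elevation ticket
    # (a hypothetical approval id) that covers this one request.
    if permission.endswith(":admin") and not jit_ticket:
        return False, "admin permission requires just-in-time elevation"
    return True, "allowed"

def remove_from_group(user: str, group: str) -> None:
    """Offboarding or role change: leaving the group revokes everything it conferred."""
    USER_GROUPS.get(user, set()).discard(group)
```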
What all these methods have in common is that accounts are configured to be capable of doing only what the user is intended to do and nothing else.
Once you have set up your desired access management strategy (or a mixture), you need to perform regular audits:
- Usage audits: Usage audits allow you to monitor what each user ID is doing, what data they access, create and delete. It can also help you identify suspicious activity.
- Privilege audits: Over time, a user can end up with privileges they no longer need. This often occurs when a person changes roles. Regular privilege audits can help spot accounts with excess privileges or membership in the wrong groups.
- Change audits: Changes to passwords, permissions or settings can lead to a data breach, which is why it can be helpful to invest in configuration management tools that notify you about all changes.
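The privilege and usage audits above can be automated against a role baseline and an access log. This added example is not from the article; it uses a constructed directory and constructed log lines (all names hypothetical) to flag group memberships a user's current role does not justify, and granted permissions that were never exercised in the log window.

```python
from collections import defaultdict
from typing import Dict, List, Set, Tuple

# Constructed sample data: which groups each role should hold, what the directory actually
# shows, and what each group confers. Bob kept a group after changing roles; Carol holds a
# group that belongs to no role baseline at all.
ROLE_BASELINE = {"sales": {"sales"}, "security-engineer": {"it-security"}}
USER_ROLE = {"alice": "security-engineer", "bob": "sales", "carol": "sales"}
ACTUAL_GROUPS = {
    "alice": {"it-security"},
    "bob": {"sales", "it-security"},
    "carol": {"sales", "domain-admins"},
}
GROUP_PERMISSIONS = {
    "sales": {"crm:read"},
    "it-security": {"ratings-tool:read", "ratings-tool:admin"},
    "domain-admins": {"dns:write"},
}
# Constructed access log in a simple key=value format (not any real product's format).
ACCESS_LOG = [
    "2024-03-04T09:12:00 user=alice perm=ratings-tool:read result=allow",
    "2024-03-04T11:40:00 user=alice perm=ratings-tool:read result=allow",
    "2024-03-04T13:05:00 user=bob perm=crm:read result=allow",
    "2024-03-05T08:30:00 user=bob perm=ratings-tool:admin result=deny",
    "2024-03-05T10:00:00 user=carol perm=crm:read result=allow",
]

def privilege_audit() -> Dict[str, Set[str]]:
    """Groups each user holds that their current role baseline does not justify."""
    excess = {}
    for user, groups in ACTUAL_GROUPS.items():
        extra = groups - ROLE_BASELINE.get(USER_ROLE.get(user, ""), set())
        if extra:
            excess[user] = extra
    return excess

def parse_log_line(line: str) -> Tuple[str, str, str]:
    fields = dict(kv.split("=", 1) for kv in line.split()[1:])
    return fields["user"], fields["perm"], fields["result"]

def usage_audit(log: List[str]) -> Dict[str, Set[str]]:
    """Permissions a user holds but never successfully used: candidates for removal."""
    used = defaultdict(set)
    for line in log:
        user, perm, result = parse_log_line(line)
        if result == "allow":          # a denied attempt is not evidence the right is needed
            used[user].add(perm)
    unused = {}
    for user, groups in ACTUAL_GROUPS.items():
        granted = set().union(*(GROUP_PERMISSIONS.get(g, set()) for g in groups))
        never_used = granted - used[user]
        if never_used:
            unused[user] = never_used
    return unused
```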
How UpGuard can improve your organization's cybersecurity
Companies like Intercontinental Exchange, Taylor Fry, The New York Stock Exchange, IAG, First State Super, Akamai, Morningstar and NASA use UpGuard to protect their data, prevent data breaches, monitor for vulnerabilities and avoid malware.
UpGuard Vendor Risk can minimize the amount of time your organization spends managing third-party relationships by automating vendor questionnaires and continuously monitoring your vendors' security posture over time while benchmarking them against their industry.
Each day, our platform scores your vendors with a Cyber Security Rating out of 950. We'll alert you if their score drops.
UpGuard BreachSight can help monitor for DMARC, combat typosquatting, prevent data breaches and data leaks, avoid regulatory fines and protect your customers' trust through cyber security ratings and continuous exposure detection.
If you'd like to see how your organization stacks up, get your free Cyber Security Rating.