2. Least privilege prevents data misuse
Users can only steal data they have access to – that goes without saying. But one major risk that is often overlooked comes in the form of special rights, for instance remote access for users working from home. As an employer, you are usually not going to assume the worst and expect that your employees will abuse their privileges. However, if you do permit them to work from home using a VPN connection, you’ll still want to make sure that you have that DLP function (data loss prevention) in the VPN software activated. Just in case!
To learn what could happen if you choose to ignore this important security measure, read our post about Jerry and the forgotten VPN connection.
Another lurking danger that can be countered using the least privilege principle is the ex-employee whose privileges are still active. If POLP is implemented correctly and consistently, the user’s privileges will be revoked completely once he or she leaves.
3. POLP saves time, POLP saves money
In organizations that have not yet implemented access management software, admins sometimes grant admin privileges to non-admin users.
The idea behind this is to give certain people, e.g. department heads, admin rights so they can assign privileges to their subordinates without having to go through the IT department every time. It is a total time-saver because it frees up time for IT admins, allowing them to tend to more important matters. Right?
Wrong! The outcome is actually the opposite of what you are trying to achieve. With every additional privilege that is granted, data controllers give up yet another bit of control. In the end, the mess is so big it becomes impossible to tidy up. Have you ever tried untangling Christmas lights you chucked in the attic and forgot about the year before? Well, it’s kind of like that. Only worse.
Assume your company is expecting a compliance audit and you have to prepare all reports for it manually. Yikes. That’s not just going to keep your IT staff busy for weeks on end, but many other people including, quite likely, your boss. And your boss’s boss, too. That’s a pretty expensive Christmas light.
4. Stay compliant, optimize audits
Every company must ensure that both internal and external compliance policies are met. Such policies include the GDPR and HIPAA, for instance. These regulations stipulate that measures be taken that are all, in some way or another, based around the principle of least privilege.
Implementing the Principle of Least Privilege
To establish the principle of least privilege in your company, you must first declutter your current access structure and identify the weakest links in your network. Here is a list of measures you must take to do this:
Locate all privileged accounts throughout the enterprise (on-premise, in the cloud, in DevOps environments and at endpoints).
Remove any unnecessary local admin rights. Also, check for superusers with unnecessary admin rights.
Implement Just-in-Time access instead of assigning privileges in advance “just in case”.
Set fixed expiry dates for any privileges you assign on top of standard ones.
Keep admin accounts separate from standard accounts and protect the former, e.g. by managing privileged credentials exclusively within a digital vault.
Ensure that all activities related to admin accounts are seamlessly documented. This will help you identify unusual events faster and fend off any ongoing attacks.
Appoint data owners (e.g. department heads) and require them to regularly review whether existing permissions are still needed or not.
Implement POLP With Access Management
Once you have tidied up your access landscape, you must ensure the principle of least privilege will be applied rigorously wherever necessary in the future. In organizations with fewer employees, this can usually be achieved manually if admins work precisely and carefully. Still, human errors can never be ruled out entirely.
Organizations with hundreds or even thousands of users should strive to automate the processes involved in implementing the principle of least privilege.
But even if your company does not have thousands of users, automating processes might still be a goal worth pursuing, for instance if the internal processes in your organization are very complex and require a more diverse and flexible access structure. Whether it is the number of users or complexity of your environment that applies, or both – investing in an access management or identity and access management software is probably a good idea.
How tenfold Implements POLP
There are many options and tools that can help you implement POLP and achieve a high degree of data security. The question is how much time you are willing and/or capable of investing into the manual efforts required and whether you believe the operational discipline needed for the implementation is strong enough in your company.
Not only does the access management software tenfold assign permissions to users automatically and in accordance with POLP, it also cleans up your organization’s access structure.
Least Privilege Principle and tenfold
tenfold builds your access structure automatically according to the principle of least privilege. How does it do this? First, tenfold’s profile wizard analyzes which privileges should be included in the standard privilege set for each department. Once this is done, the software assigns the specified standard rights to users automatically and for all connected systems (including Active Directory and SAP).
One of the key differences between the software and manual management of access rights is that the software will also automatically take care of obsolete privileges. For instance: if a user changes to a different department, the software will automatically revoke that user’s old privileges (after a pre-defined transition period, e.g. for the duration of training) and assign the necessary new privileges to the user for the new department.
If a user leaves the organization, tenfold will automatically delete all associated accounts and privileges, thereby preventing privilege creep from starting anew.
| Measure | Solution in tenfold |
| --- | --- |
| Remove all outdated and/or superfluous privileges | Once an access profile has been defined, tenfold compares the data set with current access structures to determine which privileges do not match the profile. The software then automatically removes any privileges that deviate from the profile specifications. |
| Implement Just-In-Time access | In tenfold, users can request access rights via self-service and data owners can respond to such requests by approving or declining them. It is not possible to request or approve privileges “just in case they might be needed”. |
| Fixed expiry dates for extra privileges | tenfold is able to model the workflow for privileges that are granted on top of a department’s standard set and which require an expiry date for security reasons. Data owners can always push back such expiry dates if necessary. |
| Seamless documentation of all activities related to admin accounts | tenfold ensures that ALL processes and activities are seamlessly documented and produces audit-proof reports at a click. |
| Require data owners to review privileges regularly | User access reviews are an integral component of tenfold. |
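The profile-based clean-up described above (standard privilege set per department, a transition period after a department change, expiry dates on extra privileges, full revocation for leavers) can be expressed as a small reconciliation routine. The code below is an added illustration written for this page, not tenfold's own code; the departments, privilege names, users and dates are constructed sample data.

```python
from dataclasses import dataclass, field
from datetime import date, timedelta

PROFILES = {  # constructed sample: each department's standard privilege set (the "profile")
    "sales": {"crm_read", "crm_write", "fileshare_sales"},
    "finance": {"erp_read", "erp_post", "fileshare_finance"},
}

@dataclass
class User:
    name: str
    department: str
    privileges: set
    extras: dict = field(default_factory=dict)  # extra privilege -> expiry date
    dept_changed_on: date = None                 # set when the user moved departments
    left_on: date = None                         # set when the user left the organization

def review(users, profiles, today, transition_days=30):
    # Returns (user, privilege, action) tuples a data owner has to act on.
    findings = []
    for u in users:
        if u.left_on is not None and u.left_on <= today:
            # Leaver: every privilege is revoked, no transition period applies.
            findings += [(u.name, p, "revoke-leaver") for p in sorted(u.privileges)]
            continue
        standard = profiles[u.department]
        in_transition = (u.dept_changed_on is not None and
                         today < u.dept_changed_on + timedelta(days=transition_days))
        for p in sorted(u.privileges):
            if p in standard:
                continue
            if p in u.extras:
                if u.extras[p] < today:  # sanctioned extra, but its expiry date has passed
                    findings.append((u.name, p, "revoke-expired"))
            elif not in_transition:      # neither profile nor sanctioned extra: creep
                findings.append((u.name, p, "revoke-off-profile"))
        # Profile privileges the user lacks are assigned automatically.
        findings += [(u.name, p, "grant-standard") for p in sorted(standard - u.privileges)]
    return findings

def sample_findings():
    # Constructed users, reviewed as of 2024-06-01.
    users = [
        User("alice", "sales", {"crm_read", "crm_write", "fileshare_sales", "erp_read"},
             extras={"erp_read": date(2024, 5, 1)}),
        User("bob", "finance", {"crm_read", "erp_read", "erp_post"},
             dept_changed_on=date(2024, 5, 20)),
        User("carol", "sales", {"crm_read"}, left_on=date(2024, 5, 15)),
        User("dave", "sales", {"crm_read", "crm_write", "fileshare_sales", "erp_post"}),
    ]
    return review(users, PROFILES, date(2024, 6, 1))
```

Bob's old sales privilege is left alone because he is still inside the 30-day transition window, while Dave's off-profile right is flagged immediately.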