Least privilege principle

The principle of least privilege, also referred to as the least privilege principle or POLP for short, is considered best practice in the field of cyber security. Applied correctly and consistently, POLP ensures that every user holds only the privileges actually needed to carry out their job duties, and nothing beyond that.

In this article, we are going to examine the risks organizations that do not apply the least privilege principle face and further discuss what you can do to set up or redesign your access structure in accordance with POLP.


What Is the Principle of Least Privilege?

The principle of least privilege is a concept designed to keep data sufficiently protected. In organizations that live by this principle, users only have access to the data and resources they need to do their jobs. Failing to apply the principle not only increases the risk of data theft from within, it also encourages an accumulation of outdated and superfluous access rights, which in turn gives malware running under a compromised account far more to reach.

Least Privilege Principle vs. Need to Know

The term principle of least privilege is often used synonymously with the need-to-know principle. Both concepts are similar in meaning and both are key components of any cyber security strategy, but they differ in scope.

To keep data sufficiently protected, admins must evaluate and limit the privileges of human users, but also the privileges of non-human identities such as service accounts.

The need-to-know principle is essential in organizations with stringent security perimeters and governs which people may see which information; it applies to human users only. The principle of least privilege additionally covers the privileges of systems, applications, service accounts and network devices.

Privilege Creep: Accumulation of Privileges

Ideally, users are granted exactly the privileges they need to complete their job tasks. However, in companies where access management processes have not yet been automated (for instance with access management software), admins or data owners must distribute all of these privileges manually.

This isn’t usually a problem at first. It’s not the initial allocation of access rights that causes trouble. The problem starts when the time comes to take those privileges away again – that’s where admins tend to lose track.

In most organizations, users constantly need (and are granted) new privileges, for all sorts of reasons: They change departments, where they need different or additional rights. They join various projects, each requiring new rights. They go on parental leave, where they need fewer rights. The list goes on. The problem is that nobody remembers or bothers to withdraw those rights once the project is finished or the user moves to yet another department. This gradual accumulation of access rights is what we call privilege creep.


No More Access Control – Just Chaos

Sometimes, to save time when creating a new user, admins will use existing user access profiles as templates, or reference users. To be fair, the idea in theory is quite clever: Just copy the existing user account of someone with the same job as the new user and there you go. All privileges transferred.

All of them. Do you hear the alarm bells chiming? No? Remember the privilege creep? Yeah, that’s the problem. While the intention is to save time while supplying the new user with the necessary access rights quickly, what is actually happening is that all of the privileges the template user has accumulated over the years (privilege creep) are transferred to the new user.

This may include privileges exclusive to certain departments and/or special project rights. Sooner or later, no one will remember who gave User X access to Department Y, and since when and why User Q has privileges for Project F.
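The reference-user problem above is easy to make visible with a profile comparison. The following is an added, vendor-neutral example (not code from this article or from any product) that models a department's standard group set, shows how cloning a long-serving account copies its accumulated rights to a new hire, and diffs each account against the profile to list the excess. Department names, group names and users are constructed for illustration.

```python
"""Finding privilege creep by diffing an account against its department profile.

Added example, not code from the original article or from any product: it
shows why cloning a 'reference user' copies years of accumulated rights, and
how a profile comparison exposes them. Departments, group names and users
below are constructed."""
from dataclasses import dataclass, field

# Standard set of groups each department is supposed to have (assumed data)
DEPARTMENT_PROFILE = {
    "finance": {"grp-finance-share", "grp-erp-reporting", "grp-vpn"},
    "marketing": {"grp-marketing-share", "grp-cms-editor", "grp-vpn"},
}


@dataclass
class User:
    name: str
    department: str
    groups: set = field(default_factory=set)


def provision_from_profile(name, department):
    """Create an account from the department profile only (least privilege)."""
    return User(name, department, set(DEPARTMENT_PROFILE[department]))


def clone_user(template, name):
    """The 'reference user' shortcut: every group the template has, including
    whatever it accumulated from old projects and former departments."""
    return User(name, template.department, set(template.groups))


def excess_privileges(user):
    """Groups the account holds beyond its department profile (privilege creep)."""
    return user.groups - DEPARTMENT_PROFILE[user.department]


def missing_privileges(user):
    """Profile groups the account should have but does not."""
    return DEPARTMENT_PROFILE[user.department] - user.groups


def remediate(user):
    """Bring the account back in line with the profile; returns what was removed."""
    removed = excess_privileges(user)
    user.groups -= removed
    user.groups |= missing_privileges(user)
    return removed


def creep_report(users):
    """Per-user list of excess groups, the input a data owner needs for a review."""
    return {u.name: sorted(excess_privileges(u)) for u in users if excess_privileges(u)}


def demo():
    # Alice joined finance years ago and picked up rights that were never revoked
    alice = provision_from_profile("alice", "finance")
    alice.groups |= {"grp-project-phoenix", "grp-marketing-share"}
    bob = clone_user(alice, "bob")                        # new hire, "same job as Alice"
    carol = provision_from_profile("carol", "finance")    # new hire, built from the profile
    report = creep_report([alice, bob, carol])            # carol does not appear: she is clean
    remediate(bob)                                        # bob is back to the finance profile
    return report, bob.groups


if __name__ == "__main__":
    report, bob_after = demo()
    print(report)
    print(sorted(bob_after))
```

The point of `creep_report` is that the comparison is the same for a ten-year veteran and for the account cloned from them yesterday: both show the project and marketing groups as excess, while an account provisioned from the profile shows nothing. Running such a diff periodically, and feeding the result to the data owner, is what turns a one-off clean-up into an ongoing control.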

Why Is the Principle of Least Privilege So Important?

1. Least Privilege principle prevents malware spread

POLP is an important factor in endpoint security because malware such as trojans or keyloggers runs with the privileges of the account it compromised: whatever that user cannot reach, the malware cannot reach either. By reducing user privileges to the absolute minimum, you limit how far an infection can spread. Malware usually enters via phishing emails, zero-day exploits or application vulnerabilities that allow remote code execution.

Admin and superuser accounts (e.g. database, network and system admins) are of particular significance in this context, because attacks nowadays are typically geared toward obtaining and abusing privileged credentials. It is therefore more important than ever to apply POLP to these accounts as well.


2. Least privilege prevents data misuse

Users can only steal data they have access to – that goes without saying. But one major risk that is often overlooked comes in the form of special rights, for instance remote access for users working from home. As an employer, you are usually not going to assume the worst and expect your employees to abuse their privileges. However, if you do permit them to work from home over a VPN connection, you will still want the data loss prevention (DLP) function of your VPN software enabled on that connection. Just in case.

To learn what could happen if you choose to ignore this important security measure, read our post about Jerry and the forgotten VPN connection.

Another lurking danger that the least privilege principle counters is the former employee whose privileges are still active. If POLP is implemented correctly and consistently, a user’s privileges are revoked completely the moment he or she leaves.

3. POLP saves time, POLP saves money

In organizations that have not yet implemented access management software, admins sometimes grant admin privileges to non-admin users.

The idea behind this is to give certain people, e.g. department heads, admin rights so they can assign privileges to their subordinates without having to go through the IT department every time. It is a total time-saver because it frees up time for IT admins, allowing them to tend to more important matters. Right?

Wrong! The outcome is actually the opposite of what you are trying to achieve. With every additional privilege that is granted, data controllers give up yet another bit of control. In the end, the mess is so big it becomes impossible to tidy up. Have you ever tried untangling Christmas lights you chucked in the attic and forgot about the year before? Well, it’s kind of like that. Only worse.

Assume your company is expecting a compliance audit and you have to prepare all reports for it manually. Yikes. That’s not just going to keep your IT staff busy for weeks on end, but many other people including, quite likely, your boss. And your boss’s boss, too. That’s a pretty expensive Christmas light.

4. Stay compliant, optimize audits

Every company must ensure that both internal policies and external regulations are met. Such regulations include the GDPR and HIPAA, for instance. They require measures that are all, in one way or another, based on the principle of least privilege.

Implementing the Principle of Least Privilege

To establish the principle of least privilege in your company, you must first declutter your current access structure and identify the weakest links in your network. Here is a list of measures you must take to do this:

  • Locate all privileged accounts throughout the enterprise (on-premises, in the cloud, in DevOps environments and on endpoints).

  • Remove any unnecessary local admin rights. Also, check for superusers with unnecessary admin rights.

  • Implement Just-in-Time access instead of assigning privileges in advance “just in case”.

  • Set fixed expiry dates for any privileges you assign on top of standard ones.

  • Keep admin accounts separate from standard accounts and protect the former, e.g. by managing privileged credentials exclusively within a digital vault.

  • Ensure that all activities related to admin accounts are logged end to end. This helps you spot unusual events faster and fend off ongoing attacks.

  • Appoint data owners (e.g. department heads) and require them to regularly review whether existing permissions are still needed or not.
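The list above, as an added example that is not part of the original article or of any product: a small model of access grants in which every extra right carries an expiry date, just-in-time elevation is capped, a scheduled sweep revokes whatever has expired, and every grant and revocation is written to an audit trail. It goes one step beyond the list by also handling a department move (the old standard rights get a transition deadline instead of living on) and a leaver (everything is revoked at once). Department profiles, group names, durations and the timeline are constructed assumptions.

```python
"""Time-bound access grants with an audit trail.

Added example, not code from the original article or from any product: it
models just-in-time access, fixed expiry dates and logging of every change,
and additionally covers department moves and leavers. Department profiles,
group names, durations and the timeline are constructed."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import Optional

HOUR = timedelta(hours=1)
DAY = timedelta(days=1)
T0 = datetime(2024, 1, 8, 9, 0, tzinfo=timezone.utc)   # constructed start of the scenario

# Standard permission set per department (assumed data)
PROFILES = {
    "finance": {"grp-finance-share", "grp-erp-reporting"},
    "marketing": {"grp-marketing-share", "grp-cms-editor"},
}
TRANSITION = 14 * DAY   # assumed hand-over period after a department move
MAX_JIT = 8 * HOUR      # assumed upper bound for a just-in-time elevation


@dataclass
class Grant:
    group: str
    reason: str
    expires: Optional[datetime]   # None: standard right, lives until the role changes


@dataclass
class Account:
    name: str
    department: str
    grants: list = field(default_factory=list)
    audit: list = field(default_factory=list)   # (time, event, group, reason) per change

    def log(self, now, event, group, reason):
        self.audit.append((now.isoformat(), event, group, reason))

    def active_groups(self, now):
        """Effective group set at a point in time; expired grants do not count."""
        return {g.group for g in self.grants if g.expires is None or g.expires > now}


def join(name, department, now):
    """Joiner: exactly the department profile, nothing 'just in case'."""
    acct = Account(name, department)
    for grp in sorted(PROFILES[department]):
        acct.grants.append(Grant(grp, f"standard:{department}", None))
        acct.log(now, "grant", grp, f"standard:{department}")
    return acct


def jit_allowed(duration):
    """Policy check: a just-in-time window may never exceed MAX_JIT."""
    return duration <= MAX_JIT


def request_jit(acct, group, ticket, now, duration):
    """Just-in-time elevation: always carries an expiry and is capped at MAX_JIT."""
    if not jit_allowed(duration):
        raise ValueError(f"JIT grants are capped at {MAX_JIT}; requested {duration}")
    until = now + duration
    acct.grants.append(Grant(group, f"jit:{ticket}", until))
    acct.log(now, "grant", group, f"jit:{ticket} until {until.isoformat()}")


def move(acct, new_department, now):
    """Mover: old standard rights get a transition deadline instead of living on."""
    old = f"standard:{acct.department}"
    for g in acct.grants:
        if g.reason == old and g.expires is None:
            g.expires = now + TRANSITION
            acct.log(now, "expiry-set", g.group, f"{old} ends {g.expires.isoformat()}")
    acct.department = new_department
    for grp in sorted(PROFILES[new_department]):
        acct.grants.append(Grant(grp, f"standard:{new_department}", None))
        acct.log(now, "grant", grp, f"standard:{new_department}")


def leave(acct, now):
    """Leaver: everything goes at once, standard and temporary rights alike."""
    for g in acct.grants:
        acct.log(now, "revoke", g.group, "account closed")
    acct.grants.clear()


def sweep(acct, now):
    """Scheduled job: revoke every grant whose expiry has passed; returns the groups."""
    expired = [g for g in acct.grants if g.expires is not None and g.expires <= now]
    for g in expired:
        acct.grants.remove(g)
        acct.log(now, "revoke", g.group, "expired")
    return {g.group for g in expired}


def scenario():
    """Walk one account through join, JIT request, sweep, move and leave."""
    acct = join("dave", "finance", T0)
    request_jit(acct, "grp-db-admin", "INC-4711", T0, 2 * HOUR)
    steps = {"after_jit": acct.active_groups(T0)}
    steps["swept_t3h"] = sweep(acct, T0 + 3 * HOUR)            # JIT right gone after 2h
    move(acct, "marketing", T0 + 1 * DAY)
    steps["during_transition"] = acct.active_groups(T0 + 2 * DAY)
    steps["swept_t16d"] = sweep(acct, T0 + 16 * DAY)           # finance rights gone after 14d
    steps["after_transition"] = acct.active_groups(T0 + 16 * DAY)
    leave(acct, T0 + 30 * DAY)
    steps["after_leave"] = acct.active_groups(T0 + 30 * DAY)
    steps["audit_events"] = len(acct.audit)
    return steps


if __name__ == "__main__":
    for key, value in scenario().items():
        print(key, value)
```

Two design choices carry the security point. First, only standard profile rights may have no expiry; anything requested on top is refused unless it has one, so "just in case" rights cannot exist in this model. Second, revocation is done by a sweep that anybody can schedule, not by an admin remembering, and it appends to the same audit list as the grants, which is exactly the record a compliance audit asks for.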

Implement POLP With Access Management

Once you have tidied up your access landscape, you must ensure the principle of least privilege will be applied rigorously wherever necessary in the future. In organizations with fewer employees, this can usually be achieved manually if admins work precisely and carefully. Still, human errors can never be ruled out entirely.

Organizations with hundreds or even thousands of users should strive to automate the processes involved in implementing the principle of least privilege.

But even if your company does not have thousands of users, automating these processes might still be a goal worth pursuing, for instance if the internal processes in your organization are very complex and require a more diverse and flexible access structure. Whether it is the number of users or the complexity of your environment that applies, or both, investing in access management or identity and access management (IAM) software is probably a good idea.

How tenfold Implements POLP

There are many options and tools that can help you implement POLP and achieve a high degree of data security. The question is how much time you are willing and/or capable of investing into the manual efforts required and whether you believe the operational discipline needed for the implementation is strong enough in your company.

Not only does the access management software tenfold assign permissions to users automatically and in accordance with POLP, it also cleans up your organization’s access structure.

Least Privilege Principle and tenfold

tenfold builds your access structure automatically according to the principle of least privilege. How does it do this? First, tenfold’s profile wizard analyzes which privileges should be included in the standard privilege set for each department. Once this is done, the software assigns the specified standard rights to users automatically and for all connected systems (including Active Directory and SAP).

One of the key differences between the software and a manual management of access rights is that the software will also automatically take care of obsolete privileges. For instance: if a user changes to a different department, the software will automatically revoke that user’s old privileges (after a pre-defined transition period, e.g. for the duration of training) and assign the necessary new privileges to the user for the new department.

If a user leaves the organization, tenfold automatically deletes all associated accounts and privileges, so that privilege creep cannot start over through orphaned rights.

Recommended action: Remove all outdated and/or superfluous privileges
Solution in tenfold: Once an access profile has been defined, tenfold compares it with the current access structure to determine which privileges do not match the profile. The software then automatically removes any privileges that deviate from the profile specifications.

Recommended action: Implement Just-In-Time access
Solution in tenfold: In tenfold, users can request access rights via self-service and data owners respond to such requests by approving or declining them. It is not possible to request or approve privileges “just in case they might be needed”.

Recommended action: Fixed expiry dates for extra privileges
Solution in tenfold: tenfold can model the workflow for privileges that are granted on top of a department’s standard set and which require an expiry date for security reasons. Data owners can extend such expiry dates if necessary.

Recommended action: Seamless documentation of all activities related to admin accounts
Solution in tenfold: tenfold documents all processes and activities end to end and produces audit-proof reports at the click of a button.

Recommended action: Require data owners to review privileges regularly
Solution in tenfold: User access reviews are an integral component of tenfold.