Employing a principle of least privilege is one of the most effective means of protecting an organisation’s network from both external and internal security threats. Apart from improved security, benefits also include reduced costs, employee empowerment and fast-tracked compliance.
The idea is simple: give users and applications permission to view and use only those assets needed for their job role or function and nothing else. In that way if someone tries to infiltrate a network to gain access to a particular account, they will be limited in what they can do and their potential to move laterally within the network is curtailed.
Seems simple enough, yet in reality the picture is a little more complex as Thycotic’s Global State of Cyber Security 2020shows. Our research found that 22 percent of organisations that have previously tried to implement least privilege have failed.
It is important, however, to keep trying. A successful least privilege approach that encompasses strong privileged security and a zero trust risk based model must follow three basic rules. Firstly, least privilege must be ongoing, it is not a “one and done” exercise. Secondly, if security processes throw up too many barriers to user productivity it will fail. Users will find simpler work arounds or administrators will overcompensate by giving them more access than strictly necessary. Finally, every organisation is different and comes with its own challenges so every company must first align to business risks.
Attitudes to least privilege
Our research shows that least privilege enjoys wide recognition as an effective form of cyber security. Nearly all respondents to our survey (94 percent) knew what least privilege was and could define it. What is more, around two out of three said implementing it was their top security priority. This is hardly surprising as more than eight out of ten cyber incidents use compromised credentials. Clearly this type of account requires the strongest controls possible.
Yet it appears that insider threats are one of the biggest concerns, with more than a third of respondents (36 percent) saying the main reason for deploying least privilege was to combat the risk of accounts being abused by employees, partners and third-party contractors or suppliers.
The second biggest factor (22 percent) was to ensure regulatory compliance. Organisations have a number of regulations - local, regional, industry or voluntary - they must abide by that demand they use the principle of least privilege. If end users have access to information they don’t need for their job the regulators may fine companies for non-compliance.
Least privilege security must be continuous
Being able to enforce a principle of least privilege across an organisation can be complex as it involves controlling the permissions of hundreds, or even thousands of users, applications, services and endpoints. IT and security stakeholders must work closely together to plan, roll out and maintain a successful least privilege programme that focuses on automation.
It’s not a case of implementing a least privilege programme and then forgetting about it. The nature of business and IT means that permissions must be constantly reviewed and updated. For example, new applications, files, folders and employees need to be catered for along with any changes in roles and circumstances.
By necessity, organisations need to deploy a range of different technology solutions to manage this. Our research found that the most popular were Privileged Access Management (PAM) tools, which were being used by nearly six out of 10 respondents, followed by application controls and/or anti-virus and anti-malware solutions (38 percent), while a third (34 percent) implemented endpoint discovery and remediation systems.
A PAM solution is arguably the most popular as it provides the essential cornerstone for automating the implementation of least privilege and its ongoing management.
To succeed, least privilege can’t hinder productivity
By far the biggest reason for least privilege initiatives failing was too many complaints from end users (46 percent). These are likely to have been around not being able to access the files, folders and tools they need to do their work. This is a concern because if a security initiative is too prohibitive it will impact upon productivity, which will be bad for business. Conversely, to avoid complaints, the IT team might give users too many admin rights so that they end up being granted too much access, which is an obvious security risk.
Instead, organisations need to look to tools that work quietly in the background to ensure users can still carry out their day-to-day roles without realising that their privileges have been reduced. While this is being rolled out, good communication at all stages between decision-makers and stakeholders is essential for maintaining the executive buy-in necessary for success.Security must be usable.
One size does not fit all
When looking to create a least privilege strategy, organisations must consider what will work best for them. This should start with discovering those applications that present the most risk on the IT network, particularly those that require elevated permissions and address these first.
Also, businesses need to get their employees on side to make least privilege a success. This involves training through the use of the workforce development budget and frequent communication.
As already touched upon, by using automated PAM solutions that run in the background, organisations can set and maintain least privilege best practices without impacting on the work of employees.
Least privilege for the long run
The principle of least privilege should be a cornerstone of any cyber security strategy. But for it to be a long-term success the needs of security, IT, desktop support, and users have to be met, which requires planning, collaboration, and the right tools. Organisations which try to dive into least privilege without proper planning are destined to join the 22 percent of firms that have tried and failed in the past.