Understanding the Principle of Least Privilege in Cybersecurity

Written by: Paul Cooney

As a business owner or executive, you trust your employees with regard to their cybersecurity training and overall knowledge, right? Definitely. Probably. Maybe.

Whatever your level of trust may (or may not) be, most savvy business leaders don't want to have to rely solely on their employees remembering and acting in line with their training in the event of a cybersecurity threat – even if things like password hygiene and phishing awareness are staples of cybersecurity training and most employees should have at least a basic understanding of these.

One very effective safeguard for proactively strengthening your defenses and mitigating the effects of inevitable human error is the implementation of the Principle of Least Privilege (PoLP).

Basic Principles of PoLP

PoLP is a very simple concept at the abstract level, but it gets more complex as businesses attempt to implement it effectively. The complexities are exacerbated further when we look at modern IT systems, which may involve nebulous architectures such as virtual private networks (VPNs) and software-defined wide area networks (SD-WANs).

In other words, if PoLP were a sports car, it’d be a Bugatti Chiron – because this baby can go from 0-60 pretty darn quickly.

Let’s put it in simple terms: PoLP is defined by restricting access to 'areas' of a computer system down to only the bare minimum needed to carry out a specific function. This includes everything from preventing a program from accessing computer memory on a single device, to stopping a sales rep logging into the VPN used by accounts.

Three Benefits of PoLP Implementation

Say hello to the Three Wise Men of PoLP implementation: Security, Stability and Usability.

The security benefits are fairly clear. On the software level, designing applications in accordance with PoLP will reduce the chances of malware piggybacking on the software to access other applications or deeper areas of the system.

When it comes to employee permissions, PoLP can reduce the surface area of a cyber-attack significantly if, say, staff members only have passwords for a specific area of the network. Should one of those passwords be compromised, it won’t affect the entire network.

In terms of stability, software with too much freedom to use computer resources can interfere with the smooth operation of the system, causing crashes in other applications, devices or even networks. Software built with PoLP in mind tends to be much more stable in these respects.

Finally, software which requires only minimal access privileges tends to be easier to install and runs much more quickly compared to software requiring broader or deeper system access. PoLP helps make software usability a breeze, or close to it.

Three Challenges of PoLP Implementation

If Security, Stability and Usability are the Three Wise Men bringing you the gift of sleeping more soundly, then Privilege, Precision and Abstraction are the Three Little Pigs that could keep you awake.

Once again, although PoLP is a simple concept, it is much harder to follow than it may appear. You may think you’re building a system out of bricks, when in reality you’re using straw and sticks.

On a technical level, most programs will not function without some degree of privileged system access. And getting the right level of precision when dealing with access to shared memory, I/O device addresses, processing time, etc. can be very challenging. Models such as the object-capability model have been designed to manage this complexity, but there are always loopholes. Just ask the wolf.

Precision is also important to get right when it comes to human user access. An overly stringent PoLP strategy can lead to IT support being overwhelmed whenever a permission change is necessary, which could be all the time. On the other hand, a policy that is too lax defeats the overall security objective.

The third challenge comes from the amount of abstraction in IT. The divisions between areas of a computer system and network are less clear-cut than models might suggest. Virtualization has added yet another level of complexity, with data and architecture now often shared between globally dispersed hybrid cloud networks.

How to Implement PoLP in your Network

Implementing a watertight PoLP into your network is a tricky undertaking which requires some technical know-how. But don’t fret – there are a few steps you can take to make sure you at least have the basics covered:
  • For on-site servers, make sure you understand your directory service. For Microsoft users, your server will run Active Directory (AD), which organizes objects (e.g. users, printers, devices, etc.) into hierarchies known as trees, forests and organizational units (OU). OUs are designed to map closely onto your company hierarchy. By understanding how AD is currently being used to manage permissions, you will be able to fine-tune the rules as you see fit.
  • If you’re using a public cloud provider, you should be able to review and adjust permissions through a dedicated access management service. For example, AWS includes its IAM service at no additional cost. You should also consider a direct connection to your cloud provider rather than going over the Internet; a direct connection improves your speed and security. If you’re not sure how to set up a direct connection to the cloud, there are some very talented and experienced consultants out there who partner with every major public cloud provider (AWS, Azure, GCP, etc.) in the industry and can do this for you at a great price.
  • If you are using SD-WAN to connect branches and data centers, be aware that you will need to secure your physical SD-WAN terminators, as these automatically grant access to your network. Once again, consider bringing in verified SD-WAN consultants to ensure that this is done correctly. If you want to educate yourself further, this article on SD-WAN security risks is worth reading.

The Principle of Least Privilege is the gold standard for any security-conscious business, and it’s one that you can’t afford to neglect. Providing better security, stability and usability to your computer systems should be a top priority, but it’s also important to understand that the complexity of modern IT networks and the difficulty in finding the right balance of access control and efficiency means that you shouldn't rely on PoLP alone to protect your assets from an impending cyber-attack.

Paul Cooney is the Founder and President of Shamrock Consulting Group, the leader in technical procurement for telecommunications, data communications, data center, SD-WAN consultants, dark fiber and cloud procurement services.