Getting Organizations Started on a Least Privilege Journey to Reduce Risk
By Joseph Carson, Chief Security Scientist, Thycotic
Organizations today typically face major challenges when seeking to implement least privilege, because built-in limits on access can impact employee productivity. If users can’t get access to an account, a service, or a device such as a printer, they have to spend time calling the IT helpdesk for a “fix.” In many cases, busy IT helpdesk workers may give users more privileges than needed to expedite the resolution of user problems. Least privilege is meant to prevent “over-privileged access” by users, applications, and services, reducing the risk of exploitation without impacting productivity.
Let’s get organizations started on the right path to a successful least privilege implementation journey. These steps highlight the key stages of activity and are meant to spur further research so you can be fully prepared with the tools you need to make least privilege a reality in your cybersecurity program.
Inventory Devices and Software
Produce a comprehensive inventory of your corporate devices, installed software, and software licenses. You also need to determine where applications typically are being installed from, as well as the software vendors that are approved to be used within your organization.
During the inventory process, create a list of trusted vendors, including their code-signing certificates, and of the trusted software sources for approved applications. These could include a software delivery solution, a software catalog, a network location, or Microsoft SharePoint. You also need to list the places you don’t want software being installed from; these could include downloaded program files, email attachments, or any download locations on various devices.
With a complete device inventory, you can develop policies that distinguish trusted from untrusted privilege elevation requests. This process ensures employees can use a least-privileged account to perform privileged actions based on approved policies.
Integrate Compliance and Regulations
Almost every organization faces some kind of compliance mandate or regulatory requirement. There have, for example, been major recent updates to regulations and standards such as the Payment Card Industry Data Security Standard (PCI DSS), the National Institute of Standards and Technology (NIST) frameworks, Cyber Essentials, the EU General Data Protection Regulation (GDPR), and the California Consumer Privacy Act (CCPA). They all include requirements for data privacy meant to rein in over-privileged access by users. Therefore, you must integrate the compliance and regulatory requirements that apply to your organization into your data impact assessment, risk-based assessment, and privileged access management (PAM).
Combine PAM and Least Privilege to Control Access and Actions
A PAM solution helps with defining policies, discovering privileged accounts, applying security controls, auditing usage, and alerting on abuse. Combining PAM with least privilege security allows an organization to elevate privilege on demand, issue one-time passwords, and increase or decrease privileges based on dynamic risk and threats. PAM helps control privileges so they’re available when needed and end users aren’t over-privileged all the time.
Incorporate Application Control
Application control is a technology that enables an organization to elevate application privileges so trusted and approved applications can execute even if users don’t inherently have access. On the flip side, application control prevents untrusted applications from executing even if the user holds privileges that would otherwise permit installing applications. If an application is unknown, it can be “quarantined” and prevented from executing until further analysis determines whether the application is malicious or authentic.
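As an added illustration (not code from the article or from Thycotic’s products), the following evaluator turns the inventory lists from the earlier step (trusted signers, approved install sources, untrusted locations) into the allow-and-elevate, block, or quarantine decisions that application control makes. The publisher names, paths, sample requests and the rule ordering are all constructed assumptions.

```python
"""Toy application-control policy evaluator (added example, not vendor code).
Decisions follow the article's three outcomes: elevate trusted apps, block
untrusted ones, quarantine unknowns pending analysis."""
from dataclasses import dataclass
from enum import Enum
from typing import Iterable, Optional


class Verdict(Enum):
    ELEVATE = "allow and run with elevated privileges"
    BLOCK = "deny execution"
    QUARANTINE = "hold for analysis"


@dataclass(frozen=True)
class Policy:
    trusted_signers: frozenset          # publishers from the vendor inventory
    trusted_sources: tuple              # catalog / network share locations
    untrusted_sources: tuple            # downloads, mail attachment folders


@dataclass(frozen=True)
class AppRequest:
    path: str                           # where the binary is launched from
    signer: Optional[str]               # publisher named on the signature
    signature_valid: bool               # did the signature verify?


def _under(path: str, prefixes: Iterable[str]) -> bool:
    """Case-insensitive 'path lies below one of prefixes' check (Windows style)."""
    p = path.replace("/", "\\").lower().rstrip("\\")
    return any(p.startswith(x.replace("/", "\\").lower().rstrip("\\") + "\\") for x in prefixes)


def evaluate(policy: Policy, req: AppRequest) -> Verdict:
    # 1. Untrusted locations lose even for signed apps or local admins.
    if _under(req.path, policy.untrusted_sources):
        return Verdict.BLOCK
    # 2. A trusted publisher name with a failed signature is a tampering signal.
    if req.signer in policy.trusted_signers and not req.signature_valid:
        return Verdict.BLOCK
    # 3. Verified trusted signer, or launched from an approved source: elevate.
    if (req.signature_valid and req.signer in policy.trusted_signers) or _under(req.path, policy.trusted_sources):
        return Verdict.ELEVATE
    # 4. Everything else is unknown and waits for analysis.
    return Verdict.QUARANTINE


# Constructed policy and requests for demonstration only.
POLICY = Policy(
    trusted_signers=frozenset({"Contoso Software Ltd", "Microsoft Corporation"}),
    trusted_sources=(r"C:\ProgramData\SoftwareCatalog", r"\\fileserver\software$"),
    untrusted_sources=(r"C:\Users\alice\Downloads", r"C:\Users\alice\AppData\Local\Temp\Outlook"),
)
SAMPLES = {
    "catalog_signed": AppRequest(r"C:\ProgramData\SoftwareCatalog\vpn\setup.exe", "Contoso Software Ltd", True),
    "vendor_signed_in_place": AppRequest(r"C:\Program Files\Contoso\app.exe", "Contoso Software Ltd", True),
    "download_signed": AppRequest(r"C:\Users\alice\Downloads\setup.exe", "Contoso Software Ltd", True),
    "tampered": AppRequest(r"C:\Program Files\Tool\tool.exe", "Contoso Software Ltd", False),
    "unknown_unsigned": AppRequest(r"C:\Program Files\Tool\tool.exe", None, False),
}


def decide_all(policy: Policy = POLICY, samples: dict = SAMPLES) -> dict:
    """Return {sample name: verdict name} for every constructed request."""
    return {name: evaluate(policy, req).name for name, req in samples.items()}
```

Note that the rule order matters: the untrusted-location check comes first so a user’s Downloads folder never becomes a path to elevation, and a trusted publisher name on a broken signature is blocked rather than quarantined.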
Manage/Protect Privileges Granted to Users
Separating least-privileged users from privileged accounts gives an organization far more control and security over how privileges are granted to users, and lets it decide on a risk basis what counts as an accepted risk. This step allows the organization to adopt a zero-trust security posture that’s enforced by the least privilege strategy, reducing the risk from cyber attacks while keeping employees empowered and productive without the pain.
Applying the core principles of least privilege is a foundational element of your cybersecurity strategy. By removing local administrative privileges on endpoints, you reduce your attack surface and block the primary attack vector, preventing the vast majority of attacks from occurring.
Before you start implementing next-generation Endpoint Protection Platforms (EPP) or complex Endpoint Detection and Response (EDR) solutions, you should consider a least privilege strategy combined with an application control solution. Proactive protection based on least privilege means less time and fewer resources spent detecting an infection, chasing down hackers once they’ve already entered your network, and remediating the damage.
About the Author
Joseph Carson is the Chief Security Scientist at Thycotic. Joseph is responsible for cybersecurity research in the privileged access management industry, accelerating Thycotic’s innovation and leadership position. He is a cybersecurity professional and ethical hacker with more than 25 years’ experience in enterprise security, specializing in blockchain, endpoint security, application security and virtualization, and privileged access management. Prior to joining Thycotic, Joseph worked on innovative blockchain solutions at Guardtime and spent more than 10 years in leadership roles at Altiris, Symantec, and Arellia. He is a Certified Information Systems Security Professional (CISSP) and an active member of the cybersecurity community, frequently speaking at cybersecurity conferences globally.