Reviving the Principle of Least Privilege and How to Reach It

In June, I was fortunate enough to be invited onto the stage at Whitehall Media's IDM event in London. I joined Ismet Geri of Veza to talk about the Principle of Least Privilege, and how this cybersecurity staple applies, fairly obviously, to identity security.

The principle is that each identity should have only the permissions it needs to do its job, and nothing more. I made the point at the time that it was anything but new, and that I had first come across the concept when working towards my ISC2 CISSP certification, under my IT security mentor Bob Rodger, over 15 years ago. He famously used to tell me, "All of this is pretty obvious stuff, Paul".

 

The principle itself pre-dates even the term cybersecurity. 


Author: Paul Dawson, Chief Services Officer at CyberIAM

I'd spotted a thread on LinkedIn asking whether the principle of least privilege is dead, which I immediately questioned in my head. With credential abuse being the number one route in for attackers (they log in rather than hack in), could it really be?

The post referred to modern approaches to privileged access management (PAM) such as ZSP and JIT. Again, I thought to myself:

 

  • Zero standing privilege (ZSP) is an approach that all organisations should work towards as a cornerstone of zero trust, but at some point privileges need to be granted to meet a requirement, and those should be the minimum required, thus aligning with the principle of least privilege (POLP).

     

  • Just-in-time access (JIT) grants access for a bounded window, but however short that window, the access granted during it should be the minimum needed – also aligning with POLP!

Ultimately the post was more about the industry's failure to reach POLP than about its ongoing value as something to keep striving for, which surely it is!

Why haven't organisations been able to achieve this principle across the board?   

Put simply, it is hard. Here are a few points as to why. 

 

  • The scale of the task is significant. Even in mid-size corporations there are hundreds of applications, so the effort required to apply the principle is large. Identity is now a big data problem.

     

  • It is complex. Understanding the privileges associated with an account (and with the identity behind it) is hard to unpick, and the complexity has grown over time. The clearest example is the different access models that AWS, Google Cloud and Microsoft Azure use. Most organisations have more than one cloud service provider (CSP), so any analyst trying to understand current access must understand all of them – a tough ask! SaaS applications often have their own, differently granular access models too, adding to the complexity.

     

  • The risk of getting it wrong. An under-recognised reason for companies failing to get close to least privilege is concern over the service risk of removing access. Removing or reducing access that an individual account genuinely needs results in an unhappy user who cannot do their job, with the corresponding negative impact on the business. Incorrect access removal on a service account (a machine identity) is worse: it can bring down an entire service and be difficult to troubleshoot and resolve.


These challenges, plus the natural privilege creep (or privilege sprawl) that occurs over time in any organisation, mean that before you can even start on least privilege you need visibility of the access associated with the identities in your company. This is a straightforward example of the old adage that "you can't secure what you can't see".

This is one reason why I am such a big fan of the prevalence of Identity Security Posture Management (ISPM) offerings we see on the market today. There is a realisation that visibility, and the ability to understand the access an identity or account has, is key.

 

You need a picture of the permissions and where they are over-permissioned.  

This must ... 

 

  • Be at a granular level if you are truly going to understand those permissions and be able to take action 
  • Go beyond a static view of the access, combining the scope of the access with its actual usage for a true and intelligent view of privilege 
  • Cover all access, human and non-human. Applying least privilege beyond carbon life forms is critical, especially since machine identities are increasingly the source of breaches 

Only with that full visibility can you move towards the principle of least privilege.  This isn’t the focus of this blog, but it does highlight the importance of ensuring that if you are in the market for ISPM tooling, you need to ensure it is the right one. 
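As an added illustration of what granular, usage-aware visibility looks like in practice (this is example code written for this page, not the original post's or any vendor's tooling), the Python below takes an AWS IAM-style identity policy, resolves its wildcards to concrete actions against a small constructed action catalogue, honours explicit Deny statements, then compares the result with constructed "days since last used" data to list the entitlements the identity holds but has not exercised, and emits a tightened policy. It also illustrates the earlier point about the complexity of CSP access models: even this simplified evaluator has to handle wildcards, case-insensitivity and Deny-overrides-Allow, and it deliberately ignores Resource scoping, Condition, NotAction and resource-based policies, all of which a real ISPM or CIEM tool must model. The catalogue, the policy, the usage figures and the 90-day window are all assumptions made for the example.

```python
"""
Added example: a toy usage-aware least-privilege check for one identity.

Inputs (all constructed for this example):
  * an AWS IAM-style identity policy with Allow/Deny statements and wildcards
  * a small catalogue of possible actions (real AWS has thousands)
  * "days since last used" per action, as IAM Access Advisor / CloudTrail would give you
Output: the actions actually permitted, those not used inside the review window,
and a tightened policy containing only the actions still in use.
Simplifications: Resource is always "*", and Condition, NotAction and
resource-based policies are ignored; a real tool must model all of them.
"""
import fnmatch
import json

# Constructed catalogue of actions the evaluator knows about.
ACTION_CATALOGUE = [
    "s3:GetObject", "s3:PutObject", "s3:DeleteObject", "s3:ListBucket", "s3:DeleteBucket",
    "iam:CreateUser", "iam:AttachUserPolicy", "iam:PassRole", "iam:ListUsers",
    "ec2:DescribeInstances", "ec2:RunInstances", "ec2:TerminateInstances",
]

# Constructed policy on a reporting service account. "s3:*" and "iam:*" are the
# privilege creep we want to surface; the Deny shows why Allow alone is not enough.
GRANTED_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": ["s3:*", "ec2:Describe*"], "Resource": "*"},
        {"Effect": "Allow", "Action": "iam:*", "Resource": "*"},
        {"Effect": "Deny", "Action": "iam:CreateUser", "Resource": "*"},
    ],
}

# Constructed usage: action -> days since the identity last called it.
DAYS_SINCE_LAST_USE = {
    "s3:GetObject": 1,
    "s3:ListBucket": 3,
    "s3:PutObject": 140,   # last used long before a 90-day review window
    "ec2:DescribeInstances": 7,
}


def _as_list(value):
    """IAM lets "Action" be a single string or a list; normalise to a list."""
    return [value] if isinstance(value, str) else list(value)


def action_matches(pattern, action):
    """IAM action patterns are case-insensitive and support * and ? wildcards."""
    return fnmatch.fnmatchcase(action.lower(), pattern.lower())


def effective_allowed(policy, catalogue):
    """Expand wildcards to concrete actions; an explicit Deny beats any Allow."""
    allowed, denied = set(), set()
    for stmt in policy["Statement"]:
        patterns = _as_list(stmt["Action"])
        target = allowed if stmt["Effect"] == "Allow" else denied
        target.update(a for a in catalogue if any(action_matches(p, a) for p in patterns))
    return allowed - denied


def unused_actions(policy, catalogue, last_use, window_days=90):
    """Permitted actions with no use inside the review window (never used counts too)."""
    recent = {a for a, days in last_use.items() if days <= window_days}
    return effective_allowed(policy, catalogue) - recent


def tightened_policy(policy, catalogue, last_use, window_days=90):
    """Rewrite the policy to only the actions that are both permitted and recently used."""
    unused = unused_actions(policy, catalogue, last_use, window_days)
    keep = sorted(effective_allowed(policy, catalogue) - unused)
    return {"Version": "2012-10-17",
            "Statement": [{"Effect": "Allow", "Action": keep, "Resource": "*"}]}


if __name__ == "__main__":
    print("Effective allow set:", sorted(effective_allowed(GRANTED_POLICY, ACTION_CATALOGUE)))
    print("Unused in 90 days:  ", sorted(unused_actions(GRANTED_POLICY, ACTION_CATALOGUE, DAYS_SINCE_LAST_USE)))
    print(json.dumps(tightened_policy(GRANTED_POLICY, ACTION_CATALOGUE, DAYS_SINCE_LAST_USE), indent=2))
```

The unused set is the review queue, not an automatic removal list: the "risk of getting it wrong" point above applies directly, because a service account whose quarterly job has not yet run inside the window will look unused. Choose the window against the longest legitimate usage cycle, and treat the tightened policy as a proposal for the access owner to confirm rather than something to apply blind.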

Perhaps you are lucky enough to have purchased and implemented an ISPM tool and you genuinely have that visibility. Of course, you then need to do something with it!   

There is often a lot of value in a one-off exercise to remove the access that privilege creep has produced when you first gain that visibility. After that, as you move towards business as usual (BAU), the identities and their associated accounts and entitlements need to be brought under management to stop the creep recurring.

 

The introduction of roles, strong mover and leaver controls, plus access request and access review processes, are all required to prevent creep.

 

More modern approaches to access review present the right level of data and context within the review (many now with AI-assisted suggested actions), leading to better (braver?) decision making by managers and owners. Regular review and removal of unrequired entitlements is needed to maintain least privilege.

In summary, and just to confirm, the principle is certainly alive and well!  To misquote Mark Twain, “the news of its death has been greatly exaggerated”. 

My opinion is that our industry has evolved in the last few years and is continuing to evolve, offering new approaches to the same issues and, in this case, the same principles. ISPM, identity threat detection and response (ITDR), cloud infrastructure entitlement management (CIEM) and other modern approaches to identity security give me hope that we can move the dial towards least privilege with increasing confidence.

Would you like to discuss the principle of least privilege further with our experts? 

Perhaps you would like some advice on what to do next? 

Book a meeting with our team and we will gladly help you with any of your identity security needs. 

Get in touch

If you would like more information about CyberIAM's Services offering, contact us here and a member of our specialised team will be in touch as soon as possible.

Current State Assessment guide

Access our comprehensive current state assessment guide to discover how we initiate our end-to-end analysis, setting the foundation for providing you with the best possible advice.