What Least Privilege Means in Practice

Organizations today are accelerating their transition to zero trust security architectures, so they can enable cloud access for modern workforces while hardening enterprise defenses against breaches resulting from stolen or misused credentials. A key prerequisite for creating a zero trust architecture is a holistic approach to privileged access management (PAM). PAM solutions have been around for some time: Gartner describes PAM as “a foundational level of security to protect an organization’s most critical accounts, credentials and operations.”

To enforce the strongest security standards in the cloud, organizations need total visibility into all privileged-account activity, plus strong tools to monitor and regulate that access. In practice, privileged access management starts with setting policies that define and enforce the principle of least privilege, in which each person gets only the specific access they need to do their job, for no longer than they need it. The closer an enterprise can hold to this ideal, the smaller the damage a stolen or misused credential can do.

The Challenge of Privileged Access Management

Many of the world’s most high-profile breaches, including the infamous SolarWinds attack, were made possible because privileged accounts had been compromised or misused. A privileged account is a user or device with administrative access to sensitive enterprise resources, including data. Privileged accounts also typically have administrative access over a subset of other accounts. Administrators are often granted access to Active Directory service accounts, local administrative workstations, servers and hosts, and application accounts, for example. In some cases, privileged accounts can even convey account access that extends across the entire enterprise.

Some degree of privileged access is clearly necessary for the ordinary functioning of business, including maintenance, system updates, security, and other aspects of management. However, these powerful accounts are extremely attractive to threat actors, and require extra protection to keep the “keys to the kingdom” from falling into the wrong hands. The last thing the legitimate users of these privileged accounts need is additional security hurdles that hamstring productivity. But trying to keep them happy by preemptively giving them more access than they need, though common, is a dangerously unsafe practice—you may keep them productive in the moment, but at the cost of creating a security problem for tomorrow.

The State of PAM Solutions

Goals for PAM technology include discovery of privileged accounts across multiple systems, platforms and applications, and tools for centrally monitoring and controlling credential management, including elevating and removing privileges for privileged accounts. It’s a big business, and Gartner forecasts that the market for PAM technology will grow from $1.9 billion in 2020 to $2.9 billion in 2024. But the fact is that many companies don’t even know the extent of their privilege management issues.

A survey by the Ponemon Institute last year, for example, found that just 11% of government organizations were "very confident" that they had complete visibility and could confirm that privileged users were in compliance with key policies—about one in nine. Ponemon's research also found that 73% of surveyed organizations were granting privileged-access rights beyond what is necessary, that 44% lacked complete control over access to sensitive information, that 43% still relied on manual approaches such as reviewing log files by hand rather than automated controls, and that only 28% were using automated threat-intelligence tools.

As the SolarWinds breach and other high-profile credential-based attacks demonstrate, organizations across the board need to master privileged access management and implement least privilege access across their organizations. Alarmed by last year's breaches, the White House issued an executive order (Executive Order 14028, May 2021) directing federal agencies to accelerate their adoption of zero-trust practices. Among other things, the order calls for a data-centric security model that "allows the concept of least-privileged access to be applied for every access decision."

Building a Least Privilege Framework

The gold standard is to grant access rights only at the “absolute minimum necessary for the system to operate and the agent to complete its tasks,” according to Akintola Dasilva, manager of the governance, risk and compliance program at MindPoint Group, a cybersecurity and risk assessment consulting firm. Organizations must create a plan for privileged access management at the enterprise platform and application levels, he noted.

To strengthen security across your enterprise, experts recommend taking an architectural approach to privileged access management. For example, build authorization checks into each application itself, so privileges can be controlled at the application layer instead of only at the operating system or infrastructure layers. And design specific emergency ("break-glass") access procedures instead of frantically handing non-administrators privileged access whenever an emergency happens. Granting privileges on an ad-hoc basis may not cause problems in the short run; the problem is that these privileges are rarely removed when they are no longer needed, leaving you with invisible weak points in your security. Ensure that every request for elevated privileges records a justification, triggers a notification to the relevant manager, carries an expiry, and is reviewed regularly and automatically so that expired grants are actually revoked.
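The elevation workflow described above can be made concrete with a small added example (not code from the original post or from Veza, MindPoint Group or SHI). It models a registry in which every elevation request must carry a justification, notifies an approver, expires after a bounded TTL, and is swept by an automatic review that revokes whatever has lapsed. The class and function names, the four-hour ceiling, and the timestamps and incident reference in the demo are all hypothetical.

```python
"""Time-bounded privilege elevation with notification and automatic review.

Added example; names (ElevationRegistry, Grant, notify, MAX_TTL) and the
policy ceiling are hypothetical. The demo() scenario uses constructed
timestamps so it runs deterministically offline.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone


@dataclass
class Grant:
    user: str
    role: str
    reason: str
    granted_at: datetime
    expires_at: datetime
    approver: str
    revoked: bool = False


class ElevationRegistry:
    # Hypothetical policy ceiling: no ad-hoc elevation may outlive the shift.
    MAX_TTL = timedelta(hours=4)

    def __init__(self, notify):
        # notify(manager, message) is whatever channel you use (pager, ticket,
        # chat). The demo injects a stub that records messages in a list.
        self._grants: list[Grant] = []
        self._notify = notify

    def elevate(self, user, role, reason, approver, ttl, now=None):
        """Record a bounded grant; refuse silent or open-ended elevation."""
        now = now or datetime.now(timezone.utc)
        if not reason.strip():
            raise ValueError("elevation requires a recorded justification")
        if ttl <= timedelta(0) or ttl > self.MAX_TTL:
            raise ValueError(f"ttl must be in (0, {self.MAX_TTL}]")
        grant = Grant(user, role, reason, now, now + ttl, approver)
        self._grants.append(grant)
        self._notify(approver, f"{user} elevated to {role} until "
                               f"{grant.expires_at.isoformat()}: {reason}")
        return grant

    def is_active(self, user, role, now=None):
        """Authorization check: only unrevoked, unexpired grants count."""
        now = now or datetime.now(timezone.utc)
        return any(g.user == user and g.role == role and not g.revoked
                   and g.expires_at > now for g in self._grants)

    def sweep(self, now=None):
        """Automatic review: revoke every expired grant and report each one."""
        now = now or datetime.now(timezone.utc)
        revoked = []
        for g in self._grants:
            if not g.revoked and g.expires_at <= now:
                g.revoked = True
                revoked.append(g)
                self._notify(g.approver, f"auto-revoked {g.user}'s {g.role} "
                                         f"(expired {g.expires_at.isoformat()})")
        return revoked


def demo():
    """Constructed scenario: one valid break-glass grant, one rejected request."""
    sent = []
    reg = ElevationRegistry(notify=lambda mgr, msg: sent.append((mgr, msg)))
    t0 = datetime(2024, 1, 1, 9, 0, tzinfo=timezone.utc)  # constructed timestamp
    reg.elevate("alice", "db-admin", "INC-1234 failover (hypothetical)",
                approver="bob", ttl=timedelta(hours=1), now=t0)
    during = reg.is_active("alice", "db-admin", now=t0 + timedelta(minutes=30))
    swept = reg.sweep(now=t0 + timedelta(hours=2))
    after = reg.is_active("alice", "db-admin", now=t0 + timedelta(hours=2))
    try:  # an 8-hour, unjustified request is refused outright
        reg.elevate("mallory", "db-admin", "", approver="bob",
                    ttl=timedelta(hours=8), now=t0)
        rejected = False
    except ValueError:
        rejected = True
    return {"during": during, "after": after, "revoked": len(swept),
            "notifications": len(sent), "rejected": rejected}


if __name__ == "__main__":
    print(demo())
```

The sweep is the part most shops skip: without it, `is_active` would still refuse expired grants, but the grants themselves would remain on the books as standing "shadow" privilege that no one is tracking. Running the sweep on a schedule and feeding its output to the approvers is what turns ad-hoc elevation into something reviewable.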

Privileged access management isn’t possible if your enterprise doesn’t have a firm grasp on who has access to what, and how they’re using that access, at all times. Specifically, organizations must be able to identify every instance when users access apps, infrastructure, and most importantly, data, through privileged access credentials, whether on-premises or in the cloud, notes David O’Leary, senior director of security for global systems integrator SHI. “To reduce the risk of attackers gaining access to critical systems or sensitive data, give users only the bare minimum privileges needed to do their jobs,” like removing full local administrator access to endpoints, he advised in a recent blog post.

Sound complicated? Fortunately, there’s a comprehensive solution.

Veza: Purpose-Built to Enforce Least Privilege Access to What Matters Most: Data

Veza's data security platform is built on the power of authorization, making it possible for organizations to manage, understand, and control least privilege to data, dramatically reducing the risk from credential misuse and data breaches. Veza uses read-only permissions to discover authorization metadata: it cannot modify your data or the permissions on it, which limits what an attacker could do if the platform itself were ever compromised. On that foundation, the platform provides the oversight you need to inhibit privilege abuse from both external and internal sources while simplifying the often complex processes of access and entitlement reviews.

With Veza, security teams can use real-time search capabilities to drill into authorization information and discover least privilege violations in their environments, such as over-broad AWS IAM grants or permission boundary conflicts. DevOps teams can validate authorization policies against least privilege standards, manage ephemeral service accounts' access to data, and visualize data teams' access to roles and the permissions those roles carry in corporate data systems. And data teams can standardize and replicate authorization for humans and services based on the gold standard of least privilege.
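The two kinds of AWS finding mentioned above can be made concrete with a small added example (not Veza's code, output or search syntax). It lints a constructed IAM identity policy for wildcard grants and then computes which actions that policy allows but a permissions boundary withholds, which in IAM means they are effectively denied even though the identity policy appears to grant them. The policy documents and action list are constructed for the example; the matcher considers only Effect and Action (it ignores Resource, Condition and NotAction when deciding a match), so it is a teaching model of IAM evaluation, not a substitute for the IAM policy simulator.

```python
"""Least-privilege lint and permissions-boundary check for IAM policies.

Added example with constructed policies. IAM action names are matched
case-insensitively with the '*' and '?' wildcards IAM supports; fnmatch
also understands '[...]', which IAM does not, so avoid brackets in input.
"""
import fnmatch
import json

# Constructed identity policy: one tight statement, two over-broad ones.
IDENTITY_POLICY = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [
    {"Sid": "AppRead", "Effect": "Allow",
     "Action": ["s3:GetObject", "s3:ListBucket"],
     "Resource": "arn:aws:s3:::example-app-data/*"},
    {"Sid": "TooBroad", "Effect": "Allow", "Action": "s3:*", "Resource": "*"},
    {"Sid": "Ops", "Effect": "Allow", "Action": ["iam:CreateUser"], "Resource": "*"}
  ]
}
""")

# Constructed permissions boundary: the ceiling on what the identity may do.
BOUNDARY = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [
    {"Effect": "Allow", "Action": ["s3:*", "logs:*"], "Resource": "*"}
  ]
}
""")


def _as_list(value):
    """IAM allows a string or a list in Action/Resource/Statement."""
    return value if isinstance(value, list) else [value]


def lint_policy(policy):
    """Return human-readable least-privilege findings for Allow statements."""
    findings = []
    for i, st in enumerate(_as_list(policy["Statement"])):
        if st.get("Effect") != "Allow":
            continue
        sid = st.get("Sid", f"Statement[{i}]")
        if "NotAction" in st:
            findings.append(f"{sid}: Allow with NotAction grants every action not listed")
        for action in _as_list(st.get("Action", [])):
            if action == "*":
                findings.append(f"{sid}: Action '*' grants every API action")
            elif action.endswith(":*"):
                findings.append(f"{sid}: Action '{action}' grants every action in the service")
        if "*" in _as_list(st.get("Resource", [])) and not st.get("Condition"):
            findings.append(f"{sid}: Resource '*' with no Condition")
    return findings


def action_allowed(policy, action):
    """Simplified IAM evaluation on Action/Effect only: explicit Deny wins."""
    allowed = False
    for st in _as_list(policy["Statement"]):
        patterns = _as_list(st.get("Action", []))
        if any(fnmatch.fnmatchcase(action.lower(), p.lower()) for p in patterns):
            if st.get("Effect") == "Deny":
                return False
            if st.get("Effect") == "Allow":
                allowed = True
    return allowed


def boundary_conflicts(identity_policy, boundary, actions):
    """Actions the identity policy allows but the boundary does not.

    Effective permission is the intersection of the two, so each of these
    is a grant that looks real in the identity policy yet never takes effect.
    """
    return [a for a in actions
            if action_allowed(identity_policy, a) and not action_allowed(boundary, a)]


if __name__ == "__main__":
    for f in lint_policy(IDENTITY_POLICY):
        print("FINDING:", f)
    probe = ["s3:GetObject", "iam:CreateUser", "ec2:RunInstances"]
    print("boundary conflicts:", boundary_conflicts(IDENTITY_POLICY, BOUNDARY, probe))
```

On the constructed input the lint reports three findings (the `s3:*` service wildcard and two unconditioned `Resource: "*"` grants), and the boundary check reports `iam:CreateUser` as a conflict: the identity policy grants it, the boundary never does, so the principal cannot actually create users, and the statement is dead weight that still looks like standing privilege to anyone reading the identity policy alone.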

Privileged access management can feel like a runaway train in today’s fast-evolving digital ecosystems, but Veza’s solution puts enterprises back in the driver’s seat.
