IT teams rely on a variety of security and access management tools to safeguard sensitive information and systems. However, the broad industry consensus is that no system can be 100% secure and every IT team must operate under the assumption that breaches are inevitable. Thus while we still need to do everything to improve security posture and decrease the likelihood of a breach, we must expect a breach and govern our systems in a way that minimizes the impact of a potential breach. The best way to accomplish this is to achieve and maintain least privilege.
What is the principle of least privilege?
The principle of least privilege was originally coined in The Protection of Information in Computer Systems, a research paper by Jerry Saltzer, a computer scientist at MIT, and his doctoral student Michael Schroeder. In their paper, the researchers outlined 10 design principles that they believe are important in designing secure software systems. The principle of least privilege is one of those 10 and is described as: “Every program and every user of the system should operate using the least set of privileges necessary to complete the job.” Today the principle of least privilege is most commonly used by information security professionals to describe the access governance framework where systems and processes should be granted the minimum levels of access — or permissions — needed to accomplish their job.
Examples of applying the principle of least privilege to access governance.
Let’s say Mary is a marketing manager who requests access to the CRM system in order to track lead volumes and conversion rates. Your CRM system contains material non-public information such as sales forecasts. To comply with government regulations, public companies must restrict access to any material non-public information, and it’s a best practice for private companies to do so as well. According to the principle of least privilege, Mary probably shouldn’t have more than read-only access to your CRM system, and she should not have access to sales forecasts. In addition, depending on Mary’s scope, you might want to limit her access to other sensitive information in the CRM such as price books and discount schedules.
One of the easiest ways to determine over-privilege is to monitor for access going unused. For example, if Mary only logs in once a quarter to download a few reports, it would be better to not grant her any access to the CRM system at all, but rather figure out a way for someone to run those reports for her.
Keep in mind that according to the principle of least privilege, access should be re-evaluated periodically, and especially when users change roles. For example, say that Mary changes roles and becomes a sales representative. What she can and cannot access in the CRM system will need to change. She probably no longer needs any access to the records that she does not own. She most likely does need new access to create and edit her sales forecasts.
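The Mary scenario above, worked through in code. This is an added illustration, not code from the post or from Veza: roles, object names, and users are constructed. Permissions are derived from the user's current role, some objects are owner-scoped (a sales rep sees only records she owns), and a role change returns an explicit revoke/grant diff so that the old role's access is removed rather than accumulated.

```python
"""Added example (not from the post or Veza): role-based least privilege.

Models the CRM scenario: permissions derive from a user's current role,
some objects are owner-scoped (only records the user owns), and a role
change produces an explicit revoke/grant diff. All names are constructed.
"""
from dataclasses import dataclass

# Role -> set of (object, action) entitlements. Constructed for this example.
ROLE_PERMISSIONS = {
    # Read-only, no forecasts; can pull reports on lead volume and conversion.
    "marketing_manager": {
        ("lead", "read"), ("opportunity", "read"), ("report", "read"),
    },
    # Can create/edit own records and forecasts; loses the marketing reports.
    "sales_rep": {
        ("lead", "read"), ("lead", "edit"),
        ("opportunity", "read"), ("opportunity", "edit"),
        ("sales_forecast", "read"), ("sales_forecast", "edit"),
    },
}

# Objects that, for a given role, are limited to records the user owns.
OWNER_SCOPED = {
    "sales_rep": {"lead", "opportunity", "sales_forecast"},
}


@dataclass
class Record:
    object_type: str
    owner: str


@dataclass
class User:
    name: str
    role: str


def permissions_for(user: User) -> set:
    """Entitlements implied by the user's current role (empty for unknown roles)."""
    return set(ROLE_PERMISSIONS.get(user.role, set()))


def is_allowed(user: User, action: str, record: Record) -> bool:
    """Deny by default: the role must grant (object, action), and owner-scoped
    objects additionally require the user to own the record."""
    if (record.object_type, action) not in permissions_for(user):
        return False
    if record.object_type in OWNER_SCOPED.get(user.role, set()):
        return record.owner == user.name
    return True


def change_role(user: User, new_role: str):
    """Move the user to new_role and return (revoked, granted) entitlement sets,
    so the caller removes the old role's access instead of stacking roles."""
    before = permissions_for(user)
    user.role = new_role
    after = permissions_for(user)
    return before - after, after - before


if __name__ == "__main__":
    mary = User("mary", "marketing_manager")
    bobs_lead = Record("lead", "bob")
    print("read bob's lead as marketing manager:", is_allowed(mary, "read", bobs_lead))
    print("edit bob's lead as marketing manager:", is_allowed(mary, "edit", bobs_lead))
    revoked, granted = change_role(mary, "sales_rep")
    print("revoked:", sorted(revoked), "granted:", sorted(granted))
    print("read bob's lead as sales rep:", is_allowed(mary, "read", bobs_lead))
```

The point of `change_role` returning a diff is that role changes are where privilege quietly accumulates: if the new role's permissions are simply added, Mary keeps the marketing report access she no longer needs.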
According to CIO.com, the principle of least privilege is “the cornerstone of safeguarding sensitive data,” and most security teams still have a lot of work to do in order to achieve and maintain least privilege.
What are the benefits of least privilege?
- Minimize blast radius – The fewer resources a user has access to, the fewer harmful actions can be taken by that user (if they turn malicious) or on that user’s behalf if their identity is compromised. Thus if every user has access to as few resources as possible, the impact of any potential breach is minimized.
- Simplified compliance – The fewer resources a user has access to, the fewer permissions there are to track and justify for audit and compliance purposes. Thus adhering to the principle of least privilege simplifies compliance and makes it easier to prepare for audits.
- Optimal performance – Revoking unnecessary permissions and users makes systems easier to manage and improves performance.
- Lower subscription spend waste – About 50% of SaaS licenses are not being used and only 5% of IT leaders have complete visibility into all the SaaS licenses that are being used by their employees. Revoking unnecessary access and reclaiming licenses can result in significant cost savings for most organizations.
How to achieve and maintain least privilege?
- Prioritize and categorize – Start by understanding what systems, data, and resources you have, and prioritize them based on sensitivity and importance.
- Define employee roles – Clearly define roles within your organization and understand what access each employee requires to perform their duties effectively.
- Use access control tools and perform regular audits – Utilize tools that help you right-size everyone’s access and conduct regular audits to ensure that permissions align with each employee’s current needs and roles.
- Monitor and rightsize access continuously – The least privilege principle is not a set-and-forget approach. It requires ongoing monitoring and adjustment to adapt to changes in roles, responsibilities, and the evolving list of IT systems. You should continuously scrutinize all access to resources like Snowflake tables or S3 buckets as well as to apps. Any access that hasn’t been used for 30 days, or 90 days, or whatever threshold makes sense for your environment, should be removed.
- Educate and train – Ensure that all team members understand the importance of least privilege and are trained to recognize the risks of excessive permissions.
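The unused-access check from the "Monitor and rightsize access continuously" step, as an added example that is not part of the post and not Veza's code. It runs over a constructed last-activity export (one line per user/resource grant) and flags grants idle longer than a configurable threshold. One caveat it handles: a grant that has never been used is aged from its grant date, so a grant issued last week is not flagged just because it has no usage yet.

```python
"""Added example (not from the post or Veza): flag access that has gone unused
for longer than a threshold, the check in the 'Monitor and rightsize' step.

Input is a constructed last-activity export with one line per (user, resource)
grant. A grant that was never exercised is aged from its grant date.
"""
from datetime import date, timedelta

# Constructed sample export. Columns: user,resource,granted_on,last_used
SAMPLE_EXPORT = """\
# user,resource,granted_on,last_used  (last_used = 'never' if no recorded use)
mary,crm,2023-01-10,2024-05-02
mary,snowflake:marketing.leads,2023-06-01,2024-01-15
bob,s3://finance-reports,2023-02-14,never
bob,crm,2023-02-14,2024-05-30
"""


def parse_export(text: str) -> list:
    """Parse the CSV-like export into dicts with date objects (None = never used)."""
    rows = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        user, resource, granted_on, last_used = (f.strip() for f in line.split(","))
        rows.append({
            "user": user,
            "resource": resource,
            "granted_on": date.fromisoformat(granted_on),
            "last_used": None if last_used == "never" else date.fromisoformat(last_used),
        })
    return rows


def stale_grants(rows: list, today: str, threshold_days: int) -> list:
    """Return (user, resource, idle_days) for grants idle longer than
    threshold_days, most idle first. Idle time is measured from last use,
    or from the grant date if the grant was never used."""
    as_of = date.fromisoformat(today)
    cutoff = as_of - timedelta(days=threshold_days)
    stale = []
    for r in rows:
        reference = r["last_used"] or r["granted_on"]
        if reference < cutoff:
            stale.append((r["user"], r["resource"], (as_of - reference).days))
    return sorted(stale, key=lambda t: -t[2])


if __name__ == "__main__":
    for user, resource, idle in stale_grants(parse_export(SAMPLE_EXPORT), "2024-06-01", 90):
        print(f"revoke candidate: {user} -> {resource} (idle {idle} days)")
```

The threshold is a parameter rather than a constant because, as the step says, 30 or 90 days is an environment-specific choice; the output is a list of revocation candidates for review, not an automatic revoke.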
By adopting the principle of least privilege, organizations can improve their security posture, streamline operations, and simplify compliance. Check out our short demos to see how Veza can help you review and rightsize permissions across your organization and visualize and control who can do what with your data.
About Veza
Veza is the Access Control Platform that enables identity governance. The platform helps companies to monitor privilege, investigate identity threats, automate access reviews, and bring access governance to enterprise resources like SaaS apps, data systems, cloud services, infrastructure services, and custom apps.