In information security, computer science, and other fields, the principle of least privilege (PoLP), also known as the principle of minimal privilege (PoMP) or the principle of least authority (PoLA), requires that in a particular abstraction layer of a computing environment, every module (such as a process, a user, or a program, depending on the subject) must be able to access only the information and resources that are necessary for its legitimate purpose.
The principle means giving any user account or process only those privileges that are essentially vital to perform its intended functions.
For example, a user account for the sole purpose of creating backups does not need to install software: hence, it has rights only to run backup and backup-related applications. Any other privileges, such as installing new software, are blocked.
The principle applies also to a personal computer user who usually does work in a normal user account and opens a privileged, password-protected account only when the situation absolutely demands it. When applied to users, the terms least user access or least-privileged user account (LUA) are also used. This refers to the concept that all user accounts should run with as few privileges as possible, and also launch applications with as few privileges as possible.
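The backup-account and everyday-versus-privileged-account examples above come down to one rule: every account carries an explicit allow-list, and anything not on it is denied. The following Python is an added illustration, not code from the article; the account names, operation names and allow-lists are constructed for the demonstration.

```python
"""Default-deny permission check for least-privileged accounts (added example).

Each account is bound to an explicit allow-list of operations. Anything not
listed is denied, which is exactly the behaviour the backup-account example
describes: the account can run backup jobs but cannot install software.
Account names and operation names are constructed for illustration.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Account:
    name: str
    allowed: frozenset   # explicit allow-list of operations; everything else is denied


# Constructed sample accounts. "backup" mirrors the article's example: it may
# read data and run backup tooling, nothing more. "alice" is a normal user
# account, and "alice-admin" is the separate privileged account she opens only
# when the task demands it.
ACCOUNTS = {
    "backup": Account("backup", frozenset({"read:files", "run:backup_job", "write:backup_store"})),
    "alice": Account("alice", frozenset({"read:files", "write:own_files", "run:office_apps"})),
    "alice-admin": Account("alice-admin", frozenset({"install:software", "modify:network", "manage:accounts"})),
}


def is_allowed(account_name: str, operation: str) -> bool:
    """Return True only if the operation is on the account's allow-list.

    Unknown accounts and unlisted operations both fall through to deny, so a
    typo in a policy fails closed rather than open.
    """
    account = ACCOUNTS.get(account_name)
    if account is None:
        return False
    return operation in account.allowed


def audit_request(account_name: str, operation: str) -> str:
    """Produce a one-line audit record for the decision (what a log line would carry)."""
    verdict = "ALLOW" if is_allowed(account_name, operation) else "DENY"
    return f"{verdict} account={account_name} op={operation}"


if __name__ == "__main__":
    requests = [
        ("backup", "run:backup_job"),         # legitimate purpose of the account
        ("backup", "install:software"),       # blocked: not needed for backups
        ("alice", "install:software"),        # blocked in the everyday account
        ("alice-admin", "install:software"),  # allowed only in the privileged account
        ("nobody", "read:files"),             # unknown account fails closed
    ]
    for acct, op in requests:
        print(audit_request(acct, op))
```

The design choice worth noting is that the lookup fails closed: a misspelled account or operation name produces a deny and an audit line, not a silent grant.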
The principle of least privilege is widely recognized as an important design consideration for protecting data and functionality both from faults (fault tolerance) and from malicious behavior.
Understanding the Principle of Least Privilege
The principle of least privilege (POLP) is a concept in computer security that limits users’ access rights to only what is strictly required to do their jobs. POLP applies equally to applications, systems and processes, which are likewise restricted to the access they are authorized for. This principle is also known as the access control principle or the principle of minimal privilege.
POLP is considered a cybersecurity best practice, as it restricts access to high-value data and assets. In addition, organizations that use POLP can improve their security posture by reducing their attack surface. It’s also used in zero-trust network access (ZTNA).
Depending on the system, some privileges might be based on attributes contingent on the user’s role within the organization. For example, some corporate access systems grant the appropriate level of access based on factors such as location, seniority, or time of day.
An organization can specify which users can access what in the system and the system can be configured so the access controls recognize only the administrators’ roles and parameters.
The principle of least privilege grants users permission to read, write or execute only the files or resources necessary to do their jobs. Time-limited privileges can also be enabled to ensure users have access to critical data for just the amount of time needed to perform a specific task.
Without this principle, an organization could create overprivileged users, which could increase their chance of data breaches and malicious actions.
How the Principle of Least Privilege works
The principle of least privilege works by limiting the accessible data, resources, applications and application functions to only that which a user or entity requires to execute their specific task or workflow. Without incorporating the principle of least privilege, organizations create over-privileged users or entities that increase the potential for breaches and misuse of critical systems and data.
Within ZTNA 2.0, the principle of least privilege means the information technology system can dynamically identify users, devices, applications and application functions a user or entity accesses, regardless of the IP address, protocol or port an application uses. This includes modern communication and collaboration applications that use dynamic ports.
The principle of least privilege as executed within ZTNA 2.0 eliminates the need for administrators to think about the network architecture or low-level network constructs such as FQDN, ports or protocols, enabling fine-grained access control for comprehensive least-privileged access.
Principle of Least Privilege account types
While account access is determined based on the needs of each individual, there are three main types of accounts:
- Superuser accounts. A superuser account, or admin account, has the highest level of privilege. Typically, only administrators have access to this account type since they are the most “trusted” users within an organization and need high levels of access to perform network monitoring and maintenance. Superuser or admin privileges can include:
  - Activating or deactivating other user accounts, including privileged accounts
  - Removing data
  - Installing and updating software and other applications
  - Adjusting network settings
- Least-privileged user accounts (LPUs). An LPU account offers users the bare minimum privileges necessary to complete routine tasks. This account type should be used by nearly all employees almost all of the time.
- Guest user accounts. A guest user has fewer privileges than an LPU and is granted limited, temporary access to the organization’s network. In order to reduce risk, organizations should limit both the number of guests allowed to use their network and their access within the system.
What is Privilege Creep?
Employees frequently change roles and responsibilities during their tenure. To perform tasks relevant to their updated roles, administrators need to re-evaluate or elevate necessary privileges.
While many organizations commonly add privileges to user accounts, it is rare for privileges to be revoked. As such, some standard users end up maintaining administrative access beyond what is needed to do their jobs. This results in unmonitored privilege escalation, or privilege creep.
As users accumulate elevated privileges, the organization becomes more vulnerable to cyberattacks, including data breaches. An adversary who compromises the credentials of a user whose access rights have accumulated over time can move laterally across the network and execute threats like ransomware and supply chain attacks.
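Privilege creep is detectable mechanically: compare what each account currently holds against the least-privilege baseline for its current role, and treat grants that are also unused as the first candidates for revocation. The review below is an added Python example, not code from the article; the roles, permission names, accounts and last-used dates are constructed sample data, and the 90-day staleness window is an assumed policy value.

```python
"""Privilege-creep review (added example, not from the article).

Compares what each account currently holds against the least-privilege
baseline for its *current* role and flags anything beyond that baseline as
creep. A last-used timestamp per permission highlights grants that survived a
role change without ever being exercised. Roles, permissions, accounts and
dates are constructed sample data.
"""
from datetime import datetime, timedelta

# Least-privilege baseline per role (constructed).
ROLE_BASELINE = {
    "helpdesk": {"tickets:read", "tickets:write", "users:reset_password"},
    "sysadmin": {"tickets:read", "servers:admin", "users:manage", "network:modify"},
    "finance": {"ledger:read", "ledger:write", "reports:run"},
}

NOW = datetime(2024, 6, 1)          # constructed review date
STALE_AFTER = timedelta(days=90)    # assumed policy: unused for 90 days counts as stale


def review_account(role: str, granted: dict) -> dict:
    """Return {"excess": [...], "stale": [...]} for one account.

    granted maps permission -> last-used datetime (None = never used).
    'excess' is every grant outside the role baseline (privilege creep);
    'stale' is every grant not exercised within STALE_AFTER, which is the
    strongest signal that a grant can simply be revoked.
    """
    baseline = ROLE_BASELINE.get(role, set())   # unknown role: everything is excess
    excess = sorted(p for p in granted if p not in baseline)
    stale = sorted(p for p, last in granted.items()
                   if last is None or NOW - last > STALE_AFTER)
    return {"excess": excess, "stale": stale}


def review_all(accounts: dict) -> dict:
    """Run the review over every account and return findings keyed by account name."""
    return {name: review_account(a["role"], a["granted"]) for name, a in accounts.items()}


# Constructed accounts. "bob" moved from sysadmin to helpdesk but kept two
# admin grants; "carol" holds only what finance needs and uses all of it.
ACCOUNTS = {
    "bob": {
        "role": "helpdesk",
        "granted": {
            "tickets:read": NOW - timedelta(days=1),
            "tickets:write": NOW - timedelta(days=2),
            "users:reset_password": NOW - timedelta(days=5),
            "servers:admin": NOW - timedelta(days=200),   # leftover from the old role
            "network:modify": None,                       # never exercised
        },
    },
    "carol": {
        "role": "finance",
        "granted": {
            "ledger:read": NOW - timedelta(days=1),
            "ledger:write": NOW - timedelta(days=3),
            "reports:run": NOW - timedelta(days=10),
        },
    },
}

if __name__ == "__main__":
    for name, findings in review_all(ACCOUNTS).items():
        print(name, findings)
```

In a real environment the `granted` map would be populated from the directory or IAM service and the last-used dates from access logs; the comparison logic stays the same.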
How does the principle of least privilege increase security?
- It reduces the cyber attack surface. Most advanced attacks today rely on the exploitation of privileged credentials. By limiting super-user and administrator privileges (which give IT administrators unfettered access to target systems), least privilege enforcement helps to reduce the overall cyber attack surface.
- It stops the spread of malware. Enforcing least privilege on endpoints prevents malware attacks (such as SQL injection attacks) from using elevated privileges to broaden access and move laterally in order to install or execute malware or damage the machine.
- It improves end-user productivity. Removing local administrator rights from business users reduces risk, while just-in-time privilege elevation, granted according to policy, keeps users productive and keeps IT helpdesk calls to a minimum.
- It helps streamline compliance and audits. Many internal policies and regulatory requirements require organizations to implement the principle of least privilege on privileged accounts to prevent malicious or unintentional damage to critical systems. Least privilege enforcement helps organizations demonstrate compliance with a full audit trail of privileged activities.
Benefits of PoLP for modern applications
The principle of least privilege is all about providing the minimum amount of privilege possible for users to get their work done. Unfortunately, legacy security solutions require organizations to allow access to a broad range of IP addresses, port ranges and protocols in order to use SaaS and other modern apps that use dynamic IPs and ports.
This approach violates the principle of least privilege, creating a huge security gap that can be exploited by an attacker or malware.
ZTNA 2.0 enables comprehensive usage of the principle of least privilege with Prisma Access and its patented App-ID functionality to provide dynamic identification of all users, devices and applications. It also provides application functions across any and all protocols and ports.
For administrators, this enables very fine-grained access control to finally implement true least-privileged access.
Benefits of PoLP for private applications
Many private applications lack the built-in, fine-grained access control capabilities that exist in most modern SaaS apps. Something as simple as allowing users to access an application to view – but not upload or download – data is simply not possible because the application is identified purely based on IP address and port number.
With the PoLP capabilities available through ZTNA 2.0 and Prisma Access, organizations get granular control at the sub-app level. This enables them to identify applications at the App-ID level.
Benefits of PoLP for client-server applications
The comprehensive principle of least-privilege technologies – like those available in Prisma Access – enables bidirectional access control between a client and server to define application access policies. This easily enables least-privileged access for applications that use server-initiated connections.
This includes mission-critical applications such as update and patch management solutions, device management applications and help desk applications.
How to Implement the Principle of Least Privilege
To implement the principle of least privilege, organizations typically take one or some of the following steps, as part of a broader defense-in-depth cybersecurity strategy:
- Audit the full environment to locate privileged accounts and credentials – such as passwords, SSH keys, password hashes and access keys – on-premises, in the cloud, in DevOps environments and on endpoints.
- Eliminate unnecessary local administrator privileges. Ensure that all human and non-human users only have the privileges necessary to perform their work.
- Separate administrator accounts from standard accounts and isolate privileged user sessions.
- Provision privileged administrator account credentials to a digital vault to begin securing and managing those accounts.
- Immediately rotate all administrator passwords after each use. This invalidates any credentials that may have been captured by keylogging software and mitigates the risk of a Pass-the-Hash attack.
- Continuously monitor all activity related to administrator accounts. This enables rapid detection and alerts on anomalous activity that may signal an in-progress attack.
- Enable just-in-time access elevation. This allows users to access privileged accounts or run privileged commands on a temporary, as-needed basis.
- Consistently review all cloud IAM permissions and entitlements in AWS, Azure and GCP environments, and remove excessive permissions granted to cloud workloads.
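The just-in-time elevation, time-limited access and continuous-monitoring steps above fit together in one small mechanism: a broker that grants a specific privilege for a bounded time, lets it lapse automatically, and records every decision. The Python below is an added example, not code from the article or from any product it mentions; the user names, privilege names, ticket identifier and the 30-minute maximum are constructed or assumed.

```python
"""Just-in-time privilege elevation with an audit trail (added example).

A standing account holds no administrative rights. Elevation is requested for
one specific privilege with a justification, approved with a time-to-live, and
lapses when the TTL passes, so the account returns to least privilege without
anyone having to remember to revoke it. Every decision is recorded. Names,
ticket ids and durations are constructed.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta


@dataclass
class Grant:
    user: str
    privilege: str
    expires_at: datetime
    ticket: str   # justification reference, e.g. a change ticket id (constructed)


@dataclass
class JitBroker:
    max_ttl: timedelta = timedelta(hours=1)      # assumed policy ceiling on any grant
    grants: list = field(default_factory=list)
    audit: list = field(default_factory=list)

    def _log(self, now, event, **fields):
        self.audit.append({"time": now.isoformat(), "event": event, **fields})

    def request(self, now, user, privilege, ticket, ttl):
        """Grant a time-boxed privilege; TTLs above the policy maximum are clamped."""
        if not ticket:
            self._log(now, "denied", user=user, privilege=privilege, reason="no justification")
            return None
        ttl = min(ttl, self.max_ttl)
        grant = Grant(user, privilege, now + ttl, ticket)
        self.grants.append(grant)
        self._log(now, "granted", user=user, privilege=privilege,
                  ticket=ticket, expires_at=grant.expires_at.isoformat())
        return grant

    def purge_expired(self, now):
        """Drop lapsed grants, logging each expiry so the trail shows when access ended."""
        live = []
        for g in self.grants:
            if g.expires_at <= now:
                self._log(now, "expired", user=g.user, privilege=g.privilege)
            else:
                live.append(g)
        self.grants = live

    def is_elevated(self, now, user, privilege):
        """True only while an unexpired grant for exactly this privilege exists."""
        self.purge_expired(now)
        held = any(g.user == user and g.privilege == privilege for g in self.grants)
        self._log(now, "check", user=user, privilege=privilege, result=held)
        return held


def demo():
    """Walk one elevation through its lifecycle and return the observable outcomes."""
    t0 = datetime(2024, 6, 1, 9, 0)
    broker = JitBroker(max_ttl=timedelta(minutes=30))
    grant = broker.request(t0, "alice", "servers:admin", "CHG-0001", timedelta(hours=8))
    denied = broker.request(t0, "alice", "network:modify", "", timedelta(minutes=10))
    return {
        "clamped_minutes": int((grant.expires_at - t0).total_seconds() // 60),
        "denied_without_ticket": denied is None,
        "during": broker.is_elevated(t0 + timedelta(minutes=10), "alice", "servers:admin"),
        "other_privilege": broker.is_elevated(t0 + timedelta(minutes=10), "alice", "network:modify"),
        "after": broker.is_elevated(t0 + timedelta(minutes=31), "alice", "servers:admin"),
        "audit_events": [r["event"] for r in broker.audit],
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Two details carry the least-privilege intent: the grant is scoped to one named privilege rather than to "admin" as a whole, and expiry is enforced on every check rather than relying on a separate cleanup job, so a missed revocation cannot leave the account elevated.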
The principle of least privilege is a foundational component of zero trust frameworks. Centered on the belief that organizations should not automatically trust anything inside or outside their perimeters, Zero Trust demands that organizations verify anything and everything trying to connect to systems before granting access.
As many organizations accelerate their digital transformation strategies, they are shifting from traditional perimeter security approaches to the Zero Trust framework to protect their most sensitive networks.