Have you heard of the Principle of Least Privilege?
There’s lots of advice to be given about how to set up your computer security. The toolbox is massive, with plenty of different models to choose from. A security model or framework, like the Principle of Least Privilege, is just an outline that doesn’t contain specific items (like “enable this exact setting” and such). Instead, it describes an overview or approach towards tackling the security problem.
Let’s look at this with a quick little thought experiment. Ask yourself, “What is a car?” It’s easy enough to describe one, but if you stop and think about it you may realize your description probably doesn’t contain details about how the mechanisms within actually work. It’s the same idea behind a framework; there are few specifics involved but you need to understand the idea so you can actually apply it. If you haven’t guessed already, the framework I’d like to talk about today is called The Principle of Least Privilege (PoLP), and it’s been around for a long time.
The idea behind the PoLP is simple: You’re trying to make certain that you provide only the access/permission/resources that are necessary to accomplish a given task. It’s a good approach because it helps to ensure employees only have the necessary permissions.
I touched on the PoLP briefly in a previous newsletter, but essentially it boils down to the idea that you should have zero trust regarding anything new entering your organization. Every door should be locked and the keys closely guarded. To carry this analogy into computers, new devices should have no access without permissions being provided first. A good example would be connecting a brand new device to the corporate wi-fi. Even if the proper credentials are provided, the device itself should still not connect because it is not implicitly trusted and hasn’t been authorized, and just putting in a password is not authorization. Providing wi-fi for employees’ business use is not the same as letting house guests use your home network and should have an extra layer of authorization beyond just knowing the password.
A similar example is network file sharing. Creating a new user in a directory service shouldn’t result in access to any of the file shares, because the user is not implicitly trusted. The purpose of a user account is to provide links to a login and an email address, nothing more. Additional steps need to be taken in order to access additional resources, such as MAC address filtering on access points. In order to do this properly, an organization needs to keep close track of its digital inventory. File share permissions should be set up with groups that apply only to those file shares (which means making sure that file share permissions are set up properly and monitored for changes).
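As an added example (not from the original post), here is a Python check that encodes the file-share rule just described: every access entry must be a group dedicated to that share, broad built-in principals are flagged, and any change from an approved baseline is reported. The naming convention `FS-<share>-<role>`, the list of broad principals and the sample entries are assumptions constructed for this example.

```python
"""Audit a file-share permission inventory for least-privilege violations:
only share-dedicated groups, no broad principals, no unreviewed drift."""
from __future__ import annotations
from dataclasses import dataclass

# Principals that grant access far wider than any single task (assumed names).
BROAD_PRINCIPALS = {"Everyone", "Authenticated Users", "Domain Users"}


@dataclass(frozen=True)
class Ace:
    share: str
    principal: str
    rights: str  # e.g. "Read", "Change", "Full"


def dedicated_group_ok(share: str, principal: str) -> bool:
    """Assumed convention: a dedicated group is named FS-<share>-<role>."""
    return principal.startswith(f"FS-{share}-")


def audit(acl: list[Ace]) -> list[str]:
    """Return one finding per entry that is not a share-dedicated group."""
    findings = []
    for ace in acl:
        if ace.principal in BROAD_PRINCIPALS:
            findings.append(f"{ace.share}: broad principal {ace.principal} has {ace.rights}")
        elif not dedicated_group_ok(ace.share, ace.principal):
            findings.append(f"{ace.share}: {ace.principal} is not a group dedicated to this share")
    return findings


def drift(baseline: list[Ace], current: list[Ace]) -> tuple[set[Ace], set[Ace]]:
    """Return (added, removed) entries relative to the approved baseline."""
    b, c = set(baseline), set(current)
    return c - b, b - c


# Constructed sample data: an approved baseline and a later snapshot.
BASELINE = [
    Ace("Finance", "FS-Finance-RW", "Change"),
    Ace("Finance", "FS-Finance-RO", "Read"),
    Ace("HR", "FS-HR-RW", "Change"),
]
CURRENT = BASELINE + [
    Ace("Finance", "Domain Users", "Read"),  # quick fix for an access ticket
    Ace("HR", "FS-Finance-RW", "Change"),    # group reused across two shares
]

if __name__ == "__main__":
    for finding in audit(CURRENT):
        print("FINDING:", finding)
    added, removed = drift(BASELINE, CURRENT)
    print("added:", sorted(a.principal for a in added), "removed:", sorted(r.principal for r in removed))
```

Run it periodically against an exported share ACL snapshot and treat any non-empty output as a change to review, not a report to file.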
So where to begin? Well, you could start by briefly allowing complete access to ensure the task can be accomplished, then tightening restrictions until you run into problems, at which point you back up a little. Another option is to keep everything closed and provide access only until the task can be accomplished. Arguments can be made for both ideas, and both approaches should result in only the necessary access being granted (although the latter approach typically leads to fewer errors). This second approach is known as Zero Trust, and it goes hand in hand with the PoLP.
When it comes to providing access to your business’s assets, abiding by the PoLP and a zero trust approach to onboarding is a must. But even though there’s been plenty of ink spilled about each, you’re unlikely to find step-by-step instructions (especially if you have any kind of specialized business needs). The hard truth is that you need to understand the concepts and apply them appropriately. Too much access for everyone can easily lead to mistakes, as those resources are outside that person’s job/training, causing frustration and wasting time and resources. Worse, unfettered access can also lead to serious abuse.
It seems like a common theme sometimes, but it’s true that cyber security can be more about the people, policies, and principles your business lives by than antivirus software and firewalls. Abiding by the Principle of Least Privilege and showing zero trust are among the very first and most effective steps you can take to protect yourself, and you don’t even need to know a single lick of code.
A great quote to sum up why the PoLP is important comes from Macbeth Act 1 Scene 7, as the titular character muses on his planned betrayal of the king: “False face must hide what the false heart doth know.”
If you have any questions about the Principle of Least Privilege, or making sure your business access policies reflect these important cyber security principles, please reach out to your TRINUS Account Manager for some stress-free IT.
By Kind, Courtesy of Your Friendly Neighbourhood Cyber-Man.