Principle of Least Privilege: Implementation, Benefits, and Best Practices, Exercises of Auditing

The principle of least privilege (POLP) is a cybersecurity policy that limits user access to only what is necessary to perform their job functions. This document covers the concept of POLP, its benefits, and best practices for implementation. It also introduces Devolutions Password Server as a tool to help organizations enforce POLP.

What you will learn

  • How can organizations implement the Principle of Least Privilege (POLP)?
  • What is the Principle of Least Privilege (POLP) and why is it important?
  • What are the benefits of implementing the Principle of Least Privilege (POLP) in an organization?

Typology: Exercises

2021/2022

Uploaded on 09/27/2022

gilian 🇬🇧


Principle of Least Privilege (POLP): What, Why & Best Practices

USERS ARE GIVEN ONLY THE AMOUNT OF ACCESS THEY NEED TO CARRY OUT THEIR JOBS

The principle of least privilege (POLP) is a policy in which end users are given only the amount of access they need to carry out their jobs — nothing more and nothing less. Understandably, some end users aren’t thrilled with POLP, because once enforced, it means they can no longer access certain non-essential apps, tools and networks. In some cases, it can involve removing interfaces such as USB ports from devices so that end users cannot unintentionally facilitate an infection by copying malware-laden files from a USB drive – or intentionally exfiltrate confidential information by copying it to a USB drive.

However, POLP is not designed to punish end users and make their lives more difficult. Rather, it is meant to minimize the size of the attack surface, and ultimately reduce the likelihood and severity of a cyber attack. This is especially important now that hackers routinely exploit compromised low-level accounts in order to spread laterally across devices and networks, and ultimately access critical systems and sensitive data.

ADDITIONAL BENEFITS OF POLP

In addition to minimizing the size of the attack surface, POLP offers additional security benefits, including:

  • Stronger security: Before implementing POLP, organizations must first analyze current access levels for each end user. This process often reveals that many — and in some cases, most — end users have too much access in the first place, and it can be reduced accordingly. This is explored further in the “Best Practices” section later in this article.
  • Thwarting malware: POLP can help contain malware to a single device or to a limited number of devices, which can give security teams the time they need to investigate, contain and remediate.
  • Greater stability: POLP prevents end users with relatively low-level accounts from executing changes that would affect the entire system.
  • Data classification: POLP helps organizations identify what data they have in their ecosystem, where it lives, and who has access to it.
  • Audit readiness: POLP significantly simplifies and streamlines the auditing process.

POLP FACTORS

Depending on the operating system, POLP can be implemented across one or multiple factors, such as:

  • Role (e.g. project managers, resource managers, etc.)
  • Seniority (e.g. supervisors, managers, executives, etc.)
  • Business Unit (e.g. development, marketing, HR, etc.)
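
An added example, not part of the original article: one way to carry out the access-level analysis described under "Stronger security", using the three factors listed above as the baseline. The users, permission strings and baseline policy are constructed for illustration and are assumptions.

```python
from collections import namedtuple

# Constructed sample data: names, roles and permission strings are hypothetical.
User = namedtuple("User", "name role seniority unit granted")

# Assumed baseline policy: the permissions each factor value justifies.
BASELINE = {
    "role": {
        "project_manager": {"tickets:read", "tickets:write", "reports:read"},
        "developer": {"repo:read", "repo:write", "tickets:read"},
    },
    "seniority": {
        "staff": set(),
        "manager": {"reports:approve"},
    },
    "unit": {
        "development": {"build:run"},
        "marketing": {"cms:write"},
    },
}

def allowed(user):
    """Union of what the user's role, seniority and business unit justify."""
    perms = set()
    for factor in ("role", "seniority", "unit"):
        # An unknown factor value justifies nothing (deny by default).
        perms |= BASELINE[factor].get(getattr(user, factor), set())
    return perms

def review(users):
    """Return {name: sorted excess permissions} for users above their baseline."""
    findings = {}
    for u in users:
        excess = set(u.granted) - allowed(u)
        if excess:
            findings[u.name] = sorted(excess)
    return findings

USERS = [
    User("alice", "developer", "staff", "development",
         {"repo:read", "repo:write", "tickets:read", "build:run"}),
    User("bob", "project_manager", "manager", "marketing",
         {"tickets:read", "tickets:write", "reports:read", "reports:approve",
          "cms:write", "repo:write", "db:admin"}),
    User("carol", "contractor", "staff", "development",
         {"build:run", "repo:read"}),
]

if __name__ == "__main__":
    for name, excess in review(USERS).items():
        print(f"{name}: revoke {', '.join(excess)}")
```

The role "contractor" is deliberately absent from the baseline, so carol is only entitled to what her seniority and business unit justify.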

HOW DEVOLUTIONS PASSWORD SERVER HELPS

Devolutions Password Server (DPS) can be an important piece of the overall POLP puzzle. It securely and centrally empowers organizations to:

  • Establish enterprise-wide role-based access to privileged accounts and critical assets.
  • Set customized granular and global permission settings.
  • Centrally control privileged access management logs.
  • Ensure that only authorized sysadmins can grant privileged access.
  • Hide privileged credentials from users and prevent them from reaching endpoints.
  • Store all usernames, credentials, and privileged account access in a centralized vault that is protected by U.S. Federal-government-approved encryption.

In addition, when integrated with Remote Desktop Manager (RDM), DPS supports one-click direct connection to websites, apps and remote IT resources, providing simplified and highly secure remote access management. It also features an easy-to-use and simplified web interface for end users to store passwords and other confidential information.

THE BOTTOM LINE

At the 2017 Black Hat conference, privileged account solutions company Thycotic conducted a survey of more than 250 self-described hackers, who revealed that the number one way to get hold of sensitive data is by hacking privileged accounts. And according to the Verizon 2017 Data Breach Investigations Report, a whopping 81% of breaches derive from stolen, default or weak passwords. Add it all up and it means that POLP is not just a smart idea, but essential in an increasingly threatening landscape where the risks and costs of a breach are getting higher and higher.