Principle of Least Privilege: No Fiction Here
No, this isn’t an article about a critically acclaimed tale of hitmen and mobsters, but about something far more interesting: the Information Technology Principle of Least Privilege! Alright, I concede that this article may not be as exciting as friendly banter between John Travolta and Samuel L. Jackson, but we’ll do our best to keep things interesting.
You may be reading this just to get the textbook definition of Least Privilege, and if that’s the case, it’s pretty straightforward. The principle of least privilege is the idea of giving an individual the least amount of access necessary to complete their job. It is comparable to the “minimum necessary” requirement for sharing PHI under HIPAA, in that less is better, as laid out by the HHS. This article will give context to the concept as well as some real-world examples of the importance of Least Privilege.
Protect against Internal Threats
The year is 2013, the name Edward Snowden is plastered across newspapers and news broadcasts, and the internet is buzzing. Snowden worked in IT consulting for Booz Allen. Snowden infamously worked on a contract for the CIA and NSA and released thousands of classified documents regarding the United States unconstitutionally accessing data from its citizens and high-profile individuals around the world. Had Booz Allen Hamilton utilized the principle of least privilege, Snowden would not have had access to all of this information. This was a voluntary release of data, but it shed light on the importance of restricted access even for internal users, for data security purposes. Many companies have plenty of safeguards in place for external cyberattacks, but what about internal threats? In many ways it makes sense for a high-level individual to have access to all of the levels below, but in other cases lower-level information does not directly affect higher-level employees, so limiting that access would be valuable from a security perspective.
Safety from External Threats
Least Privilege also protects data from external attacks. If someone outside the organization gets access to a higher-level login, they could potentially access the data within the system. PoLP limits this exposure by only giving limited access to individuals. Least privileged users, or LPUs, are accounts with very low access, most commonly used for low-tenure employees and employees with lower levels of authority. These users can typically do essential functions like email and browsing the internet, but have very limited access to company-specific data. This way, even if someone gets hold of a user's credentials, they only have limited access to data. In the event of a breach, ideally the hacker would only be able to access information related to the function of the compromised individual’s role rather than having unfettered access to the entire system.
Privilege Creep?
Something that can interfere with this technique is privilege creep. This refers to an individual receiving more and more privileges within the system over time when they are not required. It primarily occurs when someone takes on new responsibilities within their current role, transitions to a new department, or receives a promotion. They receive access to new, more relevant information, but their prior access is not revoked. This creates individuals with access to information that isn’t necessary for the scope of their role and exposes organizations to unnecessary risk. Situations like this are great examples of why maintaining compliance of any kind is an active process rather than a passive checklist you complete once and forget about. Regular maintenance is an integral part of data security.
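To make privilege creep concrete, here is an added example (not from the original article) of a reconciliation check: it compares each user's current grants against a baseline of what their current role needs and flags leftovers, separating those explained by a previous role from those with no explanation at all. The roles, entitlements and users are constructed sample data.

```python
# Added example: a simple privilege-creep reconciliation check.
# Assumes an organisation keeps (1) a baseline of which entitlements each
# role needs and (2) each user's current role, current grants and role history.
# All roles, entitlements and user names below are constructed sample data.
from dataclasses import dataclass, field

# Baseline: the entitlements each role actually needs to do its job.
ROLE_BASELINE = {
    "support-analyst": {"ticketing:read", "ticketing:write", "email", "web"},
    "billing-clerk": {"billing:read", "billing:write", "email", "web"},
    "developer": {"repo:read", "repo:write", "ci:run", "email", "web"},
}

@dataclass
class User:
    name: str
    role: str
    grants: set = field(default_factory=set)
    role_history: list = field(default_factory=list)  # previous roles, oldest first

def excess_grants(user, baseline=ROLE_BASELINE):
    """Return the grants a user holds that their current role does not require."""
    needed = baseline.get(user.role, set())
    return sorted(user.grants - needed)

def creep_report(users, baseline=ROLE_BASELINE):
    """For each user with excess grants, split them into grants explained by a
    previous role (classic creep after a move) and grants with no explanation."""
    report = {}
    for u in users:
        excess = excess_grants(u, baseline)
        if not excess:
            continue
        inherited = set()
        for old_role in u.role_history:
            inherited |= baseline.get(old_role, set())
        report[u.name] = {
            "excess": excess,
            "from_prior_role": sorted(e for e in excess if e in inherited),
            "unexplained": sorted(e for e in excess if e not in inherited),
        }
    return report

# Constructed sample: dana moved from billing to development but kept billing:write.
SAMPLE_USERS = [
    User("dana", "developer",
         {"repo:read", "repo:write", "ci:run", "email", "web", "billing:write"},
         role_history=["billing-clerk"]),
    User("sam", "support-analyst", {"ticketing:read", "ticketing:write", "email", "web"}),
    User("lee", "support-analyst", {"ticketing:read", "email", "web", "repo:write"}),
]

if __name__ == "__main__":
    for name, finding in creep_report(SAMPLE_USERS).items():
        print(name, finding)
```

Grants flagged as "from_prior_role" are the revocations a role change should have triggered; "unexplained" grants are the ones worth an owner's review.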
Need to Know Vs. Least Privilege (PoLP)
Another common principle of information security is ‘need to know’. You’ve probably heard something along the lines of certain information being on a ‘need to know basis’: the classic ‘AB’ conversation, so ‘C’ your way out scenario. ‘Need to know’ and ‘least privilege’ go hand-in-hand, but there are a few key differences. Need to Know is more concerned with user access to information for viewing rather than modifying or editing. Least Privilege is primarily focused on the ability to complete tasks such as modifying code, uploading and downloading, and other privileged actions.
By incorporating both of these principles, organizations not only keep employees honest, but also organize their data in a way that makes audits much more efficient. It creates clear parameters for which individuals have access to, and accountability for, specific sections of data.
All in all, least privilege plays an important role in an organization's data security policies and procedures by ensuring that the necessary steps are taken to mitigate the risk of a breach. Least Privilege helps deter both internal and external threats from accessing important data that could have a detrimental impact on a business in the event of a breach.