Least privilege is a foundational tenet of zero trust security, with the core philosophy to grant only as much access as necessary. While initially discussed as part of a network security strategy, applying zero trust security to the application layer for consumable resources (applications, services, data, etc.) is far more effective. This approach allows you to tie specific resource access policies to the people and programs accessing them.
Least-privilege access is a security strategy focused on ensuring that identities, people, and processes are granted the minimum level of permissions needed to be productive—or in the case of programmatic access, functional. In their 800-12R1 introduction into information security, NIST (National Institute of Standards and Technology) points to common concerns addressed by least privilege:
Privilege creep is when a user accumulates entitlements beyond the justification of their role within the organization. It usually happens gradually over time, and often affects organizations that need to secure their regulated or sensitive information. When individuals change roles, permissions are often granted quickly to get people productive, but because responsibilities may linger previous entitlements are often kept in place. The types of resource where least privilege needs to be assessed include:
At some point the leadership team realizes that they need to get a handle on privileged access to their core services and sensitive information. They prioritize and sponsor security teams to join forces with information owners to form privileged access tiger teams. Projects are kicked off and objectives defined. With their newly designed identity governance environment that automates access requests and approvals, the maintenance of it is handed off to operations. Too often, this type of focus isn’t ongoing—but even with automated requests and approvals, privilege creep is still a potential risk.
Often privilege creep builds as business dynamics diverge from defined governance policies. Permission workflows have a tendency to expand as organizations morph and responsibilities drift. Some of the most common sources of privilege creep include:
Privilege creep is nearly inevitable as organizations adapt or respond to various dynamics imposed on them. But it violates a key zero trust tenant designed to protect organizations from outsiders, and is a contributing factor to the large breach costs that continue to grow across virtually every industry.
One of the most difficult aspects of protecting against privilege creep is that it often happens over time while reviewers, who are responsible for many things, are focused on other things. It’s not observable at any one point of time, but rather must be viewed across a relatively long span of time. Acknowledging the subtle way that an account can morph into an unacceptable risk level without detection, the extent to which it poses a security concern depends on the volume of users, the number of changes users go through, and the sensitivity of the information being protected. It’s a security challenge that can’t be solved with a spreadsheet.
Separation of duty and other corporate policies designed to comply with regulations translate well into governance rules, but risk criteria are more subjective. Here are the most common ones:
It’s quite difficult for reviewers to identity permissions that drift over time. These types of evaluations can be aided with automated analysis of change over time. Reviewers can then access that information in a dashboard or report. While it’s not feasible to appraise all users across an organization, it is possible to effectively review and vet the top dozen who pose the highest risk.
Other types of auto-generated risk alerts and reports are derived from analysis of the governed resources. Resources containing sensitive information that are not periodically reviewed are assigned a higher risk score. For all of these alerts, today’s dominant governance innovation is the identification and highlighting of risk areas across the entire environment.
Least privilege access is one of the core components of a Zero Trust Architecture. This means granting only as much access as needed, with only the minimum permissions for the shortest duration necessary.
Other zero trust components include:
Deliver the right access to the right users with the least amount of friction
Protect all data with simplified compliance and user access review processes
Centralize control over admin accounts across your entire IT landscape
Gain insights, secure unstructured data, and prevent unauthorized access