Hey Hackers!!!
Hope You’re Doing well, Welcome to the new Episode of Cybersecurity Fundamentals, today we gonna discuss about a very simple but most complex principle in the field of cybersecurity, that is The Principle of Least Privilege.
In Simple words, Principle of Least Privilege is a security concept that ensures that the users, application are given no more than necessary rights & permission in order to perform their functions and tasks. This sound’s like a very commonsense approach for security while we discuss and when seen on papers and documentations, but it becomes complicated when it come to implementation of this in an actual organization environment.
Let’s Understand the complexity that comes when we implement this principle in an organizational environment, beginning with a single user, any employee within the organization needs basis permission and rights with respect to both physical and logical access, physically employee might need access to the building they work in, common areas, and other organization resources. Logically, employee might need access to all the applications, file servers, Office 365 Applications and any other application or service that might need to perform their tasks, Now multiply all of these permission to thousands of employees different employees needs access to different work locations, Moreover, different users will need different rights & permission for application and other services, identifying power users such as administrators among them is also a task, Different departments varying their application requirement, Also add new hires, Employees that are migrated or promoted, you can now imagine how making sure that employees have minimum access and rights in order to perform their functions.
Infact, Not only employees, In order to ensure Principle of least Privilege is applied properly we need to make sure that Applications are also given limited permissions only to perform their tasks, This becomes difficult cause determining which service to grant and revoke access is a complex task, especially if you’re using Active Directory , which has granular and detailed permission granting structure. In such case finding which permission an application requires to function can be complicated.
The implementation of principle is not standardized, organization uses different methods in order to achieve it, some of the methods are as follows:
- Groups : Groups can be used to logically group users & applications so that the permissions are not divided on the basis of user-by-user or application-by-application. Similar thing happens in Active Directory when it comes to implement Policies.
- Multiple Accounts for Administrators : Many organizations create Two accounts of Administrators, One with a normal user permissions and other with all the administrative rights, this way organizations eliminates the challenges that comes while implementing principle of least privilege that relates to Admin. Also its not often that a admin performs its user tasks as an administrators.
- Third Party Applications: One can make use of third party application in order to manage permission, these applications could be account lifecycle management application & auditing application or firewall applications.
- Process & Procedures: One of the easiest way to manage permissions is by creating and implementing a solid framework of process and procedures. With this framework, organization doesn’t have to address account as a unique circumstance. They can rely on defined process to determine how the account is created, classified, permissioned & maintained.
Principle of Least privilege has been stapled in the field of information security since a long time, But most of the organizations fails to implement it, But due to increase in focus of security various regulatory organization such as Sarbanes-Oxley, HIPPA, HITECH and other state regulatory bodies along with the increases focus in security by businesses, vendors and consultants are driving organization to invest in tools, process and other resources to assure that this principle is followed.
Hope you enjoyed this topic and have learned something new today, Keep Coming for more.
Happy Hacking !!