a good thing!
The principle of least privilege (PoLP), sometimes called the principle of minimal privilege, is a common sense approach to access control for enterprises. Users, systems and processes should only be given access to the networks, data and other resources required to perform their assigned function, and no more. Failure to adhere to PoLP can lead to massive data breaches, including the hacker that was able to steal customer data from Target by using the network credentials of a third-party HVAC vendor.
Permitting all users to have the same access to sensitive data and resources is a risk businesses cannot afford. The principle of least privilege is a framework that helps secure your resources from bad actors, including malicious and error-prone insiders. In addition to financial losses and damage to your brand, bad actors can install ransomware, disrupt operations and use stolen personal data for extortion or other crimes. Keeping access limited to just the resources a user actually needs reduces the amount of damage that can be done.
Setting up the parameters to implement the principle of least privilege starts at the planning stage and continues throughout the lifecycle of your enterprise. A review of current practices and access settings is a good place to start.
Zero Trust approach to security is based on the philosophy that enterprises should trust no one and verify everything, because external and internal threats exist at all times. Authentication and authorization are important steps in limiting access and protecting resources. Authentication requires users to prove their identities. Multi-factor authentication (MFA) requires users to provide two or more authentication factors, so hackers with compromised credentials will be stopped before entering your system. After users are authenticated, enterprises use authorization to control access to resources based on PoLP, which can be preassigned by role or customized for the user.
Identity and access management (IAM) solutions to build authentication and authorization policies are available for workforces, customers and partners.
Privileged accounts are a prime target for bad actors, because administrator-level privileges allow greater access and control to data, networks, systems and other resources. Privileged access management (PAM) solutions allow organizations to monitor, secure and control access to resources for privileged accounts. To further limit access to resources, just-in-time (JIT) privileges can be set for specific projects or timeframes. Privileged access management (PAM) solutions are used in conjunction with identity and access management (IAM) solutions, and they work together to support and enhance each other.
An application programming interface (API) is used to communicate between computers or applications, but can be overlooked as a cybersecurity vulnerability. Enterprises and programmers that lack security protocols during development put resources at risk. Four items on the Open Web Application Security Project (OWASP) API Security Top 10 (including the top two) relate directly to a lack of access control rules and strong authentication.
OWASP API Security Top 10
API1: Broken Object Level Authorization
API6: Mass Assignment
API2: Broken Authentication
API7: Security Misconfiguration
API3: Excessive Data Exposure
API4: Lack of Resource & Rate Limiting
API9: Improper Asset Management
API5: Broken Function Level Auth
API10: Insufficient Logging & Monitoring
Don't let things fall through the cracks after the initial implementation. Frequently review users, accounts, processes and systems to make sure they can only access necessary resources. People leave jobs, third-party vendors and partners change, and systems get updated or replaced. Ongoing security audits allow you to keep track of privileges that need to be revoked or updated.
There are numerous examples of ensuring users are limited to just the resources they need, including:
Please watch this video to see how people working remotely during the pandemic increased the adoption of Zero Trust security.