As attackers continue to target passwords and other credentials to infiltrate organizations, IT and security teams must continue to protect these privileges. One of the top ways to secure them is by instituting a least-privilege cybersecurity policy. This approach limits the exposure of credentials and reduces cyber risk by decreasing accessibility. Put simply, the policy grants only the least amount of privilege needed and avoids granting access to personnel who don’t need it. This limits the number of users with privileged access to credentials and accounts — and fewer privileged users means fewer vulnerable endpoints.
Knowing that 80 percent of cybersecurity breaches involve the compromising of credentials, this protection is not just necessary — it’s vital.
These credentials enable access to organizations’ critical resources: services, applications, data and systems. They exist all over IT environments and are often taken for granted, since using them is part of the day-to-day work of many users. Few realize how much power the credentials, and the accounts and privileges they unlock, carry within an organization. Attackers know this and the potential power they can gain if they compromise the credentials — which is why they so often target them.
Implementation of a least-privilege cybersecurity policy can dramatically shrink the attack surface, starting with the adoption of a zero-trust model.
Beginning with Zero-Trust
The zero-trust concept assumes that any user who attempts to access the organization’s network, services, applications, data or systems starts out untrusted and is therefore denied access. To gain authorized access, “trust” must be earned by the prospective user through verification. For example, verification can require two-factor authentication: the user provides a password but then must take an additional step, such as approving the login in an authentication application. When new devices are introduced on the network — and before they obtain access to any resources — they must first identify and verify themselves against security controls. The more sensitive the resources to be accessed, the more security controls they must satisfy.
Cybersecurity should always begin with zero trust, ensuring that only authorized access is permitted. After verification of identity is established, users can be classified according to the access they need to perform their jobs.
Least-privilege cybersecurity enables enforcement of a zero-trust security model whereby, once a user is verified, the user’s access is limited to only what’s necessary to accomplish the specific task or job. If any user action requires more access than the policy rules grant, elevation of privileges is strictly controlled and monitored.
Cybersecurity classifications of “trust” should be dynamic. This means you need to create policies or rules across the enterprise for identities, services, applications, data and systems. For example, you can have an “always verify” and “always monitor” policy for third-party vendors or contractor identities. Internal employee classifications would be adaptive based on the sensitivity of the data being accessed. An “always verify” policy would require credentials and multifactor authentication, while an “always monitor” policy would audit and record all activity.
These policies must be explicit in what they allow access to and to whom in order to maintain the least-privilege guideline.
Enforcing Least-Privilege Cybersecurity
Least-privilege enforcement has two aspects that must be ensured:
- Privacy: When users log in, they can only see what they’re permitted to access.
- Security: Based on their specific privileged access, users are limited in which applications and tasks they can run.
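As an added illustration (not code from this post or from Thycotic), here is a small Python policy evaluator that turns the classifications above into enforceable rules: deny by default, “always verify” (MFA) for third-party identities and adaptively for sensitive data, “always monitor” auditing, explicit least-privilege grants per resource, and privilege elevation only through a controlled approval. The identity kinds, resource names and sensitivity tiers are constructed assumptions.

```python
from dataclasses import dataclass, field

# Constructed sample catalogue: resource -> sensitivity tier (0 public, 1 internal, 2 restricted).
SENSITIVITY = {"public-docs": 0, "crm": 1, "payroll-db": 2}


@dataclass
class Identity:
    name: str
    kind: str                                   # "employee" or "third-party" (assumed classes)
    mfa_passed: bool = False                    # result of the "always verify" step
    allowed: dict = field(default_factory=dict)  # resource -> set of explicitly granted actions


@dataclass
class Decision:
    allow: bool
    reason: str
    audit: bool   # True when the "always monitor" policy requires recording this activity


def evaluate(identity: Identity, resource: str, action: str,
             elevation_approved: bool = False) -> Decision:
    """Zero-trust default deny, then explicit least-privilege rules."""
    sensitivity = SENSITIVITY.get(resource)
    if sensitivity is None:
        return Decision(False, "unknown resource", True)
    # "Always verify": third parties always need MFA; employees need it adaptively,
    # i.e. whenever the data is anything above the public tier.
    needs_mfa = identity.kind == "third-party" or sensitivity >= 1
    if needs_mfa and not identity.mfa_passed:
        return Decision(False, "MFA required", True)
    # "Always monitor": record all third-party activity and anything touching restricted data.
    audit = identity.kind == "third-party" or sensitivity >= 2
    if action in identity.allowed.get(resource, set()):
        return Decision(True, "explicitly granted", audit)
    # Access beyond the grant is only honoured through a controlled elevation, and is always audited.
    if elevation_approved:
        return Decision(True, "elevated by approval", True)
    return Decision(False, "not in least-privilege grant", audit)


def visible_resources(identity: Identity) -> list:
    """Privacy aspect: a user only sees resources for which some action is granted."""
    return sorted(r for r, actions in identity.allowed.items() if actions)
```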
Least-privilege enforcement typically starts by removing local administrative privileges on endpoints, such as user laptops or mobile devices, so you can reduce your attack vulnerabilities and prevent most attacks from occurring. Least-privilege cybersecurity is effective at reducing major patch management headaches. Enforcing least-privilege security can help eliminate more than 90 percent of Microsoft Windows patches because most vulnerabilities require admin privileges to exploit them.
At Thycotic, we understand that by adopting a least-privilege cybersecurity approach and instituting necessary enforcement policies, organizations can significantly reduce their risk of being infiltrated through the attack vector used in four out of five security breaches.
Trust me. It’s well worth it.