Like other CISOs, I have long had a love and hate relationship with the principle of Least Privilege. I love the measurable benefits that could be achieved by aiming for least privilege. You can quickly reduce the attack surface by simply removing accounts, roles, services, privileges, and permissions. Hell, everything that isn’t needed. As a result, the likelihood and frequency of breaches also reduce exponentially.
But in practicality, I hate the easy target that it gave auditors when it is written into policy. It often felt that every audit would find some user who didn’t need access, but still had access to something. Whether it was someone who had changed roles, or left the organization, or a segregation of duties issue, it was there to be found. Failures in least privilege are left waiting for an auditor to prove yet again that we failed. This is still so widespread a challenge. A lightning talk at the Art into Science conference focused purely on how to change auditors’ interpretation of least privilege. The challenge for CISOs is that often this is based on a definition that is hard coded into security policy.
What is the Principle of Least Privilege?
The principle of Least Privilege is a cornerstone of effective information security and Zero Trust. It was originally posited by Saltzer and Schroeder in 1975, and has stood the test of time. It advocates granting the minimal access for the shortest period of time to complete necessary tasks. As I posited in The forgotten Principle of Least Privilege (a blog written shortly before joining Gartner in 2019), the most commonly repeated definition of least privilege ignores both the concept of time and the completion of the task at hand.
Why is it so important?
Organizations that continuously rightsize access to least privilege can significantly enhance their security. This narrows their attack surface and the opportunity for attackers to move laterally. An effective least privilege approach not only fortifies an organization’s defenses, but also streamlines access to data and applications.
Least Privilege has gained renewed importance in the face of increased regulations and cyber threats. Modern privacy laws and regulations provide constraints on who is authorized to access personal information. The combination of increased cyber threats and growth of data within organizations further raises the stakes.
Why is Least Privilege So Hard to Achieve?
Least Privilege is much like Zero Trust: a North Star to aim for rather than an achievable steady state. Still, we insist on writing poor definitions of least privileged access into security policies. The principle’s essence, to grant the minimum necessary privileges for the shortest time, remains relevant, albeit challenging to implement as a policy state. The examples I shared in my previous blog to illustrate the challenges remain relevant. On reflection, they are made more challenging when focusing on data.
Least Privilege for Data is Most Challenging
The challenge of achieving least privilege at the data object level is significantly magnified by the vast scale of data that modern organizations manage. Data proliferates across disparate cloud services and data stores. Organizations struggle to maintain a comprehensive understanding of data types, sensitivities, and locations at this scale and rate of change. This lack of visibility directly impacts the ability to achieve Least Privilege. Least privilege depends on understanding what data exists, where it resides, and its relevance to roles within the organization.
It is not only scale, though. The precision required for adequate Least Privilege implementation complicates matters. Ideally, access controls would be so refined that they restrict access to the most granular data object based on business need. Achieving this precision demands sophisticated classification tools and dynamic policy enforcement that can adjust to evolving data usage and roles. Yet, many organizations are stuck with static, broad access controls, unfit for nuanced data access management.
The Solution: Treat Least Privilege for Data as an Ongoing Process
It’s essential to view Least Privilege not as a static goal but as an ongoing, dynamic process. The security policies and standards should also reflect this.
Treating Least Privilege as a process specifically caters to the nuanced needs of data access and security, acknowledging that the privileges necessary for interacting with data should be granted based on immediate necessity, for the shortest possible duration, and then promptly revoked. Ultimately, this process should introduce as little user friction as possible, balanced against the most risk. Adopting this methodology necessitates a series of targeted actions, each geared towards ensuring that access privileges are finely tuned to the actual data access requirements:
Educate and Empower
Often the most important step in governance is educating stakeholders. Educate stakeholders about the importance of data object-level security and empower them to make informed decisions regarding data access. This includes training on the potential risks associated with excessive access and the benefits of a minimally privileged environment.
Develop and Maintain a Comprehensive Data Inventory
Start by cataloging all data assets across your organization. This inventory should not only locate and list data but also classify it according to type, sensitivity, and criticality to business operations. Tagging data with its classification level aids in the automatic enforcement of access controls and compliance measures. Utilizing automated discovery tools such as Symmetry can help in identifying data across diverse environments, from on-premises servers to cloud storage. By integrating the development of a data inventory into the broader data access governance process, organizations can achieve a granular level of control over who accesses data, when, and why. This method not only enhances security by aligning data access with actual needs but also ensures compliance.
Review and Update Fine-Grained Access Controls
Organizations must develop and implement access control mechanisms that operate at the level of individual data objects or records. This means moving beyond role-based access control (RBAC) to attribute-based access control (ABAC). ABAC allows organizations to make access decisions based on attributes of the user, the data, and other context.
Temporal or Just-in-Time Access Provisioning for Data
For data that is needed only occasionally, set up processes to grant access on a temporary basis. As we’ve seen with Microsoft, these JIT tokens should be set up to be auditable and continually monitored. This ensures that access to sensitive data is provided only at the time it is needed, reducing the window of attack.
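The two controls described above (an ABAC decision on user, data and context attributes, plus a time-boxed JIT grant for data above a user's standing clearance) can be sketched as follows. This is an added example, not code from the original post or from any product it mentions; the attribute names, the sensitivity scale and the sample identities are assumptions constructed for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Classification tags as they might come from the data inventory (assumed scale).
SENSITIVITY = {"public": 0, "internal": 1, "confidential": 2, "restricted": 3}

@dataclass(frozen=True)
class JitGrant:
    user: str
    object_id: str
    issued_at: datetime
    ttl: timedelta
    approved_by: str

    def active(self, now):
        # Valid only inside [issued_at, issued_at + ttl); no standing access.
        return self.issued_at <= now < self.issued_at + self.ttl

def decide(user, obj, now, grants):
    """Return (allowed, reason); the reason string is what gets audited."""
    if user["department"] != obj["owner_department"]:
        return False, "deny: department mismatch"
    if SENSITIVITY[user["clearance"]] >= SENSITIVITY[obj["classification"]]:
        return True, "allow: standing clearance covers classification"
    # Above standing clearance: only a live, approved JIT grant can allow it.
    mine = [g for g in grants
            if g.user == user["id"] and g.object_id == obj["id"]]
    live = [g for g in mine if g.active(now)]
    if live:
        return True, f"allow: JIT grant approved by {live[0].approved_by}"
    reason = "deny: JIT grant expired" if mine else "deny: no JIT grant"
    return False, reason

# Constructed sample data.
NOW = datetime(2024, 5, 1, 12, 0, tzinfo=timezone.utc)
ANALYST = {"id": "u-analyst", "department": "finance", "clearance": "internal"}
REPORT = {"id": "obj-report", "owner_department": "finance",
          "classification": "internal"}
PAYROLL = {"id": "obj-payroll", "owner_department": "finance",
           "classification": "restricted"}
GRANT = JitGrant("u-analyst", "obj-payroll", NOW - timedelta(minutes=30),
                 timedelta(hours=1), "u-manager")

if __name__ == "__main__":
    for obj, when in [(REPORT, NOW), (PAYROLL, NOW),
                      (PAYROLL, NOW + timedelta(hours=2))]:
        print(obj["id"], when.isoformat(), decide(ANALYST, obj, when, [GRANT]))
```

The same request for the restricted object is allowed while the grant is live and denied two hours later, with no revocation step needed.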
Continuous Monitoring of Data Access Patterns
Implement systems to regularly monitor how data is accessed, identifying which privileges are actively used and which are not. This step helps in understanding the real-world application of access rights and adjusting them to fit actual needs. Leading organizations should use Data Detection and Response capabilities to monitor for any unusual data access or requests, which could indicate a security threat. Automated responses can help mitigate risks before they escalate into breaches.
Pruning Inactive Data Access Rights
Regularly review and adjust permissions based on these insights, ensuring that PoLP is effectively maintained. Revoke access from identities that haven’t utilized specific data privileges for an extended period. This reduces the risk of data being accessed unnecessarily or maliciously. Systematically remove data access rights that are no longer in use. Keeping the access landscape clean minimizes potential vulnerabilities and ensures compliance with data protection policies.
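The monitoring and pruning steps above amount to joining the list of granted privileges against the access log and flagging grants with no recent use. The following is an added example, not code from the original post; the record fields, the 90-day threshold and the sample identities and objects are assumptions constructed for illustration.

```python
from datetime import datetime, timedelta, timezone

def stale_grants(grants, access_log, now, max_idle=timedelta(days=90)):
    """Return sorted (identity, object_id, permission, reason) tuples to revoke."""
    last_used = {}
    for ev in access_log:
        key = (ev["identity"], ev["object_id"], ev["permission"])
        if key not in last_used or ev["time"] > last_used[key]:
            last_used[key] = ev["time"]
    findings = []
    for g in grants:
        key = (g["identity"], g["object_id"], g["permission"])
        seen = last_used.get(key)
        # A grant that was never exercised is aged from its grant date, so a
        # privilege issued last week is not flagged before it could be used.
        reference = seen if seen is not None else g["granted_at"]
        idle = now - reference
        if idle > max_idle:
            reason = "never used" if seen is None else f"idle {idle.days} days"
            findings.append((*key, reason))
    return sorted(findings)

def day(y, m, d):
    return datetime(y, m, d, tzinfo=timezone.utc)

# Constructed sample data: current grants and observed data access events.
NOW = day(2024, 5, 1)
GRANTS = [
    {"identity": "alice", "object_id": "hr/payroll.csv", "permission": "read",
     "granted_at": day(2023, 1, 10)},
    {"identity": "alice", "object_id": "hr/payroll.csv", "permission": "write",
     "granted_at": day(2023, 1, 10)},
    {"identity": "bob", "object_id": "db.customers", "permission": "read",
     "granted_at": day(2023, 6, 1)},
    {"identity": "carol", "object_id": "db.customers", "permission": "read",
     "granted_at": day(2024, 4, 20)},
]
ACCESS_LOG = [
    {"identity": "alice", "object_id": "hr/payroll.csv", "permission": "read",
     "time": day(2024, 4, 28)},
    {"identity": "alice", "object_id": "hr/payroll.csv", "permission": "write",
     "time": day(2023, 11, 2)},
]

if __name__ == "__main__":
    for finding in stale_grants(GRANTS, ACCESS_LOG, NOW):
        print(finding)
```

Tracking use per permission rather than per identity is what lets alice keep the read access she still uses while the idle write privilege on the same object is flagged.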
In conclusion, the principle of Least Privilege, while challenging, remains a fundamental tenet for securing data. As CISOs, embracing least privilege as an ongoing, dynamic process rather than a static policy goal allows us to balance the various demands. By investing in education, developing comprehensive data inventories, implementing fine-grained access controls, and continuously monitoring and adjusting access rights, organizations can strike a balance between minimizing risk and facilitating business operations.
This approach not only helps in maintaining a robust security posture but also aligns with the broader objectives of regulatory compliance and operational efficiency. As we move forward, the ability to adapt and refine our strategies around the principle of Least Privilege will undoubtedly play a critical role in safeguarding our organizations’ digital assets and maintaining trust in an increasingly interconnected world.