As we finish the upcoming whitepaper ‘Least Privilege and the Value of User Logon Management‘, we began thinking about how organizations may see the point of least privilege as being different things. We all know, at a minimum, the implementation of the principle includes setting up users with the least amount of privileges possible (after all, it is right there in the name!)
But, once you establish least privilege, then what?
The way you answer this question determines what least privilege is really all about within your organization; it reflects what’s important to you when establishing security around this principle, as well as the scope and duration the principle needs to be in effect.
Not sure what I mean? Keep reading. There are a few ways to answer the question “then what?”:
1. Do Nothing.
Once you’ve established that everyone’s privileges are minimized down to the core necessity only to enable them to do their job, these is a bit of logic that says there’s nothing more to do here.
If you subscribe to the thinking that once the permissions have been limited, you’re done, then for you, least privilege is definitely about the current state of privilege.
2. Periodic Reviews of Privileges
Those of you with this response are definitely more in the “maintaining a state of Least Privilege” mindset – which is good. Having periodic attestation around privileges required, permissions assignments, and group memberships is a solid way to ensure control over what would otherwise becomes a entropic mess of over-permissioning with no visibility into the privileges assigned.
For your organization, least privilege is about maintaining a continual state of least privilege.
3. Monitor Privileged Account Use.
Those organizations in this camp definitely have a bit more mature viewpoint on the implementation of least privilege. When you add monitoring to the mix, you acknowledge that least privilege isn’t really about the privilege; it’s about the use of privileges. So, monitoring when and how privileged accounts are used – this can be as simple as monitoring all logons, leveraging a password vault where privileged accounts must be checked out, or can be as complex as monitoring user activity through session recording.
One of the challenges in this particular answer is you need to decide which user accounts are “privileged”. Is it just accounts with admin rights in Active Directory? Those with administrative rights to enterprise applications? Those with admin rights to endpoints? Servers? More than that?
If you’ve drawn a line somewhere in the proverbial sand, delineating a particular level of privileges and above that should be monitored, least privilege is about validating the state of privilege is not misused.
4. Monitor All Account Use.
Delineating the ‘privileged’ from the ‘low’ level user can be somewhat short-sighted. If you start with the data, applications and systems you deem critical (that is, you wouldn’t want them compromised, exfiltrated, etc.) and work back to your users, you quickly realize that even the low-level sales person who has access to at least a subset of your customer database is, by definition privileged. Certainly, nowhere near as privileged as the Administrator account in AD, but, nonetheless, they do have privileged access that users outside of sales do not.
So, it should be evident that if you’re going to take the route of monitoring privileged accounts, you need some level of monitoring use for even the accounts that represent a lower risk to the organization (like the sales user). Higher-risk users may require user activity or session monitoring, but all users should have a base level of monitoring for use, such as logon monitoring, to look for leading indicators of compromise, such as inappropriate or irregular logon attempts by otherwise, normal users.
Making Least Privilege about Privilege Use
As you’ve walked through the 4 possible answers to the question of ‘then what?’, it should become a bit clearer that you can’t simply stop with the limiting of privileges today.
Security is an ever-changing target; as the organization’s needs change, so does the current state of security. And, even if security remains static, the necessity exists to make sure certain user credentials aren’t misused by insiders and external attackers alike.
It’s only by monitoring account use (once a state of least privilege has been instituted) that you truly see least privilege reach its potential. This is the potential to establish and maintain the lowest levels of privileges, while simultaneously maintaining the highest levels of security around those privileges.
To further boost your knowledge on some of the biggest security risks that concern Microsoft Windows and Active Directory based infrastructure, check out IS Decisions Insights