Do you leave the door to your home wide open while you’re on vacation? Probably not, and your IT systems are no different. When it comes right down to it, security is a basic necessity, and following some simple principles will help you develop a meaningful security program.
The principle of least privilege is a founding principle for secure systems. Simply put, the principle of least privilege means that you must only give people the bare minimum access required to perform their duties. To make this possible, you have to understand what it is that users need.
While least privilege is an accepted core tenet of information security, it may not be well understood by business users, and is often met with some resistance. Here are some general tips on how to implement it successfully.
#1 Develop a complete perspective.
To start, you must understand what motivates the business. Ask the obvious questions of yourself first. What is the potential risk to the business if a system is misused? Define the security principles that are most relevant; personally, I often refer to the CIA Triad: Confidentiality, Integrity, and Availability.
#2 Get the stakeholders on board.
The capabilities of any enterprise system are implemented to support business activities. Our goal is to get the job done with the least amount of risk possible. To understand and mitigate the risk, identify your stakeholders right away. They are best equipped to articulate what their departments need. If your system is used by HR, Finance, and Operations, then you need to engage the leaders from each area. If necessary, engage your executive team to get buy-in.
#3 Users are assigned roles, not privileges.
Allocating access to roles is far easier to manage than assigning access at the user level. It’s also a smart way to prevent access creep, where over time a person gains more and more access. Additionally, it’s easier to manage when people move around in the organization.
#4 Create a management process.
Define a procedure that is easy to follow, and train everyone to follow it. Make changes traceable, and I strongly encourage working with stakeholders to develop an acceptable approval process. This creates accountability and helps reinforce good behavior.
#5 Review early and often.
Following your management process, schedule reviews. Check to make sure that roles and access still match. I suggest quarterly reviews in high-risk organizations, but at a minimum, reviews should be conducted annually. This helps you stay on track with your stated business requirements.
#6 Make it easy
The most common problem with changes to an environment is that it becomes too hard to get access to a resource when it’s needed, so people will continually request more access than is necessary, just in case. Remember to keep it short and simple; a process that is quick and easy is a key factor to success.
Final Thoughts
Remember that a holistic view of security at multiple levels is important. You may need to have a perspective of security from clients accessing the network, applications accessing a database, and users accessing the applications. However, a simplistic view of each independently allows actionable change. If you attempt to apply these principles to all layers simultaneously, you may find it increasingly difficult to manage the scope.
Perhaps in a future post, I’ll provide a more technical explanation along with examples that demonstrate the application of least privilege principles using a real-world scenario.