The Principle of 'Least Privilege' in the World of Cybersecurity

Image

The principle of least privilege in cybersecurity prescribes that no user should have access to system resources beyond what's necessary for fulfilling a specific task. Adhering to this principle has become essential, as one of the primary ways malicious actors breach a system is by compromising (legitimate) user access.

The 2020 Global State of Least Privilege Report shows that two-thirds of organizations now consider the implementation of least privilege a top priority in achieving a zero-trust security model.

Below, we take a look at some of the critical drivers for the adoption of least privilege. We also explore the failure of traditional systems and how modern solutions such as Software-Defined Perimeter, Secure Web Gateway and Risk-Based Authentication, among others, engender greater enterprise network security.

Access is Responsibility

According to an Identity Defined Security Alliance (IDSA) study published last year, 79% of enterprises experienced an identity-related security breach in the previous two years. Last year, just as the COVID-19 pandemic gathered momentum, another report revealed a rise in attacker access to privileged accounts, which puts businesses at a greater risk.

It is important to note that in this age where data is everything, access is equal to responsibility. Therefore, the greater access a person has at a given moment, the greater responsibility they have to protect the data that they have access to. According to the State of Security blog, author Anastasios Arampatzis states that the central goal of privilege access management, which he admits covers many strategies, is the enforcement of least privilege.

Privileged accounts are a liability precisely because the data they have access to makes them attractive targets to cyber attackers. The greater the level of access an account has, the more significant the impact of an attack would be. More so, the greater the number of privileged accounts on a network, the more catastrophic an account compromise could be. Basically, every additional privileged account multiplies the risks on a network. Therefore, it is crucial to keep the circle of privilege small in order to limit unnecessary data exposure.

Legacy Systems: The Failure of VPNs to Adequately Secure

Amidst the current challenges in privileged access management, organizations are beginning to explore alternative solutions to traditional VPN technology and other legacy security solutions which have failed in actively securing privileged accounts. One notable problem is the lack of remote user security on many VPN products, and they neither integrate well with identity providers nor properly implement user policies on identity access and authorization. The weakness of VPNs are made more apparent in this age of remote work.

At the turn of the pandemic, companies had to allow their employees to work from home. This led to a surge in VPN adoption. According to the Global VPN Adoption Index report, VPN downloads reached 277 million in 2020 based on data collected from 85 selected countries.

The cybersecurity landscape can be described as a kind of cat-and-mouse race. In response to this trend, cyber attackers shifted their focus to exploiting VPNs, amongst other techniques such as phishing. However, being a legacy technology that has somehow due to its ubiquity made its way to more modern times, VPNs have become quite weak. Based on the assertion that “VPNs are designed to secure data in transit, not necessarily to secure the endpoints,” it is easy to see why the ‘new normal’ in cybersecurity is the protection of endpoints in an age where data is gold.

Least Privilege Solutions and Technologies

The current overhauling of our approaches to access management and authentication has given birth to the rising adoption of the cybersecurity of least privilege. This principle is connected to another swelling trend in cybersecurity: the zero-trust model.

Zero trust cybersecurity entails the withholding of access to a protected network until legitimate authorization is established. Access control and identity management are part of the components of a zero trust security architecture.

True zero trust technologies adopt the principle of least privilege by default. Some of these solutions, include:

• Software-Defined Perimeter (SDP): An SDP ensures comprehensive network visibility and perimeter security by basing authorization on a need-to-know model. With SDP, access is not device-based, thus making it harder for a malicious entity to exploit weak endpoints.

• Tripwire Enterprise: This tool uses sophisticated security configuration management (SCM) and file integrity monitoring (FIM) to track network behavior and easily detect changes to the network. This can help organizations to detect changes before they become breaches, thereby keeping the organization one step ahead of advanced attacks.

• Secure Web Gateway (SWG): A secure web gateway uses URL filtering and other zero trust technologies to implement an organization’s corporate cybersecurity policy from endpoint to endpoint.

• Risk-Based Authentication (RBA): One of the concepts championed by zero trust cybersecurity is continuous authentication, which RBA helps to implement. The RBA solution passes authorization to accounts based on the level of risks that access brings, usually by continuously monitoring the context. This limits the possibility of an attacker hijacking a legitimate user session.

• Cloud Access Security Broker (CASB): CASB solutions are not a technology, per se. Instead, they integrate different technology authorization and encryption with malware detection and others. Similarly, they can be used to integrate zero-trust solutions on a cloud platform.

• Next-Generation Firewall (NGFW): Gartner’s definition is apt: “Deep-packet inspection firewall that moves beyond port/protocol inspection and blocking to add application-level inspection, intrusion prevention, and bringing intelligence from outside the firewall.”

Conclusion

The principle of least privilege in cybersecurity is not just an exciting fad that would go away soon. Rather, it is becoming a standard model and best practice for network protection in the new normal of cybersecurity.

Implementing least privilege works like buying insurance; the strength and impact of an attack can be measured by the level of privilege a compromised account has. This can put things into perspective in fighting data breaches.

Editor’s Note: The opinions expressed in this guest author article are solely those of the contributor, and do not necessarily reflect those of Tripwire.