App Tiers Affected:
What Is the Principle of Least Privilege?
Information security is a complex, multifaceted discipline built upon many foundational principles. The three most important—confidentiality, integrity, and availability (the CIA triad)—are considered the goals of any information security program. A supporting principle that helps organizations achieve these goals is the principle of least privilege.
The principle of least privilege addresses access control and states that an individual should have only the minimum access privileges necessary to perform a specific job or task and nothing more. So, an employee whose job entails processing payroll checks would only have access to that specific function in a payroll application but would not have administrative access to the customer database. Similarly, to do their jobs, a marketing specialist does not need access to employee salary data, an entry-level government worker should not have access to top-secret documents, and a finance specialist should not be able to edit application source code.
Most of us are familiar with the concept of restricting access and see or practice variations of this principle in everyday life. Parents use parental controls on their home devices to restrict children’s access to harmful content, ticketed airline passengers can board a plane but aren’t allowed in the cockpit, students have access to learning systems but not to teachers’ grading files, and a parking attendant with a valet key can park your car but can’t access the locked glove box, console, or trunk.
As a principle, least privilege falls under the second A in an information security framework known as AAA —authentication, authorization, and accounting (or accountability). This framework addresses the need to verify the identity of users seeking access to a network or other resource (authentication), determine what they’re allowed to do (authorization), and track all actions they take (accounting or accountability). So, at a high level, the principle is meant to help organizations reduce riskRisk constitutes a specific threat matched to a specific vulnerability, where both likelihood and impact are evaluated to determine the level of risk. —to the business, its people, and its assets. More specifically, the goal is to reduce the potential damage that excessive privileges or their misuse can cause, whether accidentally or intentionally.
What Least Privilege Is Not
Least privilege is sometimes confused with, but is different from, two similar security principles: need to know and separation of duties. Often used together with least privilege, need to know provides more specific access control based on need. Sales managers, for example, do not need continuous access to their direct reports’ personnel files but should have access for a limited time to complete each employee’s annual performance review.
Separation of duties calls for assigning critical tasks to two or more people so no single individual has complete control of any action that could put the organization at risk. This principle might be used, for example, to prevent an accounts specialist from setting up fake vendor accounts and then paying phony invoices against those accounts as a way to steal funds from the company. Like need to know, separation of duties is often used in addition to least privilege.
Who and What Does Least Privilege Apply To?
In practice, the principle of least privilege applies not only to individuals but also to networks, devices, programs, processes, and services. When it comes to access control, all of these are considered subjects (active entities) that request access to resources, or objects (passive entities that contain or receive information), such as systems, files, applications, directories, databases, ports, and more.1 It’s critical for organizations to understand that the principle must apply to all of these entities because if compromised, any could potentially put the organization or its data at risk.
What are some examples of least privilege applied to nonuser entities? “Hardening” a server by shutting down unnecessary ports and removing unused components is one. Enabling a web application to only retrieve data and not change or delete it is another. Authorizing an API to access only the specific data it needs rather than all data in a database is yet another.
The Importance of Practicing the Principle of Least Privilege
Although least privilege is one of the most commonsense security principles, organizations often do not take its enforcement seriously enough. Returning to the CIA Triad, a lax application of least privilege can violate the goals of maintaining confidentiality, integrity, and availability. In the examples noted earlier:
- A payroll processing clerk who deletes the customer database violates availability.
- A marketing specialist who views employee salary data violates confidentiality.
- A finance specialist who changes application source code violates integrity.
- An entry-level government worker who alters top-secret documents violates both integrity and confidentiality.
It’s also worth noting that the OWASP Top Ten,2 which lists common web app security weaknesses, explicitly calls out improper or broken authentication or access control as the culprit in at least four of the ten top web application security risks.
One of the most obvious benefits of practicing least privilege is that it reduces an organization’s attack surface
Attack surface refers to all entry points through which an attacker could potentially gain unauthorized access to a network or system to extract or enter data or to carry out other malicious activities.. A broad attack surface is challenging for organizations to defend. The outcomes can be disastrous if, for example, attackers happen upon unprotected cloud-based databases, APIs with no authentication controls, backdoorsAn undocumented way to access a system that allows an attacker to bypass typical security controls. left in critical software, or servers that are wide open to any type of traffic. Any of these situations can lead to destructive attacks or significant data breaches like the following recent examples, which occurred in part due to excessive or nonexistent privilege:
- The 2019 Capital One data breach that exposed the personal information of 106 million consumers was due in part to a firewall that had been assigned excessive privileges, allowing it to run commands and access data in cloud-based storage it should not have had access to.3, 4
- In 2019 and 2020, multiple data breaches exposed the personal information of millions of users, and in one case, 1.2 billion users. In all instances, cloud-based databases were exposed because they had no password protection or access controls of any kind.5, 6, 7, 8
- The 2019 data breach of India’s search engine company Justdial exposed personally identifiable information of over 100 million users. The breach was attributed to unauthenticated APIs which, in turn, gave attackers unrestricted access to the APIs’ back-end data.9, 10
Practicing least privilege also protects the organization from itself or, more accurately, its own users. Overly privileged users can easily put the organization’s data or other assets at risk through error, ignorance, or negligence as well as through intentional malicious acts by a vengeful insider. Restricting users’ ability to install or run unapproved applications can protect endpoints from becoming infected with malware or ransomware and, in turn, reduce the chances of it spreading throughout the organization.
Finally, depending on the industry or type of business, many organizations must comply with laws and regulatory requirements, such as the EU’s General Data Protection Regulation (GDPR), the Payment Card Industry Data Security Standard (PCI DSS), HIPAA, the Sarbanes-Oxley Act in the United States, and others. Properly implementing and enforcing the principle of least privilege helps organizations achieve regulatory compliance and puts them in a better position to pass an audit.
Least Privilege Best Practices
Organizations that want to (or must) implement least privilege can begin by following these best practices:
- Adopt “least privilege as default.” This principle is so fundamental it should be the default mind-set for all security professionals yet, surprisingly, many organizations do not adequately enforce it. One data risk study of nearly 800 companies found that 20 percent had folders that were open to all employees, almost two-thirds of companies had 1,000 or more files open to every employee, and 39 percent of companies had over 10,000 “stale but enabled” user accounts, all of which unnecessarily increase the attack surface.11 If you’re not applying least privilege and are unsure where to begin, start by using role-based access control, which determines users’ privileges based on their job or assigned task.
- Enforce related security principles. Using need to know and separation of duties in conjunction with the principle of least privilege refines privileges granted to subjects, further reducing risk.
- Limit the number of privileged accounts. Because system administrators have virtually unlimited privileges, attackers frequently target those accounts, so limit administrators to the lowest number necessary, preferably fewer than 10 percent of total users. Any more than that increases both the risk and the amount of work required to oversee and monitor logs.12 In addition, grant standard users local administrator rights only when absolutely necessary.
- Disable unnecessary components. When configuring new systems or applications, remove or disable all unnecessary services, which are often enabled and running by default at start-up. Should someone discover vulnerabilities in those components in the future, you won’t be at risk.
- Review logs frequently. Log and monitor all authentications and authorizations to critical systems and review logs daily, if feasible. Use automation to summarize common events and alert you to anything unusual. Look for both successful and failed login attempts as well as any type of access control changes, for example, newly added firewall rules or user accounts that were added without prior management approval.
- Regularly reevaluate accounts and privileges. If possible, review privileges monthly or, at a minimum, quarterly. Ensure active accounts have the minimum privileges required, revoke any excess privileges, and properly terminate any old or inactive accounts. Regular review helps eliminate “privilege creep,” which often occurs when departments reorganize or individuals change roles and subjects retain privileges they no longer need. A common nonuser example is a firewall that has pages and pages of years-old, project-specific rules that have never been cleaned up.
- Use time-limited privileges. As much as possible (without impeding an employee’s ability to do their job), grant privileges just long enough for a subject to perform a specific task (such as a user changing a password or, as mentioned earlier, a manager completing a performance review). Whenever feasible, do the same for specific administrator tasks to reduce the threat window.
As stated in the opening, although information security is a complex, multifaceted discipline, organizations should, at a minimum, strive to follow basic security principles and established best practices. The principle of least privilege helps organizations bolster their defenses by supporting the CIA triad and reducing the attack surface, which ultimately reduces their overall risk.