What are three principles of least privilege?
|
Least-privileged access is a cybersecurity strategy in which end users receive only the minimum level of access necessary to perform job-specific tasks. It is a crucial element of information security
that helps organizations protect their sensitive data by restricting lateral movement and unauthorized access to business applications or resources. As higher volumes of data move to and through the cloud, and cyberattacks become more frequent and sophisticated, organizations are searching for ways to protect their growing attack surfaces. This is where least-privileged access—also called the principle of least privilege
(POLP) or the principle of minimal privilege—comes into play as one of the foundational elements of a zero trust approach. Least-privileged access comprises three areas of consideration: user identity authentication, device security posture, and user-to-app segmentation. We’ll cover these in more detail shortly. Before we move on, let’s look at how these two terms relate to one another. “Least-privileged access” can sound a lot like “zero trust,” and indeed, they’re closely related but still crucially different concepts. You can think of least-privileged access like a key card you give to each of your employees that’s uniquely coded to their job function. This lets you
tailor access controls so most users can access common areas like Microsoft 365, but only some can access more sensitive material, such as financial information, HR data, and so on, reducing the risk of excessive permissions leading to data breaches. Zero trust takes this a step further, not granting trust simply because an employee has a unique key card. Before granting access, a zero trust policy establishes a user’s identity and full context for the connection request, such as the
user’s device, their location, the application in question, and its content. This way—to extend the metaphor—another user can’t simply pick up a key card, take on its access rights, and start getting into places they don’t belong. How Does Modern Least-Privileged Access Work?
Today, least-privileged access and zero trust are essentially inseparable, with a modern approach incorporating user identity authentication, device security posture, and user-to-app segmentation in its controls. Let’s examine these three core elements.
This is how you determine whether your users are who they claim to be. Identity and access management (IAM) providers and services (e.g., Okta, Azure Active Directory, Ping Identity) create, maintain, and manage identity information while offering various provisioning and authentication services.
A well-intentioned user with elevated privileges can still fall victim to malware. Paired with continuous assessment of endpoint security posture (provided by the likes of CrowdStrike, VMware Carbon Black, SentinelOne, etc.), modern least privilege policies can modify a user’s permissions based on their current device health.
The traditional way to limit network exposure and lateral movement is network segmentation, using firewalls inside the enterprise network to restrict segments to privileged accounts. Although it’s key to limit internal lateral movement, this approach is complicated and doesn’t provide the granular control modern organizations need. User-to-app segmentation is made possible with a zero trust network access (ZTNA) service, which enables granular segmentation through IT-managed business policies, not a stack of firewalls. ZTNA connects verified users directly to the applications they’re authorized to use without ever connecting them to your network, making lateral movement impossible. This access is extended to both remote and on-premises users, regardless of their location, with identical security controls. 3 Benefits of Least-Privileged AccessThe convergence of the three core elements with an effective ZTNA service forms the basis of a strong, resilient security posture for your organization, where:
A Word on Administrative PrivilegeOf course, your administrator accounts require some further consideration. Superusers carry an immense burden of trust, and by nature, they can’t work with limited access. The traditional solution here is privileged access management (PAM), which manages your entitlements, accounts, and operating systems at the data center level. However, the shift to the cloud is making PAM less effective. Today, the rise of DevOps means your cloud may see thousands of permission changes in a day. Cloud infrastructure entitlement management (CIEM) is succeeding here where PAM has begun to fail, as effective CIEM can manage and inventory cloud entitlements, perform privilege audits, detect and remediate privilege creep, confer admin rights to services, and carry out various other functions at a scale and level of complexity PAM can’t reach. CIEM is an important consideration for today’s cloud environments as you’re planning or refining your least-privileged access approach. How to Implement Least-Privileged Access in Your OrganizationAchieving modern least-privileged access with zero trust is easier than it sounds, with just three basic steps:
How Zscaler Helps with Least-Privileged AccessTraditional firewalls, VPNs, and private apps all create a massive attack surface. Hackers and other bad actors can see and exploit vulnerable, externally exposed resources, and outdated network security solutions like VPNs put users on the network, giving attackers easy access to sensitive data. Plus, they can't scale or deliver a fast, seamless user experience—they require backhauling, introduce added costs and complexity, and are too slow to serve today's distributed workforce. As the world’s most deployed ZTNA platform, Zscaler Private Access™ applies the principles of least privilege to give users secure, direct connectivity to private apps while eliminating unauthorized access and lateral movement. It can be deployed in hours to replace legacy VPNs and remote access tools with a cloud native, holistic zero trust platform. Zscaler Private Access is ZTNA, evolved. Visit our Zscaler Private Access page to learn more. What are the principle of least privilege?The principle of least privilege (PoLP), also known as the principle of minimal privilege or the principle of least authority, is an information security concept. It states that any user, device, workload, or process should only have the bare minimum privileges it needs to perform its intended function.
What is the principle of least privilege and why is it important?The least privilege principle forces network managers to keep comprehensive data records to understand who has access to what at any given time. Auditing, classifying, and organizing data is required to understand all the information held on a network and more importantly, who can access it.
What is the principle of least security?The principle of least privilege (PoLP) refers to an information security concept in which a user is given the minimum levels of access – or permissions – needed to perform his/her job functions.
What are the three primary areas of privilege management?To rise to the challenge, PAM must improve in three key areas:. Embrace the just-in-time (JIT) access model for cloud access.. Improve support for service accounts and the DevOps pipelines in infrastructure-as-a-service (IaaS) and platform-as-a-service (PaaS) environments.. |
