How It Works
The POLP states that accounts, applications, and devices should only be granted the access and permissions required to do their job. This works by identifying these requirements based on business needs and a user’s, device’s, or application’s purpose within the enterprise.
For example, most employees do not need administrative access to their own computers to fulfill their roles, so POLP states that they should not have it. Similarly, finance personnel do not need access to HR records or IT systems, so they should not be granted it.
POLP also applies to limiting access to elevated permissions to tasks that require them. For example, an IT administrator may require privileged access to perform some of their job duties. However, they should use a non-privileged account for day-to-day tasks and only use their privileged account when it is necessary for a given task.
The Importance of Least Privilege
According to the 2021 Verizon Data Breach Investigations Report (DBIR), approximately 70% of data breaches involved privilege abuse. This means that an account with legitimate access to corporate resources was used to access and exfiltrate sensitive data. This may be due to a compromised account, negligence by the account owner, or an insider threat.
POLP helps to limit the risk of privilege abuse by limiting the privileges granted to a user, application, etc. If an account only has the permissions required to perform its role, then its ability to abuse those privileges is limited. While an account or application with legitimate access to the customer database may still access that database and steal the records within, this is a much smaller risk than if every user and application in the enterprise could potentially be used to do so.
Benefits
POLP limits access to an organization’s sensitive data and valuable IT resources. By doing so, it can provide several benefits to the organization, such as:
- Reduced Cyber Risk: By implementing POLP. an organization limits the access that a user, application, etc. has to corporate IT resources. This makes it more difficult for an attacker who has compromised an account or application to use that access to achieve their goals. For example, an account lacking access to the customer database cannot be used to steal and exfiltrate sensitive data from that database.
- Fewer Errors: Not all outages and data breaches are caused by a malicious actor. Negligence or a simple mistake by a non-technical user could result in malware being installed on a machine, database records being deleted, etc. With POLP, users’ access to critical resources is restricted, limiting the potential for accidental infections, leaks, or outages.
- Increased Visibility: Implementing POLP requires increased visibility into an organization’s access control systems to enforce restrictions as opposed to an “allow all” policy. This increased visibility can help with detecting potential cyberattacks or other incidents that may need attention.
- Simplified Compliance: The scope of compliance audits is often restricted to the users and systems that have access to the data protected by a regulation. By implementing POLP and restricting this access based on business needs, an organization can shrink the scope of compliance responsibilities and audits, making it easier to achieve and demonstrate compliance.
How to Implement Least Privilege in Your Organization
POLP can be implemented via the following steps:
- Perform a Privilege Audit: A good first step in implementing POLP is to audit the current access and permissions that users, applications, and devices have within an organization. Identifying what assets an organization has and how they’re used can help with determining required access.
- Define Roles: Based on business needs and existing privileges, define roles for privilege management. For example, identify what systems, software, data, etc. a finance employee needs to access to do their job and include that access within a finance role.
- Restrict Administrative Access: Most employees do not require administrator-level access for daily work. Remove default admin access and define processes for gaining elevated permissions when needed.
- Roll Out Role-Based Permissions: After roles and permissions are defined, roll these out to users, applications, and systems to implement POLP.
- Deploy Access Monitoring: Access monitoring is vital to detecting privilege abuse or misaligned permissions. Setting up monitoring helps an organization to detect if permissions assigned to a user are too restrictive or too general.
- Review and Revise: Definitions of roles and privileges may not be perfect the first time and may change over time. Periodically review assigned roles, access, and permissions and make changes as needed.
Least Privilege with Harmony Connect
Effectively implementing zero trust and POLP requires tools that can support its access controls. For example, virtual private networks (VPNs) are not ideally suited to zero-trust or POLP because they are designed to provide legitimate users with unrestricted remote access to corporate networks.
Check Point’s Harmony Connect provides POLP-compatible secure remote access via zero trust network access (ZTNA) as part of its SASE solution. Learn more about implementing zero trust remote access in your organization. You’re also welcome to sign up for a free demo of Harmony SASE to learn about deploying POLP for your distributed workforce.
Feedback