In a nutshell, the Principle of Least Privilege means limiting access to whom and for what is necessary to perform one’s duties. The concept of restricting access to data, information, applications, operating systems, servers, network equipment, etc.. is nothing new. In fact, the concept has been around for decades and ignored for just about as long, by many organizations.
I keep hearing/reading about a shift from focusing on preventative controls to focusing on detection and remediation, when it comes to “cyber-security”. I find a problem with this mindset for two reasons: 1) This should not be an all or nothing approach and it runs counter to the principle of a defense in depth Information Security Strategy. You don’t have to sacrifice one for the other; 2) One of the main reasons we see breach after breach and ransom after ransom, is that most organizations do a poor job implementing (or a great job of not implementing) the most basic of preventative controls…adhering to the Principle of Least Privilege.
I remember the early days of my consulting career of walking into an Novell NetWare 3.11 environment where all 30 users were logging in as the Supervisor account. Still today I see Microsoft Active Directory environments where there are, in some cases dozens, of day-to-day user accounts that are members of the administrators, Domain Admins and Enterprise Admins groups. There are network file shares with full control access to Everyone. There are users logged in with full administrator access to there PCs and User Access Control (UAC) disabled. Couple this chaos with having applications and systems that are either several versions behind the currently available (and maybe not even vendor supported anymore) or are not running the latest service packs, patches/hot-fixes, roll-up updates and not running anti-malware/virus software and we have the perfect playground for hackers.
I’ve always liked the Six P’s of Project Management (Proper Planning Prevents Poor Project Performance) to explain the value of using project management for all types of projects, big and small. So, I came up with my own Six P’s for Least Privileged Access:
Are you ever going to 100% prevent a data breach or ransomware attack, probably not, but you can greatly lessen the impact of such an event by implementing the Principle of Least Privilege. Protecting your information and your customers’ information takes a balanced approach and diligence. When it comes to Information Security, an ounce of prevention truly is worth a pound of cure.