The Principle of Enforcing Least Privilege (Part 1)

It seems that as a society, we always want more. More money, more prestige, more bandwidth, more memory, etc. Often times however, less is more. Oscar Wilde said, “Everything in moderation, including moderation.” When applied to our personal lives, moderation helps us achieve a healthy balance between work and leisure, alone time and socialization.

This same precept is applicable to our approach to desktop privilege allocation within the enterprise. Referred to as the Principle of Least Privilege (PoLP), this practice is about only giving users the essential access rights, computing processes and resources required to do their jobs.

The notion of allotting a PoLP runs counter to the sense of desktop entitlement that users are accustomed to, as consumerization of IT has emboldened them to take charge of their devices and applications. As a result, internal IT finds itself countering shadow IT initiatives as users pursue their own solutions to skirt bureaucratic processes and avoid the word “No” in response to solution provisioning requests. The word privilege is defined as “a special right, advantage, or immunity granted or available only to a particular person or group of people.” When you consider the PoLP from this perspective, it is clear that we are not stripping people of admin privileges because standard users should not have them anyway.

Least Privilege is No Different Than Other Organizational Policies

The principle means to give a user only those privileges which are essential to perform their job. It is about finding the balance between administrator and guest rights. It’s necessity is no different than the standard operating procedures, which ensure that tasks are completed in accordance with industry regulations, provincial laws or the standards of the business itself. Large expenditures must be approved by management, sensitive information is restricted to designated employees, and mergers and acquisitions are limited to C-level executives.

Similarly, applications have to be approved for deployment, access to sensitive data files must be restricted to authorized users, and configuration settings for applications should be managed by enterprise administrators. There must be a network enterprise hierarchy structure. Just as most employees do not require managerial rights, they also don’t require admin rights.

PoLP is about Security

According to Forrester Research, approximately 80 percent of security breaches involve privileged credentials that belong to the IT professionals who administer the systems, databases, and networks. Hackers don’t waste their time zealously assaulting the fortified firewall perimeter. They target users – which means they target devices. They attempt to gain access usingphishing emails, drive-by websites and insecure public WiFi hotspots. As the old saying goes, all roads lead to Rome… and all enterprise devices lead to your most valued digital resources once a hacker manages to infiltrate them.

As John Chambers, former Executive Chairman of Cisco once said, “The question for most organizations isn’t if they are going to be breached, but how they can isolate and mitigate the threat.” If a cyberattack is truly inevitable, it is critical that there are as few privileged connections as possible so that any compromised user sessions are limited in the potential scope of an attack. Enforcing PoLP helps reduce the attack surface of your active user sessions and limits the possible damage that can occur as a result of network exploits and computer compromise. The end goal is to prevent malware and malicious code from spreading to the system at large.

Enforcing the PoLP is Easy with PolicyPak

Yes, allocating local admin rights to standard users is easy, but with the right solution, enforcing PoLP is also easy – if you have the right tools and controls. PolicyPak Least Privilege Manager was created to create that happy medium between user access, proficiency and security. PolicyPak Least Privilege Manager provides a simple interface to point, click and create policies comprised of one or more rules that you can assign to designated applications, matched to criteria that you set. In part 2 of this blog series, we will examine the other areas of how the PoLP comes into play regarding other aspects of the desktop besides just security.