The Principle of Least Privilege (PoLP), refers to the theory and practice of restricting access rights for users, accounts, and computing processes to only those staff who are absolutely required to perform regular, authorized activities. Within the context of the Principle of Least Privilege, the term privilege itself refers to the authorization to bypass certain security restraints. A least privilege security standard necessitates enforcing the minimal level of user rights, or lowest clearance level, that allows each user to perform his/her regular duties. However, outside of individual users, the least privilege also applies to processes, applications, systems, and devices (such as IoT devices), in that each should have only those permissions necessary to perform an authorized activity.
In information security, the Principle of Least Privilege (PoLP), requires that in a particular abstraction layer of a computing environment, each and every module (process, user, application, system etc.) must only be able to access only information and resources that are necessary for its defined purpose.
Overview & Application of Principle of Least Privilege
As stated, with respect to information security, the Principle of Least Privilege (PoLP) refers to allowing a user account only those privileges which are vital to perform its intended function. For example, a user account for the sole purpose of performing password resets does not need to creating new account: hence, it has rights only to reset passwords. Any other privileges, such as creating new accounts are blocked. The Principle of Least Privilege also applies to a personal computer user who usually does work in a normal user account, and opens a privileged, password-protected account (admin, or superuser, for example) only when the scenario absolutely requires it.
When the Principle of Least Privilege (PoLP) is applied to users, the terms least user access or least-privileged user account (LUA) are also used, referring to the working model that all user accounts should run with as few privileges as possible, and also launch applications with as few privileges as possible at all times.
Principle of Least Privilege Applied
The Principle of Least Privilege (PoLP) is commonly recognized as an essential design consideration for enhancing information security and functionality. Depending on the system, some privilege assignment may be based on attributes of their particular role within an organization. For example, it makes logical sense that Human Resources user privileges would differ from the privileges of a user working in the Information Technology. Additionally, there are a number of other parameters that come into consideration such as time of the day, or seniority. At a high level, below we’ve broken down the basic distinguishable differences between the basic tiers of privilege assignment to communicate the basic model.
Administrator (Admin) Account
Primarily used for administration by IT employees, administrator (admin) accounts may have virtually unlimited privileges over a system or network. Admin account privileges often include complete read, write, execute privileges, and the ability to render system changes across entire networks, such as; creating or installing files or software, modifying files and settings, and deleting users and data. There are many different types of privileged accounts, however admin accounts are often the most powerful, and, if abused, have the potential to cause the most damage to an organization, hence the admin account often represents a primary target for malicious parties.
Basic User Account
Referenced earlier in the article as least-privileged user accounts (LUA), the basic user account has a limited set of privileges, directly related to the required function of the user. In a Principle of Least Privilege environment, these basic or standard user account is the account that most users should be operating with few exceptions.
Multiple User Accounts
As a security best practice, the majority of non-IT users must only have standard user account access. However, there are some exceptions, in some IT roles, such as a system admin, may possess multiple accounts, logging in as a standard user for regular tasks, while logging into an admin account to perform administrative activities. As previously mentioned, because administrative accounts possess more privileges, and thus, pose a greater risk if/when compromised or misused compared to standard user accounts, a best practice is to only use these administrator accounts when absolutely necessary.
Principle of Least Privilege: The Benefits
In well-planned application, the benefits of Principle of Least Privilege are far-reaching; below, we have compiled a brief list that captures the key benefits.
Easy Deployment: Overall, the fewer privileges an application requires, the easier it is to deploy within an extensive environment. That said, applications that install device drivers or require elevated security privileges typically have only a few additional steps involved in their deployment.
Superior system stability: When code is limited in the range of actions it can make to a given system, it is easier to test its possible actions and interactions with other applications. By limiting the number of privileges to the smallest range of processes to perform an authorized activity, we effectively reduce the chance of incompatibility issues popping up between other applications and/or systems. This greatly reduces the risk of any potential downtime.
Superior system security: When code is limited in the range of actions it may perform, vulnerabilities in one application cannot be used to exploit the rest of the machine. Running in basic user mode gives the system increased protection against inadvertent system-level damage caused by malware, spyware, and viruses. As well, by reducing privileges across people processes and applications, a PoLP approach effectively limits the pathways for potential exploits, due to significantly reducing the attack surface.
Key Takeaways from Principal of Least Privilege:
- Have an admin account for admin functions. Log in using your only your regular account.
- Use a similar approach for O365/GSuite; make use of both a separate admin account and regular email account.
- On most corporate networks, there are administrators with permissions on all systems. If an admin uses this same computer or email, with the same account, and becomes compromised, it’s game over.
- Administrators must separate their administrative duties to an admin account (i.e. jsmith and jsmith-admin).
- Under no circumstances, should you browse the internet with your admin account
To summarize, the Principle of Least Privilege (PoLP) works by allowing its users only enough access to perform the required function. Within an IT environment, adhering to the Principle of Least Privilege significantly reduces the risk of attackers attaining access to critical systems or sensitive data by compromising a low-level user account. Implementing the Principle of Least Privilege helps to contain compromises to the location of origin, thwarting them from spreading to the system at large.
If you would like to learn more about how the Principle of Least Privilege can benefit your organization, please contact us for more information.