Least Privilege
The concept of Least Privilege is so important to maintaining and optimizing your Security Posture. Least Privilege is essentially the notion that each individual employee and Non-Human Account should ALWAYS have ONLY the Privileged Access Rights and Permissions to Systems, Tools, Resources, and Data that they Need to Do Their Jobs. This helps combat The Insider Threat: limiting how much access a User and Their System or Systems have to Company Resources limits how much damage an Insider can do.
At the File Security level, those who only need to Read Files and View Content should have Read access and nothing more. If you need someone to be able to edit, create, and save Files, you’ll grant them Modify Permissions. Read Only Users should not have Modify Permissions for obvious reasons. This is Least Privilege at its most basic. You can go much deeper and much more granular with the concept. For example, you may only want HR Staff to have access to the printer in their section of The Office, so you manage who can see the printer and who can install the printer by setting permissions on the centralized printer server.
Always centralize your authentication as much as possible so you can manage Least Privilege most efficiently and effectively. If you get notice of a Termination, you want to facilitate that Termination by disabling or deactivating a single account; all permissions should be tied to that account, thus mitigating any and all threats associated with that object or account. If an exception needs to be made, or someone needs new access and has an approved, justifiable business case, then there should be a process for granting new access permissions and privileges.
Nobody should be able to exfiltrate data via Removable Storage Devices, so Reading and Writing to and from USB, SD, and Disk Drives should be disabled by default. All exceptions should be documented so that if Data Loss occurs you have a list of ALL Users who even have the ability to exfiltrate data via Removable Media.
Least Privilege also dictates who can access certain Office Rooms, Buildings, and Floors. Protecting Network Equipment is a huge responsibility, so you should always find Physical Lock Controls on outer Doors, inner Doors, and all Closets that meet the Standards of being Tamper Proof. If I can use my Library Card to enter your Facility it is not really that Secure, so don’t get lazy or cut corners when it comes to Least Privilege.
A good Security Posture will only grant access to resources if absolutely necessary. Understand your Organization’s Processes, Procedures, and Culture to best field requests for new and modified access rights. It can become murky and confusing when the “approvers” are not clear, especially when one or two of them leave the Organization. Access to Run Privilege Elevation should be granted to End Users sparingly and seldom. If exceptions are made, there must be a valid reason, such as a Developer needing to edit and run programs outside of Standard Baseline Software, and those permissions should be reauthorized at least once a year. The bottom line is that Less Is More when it comes to granting access to company systems and resources, so do it sparingly and document approvals.
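
As an added example (not part of the original article), the Python sketch below reviews a register of documented access exceptions for the problems described above: exceptions not reauthorized within a year, approvers who have left, and exceptions still attached to disabled accounts. The record fields, account names and privilege labels are hypothetical, and the sample data is constructed.

```python
from dataclasses import dataclass
from datetime import date, timedelta

REAUTH_WINDOW = timedelta(days=365)  # "at least once a year", per the text

@dataclass(frozen=True)
class AccessException:          # hypothetical record layout for the register
    account: str                # who holds the extra privilege
    privilege: str              # e.g. "usb-write", "local-admin"
    justification: str          # documented business case
    approver: str               # who signed off
    last_authorized: date       # date of the most recent (re)authorization

def review(exceptions, active_accounts, today):
    """Return {(account, privilege): [reasons]} for exceptions needing action."""
    findings = {}
    for e in exceptions:
        reasons = []
        if e.account not in active_accounts:
            reasons.append("holder account disabled: revoke")
        if e.approver not in active_accounts:
            reasons.append("approver left: reassign approval")
        if today - e.last_authorized > REAUTH_WINDOW:
            reasons.append("reauthorization overdue")
        if not e.justification.strip():
            reasons.append("no documented justification")
        if reasons:
            findings[(e.account, e.privilege)] = reasons
    return findings

def holders(exceptions, privilege, active_accounts):
    """Active accounts able to use a privilege, e.g. for a data-loss inquiry."""
    return sorted({e.account for e in exceptions
                   if e.privilege == privilege and e.account in active_accounts})

# Constructed sample data: active accounts from the central directory,
# plus the documented exception register.
ACTIVE = {"dev.kim", "hr.lee", "mgr.ortiz"}
REGISTER = [
    AccessException("dev.kim", "local-admin", "builds non-baseline software",
                    "mgr.ortiz", date(2023, 1, 10)),
    AccessException("hr.lee", "usb-write", "offline payroll transfer",
                    "mgr.patel", date(2024, 3, 1)),
    AccessException("temp.roy", "usb-write", "", "mgr.ortiz", date(2024, 2, 1)),
]

if __name__ == "__main__":
    for key, reasons in review(REGISTER, ACTIVE, date(2024, 6, 1)).items():
        print(key, reasons)
    print("usb-write holders:", holders(REGISTER, "usb-write", ACTIVE))
```

Because every exception is keyed to a single centrally managed account, disabling that account is enough for the review to flag everything still attached to it.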