Overcoming Two Least Privilege Problems: Minimal Access and Expiration of Access

March 23, 2016


There are three core areas of focus when managing and controlling access: Authentication, Authorization and Accountability. We call these the 3As.

  • Authentication is focused on verifying the identity of an individual and proving that someone is who they claim to be.
  • Authorization is controlling and managing what access an individual has.
  • Accountability is tracking and monitoring what a user account is doing, so that indications of compromise can be found.

The key component of authorization is least privilege: giving someone the least amount of access they need to do their job, and properly maintaining that access. The two big problems with least privilege are minimal access and expiration of access.

Minimal Access

When assigning or providing access, in many cases an admin is not sure whether or not someone needs access. In the past, if an admin was not sure if a user needed access, the default rule was to go ahead and provide the user with access. While this potentially minimized support desk calls and user frustration, it introduced considerable risk.

If you provide additional access and it is not needed, no one ever notifies the help desk, so the excess is never discovered. Ultimately, providing access to a user beyond what his or her role requires leads to a massively increased attack surface that leaves organizations wide open to damage from hackers and insiders.

However, if we shift the paradigm and do not grant access unless we are sure the user needs it (deny by default), the system stays in a secure state even when the admin guesses wrong.

Now, if the access is not provided and it is needed, the user can notify the help desk, get appropriate approval, and then get the access added. In light of many disastrous real world examples of privileged access gone wild, this is a much safer and smarter approach to managing access. If it is intelligently implemented, the initial user frustration and help desk calls can be mitigated with granular policies rather than blanket denials of privilege.

Expiration of Access

The second big problem with access is expiration. In most organizations, once access is provided to a piece of information, it is never removed. This leads to what I call the sticky principle. Over the course of employment at an organization, as a user’s role and responsibilities change (or the technologies they need to access grow), more access is granted to the user. However, the previous access is rarely removed once it is no longer relevant to the user’s role.

I have seen this in many organizations where someone who has worked for the company for 20 years in various roles has, as a result, accumulated access to almost every piece of information and system.

A best practice, then, is to set expiration periods on access. After a set period of time, a grant that is not renewed or extended expires on its own, and the access on the system converges back to what the user actually needs. This is analogous to password expiration: it requires only a simple periodic renewal, and the renewal is the point at which the need for the access is re-confirmed.
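The two problems above (deny by default, and grants that expire unless renewed) fit in a small authorization model. The following is an added example written for this page, not BeyondTrust code or any product API; the principal, resource, approver names and the 90-day TTL are constructed for illustration. It makes three design points concrete: the check fails closed when no grant exists, every grant carries an expiry so a permanent grant cannot be created, and an expired grant cannot be quietly extended but must go back through approval.

```python
"""Deny-by-default authorization with time-bounded grants.

Added example for the least privilege discussion above (not BeyondTrust code).
Principals, resources, approvers and the default TTL are constructed sample data.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional, Tuple

Key = Tuple[str, str, str]  # (principal, resource, action)


@dataclass(frozen=True)
class Grant:
    principal: str
    resource: str
    action: str
    granted_at: datetime
    expires_at: datetime
    approver: str  # who approved the request; kept for accountability


@dataclass
class AccessPolicy:
    """Deny-by-default store of explicit, time-bounded grants."""

    default_ttl: timedelta = timedelta(days=90)
    grants: Dict[Key, Grant] = field(default_factory=dict)
    audit: List[str] = field(default_factory=list)  # append-only decision log

    def grant(self, principal: str, resource: str, action: str, approver: str,
              now: datetime, ttl: Optional[timedelta] = None) -> Grant:
        """Record an approved grant. Every grant carries an expiry; there is
        no way to create a permanent one."""
        if ttl is None:
            ttl = self.default_ttl
        g = Grant(principal, resource, action, now, now + ttl, approver)
        self.grants[(principal, resource, action)] = g
        self.audit.append(f"GRANT {principal} {action} {resource} "
                          f"until {g.expires_at.isoformat()} by {approver}")
        return g

    def is_allowed(self, principal: str, resource: str, action: str, now: datetime) -> bool:
        """Default deny: only an explicit grant that has not expired allows access."""
        g = self.grants.get((principal, resource, action))
        allowed = g is not None and now < g.expires_at
        self.audit.append(f"{'ALLOW' if allowed else 'DENY'} {principal} {action} {resource}")
        return allowed

    def renew(self, principal: str, resource: str, action: str, approver: str,
              now: datetime, ttl: Optional[timedelta] = None) -> Grant:
        """Extend a still-valid grant. An expired grant cannot be renewed; it
        must be re-requested and re-approved like a new grant."""
        g = self.grants.get((principal, resource, action))
        if g is None or now >= g.expires_at:
            raise PermissionError("no active grant to renew; request access again")
        return self.grant(principal, resource, action, approver, now, ttl)

    def sweep_expired(self, now: datetime) -> List[Grant]:
        """Remove expired grants so they do not linger (the 'sticky' problem)
        and return them for review."""
        expired = [g for g in self.grants.values() if now >= g.expires_at]
        for g in expired:
            del self.grants[(g.principal, g.resource, g.action)]
            self.audit.append(f"EXPIRE {g.principal} {g.action} {g.resource}")
        return expired

    def entitlements(self, principal: str, now: datetime) -> List[Grant]:
        """Active grants for one principal: the input to a periodic access review."""
        active = [g for g in self.grants.values()
                  if g.principal == principal and now < g.expires_at]
        return sorted(active, key=lambda g: g.expires_at)


def demo() -> dict:
    """Walk a constructed user through a role change and return the outcomes."""
    t0 = datetime(2016, 3, 23, tzinfo=timezone.utc)
    p = AccessPolicy(default_ttl=timedelta(days=90))

    # Nothing is granted yet, so the check fails closed.
    before = p.is_allowed("alice", "payroll-db", "read", t0)

    # Alice asks the help desk; a manager approves a 90-day grant.
    p.grant("alice", "payroll-db", "read", approver="bob", now=t0)
    during = p.is_allowed("alice", "payroll-db", "read", t0 + timedelta(days=30))

    # She changes roles and gets build-server access; the payroll grant is never
    # renewed, so it lapses on its own instead of sticking to her forever.
    p.grant("alice", "build-server", "deploy", approver="carol", now=t0 + timedelta(days=60))
    after = p.is_allowed("alice", "payroll-db", "read", t0 + timedelta(days=91))
    swept = p.sweep_expired(t0 + timedelta(days=91))
    remaining = [g.resource for g in p.entitlements("alice", t0 + timedelta(days=91))]

    # An expired grant cannot simply be extended; it must go through approval again.
    try:
        p.renew("alice", "payroll-db", "read", approver="bob", now=t0 + timedelta(days=92))
        renewed_expired = True
    except PermissionError:
        renewed_expired = False

    return {"before": before, "during": during, "after": after,
            "swept": [g.resource for g in swept], "remaining": remaining,
            "renewed_expired": renewed_expired}


if __name__ == "__main__":
    print(demo())
```

Note that `is_allowed` logs every decision, denials included: a burst of DENY entries after a role change is exactly the help-desk signal the text describes, and the audit list is the accountability record for the 3As. In a real deployment the grant store would be the directory or PAM system of record and `sweep_expired` would run as a scheduled job, but the fail-closed check and the no-renewal-after-expiry rule are the parts worth keeping regardless of platform.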

How BeyondTrust Can Help

Eliminating excessive rights on user endpoints is a common starting point for many organizations to close avoidable security gaps, but legacy approaches to solving this problem are insufficient. Existing tools lack visibility into the security profile of applications targeted for elevation, and the risk-reducing effects of eliminating over-privileged users are negated if a vulnerable or exploited application is elevated for use. The traditional approach to solving these endpoint least privilege problems requires security and IT teams to cobble together point tools from multiple vendors resulting in unnecessary complexity and cost, and no visibility into user behavior throughout the enterprise.

BeyondTrust solves this problem by:

  • Removing excessive rights on all endpoints, reducing risk, and simplifying least privilege enforcement
  • Providing visibility into target system and asset security, reducing risk from elevated application vulnerabilities
  • Providing application control on the endpoint, block listing known hacking tools
  • Analyzing and reporting on privileged user and account behavior, reducing risk from anomalies
  • Delivering a modular, integrated platform, speeding implementations and reducing costs

If you would like to learn more about how you can take these best practice recommendations and translate them into real use cases, download my white paper, It’s All About the Endpoint: Protecting and Enabling End Users with Least Privilege.

Photograph of Dr. Eric Cole

Dr. Eric Cole, World Renowned Cybersecurity Expert, CEO of Secure Anchor

World Renowned Cybersecurity Expert with more than 30 years of network security experience, Dr. Eric Cole is a distinguished cybersecurity expert and keynote speaker who helps organizations curtail the risk of cyber threats. Many of the foundational principles of this course and training in cybersecurity were developed by Dr. Cole. He has worked with a variety of clients ranging from Fortune 50 companies, to top international banks, to the CIA, for which he was a professional hacker.
