The Power of One in Least Privilege

Jason Silva, January 24th, 2017

Least Privilege

In everyday life we make decisions – some small, some more important. To do so we determine the goal(s), look at resources available and compare that to what’s on hand. Inevitably, we find one thing that stands out, one top goal to measure success, one major hurdle to overcome, or even, one driver for the project.

Securing corporate assets is no different. Your one goal is simple: Make it harder for attackers to gain a foothold in your environment. This may be driven by best practices, compliance or as a result of a previous breach, but time and again we learn (the hard way) that one of the most impactful ways to secure corporate assets is to enforce standard user privileges and remove admin rights on end-user machines.

But the question becomes, How do you do this? How can you take a machine historically accessed by a company full of administrator users, and secure it; only allowing your users to have standard user rights while still being able to do their jobs?

This is what the concept of least privilege, a key component of privileged access management, is about. One of the critical factors to your success in reducing risks associated with over privileged users, and malicious or vulnerable software, is doing so on every platform in your environment – Windows, Unix, Linux and Mac devices as well as other networking equipment. And while it’s one thing to address excessive privileges on an end-user’s day to day client or server machine, or on devices with a lot of software on them, it’s the often times overlooked on machines used for a single purpose (i.e. kiosks, ATMs, slot machines, etc.) that can be the biggest risks to privilege abuse.

While these types of devices may only have one application that needs to run, we often see this software requiring administrative access to launch. This opens the door for malicious software or hackers as the account used to log into these systems requires administrative access. If the account uses shared credentials across all devices the risk is further compounded.

Why “one” is the most powerful number

This makes ‘one’ a very powerful number. One application can cost your company money, time, reputation. One application can be the doorway into your company. One application can be the difference between a good day and a bad week.

So what’s your One. What is the one the application causing your users to keep admin rights? What’s the one device you wish you had better security around? Check out our white paper, “It’s All About the Endpoint,” to learn some strategies for finding your One.