Least privilege, often referred to as the principle of least privilege (PoLP), refers to the concept and practice of restricting access rights for users, accounts, and computing processes to only those resources absolutely required to perform routine, authorized activities. Privilege itself refers to the authorization to bypass certain security restraints. A least privilege security model entails enforcing the minimal level of user rights, or lowest clearance level, that allows the user to perform his/her role. However, least privilege also applies to processes, applications, systems, and devices (such as IoT), in that each should have only those permissions required to perform an authorized activity.

A Brief Overview of Privileged Accounts & Access

Depending on the system, some privilege assignment, or delegation, to people may be based on role-based attributes, such as business unit (e.g. marketing, HR, or IT), as well as a variety of other parameters (seniority, time of day, special circumstance, etc.). Additionally, various operating systems provide different default privilege settings for different types of user accounts.

Superuser accounts

Primarily used for administration by specialized IT employees, superuser accounts may have virtually unlimited privileges, or carte blanche, over a system. Superuser account privileges can include full read/write/execute privileges, and the power to render systemic changes across a network, such as creating or installing files or software, modifying files and settings, and deleting users and data. In Linux and Unix-like (including macOS) systems, the superuser account, called ‘root’, is virtually omnipotent over the system, while in Windows systems, the Administrator account holds superuser privileges. There are many different types of privileged accounts, but superuser accounts are the most powerful, and, if misused, the most dangerous.

Standard user accounts

Sometimes called least-privileged user accounts (LUA) or non-privileged accounts, standard user accounts have a limited set of privileges. In a least privilege environment, these are the types of accounts that most users should be operating in 90 – 100% of the time.

Guest user accounts

Guest user accounts have access that is even more restricted than that of standard user accounts.

While most non-IT users should, as a best practice, only have standard user account access, some IT roles (such as a network admin) may possess multiple accounts, logging in as a standard user for routine tasks, while logging into a superuser account to perform administrative activities. Because administrative accounts possess more privileges, and thus, pose a heightened risk if compromised or misused compared to standard user accounts, a best practice is to only use these administrator accounts when absolutely necessary, and for the shortest time needed.

In addition to privileged accounts, a least privilege strategy will also need to account for privileged processes within applications, services, etc. For instance, some apps might request access to sensitive resources or require a higher level of privileges to perform a function. As with privileged accounts, applications can be compromised, with the threat actor then able to leverage the elevated privileges of the application to further their attack.

Chief Benefits of Implementing a Least Privilege Model

  • A condensed attack surface: Limiting privileges for people, processes, and applications means the pathways and ingresses for exploit are also diminished.

  • Reduced malware infection and propagation: Malware (and injected code, such as from SQL injection) is denied the privileges necessary to elevate processes and to install or execute itself.

  • Improved operational performance: Limiting the number of privileges to the minimal range of processes to perform an authorized activity reduces the chance of incompatibility issues cropping up between other applications or systems, and helps reduce the risk of downtime.

  • Easier path to compliance: By restricting the potential activities that can be performed, least privilege enforcement helps create a less complex, and thus, a more audit-friendly, environment. Moreover, many compliance regulations (including HIPAA, PCI DSS, FDDC, Government Connect, FISMA, and SOX) require that organizations apply least privilege access policies to ensure proper data stewardship and systems security.

How to Implement Least Privilege

While straightforward conceptually, least privilege access can prove complex to effectively implement, depending on the particular variables, which may include:

  • heterogeneous systems (Windows, Mac, Unix, Linux, etc.)

  • the expanding number and types of applications and endpoints (desktops, laptops, tablets, smartphones, IoT, etc.)

  • diverse computing environments (cloud, virtual, on-prem, hybrid)

  • the many different types of user roles

  • third-party/vendor access

Organizations looking to implement least privilege environments typically rely on automated privileged access management (PAM) solutions, firewalling, network segmentation, and other tools and tactics. Here’s a brief breakdown of each:

Privileged access management (PAM)

Alternatively referred to as privileged identity management (PIM) or simply privilege management, PAM involves the creation and deployment of solutions and strategies to manage and secure accounts, and to control privilege delegation and escalation activities for users, applications, services, processes, tasks, etc. PAM solutions enable organizations to remove admin rights from users (across both servers and desktops), and instead elevate privileges for authorized applications or tasks as needed.
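The following is an added illustration, not code from the original article or from any PAM product: a small just-in-time elevation broker that ties together the account model above (users work from a standard account and are elevated only when necessary and for the shortest time needed), the attribute-based assignment rules mentioned earlier (role and time of day), and the PAM pattern of elevating for an allowlisted task rather than handing out admin rights. The task names, roles, change window and grant lifetimes are constructed assumptions; `clock()` returns timestamps on a fixed constructed day so the example runs without a real clock.

```python
"""Just-in-time elevation broker: an added illustration, not the article's code.

Assumptions (constructed for this example): users run as standard accounts and
ask a broker for elevation; a grant is issued only for an allowlisted task,
only to roles approved for that task, only inside a change window, and only
for a short fixed lifetime. Every decision is appended to an audit trail.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta

# Constructed policy: task -> (roles allowed to request it, grant lifetime in minutes)
ELEVATION_POLICY = {
    "restart-web-service": ({"sysadmin", "webops"}, 15),
    "rotate-db-credentials": ({"dba"}, 10),
}
# Constructed business rule: elevation only inside the 08:00-18:00 change window
CHANGE_WINDOW_HOURS = (8, 18)


def clock(hour, minute=0):
    """Return a timestamp on a fixed constructed day, so the example needs no real clock."""
    return datetime(2024, 1, 10, hour, minute)


@dataclass
class Grant:
    user: str
    task: str
    expires_at: datetime


@dataclass
class Broker:
    audit: list = field(default_factory=list)   # (when, user, task, decision, detail)
    grants: dict = field(default_factory=dict)  # (user, task) -> Grant

    def request(self, user, roles, task, now):
        """Default deny: a grant is issued only when every condition passes."""
        policy = ELEVATION_POLICY.get(task)
        if policy is None:
            return self._deny(user, task, now, "task not allowlisted")
        allowed_roles, minutes = policy
        if not set(roles) & allowed_roles:
            return self._deny(user, task, now, "role not approved for task")
        start, end = CHANGE_WINDOW_HOURS
        if not start <= now.hour < end:
            return self._deny(user, task, now, "outside change window")
        grant = Grant(user, task, now + timedelta(minutes=minutes))
        self.grants[(user, task)] = grant
        self.audit.append((now, user, task, "GRANT", f"expires {grant.expires_at:%H:%M}"))
        return grant

    def is_elevated(self, user, task, now):
        """Elevation is scoped to one task and lapses automatically at expiry."""
        grant = self.grants.get((user, task))
        if grant is None:
            return False
        if now >= grant.expires_at:
            del self.grants[(user, task)]
            self.audit.append((now, user, task, "EXPIRE", ""))
            return False
        return True

    def _deny(self, user, task, now, reason):
        self.audit.append((now, user, task, "DENY", reason))
        return None


if __name__ == "__main__":
    broker = Broker()
    broker.request("alice", ["webops"], "restart-web-service", clock(9))
    print(broker.is_elevated("alice", "restart-web-service", clock(9, 5)))   # True
    print(broker.is_elevated("alice", "restart-web-service", clock(9, 15)))  # False
    broker.request("alice", ["webops"], "rotate-db-credentials", clock(9))   # denied: wrong role
    for entry in broker.audit:
        print(entry)
```

The design choice worth noting is that the elevated state lives in the broker, keyed by user and task, rather than in the user's session: a grant for restarting a web service says nothing about rotating database credentials, and it disappears on its own at expiry, so there is no standing administrator session to forget about.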

Network segmentation

Network segmentation, such as the creation of different zones through firewall configuration and rules, enables the enforcement of least privilege in broad strokes. By controlling access and movement between zones, which may have a different mix of applications and services, firewalls can restrict users broadly based on privileges. Firewalls, for instance, are often used to create a DMZ (demilitarized zone) between a corporate network and the public network. Firewalls can also block unauthorized privilege elevation activity (such as from service requests) based on rules applicable to the zone.

Separation of privilege

Separation of privilege involves isolating different types of privileged and non-privileged accounts and activities, as well as compartmentalizing privileges for different application and system sub-tasks or processes. This essentially creates moats around users and system/application processes, condensing the attack surface by reducing the ability for lateral movement.
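An added example (not from the original article) of the "moat" idea applied inside a single application: each sub-task receives a handle to a shared resource that forwards only the operations that sub-task was granted, so a component that misbehaves, or is compromised, cannot reach operations it never needed. `ConfigStore`, `Attenuated`, `grant` and the task functions are constructed names for this illustration.

```python
"""Separation of privilege inside an application: an added illustration,
not the article's code. Each sub-task holds only a narrowed handle to a
shared resource; the narrowing is enforced by the handle itself, not by
trusting the component to behave. All names here are constructed."""


class ConfigStore:
    """Constructed shared resource offering read, write and delete."""

    def __init__(self):
        self.records = {"log_level": "info", "admin_contact": "ops@example.invalid"}

    def read(self, key):
        return self.records[key]

    def write(self, key, value):
        self.records[key] = value

    def delete(self, key):
        del self.records[key]


class Attenuated:
    """Proxy that forwards only the operations named in `allowed`.

    Any other attribute access raises PermissionError, so a component that
    holds a read-only handle cannot reach write or delete even by name.
    """

    def __init__(self, target, allowed):
        self._target = target
        self._allowed = frozenset(allowed)

    def __getattr__(self, name):
        # Only invoked for names not found on the proxy itself, i.e. operations
        if name not in self._allowed:
            raise PermissionError(f"operation '{name}' was not granted to this component")
        return getattr(self._target, name)


def grant(target, *operations):
    """Hand a component a handle limited to the listed operations."""
    return Attenuated(target, operations)


def report_task(handle):
    """A reporting sub-task needs only to read, so it is given only read."""
    return f"log_level={handle.read('log_level')}"


def attempt(handle, operation, *args):
    """Try an operation through a handle and report whether the moat held."""
    try:
        getattr(handle, operation)(*args)
        return "allowed"
    except PermissionError:
        return "blocked"


if __name__ == "__main__":
    store = ConfigStore()
    reader = grant(store, "read")            # reporting component
    editor = grant(store, "read", "write")   # configuration component
    print(report_task(reader))                               # log_level=info
    print(attempt(reader, "delete", "log_level"))            # blocked
    print(attempt(editor, "write", "log_level", "debug"))    # allowed
    print(attempt(editor, "delete", "log_level"))            # blocked
```

In a real system the same shape appears as separate OS accounts or service principals per process, scoped API tokens, or database roles with only the statements each service needs; the point is that the handle a component holds defines the privilege, so compromising that component yields only that handle's operations.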

Systems hardening

Systems hardening entails the elimination of unnecessary programs, accounts, and services. A common systems hardening use case is the closing of unneeded firewall ports. This practice not only markedly improves security posture by reducing the attack surface, but also reduces complexity and simplifies the environment.
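As an added example of the hardening check behind "closing unneeded ports" (not code from the original article), the script below parses the output of the real iproute2 command `ss -ltn` (listening TCP sockets, numeric ports) and compares it with an allowlist of ports the host is supposed to expose. The sample output and the allowlist are constructed for the example; on a real host you would pipe live `ss -ltn` output into `audit()` instead.

```python
"""Audit of listening TCP ports against an allowlist: an added illustration,
not the article's code. Parses `ss -ltn` output (constructed sample below)
and separates allowlisted services, loopback-only services, and services
exposed on a routable address that were never approved."""

# Constructed allowlist: the only TCP ports this host is expected to expose.
ALLOWED_PORTS = {22, 443}

# Constructed sample of `ss -ltn` output for a host with two surplus listeners.
# The column layout follows iproute2's ss; the rows themselves are made up.
SAMPLE_SS_OUTPUT = """\
State   Recv-Q  Send-Q   Local Address:Port   Peer Address:Port  Process
LISTEN  0       128            0.0.0.0:22          0.0.0.0:*
LISTEN  0       511            0.0.0.0:443         0.0.0.0:*
LISTEN  0       128          127.0.0.1:3306        0.0.0.0:*
LISTEN  0       4096           0.0.0.0:8080        0.0.0.0:*
LISTEN  0       128               [::]:22             [::]:*
"""

LOOPBACK_ADDRESSES = {"127.0.0.1", "::1"}


def parse_listeners(ss_output):
    """Return (address, port) pairs for every LISTEN row, skipping the header."""
    listeners = []
    for line in ss_output.splitlines():
        fields = line.split()
        if len(fields) < 5 or fields[0] != "LISTEN":
            continue
        # rsplit on the last colon keeps IPv6 literals such as [::]:22 intact
        address, port = fields[3].rsplit(":", 1)
        listeners.append((address.strip("[]"), int(port)))
    return listeners


def audit(ss_output, allowed_ports):
    """Classify each listener as allowlisted, loopback-only, or exposed and unapproved."""
    result = {"allowed": [], "loopback_only": [], "exposed": []}
    for address, port in parse_listeners(ss_output):
        if port in allowed_ports:
            result["allowed"].append((address, port))
        elif address in LOOPBACK_ADDRESSES:
            # Not reachable from the network, but still a service to justify or remove
            result["loopback_only"].append((address, port))
        else:
            # Bound to 0.0.0.0 or :: (all interfaces) without approval
            result["exposed"].append((address, port))
    return result


if __name__ == "__main__":
    findings = audit(SAMPLE_SS_OUTPUT, ALLOWED_PORTS)
    for address, port in findings["exposed"]:
        print(f"REMOVE OR FIREWALL: {address}:{port} is reachable and not allowlisted")
    for address, port in findings["loopback_only"]:
        print(f"REVIEW: {address}:{port} is local-only; confirm the service is still needed")
```

The distinction between the two findings matters in practice: an unapproved service bound to all interfaces is both a firewall question and a "why is this running" question, whereas a loopback-only listener is not exposed to the network but still represents a program and account that hardening says should not exist unless justified.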