Permissions, accounts or logons: Where do you draw the line for least privilege?
Identify privilege anomalies and let IT respond before a breach takes place, by enforcing least privilege for access management at the logon.
Updated June 6, 2023
Captain Picard (from Star Trek: The Next Generation) has produced some memorable quotes. One of them comes from an episode in which the Federation is fighting the Borg, where Picard says, of the point at which they must stand and fight:
“The line must be drawn here! This far, no further!”
And it got me thinking: where do IT organizations today draw the line for least privilege?
It’s important to establish, implement, and enforce minimum levels of access within the organization to limit the risk from insider threats and from external attackers misusing credentials.
Doing so sets a firm security foundation, but on its own it does little to stop those credentials, low-level and elevated alike, from being misused once someone holds them.
There are a few key factors that will help determine whether your choice of location for waging battle is correct:
You need to be able to identify the enemy
You need to see the enemy coming before they strike
You need to be able to respond to the attack immediately
There are a number of places where IT organizations “draw the line.” Let’s look at each to understand which is appropriate for ensuring the intent of least privilege is maintained within your organization in practical application.
One of the foundational elements of a solid least privilege strategy is the use of restricted permissions: providing the minimum access necessary for each user to do their job.
There are a few issues with drawing the line here.
Firstly, permissions need to change over time, which means your “fight” is maintaining a constantly changing set of varying permissions for a potentially massive number of users. It’s like shooting arrows in every direction, at varying distances, never truly certain whether you’re having an impact.
Secondly, while putting up the fight here does restrict who has access, once a user logs on with their credentials (or an attacker obtains those credentials and logs on with them), it’s essentially a free-for-all within the confines of whatever access that account has.
So does drawing the line at permissions work? In short, no. None of the three criteria are met. Attackers (insider and external alike) are using approved credentials with approved permissions, which makes identifying the enemy from permissions alone impractical. And even if you could, changes to an account’s group membership (specifically in a Windows environment, where group SIDs are baked into the access token at logon) have no effect on a session that is already logged on; they only apply at the next logon.
Another place IT organizations feel they are putting up a fight is by restricting who has access to elevated accounts, by requiring users to use separate low-level and elevated accounts, or by using privileged account management (PAM) solutions to control who can check out elevated accounts.
The challenge with fighting here is that organizations tend to focus their restriction efforts on the highest-level elevated accounts (e.g. Windows domain administrators). A lower-level salesperson’s account with access to customer data is not a priority, even though the data it can reach is valuable.
So does drawing the line at accounts work? Sort of. If a PAM solution is in use, drawing the line here has some degree of effectiveness: requests to use a high-level privileged account will draw the attention of IT, making this a good place to ensure least privilege is enforced. But for accounts not considered “worthy” of that treatment, such as the Accounts Payable clerk or the aforementioned salesperson, drawing the line at accounts will be a waste of time.
Logons are generally considered outside the scope of least privilege, mostly because the concept focuses on the two facets above: accounts and permissions.
But logons, in many ways, put least privilege to the test. If an account is compromised by an external attacker or misused by an insider, the usual logon patterns (time and day, frequency, endpoint used, and so on) are likely to be broken, even when the evildoer is trying to avoid detection.
Logons meet all three criteria.
You can identify the enemy by the aforementioned logon anomalies.
Logons also represent an event that occurs before damage is done.
Lastly, with a solid logon management solution in place, you can take immediate action, such as notifying IT of abnormal logon activity, or even logging the user off and disabling the account.
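The three criteria above, identify, see it coming, respond, map directly onto a simple logon-anomaly check. The following is an added example written for this post, not code from the original article or from any product it describes. It builds a per-user baseline from a week of constructed Windows-style logon records (the fields loosely follow Security event 4624: account, time, source workstation, logon type) and then scores new logons against that baseline, returning the response the post describes: allow, alert IT, or log the user off and disable the account. The user names, workstations, thresholds and the "two anomalies means cut the session" policy are assumptions chosen for the illustration.

```python
"""Logon anomaly detection over constructed Windows-style logon records.

Added example for this post (not the article's or any vendor's code).
Baseline = the hours, weekdays, source workstations, logon types and
per-hour logon rate seen in a user's historical successful logons.
"""
from collections import defaultdict
from dataclasses import dataclass, field
from datetime import datetime, timedelta


@dataclass(frozen=True)
class Logon:
    user: str
    when: datetime
    workstation: str
    logon_type: int  # Windows convention: 2 interactive, 3 network, 10 RemoteInteractive (RDP)


@dataclass
class Baseline:
    workstations: set = field(default_factory=set)
    hours: set = field(default_factory=set)
    weekdays: set = field(default_factory=set)
    logon_types: set = field(default_factory=set)
    max_per_hour: int = 0  # busiest clock hour seen in history


def build_baselines(history):
    """Derive each user's 'usual' logon profile from past successful logons."""
    baselines = defaultdict(Baseline)
    per_hour = defaultdict(int)  # (user, clock-hour bucket) -> logon count
    for ev in history:
        b = baselines[ev.user]
        b.workstations.add(ev.workstation)
        b.hours.add(ev.when.hour)
        b.weekdays.add(ev.when.weekday())
        b.logon_types.add(ev.logon_type)
        per_hour[(ev.user, ev.when.replace(minute=0, second=0, microsecond=0))] += 1
    for (user, _), n in per_hour.items():
        baselines[user].max_per_hour = max(baselines[user].max_per_hour, n)
    return dict(baselines)


def score_logon(baseline, ev, recent):
    """Return the baseline rules this logon breaks (empty list = normal).

    `recent` holds the same user's logons from the previous hour, for a burst check."""
    reasons = []
    if ev.workstation not in baseline.workstations:
        reasons.append(f"new endpoint {ev.workstation}")
    if ev.when.hour not in baseline.hours:
        reasons.append(f"unusual hour {ev.when.hour:02d}:00")
    if ev.when.weekday() not in baseline.weekdays:
        reasons.append("unusual weekday")
    if ev.logon_type not in baseline.logon_types:
        reasons.append(f"unusual logon type {ev.logon_type}")
    if len(recent) + 1 > baseline.max_per_hour:
        reasons.append(f"burst: {len(recent) + 1} logons in an hour")
    return reasons


def respond(reasons):
    """Assumed policy: one anomaly notifies IT, two or more ends the session."""
    if not reasons:
        return "allow"
    if len(reasons) == 1:
        return "alert"
    return "logoff_and_disable"


def evaluate(history, new_events):
    """Score a batch of new logons in time order; returns (event, reasons, action) triples."""
    baselines = build_baselines(history)
    seen = defaultdict(list)  # user -> logons already processed in this batch
    results = []
    for ev in sorted(new_events, key=lambda e: e.when):
        b = baselines.get(ev.user)
        if b is None:  # an account with no history is itself worth a look
            results.append((ev, ["no baseline for user"], "alert"))
            continue
        recent = [e for e in seen[ev.user] if ev.when - e.when < timedelta(hours=1)]
        reasons = score_logon(b, ev, recent)
        results.append((ev, reasons, respond(reasons)))
        seen[ev.user].append(ev)
    return results


def _t(day, hour, minute):  # helper for the constructed June 2023 sample data
    return datetime(2023, 6, day, hour, minute)


# Constructed history: a salesperson logging on weekdays, office hours, one PC.
HISTORY = [
    Logon("jsmith", _t(5, 8, 30), "SALES-PC01", 2), Logon("jsmith", _t(5, 9, 0), "SALES-PC01", 3),
    Logon("jsmith", _t(6, 8, 10), "SALES-PC01", 2), Logon("jsmith", _t(6, 8, 45), "SALES-PC01", 2),
    Logon("jsmith", _t(7, 8, 25), "SALES-PC01", 2), Logon("jsmith", _t(8, 8, 40), "SALES-PC01", 2),
    Logon("jsmith", _t(9, 8, 35), "SALES-PC01", 2),
]

# Constructed new events: normal logon, new PC, a burst, a 2am Saturday RDP from an unknown host.
NEW_EVENTS = [
    Logon("jsmith", _t(12, 8, 32), "SALES-PC01", 2),
    Logon("jsmith", _t(13, 9, 5), "SALES-PC02", 2),
    Logon("svc_backup", _t(13, 3, 0), "DC01", 3),
    Logon("jsmith", _t(14, 8, 5), "SALES-PC01", 2),
    Logon("jsmith", _t(14, 8, 20), "SALES-PC01", 2),
    Logon("jsmith", _t(14, 8, 40), "SALES-PC01", 2),
    Logon("jsmith", _t(17, 2, 15), "WS-UNKNOWN77", 10),
]

if __name__ == "__main__":
    for ev, reasons, action in evaluate(HISTORY, NEW_EVENTS):
        print(f"{ev.when:%a %d %H:%M} {ev.user:<10} {action:<18} {'; '.join(reasons)}")
```

Each rule alone is weak evidence (a salesperson does occasionally get a new PC), which is why the response is tiered: a single anomaly notifies IT, while a logon that breaks several rules at once, here an RDP session at 02:15 on a Saturday from a workstation never seen before, is cut off immediately. In a real deployment the baseline would be refreshed continuously and the thresholds tuned per role.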
“Drawing the line” is about finding the spot in your security where you will pitch your tents, post lookouts to spot the approaching enemy, and have a counterattack ready to strike.
Of the three parts of your security discussed here, only the logon gives organizations a tactical advantage: the enemy needs to log on in order to succeed. Take that away and the credentials they hold are of no use to them.
As Captain Picard says “The line must be drawn here! This far, no further!”