Protect Data with the Principle of Least Privilege

Posted by: Today's Tip Contributor on December 29, 2010

Malicious insiders account for nearly 50 percent of all data breaches and pose a significant threat to sensitive enterprise information. This data ranges from proprietary research information, corporate best practices, Social Security and credit-card numbers, and other confidential, personally identifiable information.

For any organization, it’s imperative that sensitive information remains secure. Meeting the regulatory requirements to safeguard valuable information is critical, and meeting the compliance mandates to do so can be challenging. By leveraging the principle of least privilege, organizations can develop better internal controls and best practices for accessing sensitive information and enforcing separation of duties—granting the minimum privileges necessary for employees to perform their specific tasks—and nothing more. These controls manage conflicts of interest and ensure that employees do not have toxic privilege combinations that can lead to theft or other business disruptions.

As attackers increasingly target large databases—and the costs associated with data breaches continue to rise—insider misuse poses a threat not just to the integrity of the data, but to the viability of the company.

Here are some steps every organization should take to implement the principle of least privilege:

Map job functions to privileges on IT assets. Determine and document the access to IT resources required for each job function across the organization in a least-privilege policy. Build a process to ensure all employees are assigned the documented privileges required to complete their daily job activities and nothing more.

Never assign privileges directly to guest accounts or public. Restrict privileges to the specific roles and accounts that need them. Granting privileges to guest accounts or anonymous groups almost always leads to violations of the principal of least privilege.

Untangle the web of user entitlements. Whether it’s done by hand or by using software, organizations should continuously assess user entitlements to understand exactly what privileges each employee has. Having a detailed, accurate inventory of privileges is a prerequisite to implementing your least-privilege policy and weeding out toxic combinations of privileges that may have been inherited over time.

Implement compensating controls for what you can’t fix. Monitor user privileges that cannot be modified or restricted to ensure that access isn’t being abused or misused, putting the greatest scrutiny on the most highly privileged users. After monitoring specific users or groups, you will likely find that you have the opportunity to make adjustments to your least-privilege policy. You might also identify users who are abusing their privileges by stealing data, manipulating information, or even inadvertently mishandling information. That’s a trigger you can use to kick off incident response and potentially pursue additional actions such as termination or prosecution.

Josh Shaul
Vice-President of Product Management
Application Security
New York

Reader Comments

Bill Couture

December 29, 2010 4:34 PM

Several problems I see. This stuff is a good idea in medium sized and up businesses but in the really small 1) there aren't the resources to do it and 2) Everyone has to sub for everyone else's job anyway. Trying this type of stuff results either in poor service and costs customers or everyone trades passwords so that things can get done. You really have to be large enough that everyone has a backup to do good security.

Again not saying these aren't good ideas, only that a business has to be big enough to allow them to work. In a small business the best way to handle security is to get and keep trustworthy people which is also expensive.

Post a comment

 

About

Want to improve the way you run your business? Entrepreneurs, academics, and consultants from diverse industries offer practical advice on a variety of topics each business day.

To submit a tip for consideration, first check our archive of previous tips to make sure you're not repeating a tip someone has already contributed. Then send the tip to Small Business channel contributor Michelle Dammon Loyalka. Because of the volume of material she receives, she may not respond to each individual.

BW Mall - Sponsored Links

Buy a link now!