Principle of Least Privilege

What is The Principle of Least Privilege?

The Principle of Least Privilege (PoLP) is an important security concept, also known as the principle of minimal privilege or the principle of least authority. It holds that every user, process and device in a system should be granted only the minimum set of permissions needed to perform its legitimate tasks, and nothing more.

An administrator following least privilege grants each account only the access required to perform specific, legitimate tasks. The principle applies to user accounts in computer systems, but it applies equally to people, processes and devices in the real world.

Least privilege does not eliminate risk, but when properly implemented it limits the damage that can be done if a user account (or process or device) is compromised or misused: a stolen credential carries only the permissions that account actually needed.

Example Scenarios of Least Privilege

Least Privilege success example:

Tom is a Senior Manager at a large financial services firm. He is an experienced and well-respected strategist in his field but a self-confessed novice when it comes to technology. The IT department configures Tom’s user account so that useful reports and statistics for his projects and teams appear on a dashboard, where he can track details and oversee his teams. However, they do not grant Tom the ability to directly read or write individual customer records (even though, as a senior manager, he could request those details through IT). Tom’s account also has no direct access to the database server, even though it holds data for projects that he oversees.

One day, the firm’s intrusion detection system (IDS) flags strange behavior logged under Tom’s user account. An external IP address has used Tom’s credentials to log in and has attempted to read sensitive customer data and to dump tables from the database server. The system denied every one of these requests, because Tom’s account was never granted those permissions, and temporarily suspended the account after repeated attempts to act outside its privileges.

IT contacts Tom about the activity, and Tom confirms that he did not take those actions. He did, however, enter his login details on an unfamiliar website after receiving an email asking him to verify his account. The IT department helps Tom change his credentials, reviews all recent and out-of-pattern activity performed with them, and gives Tom one-on-one training on recognizing phishing emails in the future.

In this scenario, no customer information was exposed and the database was not breached: the attacker held a valid credential, but that credential carried no useful privileges, because the principle of least privilege had been applied successfully.

Least Privilege failure example:

Garth is the new CEO of a healthcare services company. As the IT department sets up his accounts and credentials, Garth insists that no restrictions be placed on his account. He asserts firmly and confidently that he is a computer expert, that he never falls for phishing schemes, and that he needs the flexibility to install software, access all resources, and make any change he wishes anywhere in the company’s infrastructure. Expedience matters to Garth; moving fast is how he does business, and he has no time to file requests with IT. He insists that any policy limiting his actions conflicts with this approach and must be changed immediately.

The IT department accedes to Garth’s wishes. He is, after all, the CEO, and access to all of the company’s data is within his purview.

Shortly afterwards, an IT analyst notices a high volume of traffic, both inside the corporate network and at the perimeter, sending data out of the network. The traffic originates from many points within the network: key database servers are running large batch jobs and several other systems are serving unusual requests. Much of this activity is running under Garth’s unrestricted account credentials.

An investigation finds that, in the name of expedience, Garth reused at work the same password he uses elsewhere. Garth had also had the policy requiring two-factor authentication reversed, since it slowed him down when logging in from home at night. True to his word, Garth did not fall for any phishing scheme. Instead, attackers obtained his password from a recent, massive breach elsewhere that exposed the credentials of more than 20 million users, and simply replayed it against the company’s systems.

In the end, the company is able to execute its disaster recovery plan, but it suffers several weeks of severely impacted productivity and has to report a massive breach of its own, including many thousands of medical records. Sales are severely impacted, and the company faces legal challenges from patients and clients and from several industry and government oversight bodies over the exposure of Protected Health Information (PHI) protected under HIPAA.

In this scenario, the principle of least privilege was disregarded, with severe consequences. Even the best security teams cannot fully avoid risk (here, a breach elsewhere handed attackers a valid password), but insisting on best practices like least privilege and multi-factor authentication greatly reduces exposure when the unexpected happens. Had Garth’s account held only the permissions a CEO actually uses day to day, the stolen password would not have given the attackers batch access to every database server.
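The two scenarios above differ only in what the compromised credential was allowed to do. The following is an added example, not code from the original page: a default-deny authorization check with an explicit per-role allow-list and a lockout after repeated out-of-privilege requests, replayed against a least-privilege account (Tom) and an unrestricted account (Garth) using the same stolen credential. The permission and role names, the lockout threshold and the attacker session are all assumed for illustration.

```python
"""Default-deny authorization with lockout on repeated denials (added example).

Permission identifiers, role names, the lockout threshold and the attacker
session below are constructed for illustration, not taken from any product.
"""
from dataclasses import dataclass, field

# Hypothetical permission identifiers.
DASHBOARD_READ = "dashboard:read"
CUSTOMER_PII_READ = "customer_pii:read"
CUSTOMER_PII_WRITE = "customer_pii:write"
DB_DUMP = "db:dump"
SOFTWARE_INSTALL = "software:install"

ALL_PERMISSIONS = frozenset(
    {DASHBOARD_READ, CUSTOMER_PII_READ, CUSTOMER_PII_WRITE, DB_DUMP, SOFTWARE_INSTALL}
)

# Role -> explicit allow-list. Anything not listed is denied (default deny).
ROLES = {
    "senior_manager": frozenset({DASHBOARD_READ}),  # Tom: dashboard only
    "unrestricted": ALL_PERMISSIONS,                 # Garth: no restrictions
}

# Suspend an account after this many denied requests (assumed threshold).
LOCKOUT_THRESHOLD = 3


@dataclass
class Account:
    user: str
    role: str
    denied_attempts: int = 0
    suspended: bool = False
    audit_log: list = field(default_factory=list)  # what the IDS would see


def authorize(account: Account, permission: str) -> bool:
    """Return True only if the account's role explicitly allows the permission.

    Denials are counted; once LOCKOUT_THRESHOLD is reached the account is
    suspended and every later request is refused, even ones the role allows.
    """
    if account.suspended:
        account.audit_log.append(f"{account.user} {permission} DENY suspended")
        return False
    if permission in ROLES.get(account.role, frozenset()):
        account.audit_log.append(f"{account.user} {permission} ALLOW")
        return True
    account.denied_attempts += 1
    account.audit_log.append(f"{account.user} {permission} DENY not-in-role")
    if account.denied_attempts >= LOCKOUT_THRESHOLD:
        account.suspended = True
        account.audit_log.append(
            f"{account.user} SUSPENDED after {account.denied_attempts} denials"
        )
    return False


# Constructed attacker session: what someone holding a stolen credential tries
# to do (read customer records, dump the database, alter data, add software).
ATTACKER_SESSION = [CUSTOMER_PII_READ, DB_DUMP, DB_DUMP, CUSTOMER_PII_WRITE, SOFTWARE_INSTALL]


def replay(account: Account, actions: list) -> list:
    """Replay a session of permission requests; return each allow/deny outcome."""
    return [authorize(account, action) for action in actions]


def compare_outcomes() -> dict:
    """Run the same stolen-credential session against both kinds of account."""
    tom = Account("tom", "senior_manager")
    garth = Account("garth", "unrestricted")
    return {
        "tom": replay(tom, ATTACKER_SESSION),
        "tom_suspended": tom.suspended,
        "tom_log": tom.audit_log,
        "garth": replay(garth, ATTACKER_SESSION),
        "garth_suspended": garth.suspended,
        "garth_log": garth.audit_log,
    }


if __name__ == "__main__":
    result = compare_outcomes()
    for line in result["tom_log"] + result["garth_log"]:
        print(line)
```

With Tom's account every request in the session is denied and the third denial suspends the account, so the attacker gets nothing and the audit log gives the IDS a clear signal; with Garth's unrestricted role every request succeeds and the log shows only ALLOW entries, which is why the activity in the second scenario went unnoticed until the exfiltration traffic itself stood out.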

Synonyms / Acronyms

  • Least Privilege
  • PoLP / POLP
  • [Principle of] Minimal Privilege
  • [Principle of] Least Authority
