As the cybersecurity landscape grows more complex, we are inundated with stories of bad actors, ransomware attacks, and breaches, suggesting that the threat of a cybersecurity event is imminent. Considering such an event is not an “if”, but a “when” proposition, ensuring that your attack surface is as small as possible and your most critical assets are safeguarded is paramount.
In an industry full of buzzwords, the Principle of Least Privilege (PoLP)¹ is a foundational concept that gets thrown around but rarely adopted in a complete way. However, as new threats continue to emerge and old threats (such as USB drive drops) are rebooted in creative new ways, it is essential to pause and reflect: Do you know if your organization is truly practicing least privilege in a comprehensive fashion?
Why Should I Adopt the Principle of Least Privilege?
In case you are not aware of the cybersecurity attacks happening around the world, there are plenty of reasons why large organizations should be paying attention to their least privilege approach. By NOT implementing least privilege in a meaningful way, organizations expose themselves to significant risks:
- Increased attack surface: Access to more resources means more potential harm.
- Insider threat: Excessive access to critical or sensitive resources increases both the likelihood and potential damage of intentional or accidental insider activity.
- Malware propagation: If an account with excessive privilege becomes compromised, the propagation of malware is more rapid. Utilizing the PoLP can limit potential malware damage by substantially reducing the blast radius.
- Data breaches: Excessive access to resources means that when an account gets “pwned”, malicious actors have access to steal, destroy, or modify sensitive data (including Personally Identifiable Information or “PII”).
- Elevated regulatory scrutiny: Regulatory bodies that provide oversight are keenly in tune with the need for PoLP; if you aren’t practicing PoLP, then you can’t demonstrate how you are protecting your customers.
- Compliance violations: Standards such as HIPAA, GDPR, PCI DSS, CPPA, etc., explicitly call for controls to limit access to customer and employee PII. By neglecting these mandates, your organization could be exposed to heavy fines and/or major business disruptions.
The Benefits of Adopting the Principle of Least Privilege
This article isn’t all “doom and gloom.” Organizations that operationalize least privilege (and security in general) may realize real business benefits. Applying streamlined security principles to business processes often makes them work better.
- Maintenance of an Identity and Access Management (IAM) program becomes exponentially more difficult when permissions are made ambiguous through multiple layers of group nesting, circular nesting, excessive membership, excessive access, etc.
- Systems can become overwhelmed by needlessly complex permission structures, to the point where it can impact directory services and application performance, especially when implementing Zero-Trust Architecture (ZTA).²
- Annual attestations (audit and regulation) become either burdensome or meaningless if you do not truly know what access you are granting your employees and contractors by way of complex group memberships.
- Incident response and attribution can be more complicated and difficult to resolve if group memberships are too large, or permissions are too nested, as differentiating suspicious activity from legitimate access can lead to a needle-in-a-haystack scenario for investigators and responders.
How to Properly Implement Least Privilege
The critical first step to properly implementing least privilege is understanding ownership. Most organizations have countless Microsoft Active Directory (AD) groups which were created by employees who have moved on to other roles or projects or even by contractors. In most cases, these groups were never thoughtfully reassigned to their logical successors or are poorly understood. While attempting to inventory and identify the owner of every local resource and AD account can be daunting, it is mission-critical to properly implement least privilege.
Retire and Flatten Empty Groups
The next step is identifying the deadweight: empty groups. This refers to AD groups with no members. You may wonder what harm can come from leaving a mosaic of empty groups across your environment. Consider the advantage empty groups give to a bad actor, whether it’s a trusted insider or a malicious actor who has gained a foothold in your network. By enumerating empty groups, a sophisticated actor can add themselves as a member and inherit the rights and permissions of that group, usually without detection, since an empty group typically has no owner. These groups need to be flattened and retired as much as possible unless there is a specific purpose for an empty group (e.g., some processes that require temporary elevation of permissions).
Deal with Stale Membership
While there might be the occasional good reason why a group’s membership has not changed in five years, it is more often an oversight where an application or resource has been deprecated or abandoned. Ensure that group and resource owners are accountable partners in your least privilege journey and properly retire any groups, data shares, and applications which no longer serve a purpose.
Clean Up Excessive Membership
Groups with excessive membership can be more dangerous than ones with stale or no membership, because it often means that resources have been overprovisioned. When most people think of least privilege, this is their first (and maybe only) thought. However, it is important to validate that each member of a group has a need to be there. This can be a tedious and daunting task, but it is vital and necessary.
Get Visibility and Control Over Nested Groups
Nesting is the next item on our “to-do” list. There are times when a sensitive resource or data-store might only be accessible by a handful of groups, but the way groups are “nested” might mean that those few groups each have a few groups of their own. This can continue down a line of nested groups until you reach a group with excessive membership, or a group granting access to the wrong people. Layers of HR data, customer data, or intellectual property may now be a couple of clicks away for every employee, contractor, and consultant who has an account in your company.
Nesting is often the most difficult issue to unpack due to its intertwined and complex nature. Occasionally, a parent group in the nesting chain is added to one of its child groups (or one of their children), leading to what is called a “circular nest”. Now every member of that circle is a member of every group within it. This leads not only to a violation of least privilege, but also to system performance issues, as an infinite loop now exists for authentication of systems which call this resource. While it’s best practice to have some shallow nesting, heavy nesting can be a logistical challenge that few want to take on, as it is tedious, time-consuming, and requires meticulous understanding of each resource in the chain and unwavering attention to detail.
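The empty-group and nesting checks described above can be run against an exported group-to-member map. The following is an added example, not code from the original article or from any SPHERE product; the group names, user names, and the export format are constructed for illustration.

```python
# Constructed sample export (hypothetical names): group -> direct members.
# A member that is not itself a key is treated as a user account.
GROUPS = {
    "HR-Data-Readers": ["HR-Staff", "alice"],
    "HR-Staff": ["HR-Contractors", "bob"],
    "HR-Contractors": ["All-Contractors"],
    "All-Contractors": ["carol", "dave", "erin"],
    "Finance-Share": ["Finance-Leads"],
    "Finance-Leads": ["Finance-Ops", "frank"],
    "Finance-Ops": ["Finance-Share", "grace"],  # closes a circular nest
    "Legacy-App-Admins": [],                     # empty group
}


def empty_groups(groups):
    """Groups with no direct members: candidates for retirement."""
    return sorted(g for g, members in groups.items() if not members)


def nested_reach(groups, start):
    """Groups reachable from start via nesting; the visited set makes it cycle-safe."""
    reach, stack = set(), [start]
    while stack:
        for member in groups[stack.pop()]:
            if member in groups and member not in reach:
                reach.add(member)
                stack.append(member)
    return reach


def effective_users(groups, root):
    """Every user who holds root's access, directly or through nested groups."""
    chain = {root} | nested_reach(groups, root)
    return {m for g in chain for m in groups[g] if m not in groups}


def circular_nests(groups):
    """Sets of groups that are (transitively) members of each other."""
    reach = {g: nested_reach(groups, g) for g in groups}
    nests = {frozenset(h for h in reach[g] if g in reach[h])
             for g in groups if g in reach[g]}
    return sorted(sorted(n) for n in nests)


if __name__ == "__main__":
    print("empty:", empty_groups(GROUPS))
    print("circular:", circular_nests(GROUPS))
    for g in GROUPS:
        direct = [m for m in GROUPS[g] if m not in GROUPS]
        print(f"{g}: {len(direct)} direct users, {len(effective_users(GROUPS, g))} effective")
```

In the sample data, "HR-Data-Readers" lists one user directly but grants access to five once nesting is resolved, which is the gap an access review has to surface.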
Does this Seem Like a Lot?
If this seems like a lot, it’s because implementing the Principle of Least Privilege can indeed be a heavy lift.
Each of these tasks requires its own allotment of time and resources, with some (like cleaning up nested groups) proving to be extremely demanding projects. One of the best ways to effectively address these issues is to deploy an automated identity hygiene solution that can showcase the full inventory of accounts, groups and their members, and privileged access that doesn’t meet security policy. Look to implement processes to identify and fix problematic Active Directory (AD) groups, prune access, and drive standardization of access controls. Also, provide mechanisms to certify and understand how changes impact critical systems and enable teams to prioritize and remediate policy violations.
Once you manage to get your environment unraveled, you’ll want to put processes in place to ensure you can routinely recertify ownership and membership, so you won’t have to untangle another huge mess in the future.
SPHERE staff contributors include Ronald Read, Chris Nicol, and James Wilde.