401 Access Denied Ep.05 | What the Heck is Least Privilege Security Anyway?

401 Access Denied Podcast Icon

Least Privilege has become a pervasive term in cyber security these days. But what does Least Privilege actually mean? How has Zero Trust transformed into building trust and adaptive security that helps employees do their jobs efficiently and securely? Join Joseph Carson, Chief Security Scientist from Thycotic and author of “Least Privilege for Dummies,” along with Mike Gruen from Cybrary as they dive into the topic of Least Privilege and how it can transform an organization with more automation.

Hosted by: Joseph Carson, Mike Gruen
Length: 28 minutes
Released on: July 1st, 2020
401 Access Denied Podcast Icon
Listen to the Audio
Enjoyed this podcast?
Share it with friends now!

In this podcast, Joseph and Mike will be discussing the concept of least privilege and what it actually means. With the attack surface area of organizations growing it has become important to control who and how accesses the environment. Everyone required to access the environment should be enabled only with enough, to be able to fulfil their job and responsibilities without being hindered. It has often been the case where it has been seen that employees have more access than required as the access controls are not implemented properly and don't distinguish employees based on their responsibilities. Such employees are a risk to an organisation and a very lucrative target for attackers. If attackers get hold of such accounts, they can move in the environment very easily and wreak havoc. Implementing least privilege access should not be seen as a road blocker rather an enabler for business, where people are very much aware of what their responsibilities are and their access can’t be abused.

There are few metaphors that have been used to illustrate how privilege access if not implemented properly can be misused. We can relate to a scenario of hotels. When we reach a hotel we are provided access cards to our room. Using that card we can access only our room and common access places like a lift. Also, we may have observed the hotel staff can access each and every gate of the hotel, be it rooms, lifts or storage. This kind of access should not be given to a person as if a staff loses his/her card or decided to go rogue may end up causing damage to the hotel and invading the privacy of the guests. If we relate the same thing to a corporate environment, an employee having a high level of access may end up opening gates for an attacker or invading the sensitive data which he/she shouldn’t have access to.

Least privilege concept is a way of check and proceeds which if implemented properly is a great way to control access to an environment. People should be encouraged to only entertain the access as required for their jobs and no more, no less. Proper training should be in place and means for an employee to reach out to for understanding what proper access looks like. The policies implemented should be very clear and comprehensible for the employees.


Joseph: Welcome to the four not one access denied podcast. My name is Joseph Carson, chief security scientist at thycotic and cohost of the show. This podcast is all about making cybersecurity easy, usable, and fun. Come back every two weeks to listen in and learn about what's the latest news, or even submit your own questions via the community.

Joseph: Hey, Mike, how you doing? Welcome to another episode here of four not one access denied tonight. So another fun topic for our audience to listen to today.

Mike: Yeah, very excited about this one.

Joseph: Yeah. And so it's one that can be quite confusing. I think a lot of people can have misinterpreted to they don't understand what it means and, and the emphasis in. And, and we're going to try and simplify it today. We're going to try and make it easy and we're going to try and make it fun as well. Cause I'd like to add a few bit of metaphors as well to try and simplify things. And the topic today is the principle of least privilege. And what, what the hell does it mean?

Mike: Yeah.

Joseph: What does people think about at least privilege means, you know? Okay, you know, do I have to keep asking permission every time it's like, every time we open the fridge door, do I have to ask him, I love to open that fridge door. And ultimately that's really what the principle of least privilege is really defining, but we can make it a little bit more, less, let's say friction, we can make it more automated.

And I think that's some of the key things here. So I mean, from you, you know, yeah, from the principle of least privilege, what's, what's your experience or definition that you've heard in the past?

Mike: So for me, my personal sort of definition is. For making sure people have exactly what they need in order to do their job effectively and efficiently, really no more no less, less is definitely, you know, I don't want security to be a blocker.

I don't want people to not be able to do a thing if you know, and so if they need that access in order to be effective, then let's make sure they're trained and understand the implications of having that access, and then I feel comfortable. And then also the right. You don't want people to have access to things that they just don't need access to if they don't have, if there's no reason for you to have an account on the system, there's no reason for you to have to come on that system.

And so it's really about minimizing people's role, you know minimizing security or privileges to the person's role, their job function and what they need to do to be effective. I look at it really as an enabler, more than as a blocker, right. I sort of start from a zero perspective. You have zero access and I'll give you everything you need in order to get you what you need rather than taking things away.

Joseph: Absolutely the way I see it as well as at least privilege. So the principle of least privilege is really that kind of an enabler or the enforcer or things like, you know, as you mentioned, zero trust.

Mike: Right.

Joseph: Where people really start off with zero privilege is the first time you see something on the network or the first time you get an authentication request or the first time you're getting, you know, somebody who's VPN in or opening up an application, really what, you know, what is it there is that person verified? Are they approved and authorized to do that? What authority do they have? And this is really consistent. Trust me, I'm not a big fan of the term zero trust because we always get into in security, we are sometimes known as you know, the negative.

Mike: Right

Joseph: The, no, sorry. We say no, no to everything. But is it a security risk, no, no. Can I connect my BYOD device? No.

Mike: No.

Joseph: And I don't want to be confused with the no’s. I know when we have two and zero trust is another one of those negative perceptions that we get in the security industry, and we need to change. We need to change, you know, in this industry, we need to be more positive.

We need to be able to be enablers of security, how to make it fun? how to make employees can access without pain or whether they're taking longer without, you know, getting access denied. How do we, how enabled authorized, approved access, easy and simplified. Zero trust is a way of doing that. But I think, you know, many people see it as this continuous verification and it'll create friction and the current kind of approach we definitely need to make it were I see it as it's about building trust. It's about enabling the access. It's about, some adaptive security. It becomes reasonable security doesn't you always have to be static.

Mike: Right.

Joseph: It's a living organism. So it is moving. It's evolving. And that's what we have to get to, that it focuses around the ease of use, it focus around the positivity and it focus around employees, getting the access to on demand when they need it. And least privilege is a starting point, but you have to make sure that, you enable and you look at the right, let's say metrics are right, security controls that satisfy the risk. Cause ultimately at the end of the day, I really like Gartner's model, cause Forester can introduce the zero trust and really can the principle of least privilege was of the role to run that, because it really started off at a time when you had a lot of devices which were getting viruses and then companies come up with network segmentation. So you'd take that device, quarantine it off into another VLAN or so, you know, part of the network or didn't have access to anything. And it wouldn't get back on the network until that device had cleared up and the virus was gone and it was cleaned or restored and so forth. And that was really that kind of, and then of course we introduced them like the BYOD model, bringing device and this really kind of get into, well where's the perimeter of the perimeter is disappearing in cloud digital transformation and people are bringing on their devices and should be of them on the same network or not. So really we get into the principle of least privilege, I like the use of metaphors, to try to explain it . So when I did write a book called least privileged cybersecurity for dummies, not just for dummies, it's a book for smart people. The dummies format is that it's a quick read and simple to consume

Mike: Right

Joseph: It's the purpose of it. But I used a lot of metaphors and one of the metaphors, one, one that I use frequently, it is about a bank. You can go into the bank vault, you get access to the big bank door, you open up the door and you go in and you might have many deposit boxes in there that all have their own keys and all locked. And that's what basically the Prince of least privilege is, is that I might have the ability to get through one door. But when I get through that door and I have multiple doors that I, unless I have the keys, those specific deposit boxes, I can’t access it.

Mike: Right.

Joseph: That's when you kind of look at the difference between, you know, authentication and authorization. I have authentication, which gives me access to the bank from an identity and it gets me through the door of the vault, but now I can't access the valuables until actually I do verification that I should have access to. It is the same thing, you can take that bank vault and you can replicate that metaphor into for example a jewelry store. You get through the door of the jewelry store and you have all kinds of valuable things. You might have some things as less valuable or common that are out, you know, you can directly touch them, but the more valuable stuff is in these clothes, glasses, the more security is applied to them. So that again is taking that principle of least privilege is that in order to get access to it you have to ask and the person has to give you permission. And of course, that could be automated.

Mike: Yeah, definitely. And I think, one of the things I think about least privilege, a lot in terms of people, but the beauty of DevSecOps and infrastructure's code is that it's becoming more and more easy to really apply it. To the infrastructure within an order, you know, to the actual code, the machines, what does this actual server have to talk to that server and making sure the network connections are there, what ports, and really applying at that level. And I think it's the metaphor of the bank vault and the jewelry store is true, you know, in sort of conceptually and understanding it from a person perspective, but then also, how do you then apply it beyond just people and into systems as well?

Joseph: Absolutely. I mean, I've got one of the things when I started off, you know, can I in this industry, I mean, I've been 25 years now. So a long time from things like health service and ambulance service, but there was one company when I was working for in Australia and I was a, it was called my, my role job responsibility was called infrastructure tools specialist. And it meant that basically, you know, fancy titles. So really what it meant is that anything that went into the data center, I was responsible for any hardware that went into the data center. I had to sign it off, make sure when it was licensed that you know, all the security things and configurations, it was hardened. And you know, a lot of the clients in the data center were, you know, companies like banks, mineral companies, food, television networks, logistics companies. They were all having their own different cages within the data center. And I have domain rights. I had full AD domain rights that I can access all every single one of those. I have the physical security to get through the door and you get your big furry coat and your muffler and you get into the cage. And I used to remember one thing I used to do was, you know, open the CD tray. I knew what server I was meant to be working on and the case. Okay. And then it got really confusing because you may have two people working in that cage. There's three people at once and you all went in at the same time and everyone's looking, it was like you've got TV trays opened. So which, which one was the one I was meant to be working on?So now we get into the blinking lights.

Mike: When I went into the cage, I had always the blinking light and I had somebody remote who turned the blinking light of the machine I needed to take a look at or whatever with my furry coat. I'm going to have to remember. So the first time I went into the cage, it didn't occur to me right away like why were some of the machine, all the machines were further away from the edge. It's like, yeah. So the people who don't have access to the cage, can't just plug something. And I was like, Oh, that makes sense.

Joseph: Yep. You can just pick your arms through that. So we got to the point where at the end we started playing our favorite songs, with the internal speakers playing. So it was a lot of fun, I mean, that, those were the days, where you know, you did what you did to get your job done and you made, you made it fun as much as you possibly can, even though we had a lot of fun doing things like the blue screen screensaver. A lot of fun when you're disconnected. So when people come in and they were doing the work, okay. Oh, the blue screen saver, nothing is working like the keyboard's not working, the mouse isn’t working and all it was was the blue screen saver in the background. So it was a lot of fun those times, but one of the things I quickly realized when I was working in those cages that the physical security didn't really kind of work, when you looked at it. I was basically going home. I have a laptop, VPN access, I get remote directly. And just like I was doing open the CD trays and playing the music. I had full access to everything and it really got me. That was a moment between my transition. Cause I was a network specialist, infrastructure tools for deploying operating systems, deploying hardware. I was heavily involved in things like rip boards and, direct controllers. And, if remember Compaq insight manager, that was another one of the solutions I worked in. And so one of the things I realized that, you know, as I moved out of those roles and I've just been transitioning into more of a security focus, I realized that shouldn't ever happen. What access I had was too much privileged access and I needed to get into, or I would have the least amount of privileges. And even in my home machines, there are all standard users. So when I click on something, that's requesting some type of installing an application or a browser extension, I know what type of access is requesting is always prompting me for more credentials. And that's for me to make sure that, you know, I don't click on something or a family member doesn't click on something that could accidentally be a ransomware or be a malicious link. So all those running in that least privilege allows you to make sure you've got more visibility into what elevated requests are happening and you can get into really, you know, the one that I've used, the most example, especially in the metaphor is most of us have all stayed in hotels. If you've traveled, you've stayed in the hotel and you go into the hotel. When you get into the reception desk, you'd get a key card. And that key card will go and open up the elevator and it might give you access to a specific floor. But the problem is that, you know, what we end up having is over privilege. A lot of people would get hotel cards, for example, maintenance staff, or the cleaners and their cards open every single door. They open all the doors and all access. And that's what basically attackers are trying to do. They might use my key card to get one foot in the door, but they're really after and trying to basically influence those others, the cleaners or the maintenance staff, or the hotel workers to get their elevator key, their keys to the kingdom and clone and copy those so they can move throughout the network and that becomes a serious problem for many companies.

Mike: Yeah. And actually it's, it's funny you bring up the cleaners, because one of the other aspects of least privilege in my mind is time. So for example, our cleaning staff has access to our office. But we are able to control when their key card works and when it doesn't, so that it, you know, we, again minimize, you know, if somebody works at compromising that card, we don't have to worry about it. You know, going on, you know, somebody's going in at 2:00 AM. And so there's, not just the, what do you need access to, but for how long and when do you need it? That was, um, it's another aspect of, of least privilege that I think is sometimes overlooked.

Joseph: Absolutely. It's all about basically time-based and so, but you know, security controls, are you satisfying the security controls before you get access? So it really gets into one of the things I'd look at. There was a good article that came out. It was actually a US CERT and the department of Homeland security. It was when the wanna cry and not petya and all of the major ransomwares were creating havoc in the industry, that they came up with this article about best practices, how to mitigate. And within that, it was about controlling local administrator rights. So no one should be a local administrator on their systems. And it was also using things like application control to make sure that you're separating kernel level tasks and user context tasks, so that when an applicant tries you can determine basically, is that an application known. And of course you can look at things like, you know, whether it being detected in total, the file hash ever been seen before?

Mike: Right.

Joseph: So this is really where you combine all of those pieces together. And we have to remember at least privilege, you know, it's not just about, you know, being a local accountant and the system and doing these granular elevation controls, time-based, on demand and all these verification checks, but it also gets into going into microservices, into web applications and into SAAS based applications. So you might look at least privileged from all aspects of connectivity, of applications, of data access, and trying to get down to the granular level. That every time you click on something, every time you open up a menu option or clicking a piece of data is that every of those background checks, it checks all my authorized and verified to do that and I can send to you. You might go through, you know, and that's what we talked about earlier about building trust. It's all about trust frameworks and building trust and saying that if my security control satisfied me to be at this level, and lets say this level of trust, then anything at that same level, I don't need to go and reauthenticate and redo again.

Mike: Right.

Joseph: Unless my access changes, but if I need to level up floor and get it into next level, that has more sensitivity, I always prefer to do it in.My back point of being data centers. You know, you have the data center classification. I like to see us, you know, moving into evolution of risk classification is the high level of risk, the more sensitivity I might be looking at one record of a patient, if you're a doctor and that risk is now minimal, but to that one record But if I'm looking at the entire database, that is a whole different level of risk. So it should be a risk classification and it should be always about making sure that, if you need to level up, a privilege or increased the risk, then you need to satisfy more secure controls. Whether it be multifactor authentication, VPN access. Accessing from a specific machine, time-based monitoring and recording all my activities and keystrokes to having my colleague approve me and the access to that database.

Mike: Right. Actually, the colleague's approval is an interesting one. Cause we, one of the things that we do with multi factor is, make it such that we actually require two people in order to do some of the really high level administrative things where one person, you know, sort of like, my last job, we were able to do this where we put the multifactor authentication device inside a safe, I didn't have the. or rather I did have the, you know, the code to the safe, but one of the administrators had the password that was necessary. So the two of us always had to work together and check and balance to make sure that like what we're about to do. And that was for the highest risk systems.

Joseph: Segregation of duties. That's exactly what it is. It's making sure that one person can’t do it all by themselves and then end the day when I worked in the data centers in those cages, we would have a rotation. So one month I would be assigned to cage J. And then next month I go to cage B or C and we kind of rotate, and then there's another team who came behind you and basically audited your work.

Mike: Oh, wow.

Joseph: So, and legally, and you know, in your contract, we weren't allowed to mingle socially, even reduce it down because of course you work in for banks food organizations and, telcos and you come through and then want to make sure that reduction, but even to your point, having that dual access workflows or dual authentication dual requirements, I've seen that heavily used in companies like gaming or gambling machines, where you have one person who has the key to the door and the other person has the key to update the software.

Mike: right

Joseph: No one person has both, same, you know, seeing the same concept in ATM as well. Any type of, you know critical infrastructure, any types of sensitive systems,to a key approach. Any types of abuse, to make sure that, you know, they're not, you know, abusing the authentication authorization to be given. So, I recording sessions as well, does that same effect being remote access on your sessions being completely recorded that has that same type of effect like, you know.

Mike: Yeah, that was the company I worked at previously. We were doing a lot of recording, mostly in the beginning was about communications and analyzing human behavior and communication behavior. But then we started getting into ingesting endpoint data and other things to look for those. And then one of the things that, you know, I think again, back to DevSecOps, one of the cool things is that now that so much of the access can be controlled and configuration, we apply good software engineering practices and now actually requires two or three people to approve a poll request to go ahead and grant somebody access to a system. So there's no way, you know, someone can sort of sneak something and it's pretty, you know, it would be very, very difficult for someone to sort of get access to something without at least three other people knowing about it.

Joseph: So absolutely. It is for me. I think that's one of the crucial things is that it really prevents people from abusing, you know, cause when I was the domain administrator, I was known as the fix it guy.

Mike: Right.

Joseph: I think I can fix it. But for me to do that, sometimes I was sacrificing security for ease of. You know, getting things up and running quickly, and we need to, you know, move away from that is that you can have things work and get up and running quickly, but at the same time, not sacrificing security as a result of that. And I think that's what's important. Sure. The audience, hopefully for those listening in that we're really taking. Privileged and zero trusts. And, um, you know, all of those things have made it simplified into, you know, some of the metaphors were like a bank vault, a jewelry store. And one of my favorite uses of course, is the hotel one.Cause I can go into that in a lot of detail.

Mike: For me it's actually my family and whether or not like, so I have multiple accounts on every of our computers, every kid has their own account, and we sort of limit, you know, when they were younger, how much do you know how much access do they need?What apps do they need to run? And, you know, as they've gotten older, we've sort of opened it up more and more so that I'm not constantly going over to the keyboard and giving them access to stuff. And, but it's the same thing it's like, would you give your kid the, you know, your, your ATM card and pin, if they're seven and just be like, yeah, cool. You know, like it's the same thing with no with no limits. No, exactly, exactly. And no oversight, no anything.? Right. They just have access to the bank account. Like, it's the same thing. Like we do a lot of banking from our computer, so let, you know, let's make sure that that's segregated off and, and that people who don't need access to that aspect of what we do, or our taxes or any of those types of things.

Joseph: So, yeah, absolutely. At the end of the day, it's all about, you know, I think many organizations can definitely reduce a lot of risk from doing least privilege and avoid a lot of risk, but also make it usable, make it that it's not creating friction. Those security controls can be automated and done in the background. And I think that's really, you know, the direction is to make security usable, make it breathable, make it like a living organism, you know, the fence can increase and decrease as that's increasing, decreasing out there. You know, make sure your security is adaptive to your business needs.

Mike: And the other thing that I think is really important is again, on the saying yes, is understanding that nobody wants to, there's very few really bad actors, right? So, at least insiders, right? So giving someone access to a thing so that they can do their job better or more effectively or more efficiently, might just require again, I think I mentioned at the top sort of just training and making sure that they understand the implications of what they have, and I find that people will, once they have that, they treat things way more securely, you know they're conscious of it and it's on front of mind and they sort of are appreciative it. Hey, you trust me to do this thing. You've given me access to do this. I can't tell you how many times people come back to me and you know, I've given them a little bit of admin privileges and they'll come back to me and they're asking me like, Hey, can I do this? Should I do this? You know, they're careful and they treat the system very precious. And so I think that that's an important part.

Joseph: Yeah. It's like when you're giving the company credit card and you spend it, like, it's your own money?

Mike: Actually I think I spend it way more. I think the company credit card is actually not like mine.

Joseph: What I mean by that is you're a lot more conscious. You take a lot more consciousness, you know, it's not like you're spending someone else's money. They were, but the result is you actually really treat it, and you think about that, you know, what's the consequences? You plan it, your budget and you spend it wisely and you wouldn't say?

Mike: Yes

Mike: But I agree with you, you know, what you mentioned is the areas of bite. When people know, it's all about accountability and responsibility when people know that they're accountable for it and they're responsible and that you say what's allowed and what's not allowed. And you're very clear in your policies, then people will follow them.

Joseph: If your policies are very vague and kind of unclear. People will basically abuse it and not know they're abusing it. So it's important to make sure that when you're doing your policies at the beginning, that you make it very, very specific and precise. Otherwise people don't know that they're actually doing something wrong.

Mike: Yeah. Also, I think “Why” is an important part of the policy, making sure that people understand why this is an important thing. I think they should, people tend to take things, understand more, or if they understand the implications of why I have to do it this way and so and so forth. And making policies really digestible, I think. It is an important part as well. I like to think through. I have like, we have our official policies that are all, you know, the stuff that we send out to customers, but then the internal one usually is a little more digestible, has some stories as some funny elements to it, just to sort of help like deliver the, like why we do the thing.

Joseph: So, now that reminds me. I did years ago in one of my former jobs that was for a major transportation company. And we were doing this, a vulnerability assessment and we ended up happening that we were failing, we were rolling out a new IT strategy and it was very aggressive security to the point where it was really, you know, creating friction with the employees. And we were using very traditional IT methods to deploy policies through email, these very long. It's like a EULA, you know, just like. Click. Yes. Okay. I'm done. But we actually bought in schoolchildren to try and find out what we were doing wrong and ultimately what they ended up showing us is that, Oh, you know, this is simple. You know, it's too much text, just make graphics, make an image storyboard. And we ended up changing the IT security policy into storyboards. And then we get into getting into, well, you know, we were sending these by email before and we weren't really getting. these traction. And the next thing was that we actually took those storyboards and we actually put them in the bathroom doors in the back of the doors and the cubicles.

And it was funny because the kids were like, you have two minutes of uninterrupted focus week. What more can you ask for? Because I know it doesn't give you that attention. And it was basically, you know, those became three months rotation storyboards about, you know, plugging in USB sticks and choosing good password management, about, you know, being careful about when you're accessing from public websites and stuff or public wifi access points. And it really kind of really made a difference in one is that it meant that everyone was actually getting attention to it. We're all human. We all need to go to the bathroom. And ultimately as well as that we didn't need to translate it. Cause it was very little texts in there. It was all about basically just the graphics. It was going back to the good old comic book of all ages. Um, and it really made me realize about some of the effective ways to communicate. And sometimes yes, we do have to bring in other experts and in that case it was children who were the experts. It really changed our ability to communicate better. I think for me, absolutely. It's making it digestible, as you mentioned, because it simplified doing it in small bites, small chunks, as well as important. Because if you know, if you throw a 300, or you know, 900 page book at someone, they're going to look at Jingo. Okay. You know, I'm not going to be able to do my job for a year until I read this. But it'd be just somebody, you know, a one A4 page, you know, graphic or storyboard about why they shouldn't do something or why they should do something in a certain way that is more consumable. That's more also measurable as well. And ultimately we need to be able to measure these because if we can't measure. What's the point.

Mike: Yep. Couldn't agree more.

Joseph: So I think, I think we'll end it there because I think it's a great place to leave it off.

Mike: Yeah, I can talk about this type of stuff. This is. Yeah, I can talk about this all day. So I think it's, I always enjoy speaking with you.

Joseph: You know, for me, who travels a lot and spend a lot of time in hotels, a lot of metaphors from hotel experiences.

Mike: There you go. That's why all my metaphors revolve around me and my family and my kids coz I don’t travel much.

Joseph: I'm sure. Yeah, you will do at some point, but what I want to do in a future show and I'll leave it at some point in time. It's funny comical stories from, you know, one is from comical stories from traveling. And also some of those comical things we did in the past, whether, you know, so something you've messed up, if something like, you know, the blue screen screensaver that I've done in the past, which was always hilarious. Mike: I have some good stories on that one as well.

Joseph: We'll keep one of those, you know, for the future shows, you know, people can have a good fun, you know, bringing the fun back into cybersecurity and making it more positive. I was thinking about the flash back. So for the audience again, thanks for spending time, you know, another episode with us. I hope this was interesting. I hope we've made least privilege, much more simplified into what it really means and what things you can do. And also how important it is to reducing risk and how important is to make it also digestible. Stay tuned, come back every two weeks for, for more episodes. Hopefully these will be fun and educational and, you know, stay connected. Look for us in social media, reach out for comments and questions and stay safe and have fun.