401 Access Denied Ep.05 | What the Heck is Least Privilege Security Anyway?
Least Privilege has become a pervasive term in cyber security these days. But what does Least Privilege actually mean? How has Zero Trust transformed into building trust and adaptive security that helps employees do their jobs efficiently and securely? Join Joseph Carson, Chief Security Scientist from Thycotic and author of “Least Privilege for Dummies,” along with Mike Gruen from Cybrary as they dive into the topic of Least Privilege and how it can transform an organization with more automation.
Share it with friends now!
In this podcast, Joseph and Mike will be discussing the concept of least privilege and what it actually means. With the attack surface area of organizations growing it has become important to control who and how accesses the environment. Everyone required to access the environment should be enabled only with enough, to be able to fulfil their job and responsibilities without being hindered. It has often been the case where it has been seen that employees have more access than required as the access controls are not implemented properly and don't distinguish employees based on their responsibilities. Such employees are a risk to an organisation and a very lucrative target for attackers. If attackers get hold of such accounts, they can move in the environment very easily and wreak havoc. Implementing least privilege access should not be seen as a road blocker rather an enabler for business, where people are very much aware of what their responsibilities are and their access can’t be abused.
There are few metaphors that have been used to illustrate how privilege access if not implemented properly can be misused. We can relate to a scenario of hotels. When we reach a hotel we are provided access cards to our room. Using that card we can access only our room and common access places like a lift. Also, we may have observed the hotel staff can access each and every gate of the hotel, be it rooms, lifts or storage. This kind of access should not be given to a person as if a staff loses his/her card or decided to go rogue may end up causing damage to the hotel and invading the privacy of the guests. If we relate the same thing to a corporate environment, an employee having a high level of access may end up opening gates for an attacker or invading the sensitive data which he/she shouldn’t have access to.
Least privilege concept is a way of check and proceeds which if implemented properly is a great way to control access to an environment. People should be encouraged to only entertain the access as required for their jobs and no more, no less. Proper training should be in place and means for an employee to reach out to for understanding what proper access looks like. The policies implemented should be very clear and comprehensible for the employees.