A mainstay of Big Business security frameworks is making sure everyone has barely enough access. This reduces the impact of two threats:
a worker wants to hurt or steal from your company;
a worker gets compromised, either through stolen credentials or a virus taking over their machine.
In either case, an account will be used to do bad things to you – usually steal, but sometimes sabotage. If that account has broad access to lots of systems and capabilities, the badness could be a lot worse.
Least Privilege refers to this strategy of reducing access to minimize the possible badness from these threats.
Security frameworks usually cover this through 6 ideas, and you can probably come up with most of them yourself. Some work better than others, some are a lot of work, and as usual, many in Big Business Security have forgotten the point and care more about checking the box for each idea than about how the ideas holistically reduce risk.
In this series, we’ll walk through the major ideas, starting with the easiest and most effective. As with anything, you do not need special systems to do these, and well-designed processes beat tools anyway. Systems that automate parts of the processes usually make sense starting with 100 desk workers. If there’s interest, we can put together demos of how to cheaply and effectively start automating them.
Some systems don’t have a central access model that remembers and enforces who can do what. Think of an unlocked file drawer: anyone walking by can mess with what’s inside.
If you’ve got systems like this, consider replacing them or use them only for unimportant things. This usually indicates that security was not important to the designers, so the system is probably deeply vulnerable in other ways. Sometimes you can put access gates in front of these systems and limit access to people when they try to go through the gate. In almost every case, though, trying to protect something like this is more trouble than it’s worth. Just switch.
Usually there’s at least one account in every system that can do everything. This is usually the account you sign up with. It can see and modify any information, change billing, sign up for new services, and manage people and their access. In the Biz, we call this a Privileged Account.
If the system is important or has scary things in it (Quickbooks, Office 365, AWS, etc.), using this account is dangerous: every time you use it is another opportunity for someone to take it over and do All the Bad Things.
For this very reason, important systems allow or even require you to set up a second account for your daily work, and only use the Privileged Account for the rare occasion when you actually need it.
This is especially true for IT you manage. Privileged access to systems via IT management accounts warrants another 10+ ideas in frameworks. Often a single IT person has privileged access to more data and systems than anyone else in the company. What happens if that person’s laptop gets compromised and their password stolen?
We won’t go into those ideas because for most medium and small businesses, the best approach is to get rid of that IT infrastructure. The good cloud services are more resilient, secure, and less work to keep healthy than anything you maintain yourself. The one exception is laptops and desktops. You’ll never be able to outsource the thing people type on.
For those, splitting privileged access off is still a great idea. You get a lot of virus protection on your devices by removing admin privileges from the people who use them – they can’t be tricked into giving control to evil junk. This does mean that you need to assign someone to maintain the health of everyone’s devices, including vetting and installing new software for them.
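One way to check whether the Privileged Account idea above is actually being followed, as an added example that is not from the original post: audit a cloud service's credential report for privileged accounts that are still being used for day-to-day work. It assumes the AWS IAM credential report format (the CSV that `aws iam get-credential-report` returns, base64-decoded; the sample below is a constructed, trimmed version with only the columns used) and assumes the set of privileged user names is supplied separately from whoever holds administrator policies. The 7-day "recently used" window is an assumed heuristic, not anything the post specifies.

```python
"""Flag privileged accounts that are used for daily work or lack MFA.

Added example, not the post's own code. Assumes the AWS IAM credential
report CSV layout; the sample report and user names below are constructed.
"""
import csv
import io
from datetime import datetime, timedelta, timezone

# The credential report names the account's root user this way.
ROOT_USER = "<root_account>"

# Constructed sample: a trimmed credential report with only the columns
# this audit reads (a real report has many more columns in the same style).
SAMPLE_REPORT = """\
user,password_enabled,password_last_used,mfa_active,access_key_1_active,access_key_1_last_used_date,access_key_2_active,access_key_2_last_used_date
<root_account>,not_supported,2024-03-04T08:12:00+00:00,false,false,N/A,false,N/A
alice-admin,true,2024-02-01T09:00:00+00:00,true,false,N/A,false,N/A
alice,true,2024-03-05T07:30:00+00:00,true,true,2024-03-05T07:45:00+00:00,false,N/A
bob-admin,true,2024-03-05T16:02:00+00:00,false,false,N/A,false,N/A
"""

# Assumed to come from a separate listing of who holds administrator policies.
PRIVILEGED_USERS = {"alice-admin", "bob-admin"}

# Fixed "now" so the sample audit is reproducible.
NOW = datetime(2024, 3, 5, 18, 0, tzinfo=timezone.utc)


def _parse_ts(value):
    """Return an aware datetime, or None for the report's 'no data' markers."""
    if value in ("N/A", "no_information", "not_supported", ""):
        return None
    return datetime.fromisoformat(value)


def audit_credential_report(report_csv, privileged_users, now, window_days=7):
    """Return (user, finding) pairs for privileged accounts that look misused.

    A privileged account (root or anyone in privileged_users) that signed in
    or used an access key inside the window is probably someone's daily
    account rather than a break-glass account. Console access without MFA
    is flagged as well, since that account can do everything.
    """
    findings = []
    cutoff = now - timedelta(days=window_days)
    for row in csv.DictReader(io.StringIO(report_csv)):
        user = row["user"]
        is_root = user == ROOT_USER
        if not (is_root or user in privileged_users):
            continue  # ordinary daily accounts are out of scope here

        last_uses = [
            _parse_ts(row["password_last_used"]),
            _parse_ts(row["access_key_1_last_used_date"]),
            _parse_ts(row["access_key_2_last_used_date"]),
        ]
        if any(t is not None and t >= cutoff for t in last_uses):
            findings.append(
                (user, "privileged account used within the last %d days" % window_days)
            )

        # Root always has console access; other users only if password_enabled.
        has_console = is_root or row["password_enabled"] == "true"
        if has_console and row["mfa_active"] != "true":
            findings.append((user, "console access without MFA"))
    return findings


if __name__ == "__main__":
    for user, finding in audit_credential_report(SAMPLE_REPORT, PRIVILEGED_USERS, NOW):
        print("%-15s %s" % (user, finding))
```

On the constructed sample, `alice-admin` passes (last used a month ago, MFA on), while the root account and `bob-admin` are each flagged twice. To run it for real, replace `SAMPLE_REPORT` with the decoded report and `PRIVILEGED_USERS` with the names attached to your administrator policies; the accounts it flags are the ones whose owners need a second, unprivileged account for daily work.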
Tune in next week, as we talk about the next few most effective ideas to deliver Least Privilege: managing Generic Accounts, Roles, and Segregation of Duties. We'll complete it the following week with everyone's favorite compliance activities: Access Reviews and Joiner, Leaver, and Mover workflows.