In the world of Cybersecurity, there is one mantra (there
are probably hundreds of them) that rings true:
You never want to give out more rights, permissions, and privileges than
you absolutely have to. This holds for
not only your employees, but the C-Suite, the Board of Directors, contractors,
and even your third party suppliers.
In other words, you only want to give enough for them to get
their job done. No more and no less.
This has become technically known as the concept of “Least
Privilege”. While in theory it sounds
very plausible, in reality, it is quite different. There are numerous reasons why businesses in
Corporate America fail to adopt this principle.
It could be that the IT Security team is just too busy and
views this as a low priority, or the higher ups simply just don’t care. Well, I came across an article this morning that
cites three key factors why Least Privilege is so slow in being implemented.
Here they are:
1)
The digital world:
With the Remote Workforce of today,
everything has pretty much gone all digital.
In the end, there is no need for an On Prem infrastructure; you can now
put everything in the Cloud, such as AWS or Azure. With all of this, employees are now getting
access to more shared resources than they ever had before. It’s still a mystery how this is possible,
but because of this, the rights and permissions have not been properly
assigned. The end result is that many
backdoors are now left open, the attack surface has increased, and Social
Engineering threat variants are on the uptick.
If a business has moved to the Cloud, one of the first things they need
to take stock of is all of the rights that have been assigned to all people who
are associated with the organization. But apart from this, whatever permissions
an employee needs has to propagate to the other services that they could be
accessing in the Cloud. In other words,
there needs to be some degree of visibility of who has what, and unfortunately,
this is lacking today. This is
illustrated in the diagram below:
2)
Too many employees:
If you are an SMB with just a
handful of employees, then implementing the concept of Least Privilege. But now just imagine if your business is a
multinational one, with literally thousands of employees and contractors around
the world? Then implementing Least Privilege
can be quite an undertaking, at least initially. But, there is no reason why this should be
such a torture down the road. I know for
a fact that Microsoft Azure has great tools that you can use to enforce Least
Privilege. For example, Azure Active Directory lets you set up various groups, profiles, etc. From there, you can then assign the needed
rights and privileges, and then add the employees who belong in that profile. In other words, if you have three employees
who are starting out as administrative assistants, rather than assigning their
privileges manually (which is not only time consuming but will also lead to
more errors), you can merely add their names to the group they belong in. Also, Azure has great IAM tools that you can make
use of to further enforce Least Privilege.
3)
How to quantify it:
Today, there is talk in the Cyber
world of trying to quantify how Least Privilege has been distributed throughout
a business. But unfortunately, it is not
a reality yet. It would really be great
to see numbers associated with how much an employee is given access to the
shared resources, and what they can do with it.
But in the meantime, all the IT Security team can use are dashboards and
visual cues to see how Least Privilege is being managed, and even misused.
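The visibility problem described above (who has what) and the wish to put numbers on it, as an added example that is not part of the original post: a short Python script that takes role assignments in the shape of Azure CLI `az role assignment list` output (constructed sample data here), compares each principal's roles against a job-function template of the kind the group-based profiles represent, flags rights granted directly to individual users instead of through a group, and turns each principal's holdings into a rough privilege score. The templates, the principal-to-job mapping, the role ranking and the scope-breadth weighting are all assumptions made for the illustration, not anything Azure provides.

```python
import json
from collections import defaultdict

# Constructed sample in the shape of `az role assignment list -o json` output,
# trimmed to the fields used here. Names, ids and scopes are made up.
SAMPLE_ASSIGNMENTS = json.loads("""[
  {"principalName": "grp-admin-assistants", "principalType": "Group",
   "roleDefinitionName": "Reader",
   "scope": "/subscriptions/SUB-1/resourceGroups/rg-shared-docs"},
  {"principalName": "grp-cloud-admins", "principalType": "Group",
   "roleDefinitionName": "Owner", "scope": "/subscriptions/SUB-1"},
  {"principalName": "alice@example.com", "principalType": "User",
   "roleDefinitionName": "Contributor", "scope": "/subscriptions/SUB-1"},
  {"principalName": "bob@example.com", "principalType": "User",
   "roleDefinitionName": "Reader",
   "scope": "/subscriptions/SUB-1/resourceGroups/rg-shared-docs"},
  {"principalName": "svc-backup", "principalType": "ServicePrincipal",
   "roleDefinitionName": "Owner", "scope": "/subscriptions/SUB-1"}
]""")

# Hypothetical job-function templates (the "profiles" of the post): the only
# roles a member of each profile is supposed to hold.
ROLE_TEMPLATES = {
    "admin-assistant": {"Reader"},
    "cloud-admin": {"Owner"},
    "backup-service": {"Storage Account Backup Contributor"},
}

# Hypothetical mapping from principal to job function (e.g. from HR data).
JOB_FUNCTION = {
    "grp-admin-assistants": "admin-assistant",
    "grp-cloud-admins": "cloud-admin",
    "alice@example.com": "admin-assistant",
    "bob@example.com": "admin-assistant",
    "svc-backup": "backup-service",
}

# Assumed ordering of roles from least to most powerful, used only to turn
# "how much can they do" into a number.
ROLE_RANK = {"Reader": 1, "Storage Account Backup Contributor": 2,
             "Contributor": 3, "User Access Administrator": 4, "Owner": 5}


def scope_breadth(scope: str) -> int:
    """Assumed weighting: a broader scope counts more. Subscription -> 4,
    resource group -> 3, individual resource -> 1."""
    segments = scope.strip("/").split("/")
    return max(1, 5 - len(segments) // 2)


def inventory(assignments):
    """Who has what: principal -> sorted list of (role, scope) pairs."""
    held = defaultdict(set)
    for a in assignments:
        held[a["principalName"]].add((a["roleDefinitionName"], a["scope"]))
    return {p: sorted(v) for p, v in held.items()}


def excess_roles(principal, held):
    """Roles held that the principal's job-function template does not allow."""
    template = ROLE_TEMPLATES.get(JOB_FUNCTION.get(principal, ""), set())
    return sorted({role for role, _ in held} - template)


def privilege_score(held):
    """Rough number for 'how much access': rank of each role times the
    breadth of the scope it applies to, summed over all assignments."""
    return sum(ROLE_RANK.get(role, 0) * scope_breadth(scope) for role, scope in held)


def direct_user_assignments(assignments):
    """Rights granted to individual users rather than through a group:
    drift away from the group/profile model the post recommends."""
    return sorted(a["principalName"] for a in assignments if a["principalType"] == "User")


def review(assignments):
    """Per-principal score and list of roles outside the template."""
    return {
        principal: {"score": privilege_score(held), "excess": excess_roles(principal, held)}
        for principal, held in inventory(assignments).items()
    }


if __name__ == "__main__":
    findings = review(SAMPLE_ASSIGNMENTS)
    for principal, f in sorted(findings.items(), key=lambda kv: -kv[1]["score"]):
        flag = "OVER-PRIVILEGED" if f["excess"] else "ok"
        print(f"{principal:<24} score={f['score']:>3} excess={f['excess']} {flag}")
    print("direct (non-group) user grants:", direct_user_assignments(SAMPLE_ASSIGNMENTS))
```

Run against real `az role assignment list --all -o json` output, the same functions give a sortable table of who holds the most access and which grants fall outside the profile a person was supposed to be placed in; the score is only as good as the role ranking you choose, so treat it as a cue for review rather than a measurement.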
My Thoughts On This:
It is important to keep in mind that the Cyberattacker of
today is not simply going after any password of any employee. Now, they are taking a much more targeted
approach, and trying to go after those employees that have privileged or “super
user” access.
These would include primarily those that have administrative
titles in both the IT department and the IT Security team. There is a way to protect these kinds of
accounts, and it is known as “Privileged Access Management”, also known as “PAM”
for short.
This will be the focal point for a future series of blogs, but in
the meantime, I just published an eBook on this last week on Amazon. You can buy it here at this link:
https://www.amazon.com/dp/B0BX1QZH7G#detailBullets_feature_div