The Lockdown

Thycotic’s Cyber Security Blog

What is Least Privilege? Why you need it and how to get started

Written by Joseph Carson

November 20th, 2018

Updated April 14, 2020

Implementing least privilege means granting only the minimum permissions required by an end-user, application, service, task or system to perform the jobs they have been assigned.

Least privilege is intended to prevent “over-privileged access” by users, applications, or services to help reduce the risk of exploitation without impacting productivity or involving the IT help desk.

It may help to think of least privilege by its other name—least authority—as it provides only enough authority for an entity to complete the job at hand. The least privilege model can also help curtail costs and increase efficiency.

If you’re an IT professional, over-privileged users are probably posing a challenge for you.
See what other IT security folk are saying about least privilege in our survey report.

Why has the least privilege model become central to cyber security best practices?

  1. Least privilege harnesses technology to reduce risks caused by cyber fatigue

Globally, organizations are being challenged by an ever-growing cyber threat landscape and are experiencing serious cyber fatigue. Their employees are dealing with constant information overload about cyber-attacks, ransomware, identity theft and phishing scams. They reuse previous passwords (under pressure to constantly change passwords every time there’s news of a data breach), which increases both cyber risks and cyber fatigue.

Least privilege access control enforces safer practices

Cyber fatigue is occurring at all levels of the organization, from the CISO looking for metrics on the company’s exposure to cyber-attacks to the IT Security team trying to force employees to be more secure. The organization must meet compliance, and employees need to perform their daily tasks, but nobody knows if the next email is the one that contains malware or might attempt to steal their identity or their credentials.

Least privilege access control enforces safer practices and reduces the likelihood of your organization experiencing cyber fatigue-induced errors.

  2. Least privilege reduces the burden of responsibility on employees

For years, employees across all departments in most organizations have routinely practiced risky behavior, usually unintentionally and unknowingly. They do this by clicking on attachments or links within emails not knowing what might happen next; by logging into internet services using the same password they use for their Facebook account, corporate email and bank account; or by simply plugging in a USB stick they got for free at the last conference they attended.

Despite efforts to raise cyber security awareness and train users on secure behavior, 25% of your employees will open phishing emails, and more than one in ten will click on an attachment that contains malware. (The employee behavior stats on this infographic are cause for alarm.) These types of successful social engineering attacks are just one reason why employee workstations and personal devices are the most vulnerable part of your IT systems.

By implementing privileged access control, you relieve employees of some of the responsibility for your organization’s security and simultaneously reduce your risk level.

  3. Least privilege is your best defense against third-party data breaches

In the past few years, bad actors and cyber-criminals have been focusing on compromising privileged accounts associated with access by third-party vendors. Instead of targeting just one enterprise, they are paying more attention to vendors that serve multiple clients, such as cloud services and payment platforms.

In one dramatic example, American Medical Collection Agency (AMCA) served as a third-party provider of billing services for large healthcare companies such as Quest Diagnostics and LabCorp. A data breach at AMCA that began in August 2018 and continued until March 30, 2019 compromised the private information of 20 million Americans, including names, dates of birth, provider and balance information.

The breach resulted in AMCA losing its largest clients, numerous class action lawsuits and huge penalties for noncompliance with HIPAA regulations. AMCA eventually filed for bankruptcy while its clients suffered damage to their reputations as well as their bottom line.

Unfortunately, many organizations do not have a defined process or program to help manage the risks associated with giving third parties access. According to the Protiviti 2019 Vendor Risk Management Benchmark Study, only 40 percent of companies have a fully mature vendor risk management process in place. A third of the organizations surveyed said they had only an ad hoc risk management process for vendors, or no program at all.

Putting in place a least privilege management program aided by purpose-built least privilege software enables your organization to restrict access by third-party vendors to only what is relevant for completing their assigned tasks. The key, of course, is to manage the least privilege access control process so that productivity can be maintained while monitoring access for any unusual or suspicious activity.


Software solutions: security vs. ease of use

The right balance is critical to your security outcome

IT Security tries to balance the needs of the business while at the same time securing and protecting your organization’s most valuable assets. To secure the organization, IT Security usually attempts to limit the access of over-privileged users and privileged accounts. However, this can create conflict between IT Security and the rest of the employees as they attempt to complete their tasks with reduced access.

Privileged accounts exist everywhere in your IT environment. In many cases, users may not even realize the type of access they possess. They only know that when access is denied, they can’t get their work done. Hackers and cyber-criminals target these privileged accounts because once compromised, they provide the ability to move across your systems and networks undetected. And all it takes is one compromised user with local administrative privileges to gain full control or steal your most sensitive information.

One of the keys to finding balance between productivity and security lies in your choice of least privilege management software—when it’s easy to use you’re more likely to deploy all the features and craft a productivity/security balance that’s perfect for your organization.

Too many over-privileged users increase the business’s cyber risks

Organizations today typically face major challenges when implementing a least privilege policy because built-in limits on access can impact employee productivity. One thing is clear: when an employee has too many privileges you typically do not hear from them, but when privileges are limited or restricted and the employee is unable to access an account, launch an application or connect to a printer, the IT help desk will surely be the first to know.

Unhappy employees are quick to call the help desk when they are unable to perform their jobs. This usually results in the IT help desk making the user over-privileged, and while they can now perform their job it is at the increased risk of turning a simple incident into a major catastrophe. Should the over-privileged employee fall victim to a cyber-attack, the attack could easily escalate to the entire organization.

This is where Least Privilege Access Control comes in

Least privilege access control builds on a Zero Trust security model and includes a risk-based security strategy. Zero Trust is where most organizations should begin: every access request by any user or system to the network, services, applications, data or systems is verified, and trust, once established, is continuously re-challenged whenever the conditions that justified it change. This requires organizations to classify users and systems by trust and risk, for example applying different security controls to employees, contractors, suppliers and temporary staff, or according to the sensitivity of a department.

Cyber security classifications of trust and accepted risk can be dynamic. That is, you create different policies or rules across the enterprise for identities, services, applications, data, and systems.

The more access you have or request, the more security controls you must satisfy before you get access. You have the choice of trust, always verify, or always audit, depending on how much risk you must reduce.

Protect access to privileged accounts

Before implementing Least Privilege you will first want to do the following:

Discover all Admin and Local Admin Privileges

First, you should automatically discover all admin and local admin privileges across the environment, including privileges inherited via group memberships. It is important to know which employees, devices, software, services, applications and hardware have privileged accounts provisioned. This will help identify where your organization is compliant with industry compliance requirements, and possible gaps that need to be secured further.

Inventory all your Devices and Software

It is critical that you know what software is deployed and how software gets deployed, so knowing where it was installed from in the first place is a good way to get to know the organization’s risks. Was software installed from SharePoint, a USB device, downloaded from the internet, via an email or deployed using a software delivery solution? This will help determine what applications you have, whether you are properly licensed, which trusted vendors your organization depends on, which applications are suspicious, and the most common method chosen by users to install software. Depending on your organization’s IT policy, you might want to determine at this stage your preferred method of deployment, and what should be restricted.

Monitor Privileges and Learn Usage

Before enforcing restrictions or least privilege you will want to learn about common usage: which employees are actively using their privileges and which users are potentially over-privileged. Now you can determine which users’ administrative privileges need to be replaced with policies to ensure that they can continue doing their job without any disruption.

Replace Privileges with Automation Policies

Once you have audited the environment you can start to remove or reduce privileges from users who no longer require them. For those who actively require them you can replace privileges with policies that allow the task to be elevated on demand without the user becoming over-privileged.

By combining both Privileged Access Management and Application Control you can control access to devices, services, applications, data and hardware, and control which actions they can perform.
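As an added illustration of the four preparatory steps above (not code from the original post or from Thycotic's products), the following Python models discovery of inherited admin rights, the usage-monitoring window, and the keep/replace/remove decision on constructed sample data; the hosts, groups, users, log entries and dates are assumptions.

```python
from datetime import date, timedelta

# Constructed sample data (not from any real environment).
GROUPS = {  # directory groups: group -> members (users or nested groups)
    "DOMAIN\\Desktop-Admins": ["DOMAIN\\alice", "DOMAIN\\Helpdesk"],
    "DOMAIN\\Helpdesk": ["DOMAIN\\bob"],
}
LOCAL_ADMINS = {  # discovery: host -> direct members of local Administrators
    "WS01": ["WS01\\Administrator", "DOMAIN\\Desktop-Admins", "DOMAIN\\carol"],
    "WS02": ["DOMAIN\\carol", "DOMAIN\\dave"],
}
ELEVATION_LOG = [  # monitoring: (user, host, day an elevation was observed)
    ("DOMAIN\\alice", "WS01", date(2020, 4, 10)),
    ("DOMAIN\\carol", "WS02", date(2020, 1, 5)),
]
AUDIT_DATE = date(2020, 4, 14)

def expand(principal):
    """Users contained in a principal, following nested groups (assumed acyclic)."""
    if principal not in GROUPS:
        return {principal}
    return set().union(*(expand(m) for m in GROUPS[principal]))

def effective_admins():
    """host -> {user: principal through which the admin right is inherited}."""
    result = {}
    for host, members in LOCAL_ADMINS.items():
        result[host] = {}
        for member in members:
            for user in expand(member):
                result[host].setdefault(user, member)
    return result

def recommend(today=AUDIT_DATE, window_days=90):
    """{(host, user): (action, reason)}: keep and vault the built-in account,
    replace rights used inside the window with an on-demand policy, remove the rest."""
    last_used = {(h, u): d for u, h, d in ELEVATION_LOG}  # one entry per pair in the sample
    cutoff = today - timedelta(days=window_days)
    plan = {}
    for host, users in effective_admins().items():
        for user, via in users.items():
            seen_on = last_used.get((host, user), date.min)
            if user.endswith("\\Administrator"):
                plan[(host, user)] = ("keep", "built-in account; vault its password")
            elif seen_on >= cutoff:
                plan[(host, user)] = ("replace", f"elevated on {seen_on}; elevate on demand")
            else:
                plan[(host, user)] = ("remove", f"no elevation in {window_days} days (via {via})")
    return plan
```

Users who reach Administrators only through a nested group (bob via Helpdesk via Desktop-Admins) show up in the plan with the group they inherited through, which is the "possible gap" the discovery step is meant to surface.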

What is least privilege and how does it work?

Least privilege best practice tip: combine Least Privilege with Privileged Access Management using the PAM Lifecycle illustrated below.

Thycotic's privileged access management lifecycle

Adapting the PAM Lifecycle to the Least Privilege Model

The least privilege lifecycle approach increases your odds of implementation success. Follow these key steps when working to achieve least privilege security in your organization:

  • Start with a discovery project: Determine which endpoints and local users have admin rights, what applications are in use, and whether they require admin rights to keep a record for future maintenance efforts.
  • Create an allowlist: add all the applications and processes that you trust.
  • Implement a denylist: block known bad files. Or incorporate a reputation service.
  • Create a restrictlist: manage unknown applications with your restrictlist and an automated workflow that allows approved apps to run and blocks malicious apps.
  • Set contextual policies that align with your risk assessment.
  • Users may change roles or departments—accommodate these changes in your least privilege plan.
  • Don’t limit yourself to domain-controlled endpoints only.
  • Remember child processes.
  • Integrate workflow into your existing tools.
  • Measure success, coverage and existing risks.
  • Enable user interactive elevation requests/workflows.
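The allowlist, denylist, restrictlist, contextual-policy and child-process steps above, modelled as an added example in Python (not the post's or the vendor's code); the hashes, publishers, departments and process tree are constructed placeholders, and the reputation lookup is a dictionary stand-in for a real reputation service.

```python
# Constructed sample policy data (placeholders, not real hashes or vendors).
ALLOW_HASHES = {"a1" * 32}
ALLOW_PUBLISHERS = {"Microsoft Corporation", "Contoso IT"}
DENY_HASHES = {"bb" * 32}
REPUTATION = {"cc" * 32: "malicious", "dd" * 32: "trusted"}  # stand-in reputation service
ELEVATION_ALLOWED_DEPTS = {"Engineering"}  # contextual policy from the risk assessment
RANK = {"block": 0, "restrict": 1, "request": 2, "allow": 3}  # least to most privilege

def classify(proc, user_dept=None):
    """Own verdict of one process, ignoring its ancestry."""
    h = proc["sha256"]
    if h in DENY_HASHES or REPUTATION.get(h) == "malicious":
        return "block"                       # denylist or reputation service
    if (h in ALLOW_HASHES or proc.get("publisher") in ALLOW_PUBLISHERS
            or REPUTATION.get(h) == "trusted"):
        return "allow"                       # allowlist
    # Unknown application: the restrictlist path. Contextual policy decides whether
    # the user may raise an elevation request or simply runs it without admin rights.
    return "request" if user_dept in ELEVATION_ALLOWED_DEPTS else "restrict"

def evaluate_tree(procs, user_dept=None):
    """Verdict per pid; a child never gets more privilege than its parent
    (so a restricted installer cannot spawn an allowed, elevated cmd.exe)."""
    by_pid = {p["pid"]: p for p in procs}
    verdicts = {}
    def verdict(pid):
        if pid not in verdicts:
            p = by_pid[pid]
            own = classify(p, user_dept)
            if p["ppid"] in by_pid:                      # remember child processes
                own = min(own, verdict(p["ppid"]), key=RANK.get)
            verdicts[pid] = own
        return verdicts[pid]
    for p in procs:
        verdict(p["pid"])
    return verdicts

SAMPLE_TREE = [  # constructed process tree on one workstation
    {"pid": 1, "ppid": 0, "path": "explorer.exe", "publisher": "Microsoft Corporation", "sha256": "11" * 32},
    {"pid": 2, "ppid": 1, "path": "setup.exe", "publisher": None, "sha256": "22" * 32},  # unknown download
    {"pid": 3, "ppid": 2, "path": "cmd.exe", "publisher": "Microsoft Corporation", "sha256": "33" * 32},  # child of 2
    {"pid": 4, "ppid": 1, "path": "invoice.exe", "publisher": None, "sha256": "cc" * 32},  # reputation: malicious
]
```

With no department context, pid 3 is a signed Microsoft binary but inherits "restrict" from the unknown installer that launched it; the same tree evaluated for an Engineering user turns both into "request", routing them to the approval workflow.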

The Benefits of the Least Privilege Model

The benefits of implementing a least privilege strategy are significant for all organizations.

Compliance management: Most organizations today need to satisfy various compliance requirements and regulations. A structured least privilege strategy will help organizations meet most compliance and regulatory requirements for restricting administrator access, so look at your least privilege strategy as a fast track to meeting most of your compliance security requirements.

Time-consuming patch management: Patch management is one of the most repetitive, challenging tasks that all organizations must carry out, yet they continuously fail at staying current. As most exploits on Windows require local administrative rights, least privilege security helps reduce the risk of more than 90% of Microsoft Windows vulnerabilities. So, you can focus on only those vulnerabilities that are exploitable without local admin rights. This saves an organization both time and money as it becomes more effective at patching critical vulnerabilities.

Malware and Ransomware: Risks will be reduced because the user will not be able to execute untrusted applications, so an accidental click on that malicious email attachment will be prevented from infecting the system or any other system on the same network.

Third party vendors: Exposure to third party vendor risk will be properly managed with a least privilege control model that helps reduce the risk of breaches from non-compliant vendor practices.

In summary, a strong least privilege strategy will:

  1. Reduce costs: Save time and money by managing users securely.
  2. Produce empowered, happier employees: They can perform their duties without encountering roadblocks.
  3. Fast track compliance: Automated reporting will satisfy auditors.
  4. Improve security: Block cyber-criminals and malicious insiders from exploiting password compromise.

TIP: Don’t start your organization’s journey to least privilege security without downloading our free eBook “Least Privilege for Dummies.”

In this video, Thycotic’s Chief Security Scientist and author of “Least Privilege for Dummies,” Joseph Carson, explains how the Principle of Least Privilege works, and its importance in your organization’s cyber security strategy:

Watch the video to learn:

  • A simple analogy using hotel key access that helps explain the concept of privilege access and how the least privilege access model applies in the context of cyber security.
  • Why removing all access is a recipe for failure when trying to implement the least privilege access model.

Looking for examples of least privilege?
Read our illustrated post: Principle of Least Privilege Examples

