 
Episode 5

What the Heck is Least Privilege Security Anyway?

EPISODE SUMMARY

What is least privilege and why should you care? That's the topic of today's podcast with Joseph Carson of Delinea, author of the "Least Privilege for Dummies" book. Together with Mike Gruen of Cybrary, he explains how least privilege lets employees do their jobs efficiently without unnecessary security risk, while saving your help desk time.


Mike Gruen

Mike is the Cybrary VP of Engineering / CISO. He manages Cybrary’s engineering and data science teams, information technology infrastructure, and overall security posture.


Joseph Carson:
Welcome to the 401 Access Denied podcast. My name is Joseph Carson, chief security scientist of Thycotic and cohost of the show. This podcast is all about making cybersecurity easy, usable, and fun. Come back every two weeks to listen in and learn about the latest news, or even submit your own questions via the community.

Hey, Mike. How are you doing? Welcome. Another episode here of 401 Access Denied, so another fun topic for our audience to listen to today.

Mike Gruen:                    
Yeah, very excited about this one.

Joseph Carson:               
Yeah. It's one that can be quite confusing. I think a lot of people, they misinterpret it, they don't understand what it means and the emphasis. And we're going to try and simplify it today. We're going to try and make it easy and we're going to try and make it fun as well, because I'd like to add a few metaphors in as well to try and simplify things. And the topic today is the principle of least privilege and what the hell does it mean.

Mike Gruen:                    
Yeah.

Joseph Carson:               
What do people think about least privilege? It means, okay, do I have to keep asking permission every time? Every time I open the fridge door, do I have to ask, am I allowed to open that fridge door? And ultimately, that's really what the principle of least privilege is really defining, but we can make it a little bit less, let's say, friction. We can make it more automated. I think that's some of the key things here. From you, from the principle of least privilege, what's your experience or definition that you've heard in the past?

Mike Gruen:                    
For me, my personal definition is making sure people have exactly what they need in order to do their job effectively and efficiently, really no more, no less. Less is definitely ... I don't want security to be a blocker. I don't want people to not be able to do a thing if ... And so, if they need that access in order to be effective, then let's make sure they're trained and understand the implications of having that access. And then I feel comfortable. And then also, you don't want people to have access to things that they just don't need access to. If there's no reason for you to have an account on the system, there's no reason for you to have an account on that system. And so it's really about minimizing people's role, minimizing security or privileges to the person's role, their job function, and what do they need to do to be effective.

Joseph Carson:               
I understand that.

Mike Gruen:                    
I look at it really as an enabler more than as a blocker, right? I sort of start from a zero perspective. You have zero access and I'll give you everything you need in order to get you what you need, rather than taking things away.

Joseph Carson:               
Absolutely. The way I see it as well is that least privilege, or the principle of least privilege, is really that enabler or the enforcer of things like, as you mentioned, zero trust, where people really start off with zero privilege. The first time you see something on the network or the first time you get an authentication request or the first time you're getting somebody VPNing in or opening up an application, really is that person verified? Are they approved and authorized to do that? What authority do they have? And this really consists … zero trust … I'm not a big fan of the term zero trust because we always get into insecurity. We're sometimes known as the negative, the no sayer, we say no, no to everything. But if it's a security risk, no. Can I connect my BYOD device? No.

Mike Gruen:                    
No.

Joseph Carson:               
I don't want to be confused with the nos. And zero trust is another one of those negative perceptions that we get in the security industry. And we need to change in this industry. We need to be more positive. We need to be able to be enablers of security, how to make it fun, how to make employees gain access without pain or without taking longer, without getting access denied. How do we enable authorized, approved access easy and simplified? And zero trust isn't a way of doing that, but I think many people see it as this continuous verification and it will create friction in the current approach. We definitely need to make it where I see it as it's about building trust. It's about enabling the access. It's about some adaptive security, where security becomes breathable.

Security doesn't always have to be static. It's a living organism, it's always moving, it's evolving. And that's what we have to get to, is that it focuses around ease of use, it focuses around the positivity and it focuses around employees getting the access they need on demand when they need it. And least privilege is a starting point, but you have to make sure that you enable and you look at the right, let's say, metrics or right security controls that satisfy the risk. Because ultimately, at the end of the day, I really like Gartner's model because Forrester can introduce zero trust, and really the principle of least privilege was revolved around that because it really started off at a time when you had a lot of devices which were getting viruses. And then companies came up with network segmentation. So you would take that device, quarantine it off into another… or some part of the network where it didn't have access to anything. And it wouldn't get back on the network until that device had cleared up and the virus was gone and it was cleaned or restored and so forth.

And then, of course, we introduced things like the BYOD model, bringing device. And this really can get into, well where's the perimeter? The perimeter is disappearing in cloud digital transformation and people are bringing on their devices and should we allow them on the same network or not? So really, when you get into the principle of least privilege, I always like to use metaphors to try and explain it. And I did write a book called Least Privilege Cybersecurity for Dummies. Not just for dummies, it's a book for smart people. The dummies format is that it's a quick read and simple to consume. That's the purpose of it.

I used a lot of metaphors. And one that I used frequently is always about a bank. You need to go in the bank vault, you get access to the big bank door, you open up the door, you go in, and you might have many deposit boxes in there that all have their own keys and all locked. And that's what basically the principle of least privilege is, is that I might have the ability to get through one door, but when I get through that door and I have multiple doors that I, unless I have the key to those specific deposit boxes, I can't access it. So that's when you look at the difference between authentication and authorization. I have authentication, which gives me access to the bank from an identity and it gets me through the door of the vault, but now I can't access the valuables until actually I do enter the verification that I should have access to that.

And it's the same thing. You can take that bank vault and you can replicate that metaphor into, for example, a jewelry store. You get through the door of the jewelry store and you have all of the valuable things. You might have some things as less valuable or common that are out and you can directly touch them, but the more valuable stuff is in these closed glass cases and more security is applied to them. So that, again, is taking that principle of least privilege, is that, in order to get access to it, you have to ask and the person has to give you permission. And of course that could be automated.

Mike Gruen:                    
Yeah, definitely. And I think one of the things I think about least privilege a lot in terms of people, but the beauty of DevSecOps and infrastructure as code, is that it's becoming more and more easy to really apply it to the infrastructure, to the actual code, the machines, what does this actual server have to talk to that server and making sure the network connections are there, what ports, and really applying it at that level. And I think the metaphors of the bank vault and the jewelry store ring true conceptually and in understanding it from a person perspective, but then also how do you then apply it beyond just people and to systems as well.

Joseph Carson:               
Absolutely. One of the things when I started off in this industry, I've been 25 years now, so a long time, from things like health service and ambulance service. But there was one company that I was working for in Australia, and my role, my job responsibility, was called infrastructure tools specialist. And it meant that basically, fancy titles…. So, really what it meant is that anything that went in the data center, I was responsible for. So any tool, any hardware that went in the data center, I had to sign it off, make sure when it was licensed that all the security things and configurations were hardened. And a lot of the clients in the data center were companies like banks, mineral companies, food, television networks, logistics companies, who were all having their own different cages within the data center. And I had domain rights. I had full AD domain rights that I could access all, every single one of those.

Now, the physical security, you can get through the door and you get your big furry coat and your muffs. You get into the cage. And I used to remember, one thing I used to do was open the CD tray. I knew which server I was meant to be working on in the cage. And then it got really confusing because you may have two people working in that cage or three people at once, and you all went in at the same time and everyone's looking as like you've got two CD trays opened. Which one was the one I was meant to be working on? And then we got into the blinking lights.

Mike Gruen:                    
Yeah, I was going to say, when I went into the cage there was always the blinking light and I had somebody remote who was blinking the light of the machine I needed to take a look at or whatever with my furry coat. I also remember being ... So the first time I went into the cage, it didn't occur to me right away why all of the machines were further away from the edge. It's like, yeah, so that people who don't have access to the cage can't just plug something in. I was like, "Oh, that makes sense."

Joseph Carson:               
You can't just put your arm through the cell, as it seems like a jail cell. We got to the point where at the end we started playing our favorite songs with the internal speakers, playing their favorite. So it was a lot of fun. Those were the days where you did what you did to get your job done, and you made it fun as much as you possibly can. Even we had a lot of fun doing things like the blue screen screensaver, was a lot of fun. You disconnected the mouse and the keyboard, so when people came in and they were doing their work and were like, "It's just the blue screensaver, nothing's working. The keyboard's not working, the mouse is not working." And all it was was a blue screensaver in the background. So it was a lot of fun those times. But one of the things I quickly realized when I was working in those cages, that the physical security didn't really, when you looked at it, I was basically going home idol laptop, VPN access, I remote directly in, just like I was doing, open the CD trays and playing the music. I had full access to everything. And it really got me.

That was a moment between my transition because I was a network specialist, infrastructure tools for deploying operating systems, deploying hardware. I was heavily involved in things like… and track controllers. If we remember Compaq Insight Manager, that was another one of the solutions I worked in. One of the things I realized as I moved out of those roles and I was transitioning into more of a security focus, I realized that that should never happen. What access I had was too much privilege to access. And I needed to get into where I would have the least amount of privileges. And even on my home machines, they're all standard users. So that when I click on something that's requesting some type of installing an application or a browser extension, I know what type of access it's requesting. It's always prompting me for more credentials. And that's for me to make sure that I don't click on something or a family member doesn't click on something that could accidentally be ransomware or be a malicious link. So always running that least privilege allows you to make sure you've got more visibility into what elevated requests are happening.

You can get into really, the one that I've used in most examples, especially in the metaphors, is most of us have all stayed in hotels. If you've traveled, you've stayed in a hotel. And you go into the hotel, when you get to the reception desk, you'll get a key card, and that key card will go and open up the elevator and it might give you access to a specific floor. But the problem is, is that what we ended up having is over-privilege. A lot of people will get that hotel card, for example, maintenance staff or the cleaners, and their cards open every single door. They open all the doors and all access. And that's what basically attackers are trying to do, is they might use my key card to get one foot in the door, but they're really after and trying to basically influence those others, the cleaners or the maintenance staff or the hotel workers, to get their elevated, get their keys to the kingdom for their card, and clone and copy those so they can move throughout the network. And that becomes a serious problem for many companies.

Mike Gruen:                    
Yeah. And actually, it's funny you bring up the cleaners, because one of the other aspects of least privilege in my mind is time. So, for example, our cleaning staff has access to our office, but we are able to control when their key card works and when it doesn't so that, again, we minimize if somebody were to compromise that card, we don't have to worry about somebody going in at 2:00 AM. And so there's not just the what do you need access to, but for how long, and when do you need it? That was another aspect of least privilege that I think is sometimes overlooked.

Joseph Carson:               
Absolutely. It's all about basically time-based. Security controls, are you satisfying the security controls before you get access? So it really gets into one of the things I would look at, there was a good article that came out. It was actually US-CERT and Department of Homeland Security. I was one … and not patchy. And all of the major ransomwares were creating havoc in the industry that they came out with this article about best practices, how to mitigate. And within that, it was about controlling local administrator rights. So no one should be local administrator on their systems. And it was also using things like application controls to make sure that you're separating kernel-level tasks and user context tasks, so that when an application … you can determine, basically, is that an application known. And of course you can look at things like whether it being integration … total, has this file hash ever been seen before?

This is really where you combine all of those pieces together. And we have to remember, least privilege, it's not just about being a local accountant in a system and doing these granular elevation controls and time-based on demand and all these verification checks, but it also gets into going into microservices, into web applications and into SaaS-based applications. So you might look at least privilege from all aspects of connectivity, of applications, of data access, and trying to get down to the granular level, that every time you click on something, every time you open up a menu option or click on a piece of data, is that every one of those background checks, it checks am I authorized and verified to do that. And that gets into is that you might go through ... And that's what I talked about earlier about building trust.

It's all about trust frameworks and building trust and saying that if my security control is satisfied me to be at this, let's say, level of trust, then anything at that same level I don't need to go on and reauthenticate and redo again, unless my risk changes. But if I need to level up for and get into next level that has more sensitivity, I always prefer to do it in my background and being data centers. You have the data center of classification. I like to see us moving into an evolution of risk classification. The higher level of risk, the more sensitivity. I might be looking at one record of a patient, if you're a doctor, and that risk is now minimal to that one record. But am I looking at the entire database, that's a whole different level of risk.

It should be risk classification, and it should be always about making sure that, if you need to level up a privilege or increase the risk, then you need to satisfy more security controls. Whether it being multifactor authentication, VPN access, accessing from a specific machine, time-based, monitoring and recording all my activities and keystrokes, to having my colleague approve me in the access to that database.

Mike Gruen:                    
Right. Actually the colleague approval is an interesting one because one of the things that we do with multifactor is make it such that we actually require two people in order to do some of the really high level administrative things where one person sort of ... My last job, we were able to do this where we put the multifactor authentication device inside a safe. I did have the code to the safe, but one of the administrators had the password that was necessary. So the two of us always had to work together and check and balance to make sure that what we're about to do. And that was for the highest risk systems and for that stuff with the most potential loss.

Joseph Carson:               
Segregation of duties.

Mike Gruen:                    
Exactly.

Joseph Carson:               
That's exactly what it is. It's to make sure that one person can't collude by themselves. When I worked in the data centers in those cages, we would have a rotation. So one month I would be assigned to cage A, and the next month I'd go to cage B or C. And then there's another team who came behind you and basically audited your work.

Mike Gruen:                    
Oh, wow.

Joseph Carson:               
Legally, in your contract, we weren't allowed to mingle socially.

Mike Gruen:                    
Right.

Joseph Carson:               
Even reduce it down. Because of course you're working for banks, you're working for food organizations and telcos and you come through. And they want to make sure the reduction. But even to your point, having that dual access workflows or dual authentication, dual requirements, I've seen that heavily used in companies like gaming or gambling machines, where you would have one person who has the key to the door and the other person has the key to update the software. And no one person has both. Seen the same concept in ATMs as well. Any types of critical infrastructure or any types of sensitive systems, that … approach type abuse, to make sure that they're not abusing the authentication authorization they've been given. Recording sessions as well does that same effect. Getting remote access on your sessions being completely recorded, that has that same type of-

Mike Gruen:                    
Yeah, that was the company I worked at previously. We were doing a lot of recording. Mostly in the beginning it was about communications and analyzing human behavior and communication behavior. But then we started getting into ingesting endpoint data and other things to look for those. And then one of the things that, I think again back to DevSecOps, one of the cool things is that now that so much of the access can be controlled in configuration, we apply good software engineering practices and now it actually requires two or three people to approve a pull request to go ahead and grant somebody access to a system. So there's no way someone can sneak something. And it would be very, very difficult for someone to get access to something without at least three other people knowing about it.

Joseph Carson:               
Absolutely. For me, I think that's one of the crucial things is that it really prevents people from abusing. Because when I was the domain administrator, I was known as the fix-it guy. I can fix it. But for me to do that, sometimes I was sacrificing security for ease of getting things up and running quickly. And we need to move away from that, is that you can have things work and get up and running quickly, but at the same time not sacrificing security as a result of that. And I think that's most important.

Hopefully with the audience, hopefully for those listening in, we've really taken least privilege and zero trust and all of those things and simplified them into some of the metaphors like a bank vault or the jewelry store, and one of my favorite uses of course is the hotel one because I can go into that in a lot of detail.

Mike Gruen:                    
For me, it's actually my family and whether or not I have multiple accounts on our computers, every kid has their own account, and we limit, when they were younger, how much access do they need, what apps do they need to run. And as they've gotten older, we've opened it up more and more so that I'm not constantly going over to the keyboard and giving them access to stuff. But it's the same thing, would you give your kid your ATM card and PIN if they're seven and just be like, "Yeah, cool." It's that same thing.

Joseph Carson:               
With no limit.

Mike Gruen:                    
Exactly, exactly. And no oversight, no anything. Right? They just have access to the bank account. It's the same thing. We do a lot of banking from our computer, so let's make sure that that's segregated off and that people who don't need access to that aspect of what we do, or our taxes or any of those types of things.

Joseph Carson:               
Absolutely. At the end of the day, it's all about I think many organizations can definitely reduce a lot of risk from doing least privilege and avoid a lot, but also make it usable. Make it that it's not creating friction. Those security controls can be automated and done in the background. And I think that's really the direction is to make security usable, make it breathable, make it like a living organism where the fence can increase and decrease as the security risks increase and decrease out there, make sure your security is adaptive, too, to your business needs.

Mike Gruen:                    
Yeah. And the other thing that I think is really important is, again, on the saying yes, is understanding that nobody wants to ... There's very few really bad actors, right? So at least insiders, right? So giving someone access to a thing so that they can do their job better or more effectively or more efficiently might just require, again, I think I mentioned at the top, just training and making sure that they understand the implications of what they have. And I find that people will, once they have that, they treat things way more securely. They're conscious of it and it's front of mind and they are appreciative of, "Hey, you trust me to do this thing, you've given me access to do this."

I can't tell you how many times people come back to me, I've given them a little bit of admin privilege, and they'll come back to me and they're asking me like, "Hey, can I do this? Should I do this?" They're very careful and they treat the system very precious. And so, I think that that's an important part.

Joseph Carson:               
Yeah. It's like when you give them the company credit card. You spend it like it's your own money.

Mike Gruen:                    
Right. Actually I think I spend it way more. I think the company credit card is actually not like my own money.

Joseph Carson:               
What I mean by that is you're a lot more conscious. You take a lot more ... It's not like you're spending it like it's someone else's money, and you don't really care about the result, is you actually really treat it and you think about what's the consequences, you plan, and your budget. You spend it wisely, is ultimately what I'm saying. But I agree with what you mentioned, is the areas about when people know it's all about accountability and responsibility. When people know that they're accountable for it and they're responsible, and that you say what's allowed and what's not allowed, and you're very clear in your policies, then people will follow them.

Mike Gruen:                    
Exactly.

Joseph Carson:               
If your policies are very vague and very unclear, people will basically abuse it and not know they're abusing it. So it's important to make sure that, when you're doing your policies at the beginning, that you make it very, very specific and very precise. Otherwise, people don't know that they're actually doing something wrong.

Mike Gruen:                    
Yeah. Also, I think why is an important part of the policy, making sure that people understand why this is an important thing. I think people tend to understand more if they understand the implications of why I have to do it this way and so on and so forth. And making policies really digestible, I think is an important part as well. We have our official policies that are all the stuff that we send out to customers, but then the internal one usually is a little more digestible, has some stories, has some funny elements to it, just to help deliver the "this is why we do the thing."

Joseph Carson:               
That reminds me, I did years ago in one of my former jobs was that, it was for a major transportation company, and we were doing this vulnerability assessment. And what ended up happening was that we were failing. We were rolling out a new IT strategy and it was very aggressive security to the point where it was really creating friction with the employees. And we were using very traditional IT methods to deploying policies through email. It was very long. It's like a EULA.

Mike Gruen:                    
Right.

Joseph Carson:               
Click yes, okay, I'm done.

Mike Gruen:                    
Yeah, exactly.

Joseph Carson:               
We actually brought in school children to try and find out what we were doing wrong. And ultimately what they ended up showing us is that, "Oh, this is simple. It's too much text. Just make graphics. Make an image storyboard." And we ended up changing the IT security policy into storyboards. And then we got into getting into, we were sending these by email before and we weren't really getting the traction, and the next thing was is that we actually took those storyboards and we actually put them in the bathroom doors and the back of the doors in the cubicles. And it was funny because the kids were like, "You have two minutes of uninterrupted focus every single day of the week." What more can you ask for? Because email doesn't give you that attention.

Mike Gruen:                    
Right.

Joseph Carson:               
And it was basically those became three-month rotation storyboards about plugging in USB sticks and choosing good password management, about being careful about when you're accessing from public websites and stuff for public wifi access points. And it really made a difference into, one is that it meant that everyone was actually going to pay attention to it. We're all human. We all need to go to the bathroom. And ultimately as well is that we didn't need to translate it because it was very little text in there. It was all about basically just the graphics. It was going back to the good old comic book of all ages. And it really made me realize about some of the effective ways to communicate. And sometimes, yes, we do have to bring in other experts. And in that case it was children who were the experts that really changed our ability to communicate better. I think, for me, absolutely, is making it digestible, as you mentioned, make it simplified.

Doing it in small bites, small chunks as well is important because if you throw a 300, 900 page book at someone, they're going to look at you and go, "Okay, I'm not going to be able to do my job for a year until I read this." But if you give somebody a one, a four page graphic storyboard about why they shouldn't do something or why they should do something in a certain way, that is more consumable, that's more also measurable as well. And ultimately, we need to be able to measure these, because if you can't measure, what's the point?

Mike Gruen:                    
Yep. Couldn't agree more.

Joseph Carson:               
I think at that point, I think we'll end there, because-

Mike Gruen:                    
Yeah, I think it's a great place to leave it off. But, yeah, I could talk about this type of stuff. Yeah, I could talk about this all day, so I think it's a great place.

Joseph Carson:               
Absolutely.

Mike Gruen:                    
I always enjoy speaking with you.

Joseph Carson:               
Yeah, for me who travels a lot and spend a lot of time in hotels, a lot of metaphors from hotel experiences.

Mike Gruen:                    
There you go. That's why all of my metaphors revolve around me and my family and my kids, because I don't travel that much.

Joseph Carson:               
I'm sure you will do at some point. But what I want to do in a future show, and I'll leave at some point in time, is funny comical stories. One is from comical stories from traveling, and also some of those comical things we did in the past. So something you've messed up.

Mike Gruen:                    
Oh, yeah.

Joseph Carson:               
And something like the blue screen screensaver that I've done in the past, which was always hilarious.

Mike Gruen:                    
Yes. I have some good stories on that one as well.

Joseph Carson:               
Well keep one of those for the future shows so people can have the good... Bringing the fun back into cybersecurity and making it more positive.

Mike Gruen:                    
Absolutely.

Joseph Carson:               
So, for those in the audience, again, many thanks for spending another episode with us. I hope this was interesting. I hope we've made least privilege much more simplified into what it really means and what things you can do. And also how important it is to reducing risk, and how important it is to make it also digestible. Stay tuned, come back every two weeks for more episodes. Hopefully these will be fun and educational. And stay connected. Look for us on social media, reach out with your comments and questions, and stay safe and have fun.

Outro:                       
Learn how your team can get a free trial of Cybrary for business by going to www.cybrary.it/business. This podcast is also brought to you by Thycotic, the leader in privileged access management. To learn more, visit www.thycotic.com.