Implementing Least Privilege

Thursday, March 15, 2012

Ben Rothke

3e35900ae6facc6c146a85c435c71d82

Preventing Good People from Doing Bad Things: Implementing Least Privilege

For anyone who ever had to prepare for the CISSP exam, the principle of least privilege is often ingrained in their short-term memory. 

The bigger problem is that given the importance of least privilege, it is often forgotten at the enterprise level, and frequently least implemented correctly.

Specifically, least privilege is the notion that in a particular abstraction layer of a computing environment, every module (such as a process, a user or a program depending on the subject) must be able to access only the information and resources that are necessary for its legitimate purpose.

Much has been written about the topic, but not about what to do to implement it.   In Preventing Good People From Doing Bad Things: Implementing Least Privilege, the authors note that many companies have spent huge amounts of money on information security hardware and software, but don’t make allowances to deal with what is often the weakest link in the organization, end-users.

In 11 easy to read chapters containing fewer than 200 pages, the book provides a good high-level overview of the concepts of least privilege.  The book does not get into the details of access control on various operating systems, as that would triple the books length. Rather it details what happens when user rights are not adequately limited, and gives stories of the effects of unlimited administrator level rights.

While for the most operating system agnostic, the book does provide ways in which to living Active Directory rights in chapter 4, and touches similar concepts in Unix and Linux, as well as virtualization in chapter 6.

The title of chapter 2 pretty much sums up the entire book and concept – Misuse of privilege is the new corporate landmine.  The authors quote Mark Diodati of Gartner that “organization continues to struggle with excess user privileges as it remains the primary attack point for data breaches and unauthorized transactions”.

Another crucial topic us databases, discussed in chapter 8.  Far too many DBA’s have unfettered and unmonitored access across terabytes of data that can often lead to serious breaches.

The book concludes with some good ideas on how to break bad habits within IT.  These pragmatic suggestions include (obvious) suggestions such as: stop allowing employees access to rook, not letting desktop users run as administrator, that hat just because a firm is using access control, that they are immune to data breaches, and more.

For those looking to get a handle on the topic, they will find Preventing Good People From Doing Bad Things: Implementing Least Privilege an excellent resource.

Cross-posted from RSA

Possibly Related Articles:
15366
Network Access Control
Information Security
CISSP Authentication Insider Threats Access Control Data Loss Prevention Book Review Privilege Escalation Database Activity Monitoring SysAdmin
Post Rating I Like this!
Default-avatar
Derek Melber This book is a valuable resource for all things least privilege. As one of only a few Microsoft MVPs that talk about privilege management, I can without a doubt that this resource, BeyondTrust as as company, and PowerBroker as a product are as good a resource and solution available on the market today. You can get PowerBroker Desktops evaluation at www.beyondtrust.com.

Derek Melber, MVP
1337188438
The views expressed in this post are the opinions of the Infosec Island member that posted this content. Infosec Island is not responsible for the content or messaging of this post.

Unauthorized reproduction of this article (in part or in whole) is prohibited without the express written permission of Infosec Island and the Infosec Island member that posted this content--this includes using our RSS feed for any purpose other than personal use.