What Is the Principle of Least Privilege?
Published March 6, 2020
The principle of least privilege (POLP), an important concept in computer security, is the practice of limiting the access rights of users, accounts, and computing processes to only those they need to perform their job functions: the least amount of privilege necessary.
Privilege refers to the authorization to bypass certain cybersecurity measures. When applied to people, POLP means enforcing the minimal level of user rights that still allows users to perform their job functions. When applied to processes, applications, systems, and devices, it means granting only the permissions necessary to perform authorized activities.
POLP can keep an organization from suffering regulatory, reputational, and monetary damages. In addition, the principle of least privilege can reduce cybersecurity risk and prevent data breaches. In fact, Forrester Research has estimated that 80 percent of data breaches involve the abuse of privileged access.
By using POLP to strictly limit who can access critical systems and sensitive data, organizations can decrease the risk of intentional data breaches and unintentional data leaks. POLP can also help companies decrease the risk of malware infections, such as ransomware, because users and their systems won't have permission to install the malware.
For example, a service user account with the sole purpose of backing up sensitive data doesn’t need to be able to install software. Under the principle of least privilege, this user account would only have the rights to run applications that are related to backing up the sensitive data. Any other access privileges that don’t pertain to backing up sensitive data would be blocked.
POLP User Accounts
POLP relies on setting up four different types of user accounts:
- Least privileged user accounts (also known as standard user accounts): User accounts with limited access that grant users only what they need to perform their normal job functions.
- Privileged user accounts: User accounts with elevated privileges. For example, while software engineers need access to GitHub for coding and development tasks, members of the sales team don’t need access to GitHub to perform their job functions.
- Shared user accounts: User accounts that are shared between individuals. In some situations, it’s acceptable to have user accounts that are shared among a group of users. For example, guest user accounts may offer bare minimum privileges for freelancers so they can perform basic tasks. Typically, shared user accounts are very limited in nature and serve a distinct function.
- Service accounts: Accounts that aren’t used by people but require privileged access.
No matter the type of POLP user account, organizations should still enforce certain security standards on passwords and monitor for leaked credentials.
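The backup service account described earlier and the four account types above can be expressed as a deny-by-default permission check plus an audit that flags accounts holding more privilege than their job function needs. This is an added example, not code from the original article; the account names, permissions and job functions are constructed for illustration.

```python
# Added example, not from the original article: a deny-by-default permission
# check plus an audit that flags accounts holding more privilege than their job
# function needs. Account names, permissions and job functions are constructed.
from dataclasses import dataclass


@dataclass(frozen=True)
class Account:
    name: str
    kind: str              # "standard", "privileged", "shared" or "service"
    grants: frozenset      # permissions the account currently holds
    needs: frozenset       # permissions its job function actually requires


# Constructed accounts mirroring the article's examples: a backup service
# account that has (wrongly) been allowed to install software, an engineer who
# needs GitHub, a salesperson who does not, and a limited shared guest account.
ACCOUNTS = {
    "backup-svc": Account("backup-svc", "service",
                          frozenset({"read:sensitive-data", "write:backup-store",
                                     "install:software"}),
                          frozenset({"read:sensitive-data", "write:backup-store"})),
    "alice-dev": Account("alice-dev", "privileged",
                         frozenset({"read:github", "write:github"}),
                         frozenset({"read:github", "write:github"})),
    "bob-sales": Account("bob-sales", "standard",
                         frozenset({"read:crm"}), frozenset({"read:crm"})),
    "guest-freelance": Account("guest-freelance", "shared",
                               frozenset({"read:wiki"}), frozenset({"read:wiki"})),
}


def is_allowed(account_name: str, permission: str) -> bool:
    """Deny by default: unknown accounts and ungranted permissions are refused."""
    acct = ACCOUNTS.get(account_name)
    return acct is not None and permission in acct.grants


def excess_privileges(acct: Account) -> frozenset:
    """Grants beyond what the job function needs, i.e. the POLP violation."""
    return acct.grants - acct.needs


def audit(accounts: dict = ACCOUNTS) -> dict:
    """Map each over-privileged account to the grants that should be revoked."""
    return {a.name: sorted(excess_privileges(a))
            for a in accounts.values() if excess_privileges(a)}


def enforce_least_privilege(acct: Account) -> Account:
    """Return a copy of the account with its grants trimmed to its needs."""
    return Account(acct.name, acct.kind, acct.grants & acct.needs, acct.needs)
```

Running `audit()` over these constructed accounts reports only the backup service account, with `install:software` as the grant to revoke.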
Benefits of POLP
The benefits of implementing the principle of least privilege include:
- Data security: Many data breaches happen because bad actors gain access to privileged credentials and then use that access to move through the business with the goal of gaining administrator rights. This technique is known as privilege escalation. Companies that enforce the principle of least privilege can decrease the security risk of privilege escalation.
- System security: If applications have limited access to system-wide actions, cybercriminals can't exploit the vulnerabilities in one application to gain access to other parts of the system, install malware or other malicious code, or spread computer worms.
- Reduced attack surface: By restricting the privileges of employees to just the access they need to perform their job functions, organizations can mitigate the cybersecurity risks posed by insider threats and other attack vectors that could compromise network, data, or information security.
- Improved information security: Data classification is a key part of information security. Enforcing POLP requires companies to understand what data they have, where it resides, and who has access to it, which also helps with digital forensics after a data leak or data breach.
- Better regulatory compliance: Organizations can create more audit-friendly environments by restricting the activities that users can perform to just what they need to perform their job functions. Many regulations, e.g., the Health Insurance Portability and Accountability Act of 1996 and the Payment Card Industry Data Security Standard, require that organizations apply least-privilege policies to improve data security.
- Reduced third-party risk: The principle of least privilege should also apply to organizations’ third-party vendors as they can introduce significant cybersecurity risks into the business. Companies should ask to see third-party vendors’ SOC 2 reports and information security policies.
- Better incident response planning: The principle of least privilege helps organizations understand who has access to what information and when they last accessed it, which can help with incident response.
- Simplified change and configuration management: Whenever a user with admin privileges uses a computer, there’s potential that the user could change the system’s configuration, either intentionally or accidentally. The principle of least privilege minimizes this risk by controlling who can change settings or configurations.
POLP and NIST Compliance
Many regulations and standards require the principle of least privilege as part of their objectives. Notably, becoming NIST 800-171 compliant can be a multi-phase and multi-year process for organizations that handle controlled unclassified information for federal agencies. To become NIST compliant, a company may need to invest in new software products, reconfigure existing systems, implement stronger physical security controls, and develop new internal processes. Specifically, one section of NIST SP 800-171 requires organizations to limit system access to only those who need it to perform their job functions and to ensure they adhere to the principle of least privilege.