In the Identity Defined Security Alliance’s (IDSA) 2024 Trends in Identity Security report, granting privileged access in line with the principle of least privilege came second, only behind multi-factor authentication, as the security outcome that surveyed leaders are most engaged in. Least privilege, as a paradigm in security, aims to reduce access privileges across the organization to the minimal amount needed to get work done. This approach is accepted as a best practice for security teams in any industry.
The IDSA report found that 41% of respondents have implemented some kind of system for granting privileged access in line with least privilege, while another 40% say that they are currently in the process.
Least privilege has long been a focus for security leaders, but the rise in prominent breaches involving excessive access privileges means the C-suite now has no choice but to take the issue seriously. Action here is vital, yet implementing effective practices, policies and processes that actually achieve least privilege can be a significant challenge.
The Five Biggest Challenges to Implementing Just-in-Time, Just Enough Privilege
Through our work with leading enterprises, we have found five key challenges security teams face when implementing least privilege:
- Existing privileges are unknown – despite security and IT teams’ best efforts in periodic access reviews, the fact is that many access privileges simply are not being monitored and are therefore unknown.
- Too many identities, resources, and privileges in the cloud – the number of identities continues to grow and is made more complicated by the volume of cloud applications and third-party services, each of which has its own set of credentials and access privileges to manage.
- Risky privileges can have unforeseen consequences – because cloud services are interconnected (group membership, role assumption, service-to-service trust), users can quickly find themselves able to reach resources that no policy explicitly grants them, producing a wider-than-expected blast radius for a malicious insider or a compromised account to exploit. Every unneeded access path an organization keeps is risk it is carrying, and in the worst cases these paths chain into rapid privilege escalation for a threat actor.
- Excessive privilege provisioning – there is a common tendency to over-provision access privileges to users who never end up using most of them. Commonly cited industry estimates put actual privilege usage at roughly 5% of what is provisioned, meaning that most users never touch about 95% of the access they hold.
- User needs are dynamic – users need to be able to quickly gain access to resources depending on business needs, resources, and, of course, user contexts. Updating these policies at a pace that makes them workable is extremely difficult to manage manually.
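The second and third challenges above (unknown privileges and unexpected reach through interconnected services) are easiest to see on a graph. The following is an added example, not code from the original article: it walks a small constructed identity graph with group membership and role-assumption edges, compares what a periodic access review sees (the principal's own direct grants) with what the principal can actually reach by chaining, and reports the hidden paths. The edge names and the principals, groups and resources are all invented for illustration and do not model any particular cloud provider's semantics.

```python
"""Transitive access-path discovery over a constructed identity graph.

Added example, not from the original article. The edges below are
constructed for illustration; the relation names loosely mirror common
cloud patterns but do not model any specific provider.
"""
from collections import deque

# Constructed edges: (subject, relation, object). Not real data.
EDGES = [
    ("alice", "member_of", "analysts"),
    ("analysts", "can_read", "reports-bucket"),
    ("analysts", "can_assume", "etl-role"),
    ("etl-role", "can_read", "customer-db"),
    ("etl-role", "can_assume", "admin-role"),   # role chaining: the risky edge
    ("admin-role", "can_write", "prod-secrets"),
    ("bob", "can_read", "reports-bucket"),
]

# Relations that grant access to a resource directly.
DIRECT_RELATIONS = {"can_read", "can_write"}
# Relations that let the subject act as the object (transitive reach).
INHERIT_RELATIONS = {"member_of", "can_assume"}


def build_graph(edges):
    """Adjacency list: subject -> [(relation, object), ...]."""
    graph = {}
    for subj, rel, obj in edges:
        graph.setdefault(subj, []).append((rel, obj))
    return graph


def direct_access(principal, edges):
    """What a review that reads only the principal's own policy records."""
    return {(rel, obj) for subj, rel, obj in edges
            if subj == principal and rel in DIRECT_RELATIONS}


def effective_access(principal, edges):
    """Everything the principal can reach by chaining group membership and
    role assumption. Returns {(relation, resource): path}, where path is the
    shortest chain found (breadth-first search guarantees that)."""
    graph = build_graph(edges)
    reached = {}
    seen = {principal}
    queue = deque([(principal, [principal])])
    while queue:
        node, path = queue.popleft()
        for rel, obj in graph.get(node, []):
            if rel in DIRECT_RELATIONS:
                reached.setdefault((rel, obj), path + [f"{rel}:{obj}"])
            elif rel in INHERIT_RELATIONS and obj not in seen:
                seen.add(obj)
                queue.append((obj, path + [f"{rel}:{obj}"]))
    return reached


def hidden_access(principal, edges):
    """Effective access that the direct-grant view misses entirely."""
    direct = direct_access(principal, edges)
    return {k: v for k, v in effective_access(principal, edges).items()
            if k not in direct}


if __name__ == "__main__":
    for who in ("alice", "bob"):
        print(f"{who}: direct grants = {sorted(direct_access(who, EDGES))}")
        for (rel, res), path in sorted(hidden_access(who, EDGES).items()):
            print(f"  hidden {rel} {res} via {' -> '.join(path)}")
```

Run as-is, alice shows no direct grants at all yet can write to prod-secrets through analysts, etl-role and admin-role; bob's direct view and effective view agree. On real inventories the edge list comes from the identity provider and each cloud's policy evaluation, and the interesting output is the set of hidden paths that end at high-value resources.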
Planning an Effective Rollout to Overcome These Challenges
It benefits security leaders to adhere to a set of principles when implementing least privilege access within their organizations. The goal is to develop processes that are flexible enough to handle all necessary access without creating dozens of policies, aiming to be dynamic enough to utilize context from users, resources, and other elements so that policies can adapt to access needs. Security teams that are in the process of implementing least privilege should consider the following framework:
- Discover and understand your resources – security teams should establish a continuous process of discovery. Cloud resources are always changing, and these changes affect what is available to users. Continuous discovery allows resource changes to be reflected smoothly and quickly in the organization's policies.
- Shut off existing access – as noted, discovering every existing access path to every resource can be exceedingly difficult, so the safest way to eliminate forgotten and unknown access paths is to start from a blank slate. This doesn't have to be dramatic, cutting off all access for everyone at once: rolling the change out team by team minimizes disruption. Teams should also approach the change conscientiously, working closely with all affected employees and allowing a grace period while they get up to speed on the new procedures.
- Implement Zero-Standing Privileges – from the starting point, security teams can roll out access privileges that are scoped and time-based. During this rollout, and considering risk tiering, security teams should define which buckets of resources will not require access requests. For all other resources that will require just-in-time access, teams should process requests based on the following factors:
- Who needs the access
- When they need it
- For how long
- How quickly they need to receive it
From here, security teams should require a human to manually approve the most sensitive requests, while lower-risk access to frequently used resources is approved automatically for users who match the policy requirements. Teams should also decide in advance how they will handle incident response scenarios, where sensitive access must be granted quickly to meet SLA requirements without silently becoming standing access.
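The rollout steps above (a pre-approved bucket of resources that needs no request, time-bounded just-in-time grants for everything else, automatic approval where the requester matches policy, human approval for the most sensitive tier, and a fast path for incident response) fit naturally into a single policy-evaluation function. The following is an added example written for this article, not a product's or the author's code: it assumes an inventory in which each resource carries a risk tier, a "standing" flag and a maximum grant length, and the auto-approval groups, tier ceilings and 15-minute break-glass window are illustrative policy choices, not recommendations from the text.

```python
"""Risk-tiered just-in-time access evaluation.

Added example, not from the original article. Resource tiers, group
mappings and time limits are constructed policy choices for illustration.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import Optional


@dataclass(frozen=True)
class Resource:
    name: str
    tier: str                       # "low" | "medium" | "high"
    standing: bool = False          # True: pre-approved bucket, no request needed
    max_grant: timedelta = timedelta(hours=8)   # ceiling on "for how long"


@dataclass(frozen=True)
class Request:
    principal: str                  # who
    groups: frozenset               # what policy the requester can match
    resource: str
    duration: timedelta             # for how long (requested)
    justification: str = ""
    incident_id: str = ""           # non-empty: break-glass during an incident


@dataclass
class Decision:
    outcome: str                    # "standing" | "auto" | "manual" | "break_glass" | "deny"
    expires_at: Optional[datetime] = None
    reasons: list = field(default_factory=list)


# Constructed inventory; in practice tiers come from discovery and classification.
RESOURCES = {
    "wiki": Resource("wiki", "low", standing=True),
    "staging-db": Resource("staging-db", "low", max_grant=timedelta(hours=8)),
    "customer-db": Resource("customer-db", "medium", max_grant=timedelta(hours=2)),
    "prod-secrets": Resource("prod-secrets", "high", max_grant=timedelta(minutes=30)),
}
# Groups eligible for automatic approval per tier (illustrative). No entry for
# "high": that tier always goes to a human approver.
AUTO_APPROVE = {"low": {"engineers", "analysts"}, "medium": {"sre"}}
BREAK_GLASS_GRANT = timedelta(minutes=15)


def evaluate(req: Request, now: datetime, resources=RESOURCES) -> Decision:
    """Decide a JIT request. Every granted outcome carries an expiry so that
    nothing becomes standing access by accident."""
    res = resources.get(req.resource)
    if res is None:
        return Decision("deny", reasons=["unknown resource"])
    if res.standing:
        return Decision("standing", reasons=["pre-approved bucket, no request needed"])

    # Enforce "for how long": clamp to the tier ceiling, never extend.
    duration = min(req.duration, res.max_grant)
    reasons = []
    if duration < req.duration:
        reasons.append(f"duration clamped to {res.max_grant}")

    # Incident response: fast, short, and always with a justification on record.
    if req.incident_id:
        if not req.justification:
            return Decision("deny", reasons=["break-glass requires justification"])
        grant = min(duration, BREAK_GLASS_GRANT)
        return Decision("break_glass", now + grant,
                        reasons + [f"incident {req.incident_id}; post-hoc review required"])

    if res.tier == "high":
        return Decision("manual", None, reasons + ["high tier always needs a human approver"])
    if req.groups & AUTO_APPROVE.get(res.tier, set()):
        return Decision("auto", now + duration, reasons + ["requester group matches policy"])
    return Decision("manual", None, reasons + ["no auto-approve policy for requester"])


if __name__ == "__main__":
    now = datetime.now(timezone.utc)
    sample = [
        Request("alice", frozenset({"engineers"}), "staging-db", timedelta(hours=24)),
        Request("alice", frozenset({"engineers"}), "prod-secrets", timedelta(minutes=10)),
        Request("oncall", frozenset({"sre"}), "prod-secrets", timedelta(hours=1),
                justification="rotating leaked credential", incident_id="INC-0001"),
        Request("bob", frozenset({"analysts"}), "wiki", timedelta(hours=1)),
    ]
    for r in sample:
        d = evaluate(r, now)
        print(f"{r.principal:>7} -> {r.resource:<12} {d.outcome:<12} "
              f"expires={d.expires_at} {'; '.join(d.reasons)}")
```

Two design points worth noting: the requested duration is clamped rather than rejected, so a user who asks for a day on a low-tier resource still gets the eight-hour maximum without a round trip; and the break-glass path does not bypass the expiry or the justification, it only removes the human from the approval step, which is what keeps incident-response access from quietly turning back into standing privilege.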
While the exact set of obstacles may differ from company to company when rolling out least privilege within their organization, this framework will help overcome the most common difficulties. Even though the path to least privilege can seem daunting given the sheer scale of the challenge, it is a journey worth undertaking for an organization’s security. Embracing a just-in-time and just-enough privilege approach that harnesses context and automation can remove the tension between security and productivity, enabling teams to run faster without compromising on security standards.