Principle of Least Privilege: What, Why, and Best Practices

September 12, 2019
Written by
Sam Bocetta
Opinions expressed by Twilio contributors are their own


When it comes to cybersecurity, organizations and IT teams have a series of important and strategic decisions to make in the effort to prevent fraud and network breaches. One of the most important moves is to enact an access control policy that ensures normal operation continues uninhibited while also protecting against the threat of attack.

Security experts increasingly rely on a tactic known as the Principle of Least Privilege (POLP).

The Principle of Least Privilege dictates that access should always be restricted to the lowest level possible for requirements to be met. This extends to every level of systems and infrastructure, including users, applications, and hardware.

Let’s explore the deeper aspects  of the POLP and the reasons why it has become a leading security strategy.

Security and Stability

Every piece of technology within an enterprise – along with every person using the technology – represents a security risk to the larger organization. Through phishing attacks or social engineering, hackers can gain access to internal systems. If the POLP practice regarding proper role management isn’t followed, it can result in disaster.

Take for example a user who has admin credentials to a back-end database. They might only need to run reports from the system, but an administrator decided it was easier to give them full access. If their account were compromised, it could result in hackers stealing large amounts of information in a large-scale data breach.

Conversely with a POLP strategy, that user would receive read-only access to the exact portions of the database they needed to use to print their reports. All other requests for access would have to be submitted with a rationale.

The POLP when under attack

POLP proves its value in a time of crisis. When a computer or server is infected with a virus, the first thing a hacker will typically try to do is to spread the malware across the network to other devices.

This strategy is especially common with ransomware, which often arrives via a preventable phishing scam and tries to extort cash payments in exchange for removing viruses. If systems only have the minimum access needed, it makes it easier for disaster recovery teams to isolate the malware and stop the spread.

The POLP protects against bad internal actors

IT security teams within an organization spend much of their time studying and preparing for external attacks from cybercriminals. But in reality, internal threats are just as serious and often even more damaging. Internal incidents may be executed on purpose and may even occur by complete accident.

POLP ensures that internal users are restricted in what sort of changes they can make, which boosts the overall security of the organization.

Classification and Auditing

One risk for many companies is presence of more devices— and data— on their network than they realize. This can happen both in large enterprises and small businesses because of the effort required to track and maintain equipment. POLP can partner with a strong asset management policy to keep things running smoothly.

The POLP approach helps IT leaders identify and classify all of the resources within their organization, including people, software, tools, data, and equipment. Every element should be tagged with an appropriate naming convention and then have its current access levels documented. Any changes to access should be reviewed by IT leadership and only authorized when necessary.

Balancing risks and resources

It might seem like a lot of work to maintain eyes over every piece of your network and infrastructure, but in fact it can save you time and money in the long run when compared to the fallout from a data breach or malware infestation. Balancing time spent in maintenance of existing access control systems against time spent responding to active incidents can be a challenge, but this is where POLP has its greatest advantage.

By only granting increased access rights when a specific request is made, the access granted to individual users and teams will automatically be at the lowest level of privilege required to perform basic functions. As a result, implementing a POLP system reduces time spent in frequent audits of access levels. In some senses, POLP systems are self-regulating, since teams and users are encouraged to request extra access when it is required. This means that, most of the time, IT staff can rest assured that access levels are sufficiently restricted.

And, if (or when) a cybersecurity incident does occur, requests for heightened access can (temporarily) be put on hold. This gives IT teams time to respond to incidents without having to worry about teams having high-level access to the systems under attack.

All this said, regular audits should also be performed in order to stay compliant with international standards. All companies should conduct periodic internal internal audits and be open to external auditors as well. By maintaining access classifications in a POLP system, this task can be made much more painless, since access will be at the lowest level that is practical for each team to perform their assigned tasks.

Best Practices for POLP

Believing in the POLP strategy is easy but actually integrating it into your organization can be a challenge. That goes especially if you have a large amount of legacy data and systems with disparate access settings.

However, cybersecurity professionals have recommended a number of best practices have to get started.

1. Communication is key

When rolling out a POLP system, it's important to distribute information about the strategy to the wider organization. Scheduling training sessions can be very effective in helping individual users understand the value in the principle.

If communication around policy changes is poor, people can resent the changes and even try to circumvent security policies.

2. Favor one-time access elevation

The organization needs to be prepared for instances where one-off access elevations are required.

For example, during an emergency outage certain users may need higher rights. In cases like these, the IT security team should issue the permission change at the exact moment needed and be ready to revoke access as soon as possible.

3. Plan for a Brave New Password world

In addition to auditing access levels, you should track individual actions on systems as well – including logins and logouts. If you still allow network users to create and manage their own passwords, stop.

The best way to generate the kind of complex login barrier to withstand modern hacker methods is with strong password management software that operates on the Advanced Encryption Standard (AES) in Galois Counter Mode (GCM) with 256 bit randomly generated keys.

4. Promptly revoke permissions and access.

One place where many companies get into trouble is by not revoking user permissions as soon as an individual leaves the organization.

Your company needs to initiate off-boarding processes at the appropriate time and pass them to your IT team to reduce the risk of a former employee causing damage.

Final Thoughts on the Principle of Least Privilege

In order to run a successful enterprise, individual users need to be able to access the data, networks, and systems that are part of their job. However, giving people too much access can be severely damaging.

The concept of POLP reduces the risk by limiting access to the lowest level necessary.

As a final thought, in 2017 Thycotic ran a survey among known hackers and discovered that targeting administrative accounts is the best way to launch a larger attack. Leaving an organization exposed to threat threat is irresponsible at best and is likely to lead to trust issues with customers. POLP is now critical to modern cybersecurity.

Sam Bocetta is a freelance journalist specializing in U.S. diplomacy and national security, with emphasis on technology trends in cyberwarfare, cyberdefense, and cryptography. He can be reached here on LinkedIn.