Access Governance Best Practices: Least Privilege and Zero Trust

Aidan Simister
6 min read | Published On - August 26, 2020

There’s no doubt that the world of data security is becoming increasingly complex, as IT environments become more distributed and attack techniques become more sophisticated.

Organizations that store large amounts of sensitive data have so many things to think about. They need to make sure that they have a tried and tested incident response plan (IRP) in place.

They need to know what data they have, where it is located, and who has access to the data. They need to ensure that employees are sufficiently trained, and that all software is patched and up-to-date.

They need to implement a wide range of policies that cover access controls (including remote access), device management, backups, on-boarding and off-boarding, and have a profound understanding of the data privacy laws that are relevant to their industry.

I think it’s fair to say, doing what needs to be done to keep our data and systems secure is a bit of a nightmare.

Since providing a comprehensive list of all of the data protection and access best practices is clearly beyond the scope of this article, I will focus on two key areas of data security, namely the Principle of Least Privilege (PoLP) and the Zero-Trust security model.

The Principle of Least Privilege (PoLP)

The principle of least privilege is perhaps one of the simplest ideas relating to the way we protect our data, yet, it’s also one of the most important.

According to one published industry survey, 74% of data breaches start with privileged credential abuse.

The general idea behind PoLP is that users, processes and applications should be granted only the privileges they need to carry out their role, and no more. For example, the web designer doesn’t need access to financial records, and an individual who is responsible for updating the product listings doesn’t need admin rights.

Adhering to PoLP will make it a lot harder for an attacker to gain access to sensitive data by compromising a low-level user account. In addition to minimizing the attack surface, PoLP can help to limit the propagation of malware, prevent accidental changes from affecting other parts of the system, and make it easier to audit changes that take place across the network.

Adhering to PoLP is also a requirement of most data privacy regulations, such as the GDPR.

How to Implement PoLP

The first step toward implementing PoLP would be to carry out a privilege audit. This involves compiling a list of all privileged accounts and checking each one to make sure the privileges it has are necessary. This may involve interviewing the account owners to find out what privileges they need, and for how long. Accounts that have not been used for a long time, or that hold privileges beyond what their role requires, are the usual findings. Naturally, all new accounts should be assigned the least privileges possible by default.

It’s also a good idea to adhere to the just-in-time (JIT) access methodology. With JIT, elevated privileges are not held permanently; they are granted when a user, process or application actually needs them and revoked automatically once the agreed time window has passed, which gives you granular control over how long access to a given resource lasts.

There are various ways that JIT can be implemented. For example, an organization may choose to keep a timetable and manually grant/revoke access accordingly, or they might use an automated system which revokes access to a resource after a given time-frame.

In some cases, accounts are created on-the-fly for a specific purpose. Such accounts can only be used once and are immediately disabled or deleted after use.

Ensuring that all access rights have been hardened is a good start, but you also need to continuously monitor your privileged accounts for any changes that take place.
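The steps above (privilege audit, least privilege by default for new accounts, time-boxed JIT grants, and monitoring for changes) are shown together in the following added example. It is not code from the original article or from Lepide; the role baseline, account names and privilege names are constructed for illustration, and a real audit would pull the inventory from the directory or IAM system instead.

```python
"""Least-privilege audit, JIT grants and change monitoring over a constructed account inventory."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta

# Hypothetical role baseline: the maximum set of privileges each role should ever hold.
# Anything an account holds beyond this is an audit finding.
ROLE_BASELINE = {
    "web_designer": {"cms_edit"},
    "catalog_editor": {"cms_edit", "catalog_write"},
    "finance": {"finance_read", "finance_write"},
    "sysadmin": {"cms_edit", "catalog_write", "finance_read", "server_admin"},
}


@dataclass
class Account:
    name: str
    role: str
    privileges: set
    last_used: datetime
    jit_expiry: dict = field(default_factory=dict)  # privilege -> time it must be revoked


def create_account(name, role, now):
    """New accounts start with no standing privileges; anything they need is granted via JIT."""
    return Account(name, role, set(), now)


def audit_privileges(accounts, now, stale_after=timedelta(days=90)):
    """Flag privileges beyond the role baseline and privileged accounts unused for too long."""
    findings = []
    for acct in accounts:
        allowed = ROLE_BASELINE.get(acct.role, set())
        excess = sorted(acct.privileges - allowed)
        if excess:
            findings.append((acct.name, "excess_privilege", excess))
        if acct.privileges and now - acct.last_used > stale_after:
            findings.append((acct.name, "stale_account", sorted(acct.privileges)))
    return findings


def grant_jit(acct, privilege, ttl, now):
    """Grant a privilege for `ttl` only; the recorded expiry lets revoke_expired remove it."""
    acct.privileges.add(privilege)
    acct.jit_expiry[privilege] = now + ttl


def revoke_expired(accounts, now):
    """Revoke every JIT privilege whose window has elapsed; returns (account, privilege) pairs."""
    revoked = []
    for acct in accounts:
        for priv, expiry in list(acct.jit_expiry.items()):
            if now >= expiry:
                acct.privileges.discard(priv)
                del acct.jit_expiry[priv]
                revoked.append((acct.name, priv))
    return revoked


def snapshot(accounts):
    """Point-in-time copy of who holds what, for the change monitoring below."""
    return {a.name: set(a.privileges) for a in accounts}


def privilege_changes(before, after):
    """Diff two snapshots so every privilege added or removed since the last check is surfaced."""
    changes = []
    for name in sorted(set(before) | set(after)):
        added = sorted(after.get(name, set()) - before.get(name, set()))
        removed = sorted(before.get(name, set()) - after.get(name, set()))
        if added or removed:
            changes.append((name, added, removed))
    return changes


def demo():
    """Constructed inventory: alice and bob hold privileges beyond their roles, carol is dormant."""
    now = datetime(2020, 8, 26, 9, 0)
    accounts = [
        Account("alice", "web_designer", {"cms_edit", "finance_read"}, now - timedelta(days=1)),
        Account("bob", "catalog_editor", {"cms_edit", "catalog_write", "server_admin"}, now - timedelta(days=2)),
        Account("carol", "finance", {"finance_read", "finance_write"}, now - timedelta(days=120)),
        create_account("dave", "catalog_editor", now),
    ]
    findings = audit_privileges(accounts, now)
    before = snapshot(accounts)
    grant_jit(accounts[0], "catalog_write", timedelta(hours=2), now)  # two-hour JIT grant
    changes = privilege_changes(before, snapshot(accounts))           # monitoring sees the grant
    revoked_early = revoke_expired(accounts, now + timedelta(hours=1))  # still inside the window
    revoked_late = revoke_expired(accounts, now + timedelta(hours=3))   # window elapsed
    return findings, changes, revoked_early, revoked_late


if __name__ == "__main__":
    for item in demo():
        print(item)
```

The diff in `privilege_changes` is the piece that turns a one-off audit into continuous monitoring: run it against a fresh snapshot on a schedule and alert on any addition that has no matching JIT grant or approved change.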

Zero-Trust Security

The Zero-Trust model takes a holistic approach to network security: every user and device requesting a resource must prove its identity and be explicitly authorized for that request before access is granted, regardless of whether the request originates inside or outside the corporate network.

Zero-Trust is not a technology, but a methodology that ensures that no one is trusted by default, regardless of who they are or where they are located. The Zero-Trust security model often utilizes micro-segmentation, whereby the network is broken up into small zones, each with its own access policy, so that authenticating to one zone grants nothing in another and an attacker who compromises one segment cannot move freely across the rest of the network.

How to Implement Zero-Trust Security

The first step toward establishing a Zero-Trust security model is making sure that you understand your network architecture.

This includes, keeping an inventory of all users, devices and services. You will also need to know the health of your devices and services, which involves making sure that they are up-to-date and properly configured.

You will need to make sure that you are using a robust authentication mechanism, which in practice means Multi-Factor Authentication (MFA) for every user.

Unlike the traditional username and password system, MFA requires additional factors, such as something you have and/or something you are. In some cases, “something you have” could be as simple as a code that is sent to your mobile phone, which you will be required to enter in order to log in to the network. Bear in mind that codes delivered by SMS are the weakest of these options, as they can be intercepted through SIM swapping or simply phished along with the password, so they should be reserved for low-risk access.

Some services may require more complex solutions, such as a hardware security key, smart card reader or key fob; hardware keys that bind the login to the site being visited are the strongest choice, since a phishing page cannot replay them. In terms of “something you are”, this can include a face, fingerprint or retina scan, or some other type of biometric verification.
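The inventory, device-health and MFA requirements above, together with the micro-segmentation described in the Zero-Trust Security section, come together in a per-request access decision. The following is an added example and is not code from the original article or from Lepide: the users, devices, resources and the “phishing-resistant” factor list are constructed, and a real deployment would read them from the identity provider, device management system and asset inventory.

```python
"""Per-request zero-trust decision: identity, factor, device posture and segment policy, every time."""
from dataclasses import dataclass
from typing import Optional

# Constructed inventories standing in for the IdP, the device-management system and the CMDB.
USERS = {
    "alice": {"role": "finance", "mfa_methods": {"fido2", "totp"}},
    "bob": {"role": "catalog_editor", "mfa_methods": {"sms"}},
    "mallory": {"role": "contractor", "mfa_methods": set()},
}
DEVICES = {
    "lap-01": {"owner": "alice", "managed": True, "patched": True, "disk_encrypted": True},
    "lap-02": {"owner": "bob", "managed": True, "patched": False, "disk_encrypted": True},
    "byod-9": {"owner": "mallory", "managed": False, "patched": True, "disk_encrypted": False},
}
# Micro-segmentation: each resource lives in a segment that carries its own policy.
RESOURCES = {
    "finance-db": {"segment": "finance", "roles": {"finance"}, "min_mfa": "phishing_resistant"},
    "catalog-cms": {"segment": "web", "roles": {"catalog_editor", "web_designer"}, "min_mfa": "any"},
}
# Factors that bind the login to the origin, so a phishing page cannot replay them (assumed set).
PHISHING_RESISTANT = {"fido2", "smartcard"}


@dataclass
class Request:
    user: str
    device: str
    resource: str
    mfa_used: Optional[str]  # factor presented for THIS request, not at some earlier perimeter login


def device_healthy(dev):
    """Device posture check: enrolled, patched and encrypted, as the inventory reports it right now."""
    return dev["managed"] and dev["patched"] and dev["disk_encrypted"]


def decide(req):
    """Return (allowed, reason). Nothing is inherited from network location or previous sessions;
    identity, factor strength, device posture and segment policy are all re-evaluated."""
    user = USERS.get(req.user)
    dev = DEVICES.get(req.device)
    res = RESOURCES.get(req.resource)
    if user is None or dev is None or res is None:
        return False, "unknown user, device or resource"
    if dev["owner"] != req.user:
        return False, "device not enrolled to this user"
    if not device_healthy(dev):
        return False, "device fails health policy"
    if req.mfa_used is None or req.mfa_used not in user["mfa_methods"]:
        return False, "no valid second factor presented"
    if res["min_mfa"] == "phishing_resistant" and req.mfa_used not in PHISHING_RESISTANT:
        return False, "segment requires phishing-resistant MFA"
    if user["role"] not in res["roles"]:
        return False, "role not permitted in segment " + res["segment"]
    return True, "allow"


def evaluate(requests):
    """Decide a batch of requests; returns (user, resource, allowed, reason) per request."""
    return [(r.user, r.resource) + decide(r) for r in requests]


if __name__ == "__main__":
    sample = [
        Request("alice", "lap-01", "finance-db", "fido2"),
        Request("alice", "lap-01", "finance-db", "totp"),
        Request("bob", "lap-02", "catalog-cms", "sms"),
        Request("bob", "lap-01", "catalog-cms", "sms"),
        Request("mallory", "byod-9", "catalog-cms", None),
    ]
    for row in evaluate(sample):
        print(row)
```

Note that the same user on the same device can be allowed into one segment and refused in another (alice with a TOTP code reaches nothing in the finance segment), and that an unpatched device is refused even though bob’s identity and factor are fine: the decision is about the whole request, not just who is asking.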

Okay, so you have a basic understanding of both PoLP and Zero-Trust. However, it’s worth noting that both approaches are closely related.

The principle of least privilege is a core part of the Zero-Trust model; however, the Zero-Trust model is more comprehensive and more stringent. For example, with Zero-Trust the general motto is, “never trust, always verify”.

This makes the Zero-Trust approach more secure.

However, there are some downsides. The Zero-Trust approach is inevitably more complicated and will thus require more time and effort to implement.

You will need to reorganize your policies to reflect the new model and ensure that the transition from your existing access control framework to Zero-Trust goes smoothly, which will take some planning.

With Zero-Trust, every user, device and access path has to be inventoried and brought under explicit policy, so there is a great deal more to manage, and you will need policies for each type of group. Essentially, to determine whether it is worth the additional resources, you will need to carry out a rigorous cost/benefit analysis.

If you’d like to see how the Lepide Data Security Platform can help you implement least privilege or zero trust through data classification, access governance and user behavior analytics – schedule a demo with one of our engineers today.

Aidan Simister

Having worked in the IT industry for a little over 22 years in various capacities, Aidan is a veteran in the field. Specifically, Aidan knows how to build global teams for security and compliance vendors, often from a standing start. After joining Lepide in 2015, Aidan has helped contribute to the accelerated growth in the US and European markets.