Privilege separation is a technique used to segregate parts of an IT environment based on its users and their roles. For example, imagine if a user downloaded a malicious program, such as a ransomware application. If that particular user was logged in as an administrator, the ransomware application would effectively have the same privileges as that user. Obviously, this could have disastrous consequences.
Privilege separation is achieved by enforcing the “principle of least privilege“, which is based on the principle that users should only have access to the resources they need to be able to adequately perform their duties. However, it should also be noted that PoLP can also be applied to applications, peripherals and system processes.
Before PoLP can be enforced, we must first establish a clear understanding of what data we have, and where that data is located. Most organizations have data scattered all over the place, and to manually sift through many years of archived data would be a slow and cumbersome task. A better approach would be to use a commercial data discovery and classification tool, which can automatically discover and classify a wide range of data types such as PII, PCI, and PHI.
Once we know where our sensitive data is located, we can begin to assign access controls to this data. There are basically two approaches we can take: Role-Based Access Control (RBAC) and Attribute-Based Access Control (ABAC). The main difference between RBAC and ABAC is that ABAC offers more granular control over who can access what. However, more often than not, Role-Based Access Control is sufficient.
There are many types of roles that can be set up, and these roles will vary from company to company. For example, they may include administrators, owners, contributors, readers, backup operators, and so on. Additionally, these roles could be linked with other categories such as department and physical location. Once we have mapped out the roles and their access rights, we can then assign users to these roles. As mentioned previously, we would need to follow the same process for applications, peripherals and system processes.
Of course, this is all well and good, but privilege separation isn’t much use if we don’t have a means of documenting changes to these privileges, and privileges can be subject to change due to a number of different reasons. Perhaps someone receives a promotion or moves to another department/branch.
Alternatively, an attacker may find their way into the system and seek to escalate their privileges in order to gain access to a company’s sensitive data. In which case, we need a way to monitor undocumented changes to privileges in real-time. To handle such eventualities, companies must use a permission change analysis and auditing solution to detect both unauthorized and unexpected changes in permissions.
Solutions such as LepideAuditor provide an intuitive dashboard where we can review current permissions, including details about when they were changed, and by whom. They can detect, alert and respond to suspicious permission changes in real-time, as well as provide customized reports, which can be used to satisfy regulatory compliance requirements. On occasions, privileges need to be revoked, such as when an employee leaves an organization. After all, if they left on bad terms, allowing them continued access to the network could be a costly mistake.