The principle of least privilege (PoLP) stipulates that every user should be granted only the privileges they need to carry out their role, and it is arguably one of the most important principles of data security.
PoLP helps to minimize the attack surface – limiting the amount of damage that can be caused were an attacker to gain access to a set of credentials. Likewise, PoLP helps to protect against both negligent and malicious insiders.
As governments across the globe introduce their own stringent data privacy regulations, a failure to adequately restrict access to personal data can result in costly lawsuits and fines.
What is the Principle of Least Privilege?
In theory, PoLP is very straightforward. All identities – both human and non-human – must be granted the least privileges they need, for the least amount of time possible. However, there’s a big difference between the theory and the practice.
Trying to figure out what privileges each user (or group of users) should have on a centralized, self-hosted network is a challenge in itself. With IT environments becoming increasingly complex, distributed and dynamic, the challenge is becoming much greater.
These days, many IT environments are spread across multiple cloud platforms, each with their own access control mechanisms, event logs and auditing capabilities. As a result, security teams are often left scratching their heads trying to figure out what data they have, where it is located, who should have access to it, and for how long.
Restricting access rights needs to be done with a high level of precision, not just for the sake of securing sensitive data, but also to ensure that employees are able to adequately perform their role without unnecessary restrictions. It’s fair to say that your employees won’t be too impressed if they are constantly having to badger the IT department for access to the data they need, and it won’t be much fun for the IT department either.
Tips for implementing Least Privilege in the cloud
Assigning the appropriate access controls requires some initial housekeeping, which includes locating your critical assets and removing any redundant data and accounts. When implementing the principle of least privilege in the cloud, ideally you should use a single Identity and Access Management (IAM) solution, and a single solution for monitoring permissions. Your chosen auditing solution should be able to aggregate and correlate event logs from multiple cloud platforms, as well as hybrid environments.
1. Discover & classify your sensitive data
Perhaps the best place to start is to ensure that we know exactly what sensitive data we have, and where it is located. Most popular cloud platforms provide data classification services, including AWS (Amazon Macie), Azure (Microsoft Purview) and Google Cloud (Sensitive Data Protection, formerly Cloud DLP). However, for multi-cloud or hybrid environments, there are third-party solutions which will scan your local and remote repositories and automatically discover and classify sensitive data as it is found. Some solutions can also classify sensitive data at the point of creation. It is always good practice to make sure that any redundant data is removed before attempting to implement PoLP: data you no longer hold needs no access rights at all. Establishing a thorough understanding of what data you have makes the process of assigning access rights considerably easier.
2. Implement Role-Based Access Control (RBAC)
A common technique used to simplify the process of setting up PoLP is Role-Based Access Control (RBAC). Instead of trying to assign access rights to specific individuals, you define a comprehensive set of roles, each with its respective privileges, and assign users to those roles according to their job function. While RBAC is arguably less granular than assigning access rights on a per-user basis, it is generally more secure as it is less prone to error: a mistake in a role is visible and fixable in one place, whereas a mistake in one user's individual permissions tends to go unnoticed. Most popular cloud platforms provide role-based access control, including AWS (IAM roles and policies), Azure (Azure RBAC role assignments) and Google Cloud (IAM roles). Note that the privileges a role carries still have to be scoped carefully; a role whose policy grants wildcard access is no better than an over-privileged user.
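As an added example (it is not code from the article or from Lepide), the following check inspects a role's AWS IAM policy document for statements that are wider than least privilege permits. The two policy documents are constructed for illustration; the statement grammar (Effect, Action, Resource, each a string or a list, with `*` wildcards) follows AWS IAM, but the list of escalation-prone services and the wording of the findings are the example's own assumptions.

```python
"""Least-privilege check for an AWS-style IAM policy document.

Added example, not from the original article or Lepide. The policy
documents are constructed; the statement shape follows the AWS IAM
policy grammar. PRIVILEGE_ESCALATION_SERVICES is an assumption.
"""
import json

# Constructed: an over-broad policy of the kind often attached to a "developer" role.
BROAD_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": "s3:*", "Resource": "*"},
        {"Effect": "Allow", "Action": ["iam:*"], "Resource": "*"},
    ],
})

# Constructed: the same role scoped to what the job actually needs.
SCOPED_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": ["s3:GetObject", "s3:PutObject"],
            "Resource": "arn:aws:s3:::example-app-uploads/*",
        },
        {
            "Effect": "Allow",
            "Action": "s3:ListBucket",
            "Resource": "arn:aws:s3:::example-app-uploads",
        },
    ],
})

# Assumed: services where a full wildcard lets the holder mint new privileges.
PRIVILEGE_ESCALATION_SERVICES = {"iam", "sts", "organizations"}


def _as_list(value):
    """IAM allows a single string/object or a list for Statement, Action and Resource."""
    if value is None:
        return []
    if isinstance(value, (str, dict)):
        return [value]
    return list(value)


def find_overbroad_statements(policy_json):
    """Return (statement_index, reason) for every Allow statement wider than PoLP permits."""
    policy = json.loads(policy_json)
    findings = []
    for idx, stmt in enumerate(_as_list(policy.get("Statement"))):
        if stmt.get("Effect") != "Allow":
            continue  # a broad Deny narrows access rather than widening it
        if "NotAction" in stmt:
            findings.append((idx, "NotAction allows every action except the ones listed"))
        if "NotResource" in stmt:
            findings.append((idx, "NotResource applies to every resource except the ones listed"))
        for action in _as_list(stmt.get("Action")):
            action = action.lower()  # IAM matches action names case-insensitively
            if action == "*":
                findings.append((idx, "Action '*' grants every API call"))
            elif action.endswith(":*"):
                service = action.split(":", 1)[0]
                if service in PRIVILEGE_ESCALATION_SERVICES:
                    findings.append((idx, f"Action '{action}' allows privilege escalation"))
                else:
                    findings.append((idx, f"Action '{action}' grants the whole {service} service"))
        if "*" in _as_list(stmt.get("Resource")) and "Condition" not in stmt:
            findings.append((idx, "Resource '*' with no Condition applies to every resource"))
    return findings


if __name__ == "__main__":
    for name, doc in (("broad", BROAD_POLICY), ("scoped", SCOPED_POLICY)):
        print(name, find_overbroad_statements(doc))
```

The broad document produces four findings (two per statement) and the scoped one none. The check is deliberately narrow: it does not evaluate Condition blocks, permission boundaries or partial wildcards such as `s3:Get*`, so treat it as a first pass before a platform tool such as IAM Access Analyzer's policy validation.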
3. Identify and remove inactive user accounts
You will need to ensure that any inactive user accounts are identified and removed before implementing PoLP. This applies to non-human identities too: unused service accounts, API keys and access tokens are easy to forget. Since inactive accounts are rarely monitored, attackers often target them, as a dormant but valid identity offers persistent access to the network with less risk of getting caught.
4. Monitor privileged accounts in real-time
You will need to ensure that you have as much visibility as possible into who is already accessing what data, and when. Many real-time auditing solutions use machine learning techniques to monitor user behavior and establish usage patterns which can be tested against in order to identify anomalies. Once you have an understanding of each user's behavioral patterns, you can use this information as a guide to determine what data each user should have access to: if a user has only ever read from one share, that is the access their role needs, and anything beyond it is a candidate for removal.
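Steps 3 and 4 both rest on the same audit data, so here is one added example (not code from the article or from Lepide) that works through both: it parses a constructed access log, flags accounts that have been idle past a threshold, learns a per-user baseline of which resources each identity touches, reports accesses outside that baseline, and derives the set of (action, resource) pairs each identity has actually used as a starting point for its least-privilege grant. The account inventory, log lines, log format (ISO-8601 timestamp, principal, action, resource, comma-separated), the 90-day idle threshold and the fixed "now" are all assumptions made for the example.

```python
"""Inactive-account detection and per-user access baselines from an audit log.

Added example, not from the original article or Lepide. The inventory,
log lines, log format, idle threshold and the fixed NOW are constructed.
"""
from collections import defaultdict
from datetime import datetime, timezone

# Constructed inventory: principal -> creation date (human and non-human identities).
ACCOUNTS = {
    "alice": "2024-01-10",
    "bob": "2024-01-10",
    "carol": "2024-02-01",         # created but never used
    "contractor-7": "2024-02-01",  # contract ended in March
    "svc-backup": "2024-01-15",
}

# "Now" is pinned so the results are reproducible.
NOW = datetime(2024, 6, 30, tzinfo=timezone.utc)

# Constructed audit log: timestamp,principal,action,resource
LOG_LINES = """\
2024-06-28T02:00:00Z,svc-backup,GetObject,s3://finance-reports/q2.xlsx
2024-06-28T02:00:05Z,svc-backup,GetObject,s3://engineering-docs/design.md
2024-06-28T09:12:03Z,alice,GetObject,s3://finance-reports/q2.xlsx
2024-06-28T09:15:41Z,alice,GetObject,s3://finance-reports/q1.xlsx
2024-06-29T10:02:11Z,alice,GetObject,s3://finance-reports/q2.xlsx
2024-06-29T11:30:00Z,bob,GetObject,s3://engineering-docs/design.md
2024-06-29T11:31:07Z,bob,PutObject,s3://engineering-docs/design.md
2024-03-02T08:00:00Z,contractor-7,GetObject,s3://engineering-docs/spec.md
2024-06-30T02:00:00Z,svc-backup,GetObject,s3://finance-reports/q2.xlsx
2024-06-30T02:00:05Z,svc-backup,GetObject,s3://engineering-docs/design.md
2024-06-30T03:15:00Z,bob,GetObject,s3://finance-reports/q2.xlsx
"""


def parse_log(text):
    """Return a list of (timestamp, principal, action, resource) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, principal, action, resource = line.split(",")
        when = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        events.append((when, principal, action, resource))
    return events


def inactive_accounts(accounts, events, now, max_idle_days=90):
    """Accounts idle for more than max_idle_days, measured from last activity
    or, for accounts that never appear in the log, from their creation date."""
    last_seen = {}
    for when, principal, _, _ in events:
        if principal not in last_seen or when > last_seen[principal]:
            last_seen[principal] = when
    stale = {}
    for principal, created in accounts.items():
        reference = last_seen.get(principal) or datetime.fromisoformat(created).replace(tzinfo=timezone.utc)
        idle_days = (now - reference).days
        if idle_days > max_idle_days:
            stale[principal] = {"last_seen": last_seen.get(principal), "idle_days": idle_days}
    return stale


def build_baseline(events, cutoff):
    """Resources each principal touched before `cutoff` (the learning window)."""
    seen = defaultdict(set)
    for when, principal, _, resource in events:
        if when < cutoff:
            seen[principal].add(resource)
    return dict(seen)


def find_anomalies(events, baseline, cutoff):
    """Accesses at or after `cutoff` to a resource the principal had never touched."""
    return [(when, principal, action, resource)
            for when, principal, action, resource in events
            if when >= cutoff and resource not in baseline.get(principal, set())]


def observed_permissions(events):
    """Per principal, the (action, resource) pairs actually used: the usage-based
    least-privilege grant to compare against what the account currently holds."""
    perms = defaultdict(set)
    for _, principal, action, resource in events:
        perms[principal].add((action, resource))
    return dict(perms)


if __name__ == "__main__":
    evts = parse_log(LOG_LINES)
    print("inactive:", inactive_accounts(ACCOUNTS, evts, NOW))
    base = build_baseline(evts, NOW)
    print("anomalies:", find_anomalies(evts, base, NOW))
    print("observed permissions:", observed_permissions(evts))
```

On the constructed data, contractor-7 (last seen in March) and carol (never used) are flagged as inactive, bob's first-ever read of a finance report on 30 June is reported as an anomaly because his baseline only contains the engineering share, and alice's observed permissions are read-only on two finance files, which is what her role's grant should be reduced to. In a real deployment the learning window needs to be long enough to cover periodic activity such as month-end jobs, otherwise legitimate but infrequent access shows up as anomalous.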
5. Implement dynamic access controls and Just In Time (JIT) access
Of course, there are times when a user may need access to assets which they don’t normally need access to. For obvious reasons, we cannot simply grant access to a user just because they ask for it. There needs to be a formal process to determine the legitimacy of their request.
We also need to ensure that we trust the individual(s) who are approving the request. In some cases, especially when implementing PoLP, administrators may need to conduct a face-to-face interview with certain privileged users to gain a deeper insight into what data they need access to, and why.
All access requests, along with their approval status, must be recorded and monitored. The record should include information about the user who made the access request, as well as the user who approved/denied the request. The record should also include details about the date and time of the request/approval, the devices used, and any other relevant information.
Just In Time (JIT) access is the process that enables organizations to grant access to resources for a limited period of time. It is not advisable to implement JIT manually, as humans are prone to error and are likely to forget to revoke access once the task is done.
Instead, you should use an automated solution which will either raise an alert when the access rights are due to expire, or simply revoke access automatically. Many Data Security Platforms allow organizations to detect and respond to events that match a pre-defined threshold condition or spot anomalies in user behavior and trends – including when a user’s access is due to be revoked. For example, after a given amount of time an alert can be raised or a script can be executed which will revoke the privileges for a given user (or role).
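The process described in this section, as an added example that is not code from the article or from Lepide's product: a small in-memory JIT ledger that records each request with requester, justification, device and timestamps, refuses approvals from the requester themselves or from anyone not on the resource's approver list, caps the grant duration, derives "does this user have access right now" from the ledger rather than from a separately maintained flag, raises the list of grants about to expire for an alert, and revokes expired grants automatically through a hook. The resource names, approver lists, device identifier and eight-hour ceiling are constructed; the revoke hook stands in for whatever call removes the binding in your IAM system.

```python
"""Just-in-time access ledger: recorded requests, approvals and automatic expiry.

Added example, not from the original article or from Lepide. APPROVERS,
MAX_GRANT and all names in the demo are constructed for illustration.
"""
from dataclasses import asdict, dataclass
from datetime import datetime, timedelta, timezone
from typing import Callable, List, Optional, Tuple

# Constructed: who is trusted to approve elevation to each resource.
APPROVERS = {
    "s3://finance-reports": {"cfo", "finance-lead"},
    "s3://engineering-docs": {"eng-manager"},
}
MAX_GRANT = timedelta(hours=8)  # assumed policy ceiling on any single grant


@dataclass
class AccessRequest:
    """One row of the audit record: who asked, who decided, when, from which device."""
    request_id: int
    requester: str
    resource: str
    justification: str
    device: str
    requested_at: datetime
    duration: timedelta
    approver: Optional[str] = None
    decision: Optional[str] = None      # "approved" or "denied"
    decided_at: Optional[datetime] = None
    expires_at: Optional[datetime] = None
    revoked_at: Optional[datetime] = None

    def is_live(self, now: datetime) -> bool:
        return self.decision == "approved" and self.revoked_at is None and now < self.expires_at


class JitLedger:
    def __init__(self, revoke_hook: Optional[Callable[[str, str], None]] = None):
        self.requests: List[AccessRequest] = []
        self.revoke_calls: List[Tuple[str, str]] = []
        # The default hook only records the call; a real one would call the IAM API.
        self._revoke = revoke_hook or (lambda user, res: self.revoke_calls.append((user, res)))

    def request(self, requester, resource, justification, device, duration, now) -> AccessRequest:
        req = AccessRequest(len(self.requests) + 1, requester, resource, justification,
                            device, now, min(duration, MAX_GRANT))  # cap, never extend
        self.requests.append(req)
        return req

    def decide(self, req, approver, approve, now) -> AccessRequest:
        """Record the decision; only a trusted approver other than the requester may make it."""
        if req.decision is not None:
            raise ValueError(f"request {req.request_id} already decided")
        if approver == req.requester:
            raise ValueError("requester cannot approve their own request")
        if approver not in APPROVERS.get(req.resource, set()):
            raise ValueError(f"{approver} is not an authorised approver for {req.resource}")
        req.approver, req.decided_at = approver, now
        req.decision = "approved" if approve else "denied"
        if approve:
            req.expires_at = now + req.duration
        return req

    def has_access(self, requester, resource, now) -> bool:
        """Derived from the ledger, so an expired grant is never honoured even
        if the revocation sweep has not run yet."""
        return any(r.requester == requester and r.resource == resource and r.is_live(now)
                   for r in self.requests)

    def expiring_within(self, now, window) -> List[int]:
        """IDs of live grants due to expire inside `window`, for the warning alert."""
        return [r.request_id for r in self.requests
                if r.is_live(now) and r.expires_at <= now + window]

    def revoke_expired(self, now) -> List[int]:
        """Automatic sweep: revoke every approved grant whose expiry has passed."""
        revoked = []
        for r in self.requests:
            if r.decision == "approved" and r.revoked_at is None and r.expires_at <= now:
                self._revoke(r.requester, r.resource)
                r.revoked_at = now
                revoked.append(r.request_id)
        return revoked


if __name__ == "__main__":
    t0 = datetime(2024, 6, 30, 9, 0, tzinfo=timezone.utc)
    ledger = JitLedger()
    req = ledger.request("alice", "s3://finance-reports", "quarter-end close",
                         "laptop-0423", timedelta(hours=4), t0)
    ledger.decide(req, "finance-lead", True, t0)
    print("live at +3h:", ledger.has_access("alice", "s3://finance-reports", t0 + timedelta(hours=3)))
    print("revoked at +4h:", ledger.revoke_expired(t0 + timedelta(hours=4)))
    print("audit record:", asdict(req))
```

Two design points are worth copying into a real implementation. First, `has_access` is computed from the ledger, not from a flag that the sweep flips, so a sweep that fails to run cannot extend anyone's access. Second, the revoke hook is the only place that talks to the IAM system, which keeps the ledger testable offline and makes it obvious where to wire in the cloud provider's API.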
How Lepide helps
To conclude, assigning the appropriate access rights is not a straightforward practice. First, it requires establishing a thorough understanding of your data. It requires careful consideration of how your company is structured, to help you define the role groups that you will assign users to. It requires clear visibility into how your data is accessed, and an ability to learn usage patterns to help you understand which users typically access what data. Finally, you will need processes for granting temporary access, and technologies that can automate the process of revoking access when it is no longer required.
If you’d like to see how the Lepide Data Security Platform enables you to implement least privilege through data classification, access governance and behavioral analytics, schedule a demo with one of our engineers or start your free trial today.