It’s only by monitoring account use (once a state of least privilege has been instituted) that you truly see least privilege reach its potential. And, even if security remains static, the necessity exists to make sure certain user credentials aren’t misused by insiders and external attackers alike. Security is an ever-changing target: as the organization’s needs change, so does the current state of security. Higher-risk users may require user activity or session monitoring, but all users should have a base level of monitoring for use, such as logon monitoring, to look for leading indicators of compromise, such as inappropriate or irregular logon attempts by otherwise normal users.

As you’ve walked through the 4 possible answers to the question of ‘then what?’, it should become a bit clearer that you can’t simply stop with the limiting of privileges today. So, it should be evident that if you’re going to take the route of monitoring privileged accounts, you need some level of monitoring of use even for the accounts that represent a lower risk to the organization (like the sales user). Certainly, nowhere near as privileged as the Administrator account in AD, but, nonetheless, they do have privileged access that users outside of sales do not. If you start with the data, applications and systems you deem critical (that is, you wouldn’t want them compromised, exfiltrated, etc.) and work back to your users, you quickly realize that even the low-level sales person who has access to at least a subset of your customer database is, by definition, privileged. Is it just accounts with admin rights in Active Directory? Those with administrative rights to enterprise applications? Those with admin rights to endpoints? Servers? More than that?
If you’ve drawn a line somewhere in the proverbial sand, delineating a particular level of privileges and above that should be monitored, least privilege is about validating that the state of privilege is not misused.

Delineating the ‘privileged’ from the ‘low’ level user can be somewhat short-sighted. One of the challenges in this particular answer is that you need to decide which user accounts are “privileged”. This can be as simple as monitoring all logons, leveraging a password vault where privileged accounts must be checked out, or can be as complex as monitoring user activity through session recording. With monitoring in the mix, you acknowledge that least privilege isn’t really about the privilege; it’s about the use of privileges. Those organizations in this camp definitely have a bit more of a mature viewpoint on the implementation of least privilege. Having periodic attestation around privileges required, permissions assignments and group memberships is a solid way to ensure control over what would otherwise become an entropic mess of ‘over-permissioning’ with no visibility into the privileges assigned.

For your organization, least privilege is about maintaining a continual state of least privilege.

3. Those of you with this response are definitely more in the “maintaining a state of Least Privilege” mindset – which is good. If you subscribe to the thinking that once the permissions have been limited, you’re done, then for you, least privilege is definitely about the current state of privilege. Once you’ve established that everyone’s privileges are minimized down to the core necessity only to enable them to do their job, there is a bit of logic that says there’s nothing more to do here. There are a few ways to answer the question “then what?” Setting up users with the least amount of privileges possible is the idea (the clue is in the name), but then what?
The way you answer this question determines what least privilege is really all about within your organization; it reflects what’s important to you when establishing security around this principle, as well as the scope and duration the principle needs to be in effect. It seems organizations may see the point of least privilege as being different things.

What to Do with the Principle of Least Privilege?