Shared Assessments’ Insurance Vertical Strategy Group came together for its quarterly meeting last week. Conversation was engaging and covered the widening scope of assessments, the multitude of third party types and the need for re-risking vendors in light of the current economy and threatscape. One of the more compelling discussions that arose was around the Principle of Least Privilege.
Through simple examples, benefits and best practices, this blog post explores the Principle of Least Privilege, defined by NIST as “the principle that users and programs should only have the necessary privileges to complete their tasks.” (In our Shared Assessments Glossary we define related terms, including “Privileged Access”: “Companies need users with specialized levels of technical access, which is required to give these users legitimate access to source code, file systems and other assets to allow them to upgrade the systems or make other technical changes.”)
Let’s start with a pedestrian application of the Principle of Least Privilege (PoLP) based on a model offered by Viega and McGraw in their book Guiding Principles for Software Security. Vacation sounds great to me right now. When I leave, my children’s pet rabbit will need to be fed in the backyard and I will need my mail collected. I will ask my neighbors’ 15-year-old daughter to feed and water the rabbit and pick up the mail while I am gone. Should I give this pet sitter a key to the back door, or should I not?
The Principle of Least Privilege – the notion that a person in a role should be granted only the bare minimum privileges necessary to perform their function – says DO NOT hand over the key. The pet sitter really does not need the key to do her job. Not sharing the key minimizes and in many cases eliminates the risk; here, the risks are a teenaged house party or the key being copied. PoLP dictates “keep such windows of vulnerability as short as possible, in order to minimize your risks.” (Viega and McGraw, “Guiding Principles for Software Security”)
Primary benefits of Principle of Least Privilege as they pertain to Third Party Risk, as outlined by Digital Guardian, are:
- Minimized attack surface – Famously, hackers accessed 70 million Target customer accounts by way of an HVAC contractor who had excessive permissions. By not following PoLP, Target broadened its attack surface and exposed itself to additional vulnerabilities.
- Better security – Although Edward Snowden’s highest-level task was creating database backups, he was able to leak NSA files using his assigned admin privileges. Since the Snowden leaks, the NSA has applied PoLP to over 90% of its employees.
- Improved audit readiness – The scope of an audit is reduced when the system being audited is built on the principle of least privilege. Many common regulatory and organizational control requirements call for PoLP implementation as a compliance requirement.
A participant in the Insurance Vertical Strategy Group meeting asked: when dealing with a government agency, how do you know that the regulatory agency will protect your data, the assessments provided by your third parties, and your planned control remediation activities? You don’t! And you need to ensure that they follow PoLP! Look no further than the data breaches across our many government agencies.
Accordingly, in its “IT Security Principles,” NIST recommends that with all third parties you “…provide no more authorizations than necessary to perform required functions…to reduce risk by limiting number of people with access to critical system security controls.” NIST also notes that “consideration should be given to implementing role-based access controls for various aspects of system use, not only administration. The system security policy can identify and define the various roles of users or processes. Each role is assigned those permissions needed to perform its functions.”
There are several best practices that organizations should consider to integrate least privilege access into their TPRM practices:
- Make the Principle of Least Privilege the default
- Audit privileges regularly – check accounts, processes and programs to be sure third parties only have access/permissions to the data they need
- Elevate privileges only situationally and for limited timeframes
- Monitor and track all activity – ensure individual actions are logged and reviewed, and that issues found are corrected quickly
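The following is an added example, not code from the Shared Assessments post or from NIST, showing how the role-based model NIST describes and the four practices above fit together in a small access-control component: accounts with no assigned role get nothing (PoLP by default), elevations are granted for one permission with a justification and an expiry, every decision is logged, and a summary is produced for a periodic privilege audit. The role names, permissions, account names and change ticket are constructed sample values.

```python
"""Minimal role-based access control with time-boxed elevation and an audit log.

Added example for illustration; roles, users, resources and tickets are constructed.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import Callable, Dict, List, Optional, Set
import fnmatch

# Role -> permissions, each written as "<action>:<resource pattern>" (constructed).
ROLES: Dict[str, Set[str]] = {
    "vendor-hvac": {"read:building/hvac/*", "write:building/hvac/*"},
    "vendor-backup": {"read:db/*", "execute:backup/run"},
    "auditor": {"read:logs/*"},
}


@dataclass
class Elevation:
    permission: str          # exactly one extra permission, never a whole role
    expires_at: datetime     # elevation is bounded in time
    ticket: str              # justification / change reference


@dataclass
class Account:
    user: str
    role: Optional[str] = None                       # default: no role, no access
    elevations: List[Elevation] = field(default_factory=list)


class AccessController:
    def __init__(self, roles: Dict[str, Set[str]], now: Optional[Callable[[], datetime]] = None):
        self.roles = roles
        self.audit_log: List[tuple] = []             # (time, user, decision, permission, note)
        self._now = now or (lambda: datetime.now(timezone.utc))

    def elevate(self, account: Account, permission: str, minutes: int, ticket: str) -> None:
        """Grant one permission for a limited window; the grant itself is logged."""
        expires = self._now() + timedelta(minutes=minutes)
        account.elevations.append(Elevation(permission, expires, ticket))
        self.audit_log.append((self._now(), account.user, "ELEVATE", permission, ticket))

    def _effective_permissions(self, account: Account) -> Set[str]:
        perms = set(self.roles.get(account.role, set()))   # unknown/None role -> empty set
        now = self._now()
        # Drop expired elevations so stale privilege does not linger.
        account.elevations = [e for e in account.elevations if e.expires_at > now]
        return perms | {e.permission for e in account.elevations}

    def authorize(self, account: Account, action: str, resource: str) -> bool:
        """Default deny: allowed only if some effective permission pattern matches."""
        want = f"{action}:{resource}"
        allowed = any(fnmatch.fnmatchcase(want, p) for p in self._effective_permissions(account))
        self.audit_log.append((self._now(), account.user, "ALLOW" if allowed else "DENY", want, ""))
        return allowed

    def audit_report(self) -> Dict[str, Dict[str, int]]:
        """Per-user counts of decisions, the starting point for a periodic privilege review."""
        summary: Dict[str, Dict[str, int]] = {}
        for _, user, decision, _, _ in self.audit_log:
            summary.setdefault(user, {"ALLOW": 0, "DENY": 0, "ELEVATE": 0})[decision] += 1
        return summary


def demo():
    """Walk through the four practices with a controllable clock; returns decisions and report."""
    clock = {"t": datetime(2024, 1, 1, tzinfo=timezone.utc)}   # constructed start time
    ac = AccessController(ROLES, now=lambda: clock["t"])
    hvac = Account("hvac-contractor", role="vendor-hvac")
    backup = Account("backup-operator", role="vendor-backup")
    newcomer = Account("new-vendor")                            # onboarded, no role yet

    results = {
        "hvac_reads_hvac": ac.authorize(hvac, "read", "building/hvac/unit1"),
        "hvac_reads_pos": ac.authorize(hvac, "read", "pos/customer-cards"),
        "backup_deletes_db": ac.authorize(backup, "delete", "db/customers"),
        "newcomer_reads_logs": ac.authorize(newcomer, "read", "logs/2024"),
    }
    # Situational elevation for a 30-minute window, tied to a (constructed) change ticket.
    ac.elevate(backup, "delete:db/staging", minutes=30, ticket="CHG-0001 (constructed)")
    results["backup_deletes_staging_in_window"] = ac.authorize(backup, "delete", "db/staging")
    clock["t"] += timedelta(minutes=31)
    results["backup_deletes_staging_after_window"] = ac.authorize(backup, "delete", "db/staging")
    return results, ac.audit_report()


if __name__ == "__main__":
    decisions, report = demo()
    for name, allowed in decisions.items():
        print(f"{name:40s} {'ALLOW' if allowed else 'DENY'}")
    print(report)
```

The clock is injected so the expiry of an elevation can be exercised deterministically; in a real deployment the audit log would go to an append-only store that the auditor role can read but no vendor role can write.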