Shared Assessments’ Insurance Vertical Strategy Group came together for its quarterly meeting last week. Conversation was engaging and covered the widening scope of assessments, the multitude of third party types and the need for re-risking vendors in light of the current economy and threatscape. One of the more compelling discussions that arose was around the Principle of Least Privilege.
Through simple examples, benefits and best practices, this blog post explores the Principle of Least Privilege, defined by NIST as “the principle that users and programs should only have the necessary privileges to complete their tasks.” (In our Shared Assessments Glossary we define related terms, including “Privileged Access” as “Companies need users with specialized levels of technical access, which is required to give these users legitimate access to source code, file systems and other assets to allow them to upgrade the systems or make other technical changes.”)
Let’s start with a pedestrian application of Principle of Least Privilege (PoLP) based on a model offered by Viega and McGraw in their book Guiding Principles for Software Security. Vacation sounds great to me right now. When I leave, my children’s pet rabbit will need to be fed in the backyard and I will need my mail collected. I will ask my neighbors’ 15-year-old daughter to feed and water the rabbit and pick up the mail while I am gone. Should I give this pet sitter a key to the backdoor or should I not?
The Principle of Least Privilege – the notion that a person in a role should be granted the bare minimum privileges that are necessary to perform their function – says DO NOT relinquish the key. The house sitter really does not need the key to complete her job. Not sharing the key minimizes and in many cases eliminates the risk. The risks in this case are a teenaged house party or the key being copied. PoLP dictates “keep such windows of vulnerability as short as possible, in order to minimize your risks.” (Viega and McGraw “Guiding Principles for Software Security”)
BENEFITS
Primary benefits of Principle of Least Privilege as they pertain to Third Party Risk, as outlined by Digital Guardian, are:
BEST PRACTICES
A participant in the Insurance Vertical Strategy Group meeting asked: when dealing with a government agency, how do you know that the regulatory agency will protect your data, the assessments provided by your third parties, and your planned control remediation activities? You don’t! And you need to ensure that they follow PoLP! Look no further than the data breaches across our many government agencies.
Accordingly, in its “IT Security Principles,” NIST recommends that with all third parties you “…provide no more authorizations than necessary to perform required functions…to reduce risk by limiting number of people with access to critical system security controls.” NIST also notes that “consideration should be given to implementing role-based access controls for various aspects of system use, not only administration. The system security policy can identify and define the various roles of users or processes. Each role is assigned those permissions needed to perform its functions.”
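As an added illustration of the role-based model NIST describes (this is example code, not from the post, NIST, or Shared Assessments), the following Python sketch maps the pet-sitter story onto roles: each role holds only the permissions its function needs, a grant is bounded to the vacation window, and an audit helper reports anything a role holds beyond its task. All role, permission and principal names are hypothetical.

```python
from dataclasses import dataclass
from datetime import datetime


@dataclass(frozen=True)
class Grant:
    """A role assigned to a principal for a bounded window (the 'vacation')."""
    principal: str
    role: str
    not_before: datetime
    not_after: datetime


# Hypothetical role definitions: each role lists only the permissions its
# function needs. The sitter's job is feeding the rabbit and collecting mail,
# so no permission to enter the house is included.
ROLES = {
    "pet_sitter": frozenset({"backyard:enter", "rabbit:feed", "mailbox:collect"}),
    "house_admin": frozenset({"backyard:enter", "house:enter",
                              "rabbit:feed", "mailbox:collect"}),
}


def permissions_for(role: str) -> frozenset:
    """Permissions a role carries; unknown roles carry none."""
    return ROLES.get(role, frozenset())


def is_allowed(grants, principal: str, permission: str, when_iso: str) -> bool:
    """Allow only if an in-window grant to this principal covers the permission."""
    now = datetime.fromisoformat(when_iso)
    for g in grants:
        if g.principal != principal:
            continue
        if not (g.not_before <= now <= g.not_after):
            continue  # outside the window: the access has already lapsed
        if permission in permissions_for(g.role):
            return True
    return False


def excess_permissions(role: str, needed: set) -> set:
    """Audit helper: permissions a role holds beyond what its task requires."""
    return set(permissions_for(role)) - set(needed)


# Constructed sample data: the neighbours' daughter sits the rabbit for one week.
VACATION_START = datetime(2024, 7, 1)
VACATION_END = datetime(2024, 7, 8)
GRANTS = [Grant("neighbor_teen", "pet_sitter", VACATION_START, VACATION_END)]
```

Running `excess_permissions` over every role against the task it is meant to serve is the review step a TPRM assessor would ask a third party to show evidence of.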
There are several best practices that organizations should consider to integrate least privilege access into their TPRM practices: