What is least-privileged access?
As cyberattacks and the exposed attack surface have increased, the need to enable zero trust, based on the principle of least-privileged access, has become a priority for many organizations. But what does least-privileged access really mean?
Least-privileged access is the idea that any given user should be granted the minimum level of access necessary to perform their assigned function. Least-privileged access may be known by a few names such as the principle of minimal privilege (POMP) or the principle of least authority (POLA), but what is consistent across all the terms is that the organization attempts to reduce exposure by ensuring lateral movement or unauthorized access between business applications or resources is restricted.
In order to achieve least-privileged access, three areas must be considered: Identity authentication, device posture, and network segmentation.
How modern least-privileged access works
While there are many approaches to enforcing least-privileged access, it’s important to take a modern approach when considering identity authentication, device posture, and user-to-app segmentation. Here’s a deeper look into these three core elements of least-privileged access:
- Least-privileged access starts at the base layer of “are your users who they say they are”.
- This is achieved through adopting an IDP service such as Okta, Azure Active Directory, Ping Identity, etc, that creates, maintains, and manages identity information while providing authentication services.
- Once you know who your users are and can verify them and grant access based on their identity information.
- It only takes one dirty device to infect the corporate network, which makes device posture critical to enabling least-privileged access.
- Device posture needs to be assessed on a continuous basis and access/privilege needs to adapt based on the risk or cleanliness of said device. The level of trust granted to a user is correlated to the current posture of their device.
- Services that help organizations monitor and control endpoint device posture are companies such as Crowdstrike, Microsoft Intune, Carbon Black and SentinelOne
- Traditionally, to limit network exposure and lateral movement an organization would perform complex network segmentation. This essentially placed internal FWs within the corporate network to restrict areas of access to certain users. While the idea is right, that lateral access should be limited on the network, the network FW approach has created mass complexity for networking teams and still doesn’t provide enough granular control for the liking of security teams.
- To adopt modern least-privilege access, organizations need to re-evaluate a FW approach to network segmentation and opt for a more granular approach that enables user-to-app segmentation.
- Technologies like zero trust network access (ZTNA) services enable this granular segmentation through IT-managed business policies versus a fleet of internal FWs.
- ZTNA gives surgical like connections from identified and verified users to authorized applications, making lateral movement impossible. This greatly reduces attack surface. ZTNA enable zero trust access both to remote users and on-premise users so access policies are universals regardless of the user’s access location. All while users never are placed on the corporate network.
These three areas come together and form a strong security posture for the business:
- Users are always verified and authenticated
- Devices are monitored and app access adapts based on security posture
- No more internal firewalls are needed for segmentation; lateral movement is minimized through app segmentation via a ZTNA service.
Implementing modern least-privileged access today
Achieving true least-privileged access doesn’t have to be as difficult as it was in the past. Enable least-privileged access in three 3 steps:
- Adopt an IDP service. Most organizations already have an IDP service, making this an easy step
- Enable a ZTNA service. Eliminate both lateral access and internal firewalls with a single technology; organizations have set up ZTNA services in as little as 48 hours
- Layer on a device posture service. For added security, adopt a device posture service, which will allow enable your organization to create a security threshold for your users' devices
Interested in learning more about least-privileged access and zero trust? Check out these additional resources: