What is least-privileged access?
- As cyber-attacks and attack surfaces have increased, enabling least-privileged access and zero trust has become a priority for many organizations, but what does least-privileged access really mean?
- Least-privileged access is the idea that any given user should be granted the minimum level of access necessary to perform their assigned function. Least-privileged access may be known by a few other names, such as the principle of minimal privilege (POMP) or the principle of least authority (POLA), but what is consistent across all of these terms is that the organization attempts to reduce exposure by ensuring that lateral movement or unauthorized access between business applications or resources is restricted.
- In order to achieve least-privileged access, three areas must be considered: identity authentication, device posture, and network segmentation.
“When we started looking at ZPA (a ZTNA service), we implemented the Azure AD authentication as part of that. So if you have an active AD account with CSM Bakery, and you launch ZPA to connect, then we authenticate you with our active directory. If you don’t have an active directory account, you can’t get in.”
Tony DeDiego, Director of Network Services
How modern least-privilege access works
While there are many approaches to enforcing least-privileged access, it’s important to take a modern approach when considering identity authentication, device posture, and user-to-app segmentation. Here’s a deeper look into these three core elements of least-privileged access:
- Least-privileged access starts at the base layer: are your users who they say they are?
- This is achieved by adopting an identity provider (IdP) service such as Okta, Azure Active Directory, or Ping Identity, which creates, maintains, and manages identity information while providing authentication services.
- Once you know who your users are and can verify them, you can grant access based on their identity information.
- It only takes one dirty device to infect the corporate network, which makes device posture critical to enabling least-privileged access.
- Device posture needs to be assessed on a continuous basis, and access/privilege needs to adapt based on the risk level of that device. The level of trust granted to a user is correlated to the current posture of their device.
- Services that help organizations monitor and control endpoint device posture include CrowdStrike, Microsoft Intune, Carbon Black, and SentinelOne.
- Traditionally, to limit network exposure and lateral movement, an organization would perform complex network segmentation. This essentially placed internal firewalls (FWs) within the corporate network to restrict areas of access to certain users. While the idea is right, that lateral access on the network should be limited, the network FW approach has created mass complexity for networking teams and still doesn’t provide enough granular control to satisfy security teams.
- To adopt modern least-privilege access, organizations need to re-evaluate the FW approach to network segmentation and opt for a more granular approach that enables user-to-app segmentation.
- Technologies like zero trust network access (ZTNA) services enable this granular segmentation through IT-managed business policies rather than a fleet of internal FWs.
- ZTNA provides surgical, one-to-one connections from identified and verified users to authorized applications, making lateral movement impossible. This greatly reduces the attack surface. ZTNA enables zero trust access for both remote and on-premises users, so access policies are universal regardless of the user’s location, and users are never placed on the corporate network.
These three areas come together and form a strong security posture for the business:
- Users are always verified and authenticated
- Devices are monitored and app access adapts based on security posture.
- No more internal FWs needed for segmentation. Lateral movement is minimized through app segmentation via a ZTNA service.
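The three elements above (identity verification through an IdP, continuous device posture assessment, and user-to-app segmentation) can be expressed as a single policy decision, evaluated on every access attempt. The following is an added illustration written for this page, not ZPA code or any vendor’s policy engine. The IdP is stood in for by a minimal HMAC-signed claims token, the posture report schema (edr_running, disk_encrypted, os_patched, compromised), the app names, the group names, and the shared secret are all constructed for the example, and every unknown app is denied by default.

```python
import base64
import hashlib
import hmac
import json
import time
from dataclasses import dataclass

# Hypothetical shared secret between the IdP and the policy engine (constructed for this example).
IDP_SECRET = b"constructed-demo-secret-do-not-reuse"


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_identity_token(subject, groups, ttl=3600, now=None):
    """Stand-in for the IdP: HMAC-signed claims in a JWT-like shape (not a real JWT library)."""
    iat = int(now if now is not None else time.time())
    claims = {"sub": subject, "groups": sorted(groups), "iat": iat, "exp": iat + ttl}
    body = _b64(json.dumps(claims, sort_keys=True).encode())
    sig = _b64(hmac.new(IDP_SECRET, body.encode(), hashlib.sha256).digest())
    return f"{body}.{sig}"


def verify_identity_token(token, now=None):
    """Element 1: are users who they say they are? Returns the claims, or None if unverifiable."""
    try:
        body, sig = token.split(".")
    except ValueError:
        return None
    expected = _b64(hmac.new(IDP_SECRET, body.encode(), hashlib.sha256).digest())
    if not hmac.compare_digest(sig, expected):
        return None  # tampered or forged token
    claims = json.loads(_unb64(body))
    if (now if now is not None else time.time()) >= claims["exp"]:
        return None  # expired: identity must be re-verified
    return claims


POSTURE_ORDER = {"low": 0, "medium": 1, "high": 2}


def assess_device_posture(report):
    """Element 2: map a (constructed-schema) posture report to a trust level, re-run on every request."""
    if not report.get("edr_running") or report.get("compromised"):
        return "low"
    if report.get("disk_encrypted") and report.get("os_patched"):
        return "high"
    return "medium"


# Element 3: user-to-app segmentation policy. Apps and groups are hypothetical.
APP_POLICY = {
    "payroll": {"groups": {"finance"}, "min_posture": "high"},
    "wiki": {"groups": {"finance", "engineering"}, "min_posture": "medium"},
}


@dataclass(frozen=True)
class Decision:
    allowed: bool
    reason: str


def evaluate_access(token, posture_report, app, now=None):
    """One user-to-app decision: identity, then app authorization, then device posture."""
    claims = verify_identity_token(token, now)
    if claims is None:
        return Decision(False, "identity not verified")
    policy = APP_POLICY.get(app)
    if policy is None:
        return Decision(False, "unknown app: default deny")
    if not policy["groups"] & set(claims["groups"]):
        return Decision(False, f"{claims['sub']} not authorized for {app}")
    posture = assess_device_posture(posture_report)
    if POSTURE_ORDER[posture] < POSTURE_ORDER[policy["min_posture"]]:
        return Decision(False, f"device posture {posture} below {policy['min_posture']}")
    return Decision(True, f"{claims['sub']} -> {app} (posture {posture})")


def demo():
    """Constructed scenarios: a healthy device, then the same user after EDR stops, an unknown app,
    a tampered token, and the same token after expiry."""
    now = 1_700_000_000
    token = issue_identity_token("alice", ["finance"], now=now)
    healthy = {"edr_running": True, "disk_encrypted": True, "os_patched": True}
    degraded = dict(healthy, edr_running=False)  # posture changed: access must adapt
    return [
        evaluate_access(token, healthy, "payroll", now),
        evaluate_access(token, degraded, "payroll", now),
        evaluate_access(token, healthy, "engineering-db", now),
        evaluate_access(token + "x", healthy, "wiki", now),
        evaluate_access(token, healthy, "payroll", now + 7200),
    ]


if __name__ == "__main__":
    for decision in demo():
        print("ALLOW" if decision.allowed else "DENY ", decision.reason)
```

The ordering matters: posture is checked only after the user is verified and the app is one they are entitled to, and the decision is recomputed per request rather than cached, which is what lets a user lose access to payroll the moment their endpoint’s EDR agent stops without anyone editing a firewall rule.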
Implementing modern least-privileged access today
Achieving true least-privileged access doesn’t have to be as difficult as it was in the past. Enable least-privileged access in three steps:
- Adopt an IdP service. Most organizations already have an IdP service, making this an easy step.
- Enable a ZTNA service. Eliminate both lateral access and internal FWs with a single technology. Organizations have set up ZTNA services in as little as 48 hours.
- Layer on a device posture service. For added security, adopt a device posture service, which enables your organization to set a security threshold for your users’ devices.