Last weekend, Mrs. Black and I were enjoying an all too rare dinner out together. Just the two of us at a local restaurant, while the kids were happily at home in the care of their favorite sitter.
Towards the end of dinner, I got up and went to the restroom. Two minutes later, and with my legendarily poor sense of direction on full display, I attempted to exit the restroom through what turned out to be a storage closet!
It was filled to the brim with supplies: paper towels, toilet paper, cleaning products, paper straws, take-out containers of all shapes and sizes, and more. I am happy to report that I did not steal any of these items. But I certainly could have.
Because although there was a lock on the closet door, it had not been secured. In other words, while somebody at some point had decided that the supplies were worth safeguarding, in practice, they were there for the taking.
The Concept of Least Privilege
“Least Privilege” means exactly what it sounds like: giving people, both inside and outside of an organization, the least amount of access (privilege) to data, systems, and assets that is needed to get their work done.
In the case of a restaurant, customers need access to the restroom facilities — they don’t need access to the contents of the supply closet. Which is why it should be kept locked.
From a cybersecurity standpoint, this same scenario plays out in organizations every day. Many times, it’s because the systems themselves are not set up to differentiate appropriate levels of privilege between different users:
- Try setting up an admin in your Google Workspace who can administer Multi-Factor Authentication (MFA). They need to be a “Super Admin,” which gives them access to everything!
- Our payroll system has a lot of different privileges, but it always seems that we have to give higher-level permissions to our accountants for them to get their work done (which does not include running payroll).
- Our old marketing system for sending emails required the newsletter guy, who may edit this very sentence, to have permissions for everything. Our current system has more fine-grained permissions.
Other times, even when the capability to establish fine-grained permissions exists, companies don’t take advantage of it (i.e., the “door” is left unlocked).
For example, we have seen AWS accounts where the entire engineering group has full administrative permissions to the cloud hosting environment, enabling them to push code, make changes, and download data. Other times, we go into a small company and discover that full admin access is in the hands of dozens of people, including contractors and even former contractors.
All of these examples are problematic! It takes just one bad actor who gains access to a single computer with these permissions to create absolute havoc — deleting the company’s hosted product, altering or stealing data, locking others out. In other words, really BAD stuff.
What Can Be Done?
Three simple things to keep in mind…
#1. Define who needs to accomplish what with a particular product.
For example, if you have a Slack channel or SharePoint folder regarding a sensitive topic or containing confidential customer information, does EVERYONE need access? Or maybe someone works in accounts payable and needs to know that we are being charged for X… but does not need check writing privileges!
Take the time to determine who needs what.
#2. Drive this concept through your team.
As my supply closet experience demonstrated, locks only work if people use them. The folks in your organization need to understand Least Privilege so they can make good decisions. Absent that, they will tend to violate the concept for the sake of convenience.
So help them to understand the risk — from bad actors as well as from innocent mistakes or from the accidental viewing of confidential information. What was set up by IT at the beginning needs to be practiced every day.
#3. Audit the results.
Periodically, look at your shared folders, permissions to systems, and any other places where you store important data. The quality of any safeguards put in place tends to degrade over time as responsibilities change, information evolves, and folks come and go. So make sure that the people who have access still should have access.
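The three steps above can be run as a repeatable check. The sketch below is an added example, not part of the original post: it compares an export of current grants against the needs defined in step #1 and flags people who have left or who hold more than their role requires. Every user, role, system and permission level in it is constructed for illustration.

```python
# Added illustration: all names, roles, systems and levels below are constructed.
LEVELS = {"none": 0, "read": 1, "write": 2, "admin": 3}

# Step 1: the highest permission each role needs on each system.
NEEDS = {
    ("engineer", "cloud-hosting"): "write",
    ("accountant", "payroll"): "read",
    ("payroll-clerk", "payroll"): "admin",
}

# Current staff and contractors; anyone missing from this roster has left.
ROSTER = {"ana": "engineer", "raj": "accountant", "lee": "payroll-clerk"}

# Step 3 input: grants exported from each system as (user, system, level).
GRANTS = [
    ("ana", "cloud-hosting", "admin"),   # more than the role needs
    ("raj", "payroll", "read"),          # matches the defined need
    ("lee", "payroll", "admin"),         # matches the defined need
    ("kim", "cloud-hosting", "admin"),   # former contractor, never removed
    ("raj", "cloud-hosting", "read"),    # no defined need at all
]

def review(grants, roster, needs):
    """Return (user, system, action) for every grant that exceeds the need."""
    findings = []
    for user, system, level in grants:
        role = roster.get(user)
        if role is None:
            findings.append((user, system, "revoke: not on current roster"))
            continue
        needed = needs.get((role, system), "none")
        # An unrecognised level is treated as admin so it is never overlooked.
        if LEVELS.get(level, LEVELS["admin"]) > LEVELS[needed]:
            action = "revoke" if needed == "none" else f"reduce to {needed}"
            findings.append((user, system, f"{action}: {role} needs {needed}, has {level}"))
    return findings

def admin_holders(grants):
    """Group admin-level grants by system, the list that tends to grow unnoticed."""
    holders = {}
    for user, system, level in grants:
        if LEVELS.get(level, LEVELS["admin"]) == LEVELS["admin"]:
            holders.setdefault(system, []).append(user)
    return {system: sorted(users) for system, users in holders.items()}

if __name__ == "__main__":
    for finding in review(GRANTS, ROSTER, NEEDS):
        print(*finding, sep=" | ")
    print(admin_holders(GRANTS))
```

Grants that match the defined need produce no finding, so an empty result means the review found nothing to change.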
Stay Vigilant, or Least Privilege will fail
If all of this feels like a pain to set up and manage, I get it. It is.
But, like locking the door to your house when you leave or maintaining unique and complicated passwords for the online services you use (you’re doing that, right?), the extra effort today will help prevent a really, really bad event tomorrow!
In the meantime, I know where I’m heading when the next pandemic hits and we need to stock up on toilet paper!