What is the Principle of Least Privilege?
The principle of least privilege (PoLP) refers to an information security concept in which a user is given the minimum levels of access – or permissions – needed to perform their job functions. It is widely considered to be a cybersecurity best practice and is a fundamental step in protecting privileged access to high-value data and assets. Least privilege extends beyond human access. The model can be applied to applications, systems or connected devices that require privileges or permissions to perform a required task. Effective least privilege enforcement allows us to balance cybersecurity and compliance requirements with operational and end-user needs.
What is Privilege Creep?
When privileges are granted, they are not always revoked, and over time, organizations can end up with many of their users holding administrator rights and access where it is no longer needed. This “privilege creep” widens the security loophole associated with excessive administrative rights and makes organizations more vulnerable to threats. By maintaining comprehensive least privilege access controls as part of our on-boarding and off-boarding procedures, we can help curb “privilege creep” and ensure users at Coast Mountain College have the levels of access required.
Why is the Principle of Least Privilege Important?
- Reduction of cyber attack surface. Most advanced attacks today rely on the exploitation of privileged credentials. By limiting super-user and administrator privileges (that provide IT administrators will unfettered access to target systems), least privilege enforcement helps to reduce the overall cyber attack surface.
- Prevention of malware spread. By enforcing least privilege on endpoints, malware attacks (such as SQL injection attacks) are unable to use elevated privileges to increase access and move laterally in order to install or execute malware or damage the machine.
- Streamline compliance and audits. Many policies and regulations require organizations to implement the principle of least privilege on privileged accounts to prevent malicious or unintentional damage to critical systems. Least privilege enforcement helps organizations demonstrate compliance with a full audit trail on privileged activities.