Using ‘Least Privilege’ to Shore Up Your Network Security
If you haven’t incorporated the principle of least privilege into your data security plan, you’re taking a risk. Here are the POLP basics.
January 3, 2020
Sponsored by Webroot
I’m going to get right to the point here: Very few (if any!) of your employees actually need full access to all parts of your business network. Why am I bringing that up? Because there are so many businesses that still give their employees unrestricted network access. If you or your clients haven’t incorporated the principle of least privilege (POLP) into your data security plan, you’re taking a pretty huge risk. Let’s go over some privilege basics.
What “Least Privilege” Really Means
“Least privilege” essentially means “need to know.” For many small and midsize businesses, the process of onboarding new employees involves giving them a login with access to everything on the network. Least privilege is the opposite. With the POLP approach, you start by assigning zero access by default, and then allow entry as needed. By embracing this principle, you ensure that network access remains strictly controlled, even as people join the company, move into new roles, leave, etc. Sure, it’s important to make sure employees have the access they need to be able to do their jobs. But, by limiting initial access, you can minimize the risk of an internal breach.
If you haven’t already done it, now would be a great opportunity to re-evaluate your network access policies. After all, the most important thing here is protecting your business and customers—as well as your reputation.
Handling Objections around Access Control
According to Microsoft, 67% of users utilize their own devices at work. This means you may encounter some resistance to POLP policies because users will have to give up a few freedoms, such as using BYOD in an unauthorized fashion, installing personal software on work computers or having unfettered access to non-essential applications.
You’ll have to prepare yourself for some tough conversations. But, ultimately, the goal of POLP isn’t to make work a zero-fun zone; rather, it’s to ensure you’re providing a more secure workplace for everyone. Be sure to stress that it has nothing to do with who your employees are, their seniority, or even a history of good or bad habits; it’s just about security.
As the MSP or IT leader, you’re responsible for implementing POLP policies to protect the network. That means it’s also up to you to start the dialog around access control––early and often.
Why You Shouldn’t Rely on Antivirus and Firewalls Alone
No doubt about it: Antivirus software and a good firewall are necessary parts of your security strategy. But there are things that they can’t really help with. For example, they don’t protect against internal threats, such as an employee falling for a phishing scam email. This is where you need access policies to fill in the gaps.
Here’s an example: Let’s pretend you have an employee whose job is data entry, so the employee needs access only to a few specific databases. If that employee clicks a phishing link and gets infected with malware, then the attack is limited to those database entries. But, if that employee had root access privileges, the infection could quickly spread across all your systems.
Cyberattacks like phishing, ransomware and botnets are all designed to get around firewalls. If you follow an appropriate privilege model, you can limit the number of people who can bypass your firewall and exploit security gaps in your network.
Pro Tips for Implementing Least Privilege
When it comes to implementing POLP in your business, here are some tips for getting started:
Start with an audit. Check all existing accounts, processes and programs to ensure that they have only enough permissions to do the job.
Outlaw open access and start all accounts with low access privileges. Add specific higher-level access only as necessary.
Create separate account types to help limit access.
Superuser accounts should be used only for administration or specialized IT employees who absolutely require unlimited system access.
Standard user accounts, a.k.a. “least privilege user accounts” (LUA) or “non-privileged accounts,” should have a limited set of privileges. Essentially, everyone who is not a superuser should get these. Depending on the business needs, standard user accounts may vary by department.
Add expiration dates to privileges where appropriate, as well as one-time-use credentials.
Create a separate, segregated guest WiFi network for on-site visitors, customers, contractors, etc.
Enforce VPN use for off-site employees.
Develop and enforce access policies for BYOD, or, if possible, provide your own network-protected devices.
Regularly review and update employee access controls, permissions and privileges to cover employee promotions or lateral moves within the company that might necessitate different privileges.
Upgrade your firewalls and ensure they are configured correctly.
Add other forms of network monitoring, like automated detection and response.
Next Steps
Learn more about how to lock down your business’ security in Webroot’s Lockdown Lessons series: Lockdown Lesson: Shoring Up Your Network and Security Policies
You can also start a free Webroot cybersecurity trial and see for yourself how Webroot solutions can help you prevent threats and maximize growth: Endpoint Protection | DNS Protection | Security Awareness Training.
This guest blog is part of a Channel Futures sponsorship.
Read more about:
MSPsAbout the Author
You May Also Like