The General Data Protection Regulation of the European Union (EU GDPR) has been in force since May 2018 and presents every company with new and increased data protection requirements.
The processing of personal data, whether from customers, business partners or even the company’s own employees, must be protected by appropriate measures to prevent misuse. Non-compliance with the GDPR threatens not only severe fines but also a loss of face, because every incident must be reported and all affected persons must be informed about it.
The Principle of Least Privilege can be a means of protecting the personal data processed in the company without disrupting operations.
What is the Principle of Least Privilege (PoLP)?
The Principle of Least Privilege (PoLP) is a concept that serves data and information security. It is based on the principle that a user (or a system) is given only the permissions on data that are needed to perform the assigned tasks in the company, and no more.
The original formulation of this principle came from Jerome Saltzer, a U.S. computer scientist at MIT, and first appeared in the journal “Communications of the ACM”:
PoLP is based on the fundamental assumption that an employee cannot do his or her job without a minimum set of access rights in the company.
This principle is still an important component of a professional identity and access management strategy today.
PoLP and the Reality
In practice, many companies still live with so-called “privilege creep”: the accumulation of permissions and accesses by an employee over his or her entire user lifecycle. But how does this accumulation come about? An example.
At the start of the job, the new employee is given the fewest permissions, because the onboarding process prescribes it: the user only gets an account, a mailbox, a home directory and access to the folders of his department and to those that are accessible to everyone. So far, so good.
However, it often happens that permissions of an existing or former employee are copied to the new employee due to time constraints – without checking them beforehand.
Then the employee gets his first projects and his accesses are extended.
The same applies to ad hoc requests. These have to be fulfilled as quickly as possible, so permissions are assigned just as quickly, bypassing the approval process.
A change of department on the part of the employee is also connected with new permissions and accesses.
The trend towards home offices in the last two years also does its part to extend an employee’s access (e.g., through VPN access or access to web applications that he should/must use from the home office).
The scenarios described above are not uncommon; they occur very often in companies. The real problem is that old or no longer necessary permissions are not removed from the employee during his lifecycle (and often beyond). Thus, the employee diligently collects accesses in the company and becomes a “privilege creeper”.
Why is the Least Privilege Principle important?
The Least Privilege principle, as a component of endpoint security, can help prevent malware, Trojans and ransomware from spreading uncontrollably through systems and infrastructure. By means of controlled privilege management, you contain malware at the point where it enters through your gateways (phishing emails, zero-day exploits, software security bugs, …). In this context, special attention should be paid to administrator and superuser accounts (e.g. database, network and system administrators). Since these types of accounts usually have few but far-reaching permissions, they are a welcome target for attacks.
Another use for PoLP is to prevent data misuse. Of course, you don’t assume that an employee will steal company data. Nevertheless, one does well to limit the permissions assigned to an employee to the minimum. Employees are often offered the option of working from home via VPN without anyone giving thought to “data loss prevention”.
In this context, former employees should not be ignored. If they still have active access rights, which may have been overlooked during manual offboarding, they also pose a threat to data security.
The IT department often assigns permissions to department heads, for example, so that they can control the permissions to a system or area themselves. In this way, the IT department delegates the control of access rights to the business department and also saves time, since there is one less task to be completed. Actually a good approach – but with a flaw.
Without the use of an IAM solution in which the PoLP and the approval regulations are implemented, IT is no longer able to track and evaluate all the permissions and accesses assigned to employees. The original time savings are gone by the time of the next internal audit, because the IT department then has to involve every department in order to collect all the reports required for the audit.
By using PoLP in data protection concepts, it is possible to adhere to compliance requirements and optimize internal audits. In addition to the guidelines of the GDPR, the requirements of the BSI (Federal Office for Information Security) are also relevant for companies in Germany. In the BSI’s ORP.4 module, it is written that “access to an institution’s resources worthy of protection must be restricted to authorized users and authorized IT components”. In addition, all authorized user IDs, groups and rights profiles must be fully documented.
Effective Use of PoLP
The basic prerequisite for effective use of PoLP is the implementation of an identity and access management system (short: IAM system) that offers functionalities for compliant data protection, as well as regulated permission management for all systems used in the company and the infrastructure. The concept must include both an “inventory” of all permissions in the company as well as cleaning up superfluous and incorrect ones and optimizing existing permission structures.
Once this is done, the least privilege principle can be applied by creating permission packages and integrating them into the IAM. Such a package always contains all the necessary permissions for a group of people (e.g. departments) or a task (e.g. system administrator CRM). Thus one has clearly delimited permission levels, which can be assigned to appropriate employees. In addition, such packages facilitate the documentation and traceability of assigned permissions.
The permission packages described can also be compared well with Role Based Access Control (RBAC). This concept provides for access rights to be assigned not according to individual users, but on the basis of defined roles, which are derived, for example, from the department, function, location and cost center of an employee in the organization.
Modern IAM systems offer the possibility of mapping these permission packages and also distributing them to employees automatically and in an audit-proof manner. In doing so, the system relies on a set of rules that checks an employee’s personal master data or technical accounts regularly or in the event of changes and assigns or withdraws the packages accordingly.
In this way, it can be ensured that an employee receives a basic set of rights during onboarding, which are automatically adjusted to the employee in the context of changes and are also completely withdrawn again during offboarding.
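As an added example that is not part of the original article and not any IAM product's own code, the following Python sketch shows one way the rule-based mechanism described above could work: permission packages keyed by role, a rule set that derives roles from an employee's master data (department, function, location, employment status), and a reconciliation step that computes which permissions to grant and which to withdraw. Run over a constructed snapshot of currently held permissions, it also surfaces the privilege creep described earlier (a department change whose old folder rights were never removed, a former employee with lingering VPN access). All package names, role rules and employee records are constructed assumptions.

```python
"""Rule-based permission packages with reconciliation (illustrative, constructed)."""
from dataclasses import dataclass

# Constructed permission packages: role name -> set of "system:permission"
# entitlements the package grants. Unknown roles grant nothing (deny by default).
PACKAGES = {
    "base": {"ad:account", "mail:mailbox", "fs:home", "fs:public"},
    "dept:sales": {"fs:sales", "crm:user"},
    "dept:finance": {"fs:finance", "erp:user"},
    "func:crm-admin": {"crm:admin"},
    "loc:remote": {"vpn:access"},
}


@dataclass(frozen=True)
class Employee:
    """Subset of personal master data the rule set looks at (constructed)."""
    user_id: str
    department: str
    function: str
    location: str
    status: str  # "active" or "left"


def derive_roles(emp):
    """Rule set: derive roles from master data. A departed employee has no roles,
    so offboarding withdraws every package automatically."""
    if emp.status != "active":
        return set()
    roles = {"base", f"dept:{emp.department}"}
    if emp.function == "crm-admin":
        roles.add("func:crm-admin")
    if emp.location == "remote":
        roles.add("loc:remote")
    return roles


def expected_permissions(emp):
    """Union of all packages the derived roles grant."""
    perms = set()
    for role in derive_roles(emp):
        perms |= PACKAGES.get(role, set())
    return perms


def reconcile(emp, current):
    """Return (grant, revoke): the changes that bring the currently held
    permissions in line with what the rules say the employee should have."""
    expected = expected_permissions(emp)
    return expected - current, current - expected


def find_privilege_creep(employees, current_by_user):
    """Report every user holding permissions that no rule explains."""
    report = {}
    for emp in employees:
        excess = current_by_user.get(emp.user_id, set()) - expected_permissions(emp)
        if excess:
            report[emp.user_id] = excess
    return report


# Constructed sample data: alice moved from finance to sales and kept the old
# rights; bob has left but still holds an account and VPN access; carol is a
# newly onboarded remote CRM administrator who so far only has the base set.
EMPLOYEES = [
    Employee("alice", "sales", "staff", "office", "active"),
    Employee("bob", "finance", "staff", "remote", "left"),
    Employee("carol", "sales", "crm-admin", "remote", "active"),
]
CURRENT = {
    "alice": PACKAGES["base"] | PACKAGES["dept:sales"] | PACKAGES["dept:finance"],
    "bob": {"ad:account", "mail:mailbox", "vpn:access"},
    "carol": set(PACKAGES["base"]),
}

if __name__ == "__main__":
    for emp in EMPLOYEES:
        grant, revoke = reconcile(emp, CURRENT[emp.user_id])
        print(f"{emp.user_id}: grant={sorted(grant)} revoke={sorted(revoke)}")
    print("privilege creep:", find_privilege_creep(EMPLOYEES, CURRENT))
```

The same diff that drives automatic assignment doubles as the audit report: anything in the revoke set is, by construction, a permission the documented rules do not justify, which is exactly the evidence an internal audit asks for.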
In summary, the least privilege principle is a good approach to increasing data security in a company and implementing the legal requirements of the GDPR (DSGVO) and the BSI, regardless of whether an SME manages the permissions manually using the defined concept or automates them by using an IAM system.