What is the principle of least privilege? And how does it work?

What is the principle of least privilege? And how does it work?

Megan Barker by Megan Barker on

You’ve probably seen the term “principle of least privilege” (or “PoLP”) around the interwebs, or perhaps you’ve heard it from your own security consultant.

Contents

I’m sure you’ve surmised it’s dubbed a “principle” for a reason (i.e. it’s a good thing). It’s another one of the (myriad) phrases tossed around when people talk about organizational security and – I get it – how can one know each of these phrases in depth unless security is their sole responsibility? It’s just not realistic.

That’s why we’re here with our From the Security Desk series, and why I’m here to tell you all about the principle of least privilege and how it can strengthen your company’s security.

What does the principle of least privilege (PoLP) mean?

The principle of least privilege is a security practice that restricts users to the minimum levels of access necessary to perform their work.

When I first entered the field of security, the principle of least privilege was difficult for me to wrap my head around. As an ardent people-pleaser (I’m Canadian, I’m sorry), I didn’t want to take away someone’s access to something they might need someday; to cause them trouble or create extra work.

But lesson one in Security 101 is Think About Everything Backwards. I discovered I could no longer think about what might be inconvenient for coworkers, I had to consider what was convenient for attackers, and security vulnerabilities in general.

Why does the principle of least privilege (PoLP) matter?

Let’s approach this from my naĂŻve, yet very common and completely understandable, perspective.

Suppose I don’t practice the principle within my company. I grant the whole darn team access to every system we have, just in case they need it; I don’t want to worry about seniority or questions of trust. I only need to create accounts for a new hire once, and I don’t need to keep track of anything else.

My problem is forward thinking (also a little laziness from the sounds of it). As I think about the route with the least friction, potential attackers think backwards.

Attackers like Bill, who plans to run a competitive startup. He wants all the dirt on my company and, with my structure, he really doesn’t have to do much to get it. He could be simply hired as an entry-level employee and have immediate, full access to everything.

Oops.

How does the principle of least privilege (PoLP) work?

It’s important people understand that we’re just that – people. We make mistakes. We slip up, talk out of turn, make typos. These things are inevitable. When we limit access to secrets, we limit the damage they can cause.

When fewer people have access to information, there are fewer people who might share it, commit errors with it, or delete it. And, ideally, the workplace culture you create with PoLP is one wherein elevated access isn’t equivalent to “we trust you” or “you have more power than the rest of these plebes!”

What the principle really boils down to is this: You can’t abuse, misuse, or lose something you don’t have. Coincidentally, this is the idea on which 1Password was built.

How does the principle of least privilege (PoLP) look?

A perfect example of the PoLP in action, 1Password is private by design. The information you store in 1Password is end-to-end encrypted, at rest and in transit, and you are the only one who has the keys to decrypt it: your Master Password and Secret Key. Your account is so secure, in fact, there is no way to recover or reset a lost Master Password or Secret Key because we don’t receive them. Frankly, we don’t want them.

There’s another (big) reason we chose to follow the principle of least privilege in our security design: It makes us less subject to attack. We may host blobs of encrypted data, but those are utterly useless without the keys that never leave your devices. We simply don’t have what the bad guys want. And we like it that way.

How is the principle of least privilege (PoLP) used?

How the principle of least privilege manifests will differ from business to business. At 1Password, new hires don’t receive access to any internal systems until they’ve completed security training, and signed related documents and non-disclosure agreements. At that point, they’re granted bare minimum access to the systems needed for their job type. We go a few steps further and heavily restrict the information displayed in those systems based on staff members’ specific roles.

If I need access to a new system throughout the course of my work, I need to explain why I need it before permission is granted. Requests for access are important to us for a few reasons. The requests create an audit trail, so we always know when and why a person was granted access to a system. We also find that, when people are asked to really examine their need for information, sometimes they discover it’s not a need after all.

The bottom line

When I think of the principle of least privilege, I remember a conversation I had with our Privacy Officer, Pilar Garcia. She was to be granted access to perform a task in our Back Office but plans changed. She happily said, “It’s perfect. It means there’s less I can potentially screw up”.

Self-deprecation aside, she’s right. And that’s what it’s all about. She’s our Privacy Officer. We trust her with everything. Yet she doesn’t have access to everything by default simply because she doesn’t need it. And she’s okay with that.

Because there are fewer things to screw up. And that, my friends, is the PoLP.

Security Scribbler

Megan Barker - Security Scribbler Megan Barker - Security Scribbler

Tweet about this post