Least Privilege Regaining Popularity

Written by

Traditional approaches to network security are no longer sustainable in the cloud age, meaning companies have to adapt quickly. With more remote working, applications have left the secure perimeter, and many employees require reliable access to applications and a secure cloud environment in which to work. To meet the security demands of the modern world, the principle of least privilege has made a comeback – with zero trust approaches built on foundations that were laid long ago.

The concept of zero trust is based on the idea of each user starting with zero access rights to a system by default. This starting point ties in with the tried-and-tested principle of least privilege, in which users are only granted access to information and resources in response to a legitimate need. No one is automatically trusted, everything must be questioned and rights are granted in stages and validated on an ongoing basis.

Relocation of The Access Control Function

Over the past 30 years, resource allocation has changed significantly as technology has progressed. Hot on the heels of the large mainframes came the launch of the personal computer, which gave users more rights and access to their own personal systems. The emergence of the classic company network has opened doors to new opportunities. Gradually, the PC became equipped with more functions beyond simple word processing and emails, and eventually, it became possible to exchange information within a network. In recent decades, data traffic has shifted away from the network and onto the internet. However, since the emergence of the cloud, up to 90 percent of data traffic from user devices is now destined for the internet.

The concept of least privilege initially digressed into network access control (NAC), which assumes some level of trust. This is a complete contrast to the zero trust approach, which assumes nothing at all. NAC is also a relatively complex solution that is not without its limitations. The issue arises when the control function needs to separately deal with device identities and client software on one network level. The device remains dependent on the network it is connected to, which is what produces the limitation. If a device leaves the network, the NAC control function no longer works.

The Modernization of Least Privilege

It is relatively easy for cybercriminals to move laterally across an organization’s network to access sensitive data and systems. In flat network hierarchies, segmentation does not usually serve as an adequate protection mechanism. In response to this sub-par security standard, the concept of least privilege was modernized in the form of zero trust. Faced with the security challenges, the idea of minimizing the route of access between the user and their application without involving the network at all seems to be a promising prospect. With a least-privilege approach, the aim is no longer to secure access to the network but to lay comprehensive foundations for an all-new connectivity and security concept. This relies on identification technology and control mechanisms working in tandem, working across all users and entities in the entire modern construct of multi-cloud and internal data center architectures.

Zero Trust for Cloud Workloads

The zero trust approach can be deployed at the user level and help to secure cloud workloads. In this scenario, trust is not assumed in internal or external multi-cloud networks. Verification must take place before each access is granted and communication is permitted based on the applicable guidelines. By granting access to applications and workloads based on identity, companies can minimize their vulnerability to attacks while reducing the scope for cyberattacks to move around the network.

Over time, the least-privilege principle has been modified and adapted to suit a range of applications. Zero trust can be viewed as a natural evolution of the original concept of minimal access – with the added scalability required to secure modern multi-cloud environments.

What’s hot on Infosecurity Magazine?