Mastering Least Privilege: Cutting Unused Access
Published 05/30/2024
Written by StrongDM.
It’s an irrefutable fact: You can't defend your total attack surface without visibility into privileged access. The Principle of Least Privilege holds that individuals within your environment should have only the access and permissions their roles require. This approach safeguards against credential misuse, which contributes to 61% of breaches.
An in-depth analysis of access management across 225 companies reveals alarming trends:
Unused Elevated Privileges: A High Stakes Game
85% of credentials with elevated privileges remain untouched in the last 90 days.
Privileges present a significant risk factor for all organizations. Users or identities with elevated privileges often become targets for various cyber threats, such as credential theft, credential stuffing, or ransomware attacks. It's concerning to note that credentials play a role in nearly two-thirds of all security breaches.
More alarmingly, research indicates that 85% of privileged credentials have not been utilized in the last 90 days. These unused and available privileges are prime targets for malicious actors, prompting a critical question: if these privileges remain unused for such extended periods, are they necessary at all? Removing these unused privileged credentials offers a vital chance for security teams to minimize their organization’s attack surface significantly.
The concept of least privilege mandates that credentials should only possess the minimum privileges necessary for users to perform their duties effectively. Yet, the fact that 85% of these privileges remain unused suggests a lack of visibility into how privileges are employed across the entire infrastructure. This absence of insight hampers security teams from implementing corrective measures and truly adopting a least privilege strategy. Without clear visibility, it’s nearly impossible for security teams and administrators to ascertain which permissions are essential. Enhancing visibility can enable a more data-driven approach to permission management, based on actual usage patterns.
Over Provisioning Users: Complexity Breeds Risk
Nearly 1 in 3 users have access to systems they haven't utilized in the last 90 days.
It's not only privileges that are underutilized; the complexity of granting access identity by identity often leaves users over-provisioned with access rights they do not need.
Analysis reveals that nearly one in three users have access to systems they haven't used in the last 90 days. The diverse and complex nature of modern technology stacks makes it challenging for security teams to monitor which credentials are active, which systems are being accessed, and by whom. This lack of transparency leads to perpetual, unused access rights, thus increasing security risks unnecessarily.
Such unnecessary access contradicts the principle of least privilege and represents a significant opportunity for security teams. By auditing access usage across teams and deprovisioning access that is no longer needed, organizations can tighten their security and reduce their exposure to potential threats.
Unused Resources: Identifying Hidden Risks
15% of resources, including databases and cloud resources, remain untouched in the last 90 days.
Gaining visibility into access and usage goes beyond merely mitigating risk. Analysis indicates that 15% of resources within the technological stack—such as databases, servers, and cloud resources—haven't been accessed in the last 90 days.
These unused resources pose not only security risks but also represent potential cost-saving opportunities. Systems that remain idle might be candidates for deprovisioning or transitioning to more cost-effective services, thereby freeing up budget for other priorities. This raises a critical question: "If these resources haven't been utilized in 90 days, are they truly necessary?"
In the context of the principle of least privilege, the concern extends beyond just credentials; it includes the systems those credentials can access. By gaining insight into how systems are used, security teams can not only reduce their risk profile but also identify opportunities to decrease costs by eliminating or reallocating unused resources.
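The three audits described above (elevated privileges unused in 90 days, users holding access they have not used, and resources nobody has touched) all reduce to the same comparison of access grants against last-use records. The script below is an added illustration, not StrongDM's tooling; the grant table, access events, and the 2024-05-30 reference date are constructed sample data.

```python
from datetime import datetime, timedelta

WINDOW_DAYS = 90                 # the 90-day window the article uses throughout
AS_OF = datetime(2024, 5, 30)    # constructed reference date for the audit

# Constructed grants: (principal, resource, privilege level).
GRANTS = [
    ("alice", "prod-db", "admin"),
    ("alice", "billing-api", "read"),
    ("bob",   "prod-db", "admin"),
    ("bob",   "staging-db", "read"),
    ("carol", "legacy-reports", "admin"),
    ("dave",  "billing-api", "read"),
]

# Constructed access events: (principal, resource, time of use).
EVENTS = [
    ("alice", "prod-db", datetime(2024, 5, 28)),
    ("alice", "billing-api", datetime(2024, 1, 15)),   # older than 90 days
    ("bob",   "staging-db", datetime(2024, 4, 2)),
    ("dave",  "billing-api", datetime(2024, 5, 1)),
]
# No events at all for bob/prod-db or carol/legacy-reports.

def last_use(events):
    """Map (principal, resource) to the most recent use seen in the events."""
    seen = {}
    for principal, resource, ts in events:
        key = (principal, resource)
        if key not in seen or ts > seen[key]:
            seen[key] = ts
    return seen

def audit(grants, events, as_of=AS_OF, window_days=WINDOW_DAYS):
    """Return deprovisioning candidates for each of the three categories."""
    cutoff = as_of - timedelta(days=window_days)
    seen = last_use(events)
    def used(principal, resource):
        ts = seen.get((principal, resource))
        return ts is not None and ts >= cutoff
    stale_grants = [(p, r, lvl) for p, r, lvl in grants if not used(p, r)]
    stale_elevated = sorted(g for g in stale_grants if g[2] == "admin")
    overprovisioned_users = sorted({p for p, _, _ in stale_grants})
    active = {r for (_, r), ts in seen.items() if ts >= cutoff}
    unused_resources = sorted({r for _, r, _ in grants} - active)
    return {
        "stale_elevated": stale_elevated,
        "overprovisioned_users": overprovisioned_users,
        "unused_resources": unused_resources,
    }
```

Note that billing-api counts as an active resource because dave used it recently, even though alice's grant on it is stale; the resource audit and the per-user audit ask different questions.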
The Power of Visibility in Least Privilege
Visibility is the linchpin for successful implementation of the principle of least privilege. While the challenges of gaining insight into access, privilege, and resource usage are substantial, the benefits are immense:
- Lowering risk by removing unnecessary privileges.
- Reducing the attack surface by right-sizing user access.
- Cost savings and risk reduction through identification and removal of unused resources.
The primary objective in implementing the principle of least privilege is to achieve complete minimization: eliminating all unused privileges, eradicating over-provisioning, and having no resources left unused. In other words, Zero Trust is the ultimate goal.
Additionally, aiming for zero exposure of credentials to both end-users and their systems is crucial. This precaution ensures that, even in cases of over-provisioned or unnecessarily accessed credentials, the human element of risk is mitigated.