Using ‘Least Privilege’ to Shore Up Your Network Security
I’m going to get right to the point here: Very few (if any!) of your employees actually need full access to all parts of your business network. Why am I bringing that up? Because there are so many businesses that still give their employees unrestricted network access. If you or your clients haven’t incorporated the principle of least privilege (POLP) into your data security plan, you’re taking a pretty huge risk. Let’s go over some privilege basics.
What “Least Privilege” Really Means
“Least privilege” essentially means “need to know.” For many small and midsize businesses, the process of onboarding new employees involves giving them a login with access to everything on the network. Least privilege is the opposite. With the POLP approach, you start by assigning zero access by default, and then allow entry as needed. By embracing this principle, you ensure that network access remains strictly controlled, even as people join the company, move into new roles, leave, etc. Sure, it’s important to make sure employees have the access they need to be able to do their jobs. But, by limiting initial access, you can minimize the risk of an internal breach.
If you haven’t already done it, now would be a great opportunity to re-evaluate your network access policies. After all, the most important thing here is protecting your business and customers—as well as your reputation.
Handling Objections around Access Control
According to Microsoft, 67% of users utilize their own devices at work. This means you may encounter some resistance to POLP policies because users will have to give up a few freedoms, such as using BYOD in an unauthorized fashion, installing personal software on work computers or having unfettered access to non-essential applications.
You’ll have to prepare yourself for some tough conversations. But, ultimately, the goal of POLP isn’t to make work a zero-fun zone; rather, it’s to ensure you’re providing a more secure workplace for everyone. Be sure to stress that it has nothing to do with who your employees are, their seniority, or even a history of good or bad habits; it’s just about security.
As the MSP or IT leader, you’re responsible for implementing POLP policies to protect the network. That means it’s also up to you to start the dialog around access control, early and often.
Why You Shouldn’t Rely on Antivirus and Firewalls Alone
No doubt about it: Antivirus software and a good firewall are necessary parts of your security strategy. But there are things that they can’t really help with. For example, they don’t protect against internal threats, such as an employee falling for a phishing scam email. This is where you need access policies to fill in the gaps.
Here’s an example: Let’s pretend you have an employee whose job is data entry, so the employee needs access only to a few specific databases. If that employee clicks a phishing link and gets infected with malware, then the attack is limited to those database entries. But, if that employee had root access privileges, the infection could quickly spread across all your systems.
Cyberattacks like phishing, ransomware and botnets are all designed to get around firewalls. If you follow an appropriate privilege model, you can limit the number of people who can bypass your firewall and exploit security gaps in your network.
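The data-entry scenario above, worked through as an added example (not code from the original post): a default-deny grant model, the blast radius of a compromised account under least privilege versus root, and the audit check that flags grants an account holds beyond its role's needs. All resource, role and permission names are constructed for the example.

```python
"""Least-privilege model for the data-entry scenario: default-deny grants,
blast radius of a compromised account, and an audit for excess permissions.
All resource, role and account names below are constructed for this example."""
from typing import Dict, FrozenSet, Set, Tuple

Permission = Tuple[str, str]  # (resource, action), e.g. ("orders_db", "write")

# Constructed inventory of everything on the network a malware infection could reach.
ALL_RESOURCES: FrozenSet[str] = frozenset({
    "orders_db", "customers_db", "hr_db", "file_server", "mail_server", "domain_controller",
})

# Need-to-know per role: the only permissions the job actually requires (constructed).
ROLE_NEEDS: Dict[str, FrozenSet[Permission]] = {
    "data_entry": frozenset({("orders_db", "write"), ("customers_db", "write")}),
    "payroll": frozenset({("hr_db", "read"), ("hr_db", "write")}),
}


def grants_for(role: str) -> FrozenSet[Permission]:
    """POLP onboarding: start from zero access, then add only what the role needs."""
    return ROLE_NEEDS.get(role, frozenset())


def is_allowed(grants: FrozenSet[Permission], resource: str, action: str) -> bool:
    """Default deny: a request is refused unless it was explicitly granted."""
    return (resource, action) in grants


def blast_radius(grants: FrozenSet[Permission], root: bool = False) -> Set[str]:
    """Resources that malware running under this account could touch.
    A root/admin account reaches the whole inventory; a least-privilege account
    reaches only the resources named in its grants."""
    if root:
        return set(ALL_RESOURCES)
    return {resource for resource, _ in grants}


def audit(role: str, actual: FrozenSet[Permission]) -> Dict[str, FrozenSet[Permission]]:
    """Audit step: compare what an account holds with what its role needs.
    'excess' is what to remove; 'missing' is what the employee needs to do the job."""
    needed = ROLE_NEEDS.get(role, frozenset())
    return {"excess": actual - needed, "missing": needed - actual}
```

Run `audit("data_entry", <current grants>)` over each existing account to get the removal list the audit tip calls for, and compare `blast_radius` with and without `root=True` to see what the infection in the phishing scenario could reach.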
Pro Tips for Implementing Least Privilege
When it comes to implementing POLP in your business, here are some tips for getting started:
- Start with an audit. Check all existing accounts, processes and programs to ensure that they have only enough permissions to do the job.
- Outlaw open access and start all accounts with low access privileges. Add specific