Best practices for implementing the Principle of Least Privilege
In this Help Net Security interview, Umaimah Khan, CEO of Opal Security, shares her insights on implementing the Principle of Least Privilege (PoLP). She discusses best practices for effective integration, benefits for operational efficiency and audit readiness, and how to manage friction from access restrictions.
Additionally, she discusses the challenges of PoLP in multi-cloud environments and the potential role of AI in enhancing future enforcement.
What best practices would you recommend for an organization implementing the Principle of Least Privilege (PoLP)?
Every organization is unique, and there will be variables that require customization for effective PoLP integration. Still, there are fundamental building blocks that will help build the foundation for success.
1. Define your mission and metrics. Start with a definition of least privilege. We suggest something like, “Protect the organization by ensuring that systems and individuals have access to only the resources they need, when they need them, with only the friction necessary to protect the business.” Pick some KPIs that can be measured, even if they are imperfect or incomplete — for example, “Reduce and maintain permanent read access to the crown jewels to fewer than 20 people.”
2. Don’t go it alone. Include stakeholders from security, IT, compliance, engineering and others. Fundamentally, the goal is to achieve a technical outcome and a culture of least privilege.
3. Assess your current state against the KPIs you identified to establish your baseline.
4. Don’t boil the ocean. Identify your crown jewels, and then begin permission restrictions in phases. Focus on reducing the amount of ‘birthright’ access — access granted based on user roles — and increasing the amount of just-in-time (JIT) access.
5. Measure against your KPIs, and share on an ongoing cadence with the stakeholders and partner teams you gathered in the beginning, as well as leadership. Achieving and maintaining least privilege is not a one-time project; it’s an ongoing program. The culture-building you did at the beginning will need to be nurtured.
There’s a common theme across all these steps: don’t let perfection be the enemy of progress. It’s better to start and make incremental improvements than to spend forever defining the perfect program.
In your experience, what are the key benefits of enforcing a least privilege policy regarding operational efficiency and audit readiness?
A successful PoLP implementation will yield key benefits across the company. Security teams achieve reduced risk of breach and reduced blast radius of successful attacks. Compliance teams can simplify and shorten audits as access is managed as an ongoing process. That means less disruption at the time of audit. Engineering and operations reduce the risk of catastrophic interruptions like outages or data loss from overprovisioned engineers doing something unintended in production when they didn’t need that access. And avoiding the company-wide pain related to a newsmaking breach is a benefit everyone can recognize.
How do you address the friction that might arise from employees when their access is restricted under PoLP?
Firstly, the program should be designed to avoid or significantly reduce this friction. If done correctly, the only access removed is access that wasn’t required in the first place. Least privilege doesn’t necessarily mean less privilege — the positive side of the definition is ensuring that people do have access to what they need when they need it. The program also needs to ensure that it is fast and easy to grant access when needed in a secure manner.
It’s also a great idea to give context by showing people what access they have and what they are actually using. We have worked with several customers who have told us about teams requesting less access once they realized they had permissions they didn’t ever use. This, of course, only happens when you’ve built a culture that embraces least privilege.
Can you discuss the specific challenges concerning PoLP in cloud environments, particularly in multi-cloud setups?
The challenges come down to scale, complexity, and history. As the number of accounts grows into the hundreds and more, the number of users gets to the thousands. Managing permissions granularly becomes impossible — even in a single cloud environment. Getting down to the specific cloud resource (e.g., a specific bucket) and specific permissions (e.g., read/write) has so many permutations that keeping track of it all, let alone providing access, becomes unwieldy.
Many configured identities are service accounts, like non-human identities that humans, APIs and other systems connect to. With multi-cloud environments, the complexity increases, especially if access is being managed in each cloud provider’s native interface. In order to make sure they don’t slow down, companies tend to lean into over-provisioning and grant access in what I jokingly call a “just-in-case” access model. Gartner reports that, on average, more than 95% of infrastructure as a service (IaaS) accounts use less than 3% of the entitlements they are granted — which is definitely NOT PoLP.
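As an added illustration of several points in the answers above (measuring a KPI such as "permanent read access to the crown jewels", showing people the access they hold versus what they actually use, and spotting the "just-in-case" over-provisioning of service accounts), the following Python script is example code written for this page; it is not Opal Security's product and not code from the interview. It assumes access grants can be exported as flat tuples of (identity, role, resource, permission, permanent-flag) and that an access log yields (identity, resource, permission) events over a review window; every identity, resource and event below is constructed for the example.

```python
"""Entitlement-utilization, KPI and peer-group report from exported grants and access logs.

Example code added for illustration; the data are constructed, not real.
"""
from collections import defaultdict

# Constructed grant export: (identity, role, resource, permission, permanent).
# permanent=False marks a just-in-time (JIT) grant that expires on its own.
GRANTS = [
    ("alice",   "sre",     "s3://crown-jewels",  "read",  True),
    ("alice",   "sre",     "s3://crown-jewels",  "write", True),
    ("alice",   "sre",     "db/prod-customers",  "read",  True),
    ("bob",     "sre",     "s3://crown-jewels",  "read",  True),
    ("bob",     "sre",     "db/prod-customers",  "read",  True),
    ("carol",   "analyst", "s3://crown-jewels",  "read",  False),  # JIT grant
    ("carol",   "analyst", "db/reports",         "read",  True),
    ("svc-etl", "service", "s3://crown-jewels",  "read",  True),
    ("svc-etl", "service", "s3://crown-jewels",  "write", True),
    ("svc-etl", "service", "db/prod-customers",  "write", True),
    ("svc-etl", "service", "db/reports",         "write", True),
]

# Constructed access log: one (identity, resource, permission) per observed use in the window.
ACCESS_LOG = [
    ("alice",   "s3://crown-jewels", "read"),
    ("alice",   "db/prod-customers", "read"),
    ("bob",     "db/prod-customers", "read"),
    ("carol",   "db/reports",        "read"),
    ("svc-etl", "db/reports",        "write"),
]

# The "crown jewels" the program chose to protect first (hypothetical names).
CROWN_JEWELS = {"s3://crown-jewels", "db/prod-customers"}


def utilization(grants, log):
    """Return {identity: (used, granted, fraction)} so each person can see granted vs. used access."""
    used_set = {(i, r, p) for i, r, p in log}
    granted, used = defaultdict(int), defaultdict(int)
    for i, _role, r, p, _perm in grants:
        granted[i] += 1
        if (i, r, p) in used_set:
            used[i] += 1
    return {i: (used[i], granted[i], used[i] / granted[i]) for i in granted}


def overprovisioned(util, max_fraction):
    """Identities whose used/granted fraction is below max_fraction (the 'just-in-case' pattern)."""
    return sorted(i for i, (_u, _g, frac) in util.items() if frac < max_fraction)


def unused_entitlements(grants, log):
    """Grants with no observed use in the window: candidates for removal or conversion to JIT."""
    used_set = {(i, r, p) for i, r, p in log}
    return [(i, r, p) for i, _role, r, p, _perm in grants if (i, r, p) not in used_set]


def permanent_crown_jewel_readers(grants, crown_jewels=CROWN_JEWELS):
    """Identities holding standing (non-JIT) read access to any crown-jewel resource."""
    return sorted({i for i, _role, r, p, perm in grants
                   if perm and r in crown_jewels and p == "read"})


def kpi_check(grants, threshold=20):
    """KPI from the interview: permanent crown-jewel readers must number fewer than `threshold`."""
    n = len(permanent_crown_jewel_readers(grants))
    return n, n < threshold


def role_outliers(grants):
    """Grants held by exactly one member of a role with 2+ members: a simple peer-group irregularity check."""
    holders = defaultdict(lambda: defaultdict(set))   # role -> (resource, perm) -> identities
    members = defaultdict(set)                         # role -> identities
    for i, role, r, p, _perm in grants:
        holders[role][(r, p)].add(i)
        members[role].add(i)
    out = []
    for role, ents in holders.items():
        if len(members[role]) < 2:
            continue                                   # no peers to compare against
        for (r, p), ids in ents.items():
            if len(ids) == 1:
                out.append((next(iter(ids)), role, r, p))
    return out


if __name__ == "__main__":
    util = utilization(GRANTS, ACCESS_LOG)
    for ident, (u, g, frac) in sorted(util.items()):
        print(f"{ident:8s} uses {u}/{g} granted entitlements ({frac:.0%})")
    print("over-provisioned (<50% used):", overprovisioned(util, 0.5))
    print("unused grants:", unused_entitlements(GRANTS, ACCESS_LOG))
    n, ok = kpi_check(GRANTS)
    print(f"KPI: {n} permanent crown-jewel readers -> {'PASS' if ok else 'FAIL'}")
    print("role outliers:", role_outliers(GRANTS))
```

Running it against a real export would replace the constructed lists with the organization's own grant and log data; the fraction thresholds and the KPI limit are program choices, and the peer-group check is deliberately naive (one holder in a role) so that its output is easy to review by hand rather than trusted blindly.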
What role do you think AI and machine learning will play in the future of PoLP enforcement?
I think both GenAI and ‘AI classic’ (AI/ML) have a role to play. AI can be used to detect risk by observing and highlighting irregular access patterns. That irregularity can be based on several factors, such as a user’s role, the type of access, the type of approval, etc. Like any security workflow, detecting and prioritizing potential risk is critical with least privilege, and AI/ML is an excellent tool for that.
I also believe GenAI will play a role in remediation as well as prevention. Gathering, analyzing, and summarizing contextual data and suggesting recommended actions is one area where AI can help address the challenges of scale often faced by resource-strapped security teams supporting large and complex organizations.