Least privilege - get what you need, not what you want
I like trains. I would quite like to drive the train, but that is not on the cards as I have no training, so I sit/stand with everyone else in the passenger area - I am assuming someone is driving and it is not being done by an artificial robot train driver... yet...
My firm belief is that, as security people, we are starting to forget the basic principles of security that protect something important: us and the information we use. And we forget to explain them, sell them and tell stories about them to people - we just say "well, you must ensure you have least privilege", and people think "what is he/she on about...?".
One of my favourite principles is "least privilege" - giving people access only to what they need access to. This certainly seems like a very strong way to protect what is important. If people only have access to what they need and they become compromised, the bad actor (they aren't acting) can only access what they have access to.
"The principle of least privilege (POLP) is the practice of limiting access to the minimal level that will allow normal functioning. Applied to employees, the principle of least privilege translates to giving people the lowest level of user rights that they can have and still do their jobs. The principle is also applied to things other than people, including programs and processes." - taken from http://searchsecurity.techtarget.com/definition/principle-of-least-privilege-POLP
Simple you think? Not so.
In our personal lives we at least feel like we can do anything, go anywhere, buy what we like (for those who have the money) and do what we want with nobody telling us the rules. We are obviously aware of laws and of what is "right", but in general we have "freedom". At work our companies strive (feeling positive here) to protect us and the information we use, and therefore generate policies and processes that are for work - but do leak into our personal world too.
At work we need to deliver quicker and deliver more, we need to show progress, and we need to be flexible to change and pressures. And, with Cloud software available at a click, the time we have to evaluate and risk assess a solution is about the time it takes to make a cup of tea.
So there is an immediate conflict in this principle: it conflicts with our perception of freedom.
What can we do as security professionals if we think least privilege is important? Two steps:
1. DON'T tell people they must follow "best practice". Telling people what to do with no reason or context will no doubt create bad behaviour.
2. DO tell stories. People remember stories and here is one from me:
The story of security professional Michelle and blue sky dashboards Cloud federation
"Hey Michelle, this is cool, with our new Cloud people directory I can point this funky app we use to create blue sky dashboards at our directory and sign in with one set of credentials. Let's do that." explains enthusiastic Dave.
"Nice, I just checked with blue sky dashboards and this means they have access to our directory, is that ok, do we trust them?" said Michelle.
"Not sure, I just bought a couple of user licenses with my credit card" replies Dave.
"Erm, okay, they have access to information they don't need, all our company directory" explains Michelle.
"Ah, I never thought that was even possible, let me think on this..." sighs Dave.
Obviously this is made up (!), but I think we can all ponder on this next time we are tempted to roll out the "follow best practice" line and maybe turn our response into a story.
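To make the story concrete, here is an added example (not from the original post) of the check Michelle is doing in her head: sorting the permissions a federated app asks for into what sign-in actually needs and what reaches into the whole directory. The `openid`, `profile` and `email` scopes are the standard OpenID Connect ones; the directory-wide scope names and the app's consent request are constructed for illustration and do not belong to any particular provider.

```python
"""Least-privilege review of a SaaS app's federation consent request (added example)."""
from dataclasses import dataclass, field

# What single sign-on needs: identity claims about the user who is signing in.
# These three are standard OpenID Connect scopes.
SIGN_IN_SCOPES = {"openid", "profile", "email"}

# Constructed scope names standing in for permissions that reach past the
# signing-in user into the company directory, with the risk each one carries.
DIRECTORY_WIDE_SCOPES = {
    "directory.read.all": "read every user, group and contact in the directory",
    "directory.readwrite.all": "create, change or delete directory objects",
    "group.read.all": "enumerate all groups and their memberships",
}


@dataclass
class ConsentReview:
    app: str
    allowed: set = field(default_factory=set)   # needed for sign-in
    excessive: dict = field(default_factory=dict)  # scope -> why it is too much
    unknown: set = field(default_factory=set)    # nobody can explain these

    @property
    def approve(self) -> bool:
        # Least privilege: approve only when every requested scope is one
        # the sign-in use case needs. Unknown scopes block approval too.
        return not self.excessive and not self.unknown


def review_consent(app: str, requested: list[str]) -> ConsentReview:
    """Classify each requested scope; names are compared case-insensitively."""
    review = ConsentReview(app=app)
    for scope in {s.strip().lower() for s in requested if s.strip()}:
        if scope in SIGN_IN_SCOPES:
            review.allowed.add(scope)
        elif scope in DIRECTORY_WIDE_SCOPES:
            review.excessive[scope] = DIRECTORY_WIDE_SCOPES[scope]
        else:
            review.unknown.add(scope)
    return review


if __name__ == "__main__":
    # Constructed consent request, like the one Dave's purchase would trigger.
    result = review_consent("blue sky dashboards", ["openid", "email", "Directory.Read.All"])
    print(f"{result.app}: approve={result.approve}")
    for scope, why in result.excessive.items():
        print(f"  excessive: {scope} -> {why}")
```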
Try it and let me know.
Keep well.
Adam