The Path Towards Your Least Privilege Environment

A rethink of the practices and tools for removing excessive permissions. How are you right-sizing permissions?

Introduction

Over the course of the past decade, organizations have steadily transitioned from their legacy on-premises environments to the cloud. No longer dependent on their local services, they have benefited from the scalable flexibility that the cloud offers, making it possible to run their businesses from anywhere in the world.

All of the services that run the day-to-day operations of a modern working environment are now available simply by logging into one’s account, allowing organizations to do more, faster than ever before. Microsoft, Google, AWS, and even homegrown applications are now the tools for getting work done in the modern organization.

However, with new capabilities come new challenges.

With the workspace no longer defined by the firewall, the keys to accessing the services in the cloud rely on identities and whichever privileges are granted therein. And the number of identities is growing exponentially. Every application or service creates a new identity. These identities are not only for human users. Every API, service account, bot, and even cloud instance may constitute a new identity.

The challenge for organizations has become how to manage all of these identities and define which resources each one is allowed to access, and the level of access that they should be given to ensure that they do not harm the organization’s security. It is not enough to reach the desired level of access. Maintaining that level over the long term comes with its own set of difficulties that must be overcome.

The Principle of Least Privilege (PoLP)

Every identity is a potential entry point for an adversary to penetrate the organization. With the credentials of an identity belonging to the organization, a skilled attacker can move laterally within the network to steal, disrupt, or otherwise cause harm.

Therefore, the more identities that an organization has created, the wider their attack surface and level of risk.

What limits a hacker who has gained a foothold within the organization, either on an endpoint, network, or other point inside, is their level of privilege to access resources. A given identity may have privilege to a set of specific resources, and within those assets may be further limitations defining who is a basic user, administrator, or something else in between depending on the resource type.

With widespread access to resources and high enough privileges, a malicious actor can have free rein to move about within the organization and work towards their harmful goals. In light of these threats, how should organizations think about protecting their assets?

Over the years, the security industry has developed the Principle of Least Privilege. The United States Government’s Cybersecurity and Infrastructure Security Agency (CISA) defines Least Privilege, following Jerome H. Saltzer and Michael D. Schroeder’s book “The Protection of Information in Computer Systems”, as follows:

“Every program and every user of the system should operate using the least set of privileges necessary to complete the job.”

The concept is essentially that if every identity has their level of access and privilege limited to the most minimal of levels, then the organization has reduced the area of their attack surface to the greatest extent possible. As a security theory, it is sound thinking since an attacker cannot harm what they cannot access.

However, in practice, organizations will often run into trouble when it comes to balancing the needs of their operations against the instincts of their security professionals.

This is because restricting access and privilege too tightly will eventually lead to a disruption of productivity. Just as the hacker cannot access a given resource in an S3 bucket, neither can Sally who is leading her dev team on a business-critical project.

“79% of Organizations Have Experienced an Identity-Related Security Breach in the Last Two Years”
Identity Defined Security Alliance (IDSA) report

“By 2023 75% of security failures will result from inadequate management of identities, access, and privileges”

Permission Sprawl

Adding to the set of challenges is that of Permission Sprawl. This term refers to the reality of how different identities like employees (or even contractors) can accumulate far more access and privileges than they really need in order to do their jobs.

What happens is that they were legitimately granted permission for access because they required it at some point in time, but it was never revoked when it was no longer necessary. A classic example of how this occurs is when an employee changes roles within the organization and simply retains their permissions. In more extreme cases, this can happen with third parties who no longer work with the organization yet somehow still retain their access.

Along with the accumulation of excess permissions over time, another risk comes from an identity receiving blanket permissions when they come on board or move into a new role. In these cases, no real review is performed as to whether the given identity actually needs the breadth and level of permissions that they are granted. IT teams, which are often spread way too thin, will simply give this blanket set of permissions because it fits their general assumptions of what the role requires.

In most cases, these permissions for access are unused yet still exist. This then leads to a Permission Gap where there is an excessive delta between the amount of permissions that are in use and those that are unused, thus expanding the attack surface for the organization.
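The Permission Gap described above can be measured by comparing what each identity is granted with what it has actually used inside a review window. The following is an added example, not code from Authomize or any IAM product; the permission names, identities, log format and 90-day window are assumptions constructed for illustration.

```python
from datetime import datetime, timedelta

# Constructed sample data: hypothetical permission names, not a real cloud API.
GRANTS = {
    "sally": {"storage:read", "storage:write", "vm:start", "iam:create-user"},
    "tom": {"storage:read", "storage:write"},
    "ci-bot": {"storage:write", "registry:push"},       # non-human identity
    "contractor-x": {"storage:read", "db:connect"},     # third party, engagement over
}
# Constructed access log: (identity, permission exercised, ISO timestamp).
EVENTS = [
    ("sally", "storage:read", "2024-05-20T09:00:00"),
    ("sally", "vm:start", "2024-05-28T14:30:00"),
    ("sally", "iam:create-user", "2023-11-02T10:00:00"),  # older than the window
    ("tom", "storage:read", "2024-05-30T08:15:00"),
    ("tom", "storage:write", "2024-05-30T08:20:00"),
    ("ci-bot", "registry:push", "2024-05-31T23:59:00"),
    ("contractor-x", "db:connect", "2023-12-15T12:00:00"),
]
NOW = datetime(2024, 6, 1)

def permission_gap(grants, events, now, window_days=90):
    """Per identity: unused permissions, gap ratio (unused/granted), dormancy."""
    cutoff = now - timedelta(days=window_days)
    used = {identity: set() for identity in grants}
    for identity, permission, ts in events:
        # Count only recent use of permissions that are still granted; log
        # entries for unknown identities or revoked permissions are ignored.
        if datetime.fromisoformat(ts) >= cutoff and permission in grants.get(identity, ()):
            used[identity].add(permission)
    report = {}
    for identity, granted in grants.items():
        unused = granted - used[identity]
        report[identity] = {
            "unused": sorted(unused),
            "gap_ratio": round(len(unused) / len(granted), 2) if granted else 0.0,
            # Dormant: holds permissions but exercised none of them in the window.
            "dormant": bool(granted) and not used[identity],
        }
    return report

if __name__ == "__main__":
    for identity, row in permission_gap(GRANTS, EVENTS, NOW).items():
        print(identity, row)
```

A dormant identity with a gap ratio of 1.0, such as the contractor in the sample data, is the retained third-party access case; the window length decides whether a rarely used permission counts as unused, so it should match how often the role legitimately needs it.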

Managing Identities and Getting to Least Privilege

For smaller organizations with a more limited number of identities and applications, the task of managing permissions to adhere to the Principle of Least Privilege can be frustrating but still doable by manual means. But for enterprises with thousands or tens of thousands of employees, and likely even more non-human identities, this task is beyond Sisyphean. It is downright Herculean.

Thankfully, as the number of identities and the complexity of managing them have increased, a new sector of the IT Security industry has come along to provide solutions. This field is known as Identity and Access Management (IAM). Its job is to help organizations automate and manage the provisioning of permissions to identities. As a part of this mission, IAM solutions work with the IT team to reach their desired state of Least Privilege.

According to Accenture’s 2019 Cost of Cybercrime Study, 63% of organizations are already using some form of advanced Identity and Access Management (IAM) solution. The study also found that these organizations were saving on average a net of $1.83 million after the cost of purchasing the IAM tools.

The difficulty though is that while these identity management solutions do enable control over the privilege granting process, they are still very much dependent on manual work by IT teams to fine tune the permissions to reach the desired state. They also still require managers to manually certify the access granted to each of their employees, wasting a lot of focus and effort and leading to rubber stamping.

One of the core challenges with the approach taken by these tools is that when they initially grant excessive permissions, reverting those permissions is exceedingly difficult. This is because a given permission is usually tied within the groups to other permissions that have been granted. Figuring out which ones are in fact necessary and which are excessive is a tough task to handle.

When an IT team member uses these identity management tools to grant permissions, they are still operating according to the old practices of provisioning way too much access and privilege to the identities. Only after an identity is over-permissioned do these legacy IAM tools seek out unused permissions to detect potentially excessive provisioning. Essentially, this is a case of two steps forward and one back just to get to where they should be in the first place.

This method is both inefficient in its approach and increases the risk to the organization by leaving open a window of exposure during the period between the granting of the permission and the right sizing — assuming that efforts to reach the right sizing are even undertaken during the process.

While some of these solutions are getting better and embracing new practices to limit exposure from Permission Sprawl, using methods like “Just in Time Privilege” that govern how long an identity can utilize a specific permission according to their need, the challenges of the extra steps and unnecessary risk window remain.

Recognizing the need to work with organizations to address these challenges, Authomize has developed a new strategy to improve the effectiveness of IAM.

A Scalable and Dynamic Least Privilege Strategy

Authomize shortens the path to right sizing permissions by setting them correctly the first time with data-driven recommendations.

Our AI-engine technology is capable of correlating between a wide range of identities across applications to understand the organization’s permissions structure. Not just relying on blanket assumptions based on “look alike groups”, Authomize’s proprietary SmartGroups prescriptive analytics engine is able to provide intelligent recommendations regarding the level of permissions that an identity should be provisioned.

SmartGroups look beyond the general role of the identity. They analyze the network structure between resources, identities, entitlements and their usage to generate recommendations to reduce the organization’s attack surface in line with the Principle of Least Privilege. All without the extra steps of going too far forward at the start before walking back to the minimalist posture.

Authomize’s continuous monitoring and right sizing takes into account the identity’s roles and responsibilities, understanding which permissions correspond to their needs. The AI-engine can look at how the users utilize apps, as well as their relationships and knowledge from those apps, and analyze how this corresponds to other users. It also draws insights from the organization’s permission hierarchy, as well as the group assignment structure and the relationships within the organization. This analysis is then performed cross-application to provide the best recommendations throughout the organization.

Authomize Least Privilege Principle

This analysis powers a key capability of the SmartGroup technology that separates it from other IAM solutions by enabling it to detect when a user is granted a permission that they should not be, even if they are making regular use of it. Whereas other tools only look to identify an excessive permission when it is not being used by the given identity, SmartGroups take a different tactic.

Authomize takes a holistic view to bring in context not just from the permission structure and usage, but the roles as well to determine if a given user should actually have access to a resource that might fall outside of their role. These findings can then be given to the admins who can investigate and determine whether the permission is indeed excessive and should be revoked.

But it is not sufficient to only ensure that an identity has not been over privileged. By the same token, it is also important to prevent the identity from being under privileged.

If Sally is the team lead on the special project, then she is justifiably going to need a higher level of privilege than Tom who is a junior developer in her group. What she requires instead is a limited privilege. Using the SmartGroup technology, Authomize can analyze Sally’s identity and her usage needs to produce a series of recommendations that will help her company’s IT easily understand what they need to provision her. All without the usual ping pong that permission requests often entail.

SmartGroup technology offers organizations an alternative to their existing systems, giving them the opportunity to reach a state of Least Privilege from the start. This avoids the unnecessary and risky over privileging of identities just to then add the extra step of adjusting them to where they are supposed to be.

Assessing the Impact of SmartGroup Technology

Structure and grant permissions to employees in a way that you won’t need to “right-size permissions”

Approaching permission management from the Least Privilege perspective aims to strike the balance between productivity and security.

Authomize’s scalable SmartGroup technology enables organizations to harness their data and automatically produce actionable recommendations that significantly reduce the amount of time required to securely provision permissions. This in turn allows employees to get to work faster, having spent less time waiting for IT to track down approval for their permission request, which translates into higher productivity. At the same time, they dramatically improve their level of visibility and security, reducing the attack surface by eliminating Permission Sprawl across their organization.

About Authomize

Authomize enables organizations to manage and secure complex and vastly different applications across hybrid environments. Our Prescriptive Analytics engine helps IT and Security teams flawlessly automate operations around authorization to prevent permission sprawl, maximize productivity, simplify identity lifecycle management, and secure the IAM plane.