You’ve probably heard an employee complain about wanting admin rights to a particular system. They say they “want” access, but do they really “need” it to do their job? Does the CIO need full admin rights on every production server?
Dave, the application developer, says he needs to make a quick, low-risk fix in production. With tight deadlines and an upset customer, rules sometimes bend.
The reality is that every one of those scenarios creates unnecessary risk. Minimizing admin access and privileges is one of the most effective ways to limit the damage an attack can do. Users are the weakest link in security, and that includes everyone from executives to the IT staff. They are human like everybody else and are not immune to phishing or malware; the difference is that malware running under an account with admin rights gets admin rights too.
Malware Isn’t the Only Type of Security Breach
In its Report to the Nations, the Association of Certified Fraud Examiners (ACFE) estimates that a typical organization loses five percent of its annual revenue to fraud. Much of that occupational fraud is committed by trusted insiders, and an insider with more access than the job requires has more opportunity to divert funds and more ways to cover the trail.
Knowing who has access to what, and why, is what makes it possible to spot and stop misuse. If a breach does occur, whether through malware or a disgruntled employee, an accurate picture of who holds which rights lets IT respond quickly and revoke the access that is being abused.
Provide Access to What is Needed
The objective is to limit the potential impact of a security breach. The principle of least privilege should apply to everyone in the organization: employees are given access only to the systems and data they need to do their work. When allocating privileges, an employee’s role in the company determines their access rights, rather than seniority or convenience.
The benefit is that it contains the spread of malware and makes it harder for an attacker to move deeper into the network. If an employee’s account is compromised, the attacker is limited to what that employee can reach.
Malware and insider threats are not the only reasons to implement least privilege. Limiting access also prevents accidents, such as a misconfiguration made by an employee whose excess privileges let a mistake reach systems they never needed to touch.
Some employees will need admin rights to do their jobs. These privileged users, typically database administrators, IT auditors or application developers, have access to the network, company data or product information. Their admin access should be limited to the systems the work requires and, where possible, to the time the work takes, and it should be used from a separate admin account rather than the account they read email with.
Maintaining least privilege is an ongoing endeavor. Once privileges are assigned, they need to be reviewed and revised regularly to stay accurate. Employees change roles or leave the company, and the privileges they accumulated follow them unless someone removes them.
Conclusion
Make the principle of least privilege part of the security policy. Keeping employees’ privileges to what their roles and responsibilities require reduces the company’s exposure, limits the damage malware or a compromised account can do, and closes gaps that an attacker or a careless insider would otherwise use.