Preventing Good People from Doing Bad Things: Implementing Least Privilege
For anyone who ever had to prepare for the CISSP exam, the principle of least privilege is often ingrained in their short-term memory.
The bigger problem is that given the importance of least privilege, it is often forgotten at the enterprise level, and frequently least implemented correctly.
Specifically, least privilege is the notion that in a particular abstraction layer of a computing environment, every module (such as a process, a user or a program depending on the subject) must be able to access only the information and resources that are necessary for its legitimate purpose.
Much has been written about the topic, but not about what to do to implement it. In Preventing Good People From Doing Bad Things: Implementing Least Privilege, the authors note that many companies have spent huge amounts of money on information security hardware and software, but don’t make allowances to deal with what is often the weakest link in the organization, end-users.
In 11 easy to read chapters containing fewer than 200 pages, the book provides a good high-level overview of the concepts of least privilege. The book does not get into the details of access control on various operating systems, as that would triple the books length. Rather it details what happens when user rights are not adequately limited, and gives stories of the effects of unlimited administrator level rights.
While for the most operating system agnostic, the book does provide ways in which to living Active Directory rights in chapter 4, and touches similar concepts in Unix and Linux, as well as virtualization in chapter 6.
The title of chapter 2 pretty much sums up the entire book and concept – Misuse of privilege is the new corporate landmine. The authors quote Mark Diodati of Gartner that “organization continues to struggle with excess user privileges as it remains the primary attack point for data breaches and unauthorized transactions”.
Another crucial topic us databases, discussed in chapter 8. Far too many DBA’s have unfettered and unmonitored access across terabytes of data that can often lead to serious breaches.
The book concludes with some good ideas on how to break bad habits within IT. These pragmatic suggestions include (obvious) suggestions such as: stop allowing employees access to rook, not letting desktop users run as administrator, that hat just because a firm is using access control, that they are immune to data breaches, and more.
For those looking to get a handle on the topic, they will find Preventing Good People From Doing Bad Things: Implementing Least Privilege an excellent resource.
Cross-posted from RSA