The principle of least privilege, an essential aspect of IT security, is one of the most important security policies an enterprise needs to enforce. Following this principle, and avoiding privilege creep, ensures that users don't have more access to systems and data than they need to perform their jobs. For example, Tom in the sales department needs access to the client database but shouldn't be able to access the company's payroll database. Julie in HR, on the other hand, needs access to the payroll database but not the client database. Assigning employees the correct privileges not only prevents genuine mistakes from occurring, but it also stops potentially malicious employees from accessing data or systems outside of their area of responsibility. And if an attacker manages to steal the credentials of an employee and impersonate them, they only gain the privileges of that employee, not system-wide access.
The dangers at the software development stage
Most attacks and data breaches involve some form of privilege creep and account abuse. Obtaining a privileged user's credentials is a prime objective for attackers, as these provide an easy route to email, data, databases, files, system configurations and applications. If a hacker can access a system using a privileged account, they don't need to break through firewalls or sidestep intrusion prevention systems because these defenses assume they are a valid privileged user.
Avoiding privilege creep means being sure groups of users in an enterprise environment are assigned appropriate privileges. This is best done using a privileged access management tool to efficiently control who can do what. However, there is one group of employees where privileges are often purposefully over-assigned -- the software development team. Developers are usually under a great deal of time pressure to create, update or fix software applications. Authentication checks are often removed, or code is run with elevated privileges, so that security controls don't slow down testing by forcing the code under test to handle authentication. Developers may also be given elevated privileges to databases and other resources during the development phase to perform functionality tests and checks. This can give them access rights to monetizable data like financial account information, personally identifiable information, payment cards, medical records and so on.
Developer accounts are therefore even more attractive to would-be attackers because they can provide unfettered access to core enterprise resources. Exacerbating the situation is that developers are often freelancers or third-party contractors and tend to be geographically spread out, creating a diverse group of users whose accounts in no way follow the principle of least privilege. Granting unlimited privileges to make developers' lives a little easier introduces huge security risks, particularly when these privileges aren't removed or accounts aren't closed once an application goes live and developers move on to a different project or leave altogether. Verizon's 2016 Data Breach Investigations Report shows that 14% of breaches involving insider and privilege misuse were carried out by those with elevated access privileges such as system administrators or developers. These breaches are among the most difficult to detect, the majority taking months or longer to discover because the attacker has valid access rights.
The risk of ex-employees abusing former privileges is so great that the FBI and Department of Homeland Security issued a public service announcement, saying the "increase in insider threat cases … from disgruntled and/or former employees poses a significant cyber threat to U.S. businesses due to their authorized access to sensitive information and the networks businesses rely on." According to research by Intermedia and Osterman Research, 89% of employees leave their jobs with a valid login and password to at least one business application belonging to their former employers, and 49% admitted to logging in to an account after leaving the company.
Following the least privilege principle
Least privilege is not just about removing privileges from those users who don't need them, but managing and monitoring access for those who do, like software developers. Security teams should use a privileged access management tool to audit the development environment for signs of privilege creep. Teams should also monitor how and when developer accounts are used so that security information and event management tools can spot irregular activity straight away. Don't be distracted by job titles: It's the level of access a user has that should dictate how carefully their account and actions are monitored.
Offboarding procedures for developers also need to be followed meticulously to ensure all accounts are deactivated to avoid the risk of them abusing their former positions. Again, a privileged access management tool can make this task more efficient and thorough. Managing and monitoring privileged accounts is key to improving overall security. Software development is certainly an activity that needs to be more closely controlled to ensure privilege creep or abuse don't put sensitive resources at risk.
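The monitoring and offboarding points above can be turned into a concrete check. The following is an added example, not code from the original article: it audits constructed access-log lines against a constructed role-to-resource policy (the Tom/Julie split from the opening paragraph plus a developer role) and a constructed user directory with offboarding dates. It flags access outside a user's role, access by accounts that should have been deactivated, accounts with no directory entry, and after-hours use of developer accounts. The log format, role names and thresholds are assumptions for illustration; a real deployment would consume PAM or SIEM exports instead.

```python
"""Audit constructed access-log lines against a least-privilege policy.

Added example, not from the original article. The log format
(timestamp user resource action), the role map and the user directory
are all constructed here for illustration.
"""
from datetime import datetime, date
from typing import Dict, List, Optional

# Constructed role policy: which resources each role may touch.
ROLE_RESOURCES: Dict[str, set] = {
    "sales": {"client_db"},
    "hr": {"payroll_db"},
    "developer": {"dev_db", "build_server"},
}

# Constructed user directory: role and, if offboarded, the last valid day.
USERS: Dict[str, dict] = {
    "tom":   {"role": "sales",     "offboarded": None},
    "julie": {"role": "hr",        "offboarded": None},
    "dev1":  {"role": "developer", "offboarded": None},
    "dev2":  {"role": "developer", "offboarded": date(2016, 5, 31)},
}

# Constructed log lines: ISO timestamp, user, resource, action.
SAMPLE_LOG = """\
2016-06-01T09:12:00 tom client_db read
2016-06-01T09:15:00 tom payroll_db read
2016-06-01T10:02:00 julie payroll_db read
2016-06-01T23:40:00 dev1 payroll_db export
2016-06-02T08:00:00 dev2 dev_db read
2016-06-02T08:30:00 ghost build_server read
"""


def parse_line(line: str) -> Optional[dict]:
    """Split one log line into its fields; return None for malformed lines."""
    parts = line.split()
    if len(parts) != 4:
        return None
    ts, user, resource, action = parts
    return {"ts": datetime.fromisoformat(ts), "user": user,
            "resource": resource, "action": action}


def check_event(ev: dict) -> List[str]:
    """Return the list of findings for one event (empty if it looks legitimate)."""
    findings: List[str] = []
    info = USERS.get(ev["user"])
    if info is None:
        # No directory entry: an orphaned or attacker-created account.
        findings.append("unknown_account")
        return findings
    off = info["offboarded"]
    if off is not None and ev["ts"].date() > off:
        # Offboarding was not completed: the account is still usable.
        findings.append("post_offboarding_access")
    allowed = ROLE_RESOURCES.get(info["role"], set())
    if ev["resource"] not in allowed:
        # Least-privilege violation: resource outside the user's role.
        findings.append("out_of_role_resource")
    # Developer accounts carry broad rights, so after-hours use gets a second look.
    if info["role"] == "developer" and not (7 <= ev["ts"].hour < 20):
        findings.append("developer_after_hours")
    return findings


def audit(log_text: str) -> Dict[str, List[str]]:
    """Map each offending log line to its findings; clean lines are omitted."""
    report: Dict[str, List[str]] = {}
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev is None:
            continue
        findings = check_event(ev)
        if findings:
            report[line] = findings
    return report


if __name__ == "__main__":
    for line, findings in audit(SAMPLE_LOG).items():
        print(line, "->", ", ".join(findings))
```

Running the script reports four of the six constructed lines: Tom reading the payroll database, a developer exporting payroll data late at night, an offboarded developer still logging in, and an account that exists in the logs but not in the directory. The role map is deliberately the only place that says who may touch what, which is the property the article asks for: job title decides nothing, the granted access does.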