Rule of three: Patching, training and least privilege (Part 3)


This is the final post in our “Rule of three” series. Today’s topic is least privilege.

Least privilege is a principle of access control that says no user should be granted any higher privileges than those required for the user to perform necessary tasks.

It’s a common-sense principle, but the reality is many organizations don’t hold to it. For reasons ranging from corporate culture to office politics, there are many IT infrastructures where users have privileged access whether it’s required for their jobs or not.

If this is your situation and you want to influence your company’s leadership to adopt the principle of least privilege, point out that it’s not about expressing distrust of users or taking a “perk” away from an employee. Rather, the principle’s intent is to protect the employee, as well as the business.

The scenario in which a disgruntled or rogue employee sabotages your company’s network is not the primary danger you’re trying to guard against. While insider attacks may be a risk, the bigger threat is from outside. For cyber criminals, privileged or admin-level accounts are extremely high-value targets. This is why they need to be assigned and protected with appropriate access control.