The Principle of Least Privilege | What & How to manage, control and monitor it ?

by mrahier96


Today’s context: Covid and teleworking. How is it going?

Remote working is here to stay, and companies must keep up their efforts against cyber-attacks accordingly. They are now asking for security solutions that accommodate this new level of flexibility. To adapt to a changing world, some are embracing hybrid work while others opt for full-time telecommuting. The goal is the same: to transparently improve working conditions for staff wherever they are.

If a service provider’s business relies on unrestricted access to a customer’s IT assets, that access is itself a vulnerability. By offering comprehensive PAM solutions, distributors can secure, manage and monitor access to their own and their customers’ privileged accounts, keeping the most valuable keys to the network safe.


By definition, opening the corporate network to the Internet zone raises the level of threat to the company. It becomes harder to validate the identity of whoever is connecting, and reliable mechanisms must be in place to protect high-privilege access to critical resources.

By 2024, 50 percent of organizations that use a privileged access model eliminating undefined privileges will have avoided 80 percent of the security breaches suffered by those that do not use PAM.

The cloud trend is gaining momentum.

Companies increasingly rely on cloud providers to host their data, services, and applications, and our administrators hold privileged accounts to manage these new infrastructures.

But does giving up physical control of these infrastructures, which are now exposed on the Internet, make them more vulnerable?

This new operating mode leads to a proliferation of privileged accounts and increases the attack surface, both internally and externally. As a result, ill-intentioned actors have a larger perimeter through which to penetrate information systems.

Because a company’s entire business now rests on its information system, through the continuity of its services and the confidentiality and integrity of its data, companies of all sizes must manage and supervise these privileged accounts.

Due to a lack of visibility regarding privileged users, accounts, and assets, teams frequently lose track of who still has access to what. Over the last year, the rapid pace of digital transformation and the widespread adoption of cloud computing has exacerbated these security risks. Former employees may still have access to sensitive information in some cases, increasing the company’s overall risk exposure. Organizations are vulnerable to attack if they do not have the ability to track these privileges.

As a result, it is critical that every user, program, or process holds only the privileges required to carry out its function. This is the principle of least privilege, and its purpose is to minimize the impact of an identity compromise.

Access management is more important than ever


Figure 1 – Access Management is more important than ever

What is the least privilege principle?

The principle of least privilege (PoLP), also known as the principle of minimal privilege or the principle of least authority in information security, states that every module (a process, a user, or a program, depending on the subject) should be able to access only the resources it genuinely needs for its legitimate purpose. It helps you protect your assets from malicious actors, including those from within. Beyond financial loss and damage to your company’s image, malicious actors can install ransomware, disrupt operations, and use stolen personal data for extortion. Limiting each module to the resources it really needs reduces the extent of the damage that can be done.

How to manage your privileged accounts

An access management platform gives all privileged users a single point of access and administration. As job responsibilities change, “superadministrators” can quickly add and remove users and change their access and permissions to systems. This authority is what lets administrators enforce the principle of least privilege: users hold only the privileges required to perform their tasks, and those privileges are withdrawn as soon as they are no longer required.

You must first perform a privilege audit to determine which privileged accounts and credentials are active, covering both user accounts and local accounts, and decide on the best methodology for doing so. Governance is critical at this stage.

The governance team’s mission is to define the global scope as well as the model for implementing it within the company. Then comes exception management (a model is rarely deployed in full in practice). The team can also advise on a manual implementation within the company, or on whether a dedicated solution is better suited to the company’s needs.

The ultimate goal is to automate the process, so as to avoid needless questions and wasted time. Once automation is possible, it is a sign that the model definition is correct and mature.

The governance team’s other mission is to conduct a privilege audit. It’s divided into two sections:

    • Review of coherence:
      • Is the current model still relevant for the organization?
    • Effective review:
      • Which privileges do the users actually have, and are they in accordance with the defined model?

These reviews are typically performed once a year.

The governance service at Excellium recommends that our customers follow one of several models for applying the “least privilege principle.” The first is Role Based Access Control (RBAC). In this model privileges are set up according to position and function, which gives uniform, standardized permissions and, as a result, a model that maps cleanly onto an Active Directory (one group per role).

The OrBAC (Organization Based Access Control) model adds a notion of context: a user can hold several roles at once. This is closer to reality, since a user can be attached to several services and therefore have several roles.

The ABAC (Attribute-Based Access Control) model is also worth considering. It consists of a set of rules over a dictionary of document and user attributes. It is more dynamic and better suited to companies with multiple entities.

Segregation of duties is also important: it separates tasks and rights so that no single identity can hold conflicting ones.

Whichever model is chosen, the first step is to define it for the company.

Finally, access rights can be set up in detail using an IAM process and solution.
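As an added illustration (this is example code written for this page, not an Excellium tool or any product), the following script encodes the models above in miniature: an RBAC role-to-permission mapping, the OrBAC idea of one user holding several roles, an ABAC rule over user and document attributes, a segregation-of-duties constraint, and the “effective review” from the privilege audit, which compares what users actually hold (a constructed dump of directory group memberships) with what the defined model says they should hold. Every role, group, user and attribute in it is hypothetical.

```python
"""Minimal access-model checker (added example, hypothetical data)."""

# --- Defined model (what governance decided) ---------------------------
# RBAC: role -> permissions. Roles are meant to map 1:1 onto AD groups.
ROLE_PERMISSIONS = {
    "helpdesk":      {"reset_user_password", "read_tickets"},
    "dba":           {"db.read", "db.write", "db.backup"},
    "payments-init": {"payment.create"},
    "payments-appr": {"payment.approve"},
}

# Segregation of duties: permission pairs no single identity may hold.
SOD_CONFLICTS = [("payment.create", "payment.approve")]

# OrBAC-style: a user belongs to several services and so holds several roles.
USER_ROLES = {
    "alice": {"helpdesk"},
    "bob":   {"dba", "payments-init"},
    "carol": {"payments-init", "payments-appr"},   # SoD violation
}

def permissions_from_model(user: str) -> set[str]:
    """Permissions the user should hold according to the defined model."""
    perms: set[str] = set()
    for role in USER_ROLES.get(user, set()):
        perms |= ROLE_PERMISSIONS[role]
    return perms

def sod_violations(user: str) -> list[tuple[str, str]]:
    """Conflicting permission pairs the model itself grants to the user."""
    perms = permissions_from_model(user)
    return [(a, b) for a, b in SOD_CONFLICTS if a in perms and b in perms]

# --- ABAC: one rule over subject and resource attributes ---------------
CLEARANCE = {"public": 0, "internal": 1, "confidential": 2}

def abac_allows(subject: dict, resource: dict, action: str) -> bool:
    """Allow 'read' within the same entity when the subject's clearance covers
    the document classification; 'write' additionally requires ownership."""
    if subject["entity"] != resource["entity"]:
        return False
    if CLEARANCE[subject["clearance"]] < CLEARANCE[resource["classification"]]:
        return False
    if action == "write":
        return resource["owner"] == subject["name"]
    return action == "read"

# --- Effective review ----------------------------------------------------
# Constructed snapshot of what the directory actually grants:
# AD group -> permissions, and user -> AD groups.
GROUP_PERMISSIONS = {
    "G-Helpdesk":  {"reset_user_password", "read_tickets"},
    "G-DBA":       {"db.read", "db.write", "db.backup"},
    "G-PayInit":   {"payment.create"},
    "G-PayAppr":   {"payment.approve"},
    "G-DomainAdm": {"domain.admin"},
}
ACTUAL_MEMBERSHIPS = {
    "alice": {"G-Helpdesk", "G-DomainAdm"},   # stale privilege left behind
    "bob":   {"G-DBA", "G-PayInit"},
    "carol": {"G-PayInit", "G-PayAppr"},
}

def effective_review(user: str) -> dict[str, set[str]]:
    """Privileges held but not modelled (to revoke) and modelled but not held
    (to investigate: either the model or the provisioning is wrong)."""
    actual: set[str] = set()
    for group in ACTUAL_MEMBERSHIPS.get(user, set()):
        actual |= GROUP_PERMISSIONS[group]
    expected = permissions_from_model(user)
    return {"excess": actual - expected, "missing": expected - actual}

if __name__ == "__main__":
    for user in USER_ROLES:
        print(user, effective_review(user), sod_violations(user))
```

Run as-is, the review flags alice’s leftover domain-admin membership as excess to revoke and carol’s role combination as a segregation-of-duties conflict that the model itself must fix; bob comes out clean. The same structure scales to a real directory export by replacing the two constructed dictionaries.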

A newer approach in practice: AWS privilege management at Netflix.

When the level of complexity becomes too high, some companies build their own tooling. Netflix, for example, developed two tools:

RepoKid & Aardvark.

This approach is interesting: it describes how Netflix manages employee privileges in AWS using these two tools, Aardvark and Repokid.

AWS hosts the majority of Netflix’s servers. With some 2,500 possible roles and permissions to keep track of, building a tool to enforce the principle of least privilege was the obvious step.

Aardvark queries IAM Access Advisor to determine the current state of a role’s permissions on the platform, and which of them are actually used and which are not.
Repokid then acts on that data to remove the permissions the role is not using, bringing it down to least privilege.

DynamoDB stores all actions and statuses.

Backed by that database, the two tools track which rights have and have not been used, and rights that have gone unused for 90 days are removed.
If a removal turns out to be a mistake, the rights that existed before it can be restored.

Since 2017, these two tools have been available on GitHub.

The approach is attractive because it removes a class of human error, such as forgetting about or mismanaging the IAM side of the AWS cloud.
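To make the Aardvark/Repokid idea concrete, here is an added example (written for this page; it is not Netflix’s code and uses no AWS API) of the core of a usage-based permission “repo” pass. It takes a constructed snapshot shaped like IAM Access Advisor’s service-last-accessed data, drops every action on a service the role has not used within a 90-day window, and keeps the previous policy so the change can be rolled back, which is what the description above attributes to the two tools. The policy document, the dates and the `RoleStore` class are hypothetical.

```python
"""Usage-based permission trimming with rollback (added example, hypothetical data)."""
from datetime import date, timedelta
import copy

WINDOW_DAYS = 90
AS_OF = date(2021, 12, 1)   # "today" for the constructed snapshot

# Constructed: an IAM-style policy granting actions across several services.
ROLE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": ["s3:GetObject", "s3:PutObject"], "Resource": "*"},
        {"Effect": "Allow", "Action": "sqs:SendMessage", "Resource": "*"},
        {"Effect": "Allow", "Action": ["dynamodb:GetItem", "dynamodb:Query"], "Resource": "*"},
        {"Effect": "Allow", "Action": ["iam:PassRole"], "Resource": "*"},
    ],
}

# Constructed: last-accessed date per service, as Access Advisor reports it
# (None means the service was never used by this role).
LAST_ACCESSED = {
    "s3": date(2021, 11, 20),
    "sqs": date(2021, 6, 1),
    "dynamodb": date(2021, 11, 28),
    "iam": None,
}

def _actions(statement: dict) -> list[str]:
    """IAM allows Action to be a string or a list; normalise to a list."""
    action = statement["Action"]
    return action if isinstance(action, list) else [action]

def unused_services(last_accessed: dict, today: date, window_days: int = WINDOW_DAYS) -> set[str]:
    """Services not used at all, or not used within the window."""
    cutoff = today - timedelta(days=window_days)
    return {svc for svc, last in last_accessed.items() if last is None or last < cutoff}

def repo_policy(policy: dict, unused: set[str]) -> dict:
    """Return a new policy with every action on an unused service removed.
    Statements left without actions are dropped. The input is not modified."""
    new_policy = copy.deepcopy(policy)
    kept = []
    for stmt in new_policy["Statement"]:
        remaining = [a for a in _actions(stmt) if a.split(":", 1)[0] not in unused]
        if remaining:
            stmt["Action"] = remaining
            kept.append(stmt)
    new_policy["Statement"] = kept
    return new_policy

def allowed_services(policy: dict) -> set[str]:
    """Service prefixes a policy still grants anything on."""
    return {a.split(":", 1)[0] for s in policy["Statement"] for a in _actions(s)}

class RoleStore:
    """Stand-in for a persistence layer (Repokid uses DynamoDB): the current
    policy plus a history of previous versions so a repo can be rolled back."""
    def __init__(self, policy: dict):
        self.current = policy
        self.history: list[dict] = []

    def repo(self, last_accessed: dict, today: date) -> set[str]:
        unused = unused_services(last_accessed, today)
        self.history.append(self.current)
        self.current = repo_policy(self.current, unused)
        return unused

    def rollback(self) -> None:
        if not self.history:
            raise RuntimeError("nothing to roll back")
        self.current = self.history.pop()

if __name__ == "__main__":
    store = RoleStore(ROLE_POLICY)
    removed = store.repo(LAST_ACCESSED, AS_OF)
    print("removed:", sorted(removed), "kept:", sorted(allowed_services(store.current)))
    store.rollback()
    print("after rollback:", sorted(allowed_services(store.current)))
```

Two practical points the code makes explicit: a service that was never used is treated exactly like one unused for longer than the window (the `iam:PassRole` grant goes), and the repo produces a new policy document rather than editing in place, so the previous version is always available for rollback.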

Even with a strong IAM process or solution in place to manage the access given to an identity, how do you protect your critical assets when that identity is compromised?

Control your privileged accounts: how to do it?

In recent years, cyberattacks have increased, making phishing the most preferred threat vector for criminals to harvest sensitive credentials. A well-crafted phishing campaign can be a relatively simple entry point for cybercriminals and is frequently the first step in a larger attack.

Once successful, criminals can progress to the next stage, which often involves stealing credentials that allow them to access privileged user accounts. According to industry experts, up to 80% of security breaches involve the compromise of privileged accounts.

What is a PAM?

A PAM solution aims to manage privileged accounts so as to prevent their compromise and prevent privilege escalation. To do so, it grants access only to the privileged accounts a user actually requires, ideally without ever revealing the account password to the user, and it can rotate passwords. In this way the user has access only to what he needs, and the passwords themselves are not exposed.

PAM is one of the fastest growing sectors in cybersecurity today, with a market value expected to more than double, from $2.2 billion to $5.4 billion, by 2025 (src: Privileged Access Management for DevOps | KuppingerCole).

Example of a PAM technology: CyberArk


CyberArk is a global leader in PAM solutions. Its main goal is summarized in this CyberArk diagram:

Cyberark goal

It protects the “Escalate Privileges” step of the attack chain against internal and external threats. There are three major components to accomplishing this:

  • Proactive protection
  • Targeted detection
  • Real-time response

To deliver these, CyberArk first provides credential discovery and management, ensuring regular password rotation, followed by credential and session isolation. When a user accesses a privileged account through CyberArk, he never learns the password, and the account is used through a separate, brokered session.

The scope of action is therefore limited, and activity can be monitored. Privileged activity is easier to watch because a session is opened for each use, and all sessions are tracked, encrypted, and recorded. It is also essential to combine CyberArk with a SIEM so that alerts reach the SOC or the IT administrators, which makes monitoring far more effective.

Finally, it enables the detection and remediation of risky behavior, such as the ability to automatically rotate credentials when a risky event is detected. It is also possible to suspend or end a session based on suspicious behavior.

Monitor your privileged accounts: how to do it?

It’s pretty much inevitable. The vast majority of security threats eventually target privileged accounts.

Each user in every organization has different permissions, and some users have high privileges. When privileged accounts are compromised, data confidentiality, integrity, and security are jeopardized.

Because these accounts control sensitive parts of your IT operations, it is critical to keep an eye on them and have a clear view of what is happening in your IT environment.

This is where security information and event management (SIEM) software plays its role.

Main features of a SIEM

SIEM monitors and alerts on privileged account activity

Comprehensive monitoring of privileged accounts can be challenging because you must monitor administrators, users with root access, and users who have access to firewalls, databases, services, automated processes, and so on.

Monitoring account activity becomes harder with each additional user, group, and policy. And once an attacker has acquired valid credentials, their network activity can be difficult to tell apart from legitimate use.

Monitoring for suspicious activity, such as failed logins or permission escalation attempts, is one of the most effective ways to detect compromised credentials.

SIEM can monitor user behavior in real-time, as well as access to various groups, such as when users are added to domain admin, local admin, and so on, and can identify account usage to determine necessary privilege. You can see if common employees are accessing critical files or if an admin account is making changes to your environment that are unnecessary.

A SOC can implement detection rules that watch privileged account logins. As simple examples, Windows security logs let us alert on any authentication by a privileged account on a given asset, or on a user being added to a sensitive Active Directory group.

It can also be interesting to monitor connections on a set of critical machines outside of time slots (for example, Outside Business Hours). A SOC can assist you in being proactive and detecting potentially malicious behavior.


The least privilege must be a responsibility and a routine that companies must adopt.

The principle of “least privilege” implies restricting a specific user’s access rights in the company so that he/she only has access to those that are required to do his/her job.

To avoid compromising privileged information, every process, device, and application in the system must be given the least amount of authority possible.

The idea is to give everyone as little access as possible in order to reduce the “attack surface” and, as a result, the risks incurred by the company.

Least privilege is a sound model, but it is not enough on its own: you must also assume that an identity holding privileged access can be compromised, and put specific monitoring in place for your high-privilege access.


Antoine PERRY