A pathway for security leaders to finally enforce least privilege

Jonathan Sander explains how to automate the process of enforcing least privilege on the files spread across your network

Least privilege is an alluring, elusive concept.

Admittedly, a common first reaction to hearing the phrase is to focus on the word “least.” The immediate push-back is, “but I need this to do my job.” The key to least privilege is explaining that it means access to whatever is needed. No more, but also no less.

The challenge, of course, is how to handle all the “unstructured data.”

That’s the technical way to explain the litany of files strewn across the file system. Over the years, we’ve attempted a myriad of ways to corral and guide how files are stored and accessed. In the same timeframe, the means to access, volume of information, and demand for access exploded.

That made it hard, if not seemingly impossible, to provide least privilege to the file level.

Jonathan Sander, CTO of STEALTHbits, recently shared a pathway to automating the process of providing least privilege. Part of the StealthAUDIT 8.0 launch, our conversation focused on the opportunity of least privilege -- without an expensive army of consultants. STEALTHbits dubbed it “automated resource-based group provisioning.”

As Sander explained, “The challenge extends to the notion of ‘human generated’ data, too. The act of someone copying a table of information out of their browser which came from a well-controlled application, but then pasting it into Excel to make a spreadsheet they can save anywhere, move anywhere, and send to anyone.”

The challenge is twofold: we have more ways to translate data between systems, and our primary way of restricting access is based on groups. But groups weren’t designed for the granular needs of modern access to files; they simply morphed into the best available way. And that came at the cost of an efficient way to enforce least privilege to the file level.

The hope of automating file-level least privilege

If you wanted to enforce least privilege to the file level, it took a consulting team, time, and patience. Sander feels that’s changed with the new release:

“Data Access Governance (DAG) points out issues the business can’t ignore, and they spend a lot paying consultants to fix these issues by playing whack-a-mole with users and groups. We’ve taken years of seeing how this is done and automated the analysis and group restructuring so people can get there more quickly and efficiently.”

This is the part that caught my attention: it builds on the experience of the professional services team using the tool. It’s part of a growing trend I like, where security companies blend products and services to the eventual improvement of the industry.

Simulate before action

While not shocking if you’ve tried your hand at least privilege, it’s reported that 86% of access to unstructured data is over-provisioned. For a variety of reasons, people have access to more information than they need to do their jobs. It has a tendency to get us in trouble - especially when attackers rely on that excess access to move laterally within your organization and siphon off key information.

At the same time, many of us have been burned trying to make changes. The last thing we want to do is cut needed access. And it never comes at a good time. The old adage of ‘kick the power cord and see who screams’ was funny two decades ago, but in practice it simply didn’t work.

In this case, Sander explained, the real key is to analyze the current situation and simulate changes: explore what the group needs and test the changes before making them. Having the platform and its data on actual usage removes the guesswork. You get to see what people actually do and gain confidence in the changes before you make them.

Sander expanded, “The only way we have been able to get organizations to accept automation of security controls like this is by providing simulation at the start so they can catch mistakes before they start, and rollback at the end so they can quickly jump back on some segment of changes if the users say ouch.”
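To make the analyze, simulate, review, apply and roll back loop described above concrete, here is an added Python sketch written for this page; it is not StealthAUDIT’s code and does not claim to reflect how that product works internally. The share paths, user names, access events, the reviewed exception and the RES_..._READ group-naming convention are all constructed for the illustration. The point it shows is that the proposal is computed from observed usage and can be inspected, adjusted by the business, and undone per share, without the current permissions being touched until you decide to apply.

```python
"""Simulate resource-based, least-privilege groups from observed access.

Added illustration (not StealthAUDIT code). All data below is constructed.
"""
import re
from collections import defaultdict

# --- Constructed sample data (hypothetical shares, users and events) ---
# Effective read access per share today, as resolved from current groups.
CURRENT_ACCESS = {
    r"\\fs01\finance": {"alice", "bob", "carol", "dave"},
    r"\\fs01\hr": {"alice", "erin", "frank"},
}

# Observed file-access events over the review window: (user, share).
ACCESS_LOG = [
    ("alice", r"\\fs01\finance"),
    ("bob", r"\\fs01\finance"),
    ("alice", r"\\fs01\finance"),
    ("erin", r"\\fs01\hr"),
]


def group_name(share):
    """Derive a resource-based group name from the share path.

    The RES_<share>_READ convention is hypothetical, chosen for this example.
    """
    cleaned = re.sub(r"[^A-Za-z0-9]+", "_", share).strip("_").upper()
    return f"RES_{cleaned}_READ"


def observed_users(log):
    """Map each share to the set of users actually seen using it."""
    used = defaultdict(set)
    for user, share in log:
        used[share].add(user)
    return used


def simulate(current, log, exceptions=None):
    """Propose one group per share holding only users seen using it.

    `exceptions` maps share -> users the business has reviewed and wants to
    keep despite no observed activity (e.g. a new hire). Nothing is changed
    here; the result is a proposal to review.
    """
    exceptions = exceptions or {}
    used = observed_users(log)
    proposal = {}
    for share, users in current.items():
        # Only users who both have access and were observed (or exempted) stay.
        keep = users & (used.get(share, set()) | exceptions.get(share, set()))
        proposal[share] = {
            "group": group_name(share),
            "keep": keep,
            "remove": users - keep,
        }
    return proposal


def overprovisioned_fraction(proposal):
    """Share of current grants the proposal would remove (0.0 to 1.0)."""
    total = sum(len(p["keep"]) + len(p["remove"]) for p in proposal.values())
    removed = sum(len(p["remove"]) for p in proposal.values())
    return removed / total if total else 0.0


def apply_changes(current, proposal):
    """Return (new_access, snapshot). The snapshot is what makes rollback possible."""
    snapshot = {share: set(users) for share, users in current.items()}
    new_access = {share: set(proposal[share]["keep"]) for share in current}
    return new_access, snapshot


def rollback(current, snapshot, shares=None):
    """Restore the listed shares (default: all) from the snapshot.

    Restoring only some shares is the "jump back on some segment of changes"
    step: one share's users complained, the rest of the cleanup stays.
    """
    restored = {share: set(users) for share, users in current.items()}
    for share in (shares if shares is not None else snapshot):
        restored[share] = set(snapshot[share])
    return restored


if __name__ == "__main__":
    # 1. Simulate, with one reviewed exception from the business.
    proposal = simulate(CURRENT_ACCESS, ACCESS_LOG,
                        exceptions={r"\\fs01\finance": {"carol"}})
    for share, p in proposal.items():
        print(f"{share}: {p['group']} keep={sorted(p['keep'])} "
              f"remove={sorted(p['remove'])}")
    print(f"over-provisioned grants: {overprovisioned_fraction(proposal):.0%}")
    # 2. Apply after buy-in, keeping a snapshot.
    new_access, snapshot = apply_changes(CURRENT_ACCESS, proposal)
    # 3. Roll back a single share if its users say "ouch".
    restored = rollback(new_access, snapshot, shares=[r"\\fs01\hr"])
    print("after partial rollback:", {s: sorted(u) for s, u in restored.items()})
```

In practice the access log would come from file-server auditing or a DAG platform and the "current access" from resolving nested group membership against the ACLs; the simulate step here is the part that turns that raw data into a reviewable diff rather than a surprise.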

A new approach for security leaders

Instead of fighting with business colleagues, the automation of enforcing least privilege allows you to change the dialogue. Offer them insight into what is actually happening. Show them the changes you want to make. And when you get the buy-in, make the changes quickly.

It’s a way to demonstrate improved protection to the business without getting bogged down.

Copyright © 2017 IDG Communications, Inc.
