“Principle of Least Privilege” – one of the most important fundamentals in cyber security. It is the practice of giving any user, program, or process only the bare minimum privileges necessary to perform its role. Seems sensible, right? Indeed it is – but sometimes cyber security professionals take it too far. Let’s unpack that.
Cyber security professionals often take the principle of least privilege at face value and fall into the mindset of “If they don’t need it (or if I don’t think they need it), I’m going to block it”. A common example is web filtering rules – blocking categories such as ‘Shopping’ and ‘Streaming Media’ without any direction from the Human Resources department. Many do this simply because they believe the ‘principle of least privilege’ requires it.
No doubt, it is a valuable and essential concept, but ‘privilege’ is the key word here. The ‘privileges’ we should be focused on reducing are the ones that have security implications. Is watching YouTube at work a privilege with security implications? Probably not. But is there a reasonable likelihood that someone will need to watch YouTube for a work-related matter? In today’s world, absolutely. Therefore, there is little security benefit in blocking YouTube, but a strong productivity impact and a compromised user experience.
Remember that cyber security is most effective when seen as the “Protector” rather than the “Enforcer” inside an organisation.
We can’t be everywhere at once, so we need to create a culture where employees willingly approach us for guidance. We also want them to listen to us when we say something is serious or when we distribute a new policy or awareness campaign. If we are blocking them on matters that aren’t security risks, we are controlling them for the sake of it, without any positive outcome for the organisation’s security posture. If we keep blocking legitimate behaviour, we become the ‘boy who cried wolf’.
If a system is oppressive, users will get frustrated and work around it: disconnecting from the network, using a personal device, or emailing data to their personal account to “get real work done”.
These workarounds essentially reduce security to ‘zero’. And who can fault their actions if the systems given to them are blocking them from performing legitimate work?
Cyber security leaders should ensure they and their team have empathy around how they architect a security solution or choose to mitigate risks.
Here are three take-home tips that leaders should look to integrate to avoid taking least privilege too far:
1. Create a team motto for your cyber security teams
2. Take a balanced, risk-based approach to authentication
3. Form relationships with department heads
1. Create a team motto for your cyber security teams (and yourself)
This ensures that you approach business requests with a helpful, protector mindset. A good one is “We don’t say no, we say here’s a more secure way.” Instead of being the naysayer, be the ones to empower people with knowledge to help them make informed decisions. Further to that, ensure you’ve established a list of ‘team principles’ that your cyber security team lives by and regularly review them. These principles should be just as focused on how you deal with others in the business as they are on cyber security best practices.
2. Look at your policies around MFA and Authentication and take a balanced, risk-based approach to usability and security
Most of us have increased, or are planning to increase, our authentication security with things like MFA, password length, SSO and the like. Or maybe we can’t get that done for fear of the wrath of our users? Consider a carrot rather than a stick approach. A good example is – “Hi everyone, password length is increasing to 15 characters. But! No more password changes, no more complexity requirements, and one password across all systems that you get to keep forever.” If you’re giving something back to the users as you expect more from them, they’re going to be a lot more receptive.
3. Form relationships with department heads
Doing this helps you understand how they work and what they do. Remember: if we expect our people to have “Security Awareness,” then we should have “Business Awareness.” That way, you can put yourself in their shoes and make balanced decisions informed by both empathy and security. Keep asking yourself: “What’s the real risk? Am I mitigating that risk precisely, or am I taking a shotgun approach that compromises user experience?” It should be the former.
Customer CISO, Sekuro
Lee is an experienced cyber security professional with 16+ years in the technology industry. He previously worked in cyber security leadership and architecture roles inside multiple global organisations prior to joining Sekuro. At Sekuro, Lee helps clients with cyber security strategy, Zero Trust, Virtual CISO, mentorship, executive advisory and security architecture. He has worked with numerous clients on cyber security strategies across industries such as health, insurance, construction, manufacturing and leisure, including multiple ASX-listed companies.