Today we’re reviewing the Least Privilege NIST control that is part of the Access Control Family.
Least Privilege is put in place to limit the information and functions an individual has access to, to only what is needed to perform their job. It also limits users' ability to do things like disable or alter safeguards in a system. This means there should be formal definitions in place of the minimum access required by each department or position.
Formal definitions and approval processes for each role in the organization will help ensure consistent execution of least privilege.
Here is an example of what a process might look like when granting access using the principle of least privilege:
- Manager requests a standard account for a new employee in nursing
- HR confirms the need for the account creation and hands it off to IT
- IT can reference the needed access definitions for the nursing department and create the account
- A year later, the Manager requests elevated access for the same employee due to added responsibilities or promotion
- HR confirms the need for elevated access and hands it off to IT
- IT can then assess the access the employee currently has and add the access that is formally defined for the new responsibilities the employee has been given
On top of using a process similar to the one above, it is important to retain the paper trail and audit periodically to keep everyone accountable for adhering to Least Privilege standards.
It is also important to remember that Least Privilege also applies to those who have privileged access but may not need that level of access for every job function. For example, there might be a team member who is responsible for administering accounts, but whose normal day-to-day work does not require that level of access. In this case, the team member should have a separate account for the elevated responsibilities and only use that account when accessing security functions.
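The workflow in the list above and the separate-privileged-account rule in the last paragraph can be modelled in a few dozen lines. The following Python is an added example, not code from the original post: it keeps formal per-role access definitions, requires an HR approval before IT grants anything, adds only the entitlements the new role defines that the account does not already have, refuses to place security functions on a daily-use account, and runs a periodic audit that flags any access not backed by a defined role. Every role name, entitlement, account and person below is constructed for illustration.

```python
"""Added example (not part of the original post): a small model of a
least-privilege access workflow with formal role definitions, an
HR-approved request trail, a dedicated privileged account, and an audit.
All roles, entitlements and names are constructed for illustration."""
from dataclasses import dataclass, field
from typing import Optional

# Formal minimum-access definition per role (constructed). In practice the
# business owns this catalogue and changes it only through approval.
ROLE_DEFINITIONS = {
    "nursing_standard": frozenset({"ehr.read", "ehr.chart", "email"}),
    "nursing_charge": frozenset({"ehr.read", "ehr.chart", "email", "schedule.edit"}),
    "account_admin": frozenset({"directory.admin"}),
}

# Entitlements that are security functions: allowed only on an account
# marked as a separate privileged account, never on a daily-use one.
PRIVILEGED_ENTITLEMENTS = frozenset({"directory.admin"})


@dataclass
class Account:
    name: str
    privileged: bool = False                     # True for a separate admin account
    roles: set = field(default_factory=set)
    entitlements: set = field(default_factory=set)


@dataclass
class AccessRequest:
    account: str
    role: str
    requested_by: str                            # the manager
    approved_by: Optional[str] = None            # filled in by HR


class AccessSystem:
    def __init__(self) -> None:
        self.accounts = {}
        self.audit_log = []                      # the retained paper trail

    def create_account(self, name: str, privileged: bool = False) -> Account:
        acct = Account(name, privileged=privileged)
        self.accounts[name] = acct
        self.audit_log.append(f"CREATE {name} privileged={privileged}")
        return acct

    def hr_approve(self, req: AccessRequest, approver: str) -> None:
        req.approved_by = approver
        self.audit_log.append(f"APPROVE {req.account} role={req.role} by {approver}")

    def it_grant(self, req: AccessRequest) -> set:
        """Grant a formally defined role; returns the entitlements actually added."""
        if req.approved_by is None:
            self.audit_log.append(f"REJECT {req.account} role={req.role}: no HR approval")
            raise PermissionError("request lacks HR approval")
        if req.role not in ROLE_DEFINITIONS:
            raise ValueError(f"no formal access definition for role {req.role!r}")
        acct = self.accounts[req.account]
        needed = ROLE_DEFINITIONS[req.role]
        if needed & PRIVILEGED_ENTITLEMENTS and not acct.privileged:
            self.audit_log.append(f"REJECT {req.account} role={req.role}: needs privileged account")
            raise PermissionError("security functions require a separate privileged account")
        # IT assesses what the account already has and adds only what the
        # definition for the new responsibilities requires.
        added = set(needed) - acct.entitlements
        acct.roles.add(req.role)
        acct.entitlements |= added
        self.audit_log.append(
            f"GRANT {req.account} role={req.role} added={sorted(added)} "
            f"requested_by={req.requested_by} approved_by={req.approved_by}")
        return added

    def audit(self) -> list:
        """Periodic review: flag access that no defined role on the account justifies."""
        findings = []
        for acct in self.accounts.values():
            defined = set().union(*(ROLE_DEFINITIONS[r] for r in acct.roles))
            for extra in sorted(acct.entitlements - defined):
                findings.append(f"{acct.name}: entitlement {extra} not backed by any defined role")
            if not acct.privileged:
                for p in sorted(acct.entitlements & PRIVILEGED_ENTITLEMENTS):
                    findings.append(f"{acct.name}: privileged entitlement {p} on a daily-use account")
        return findings


def run_scenario() -> AccessSystem:
    """The post's scenario: standard account, later elevation, then a
    separate privileged account for a team member who administers accounts."""
    acs = AccessSystem()
    acs.create_account("jdoe")
    req = AccessRequest("jdoe", "nursing_standard", requested_by="mgr.smith")
    acs.hr_approve(req, "hr.lee")
    acs.it_grant(req)
    # A year later: promotion to charge nurse; only schedule.edit is new.
    promo = AccessRequest("jdoe", "nursing_charge", requested_by="mgr.smith")
    acs.hr_approve(promo, "hr.lee")
    acs.it_grant(promo)
    # Account administration lives on a dedicated privileged account.
    acs.create_account("jdoe-adm", privileged=True)
    adm = AccessRequest("jdoe-adm", "account_admin", requested_by="mgr.smith")
    acs.hr_approve(adm, "hr.lee")
    acs.it_grant(adm)
    return acs


if __name__ == "__main__":
    system = run_scenario()
    system.accounts["jdoe"].entitlements.add("directory.admin")   # simulate drift
    print("\n".join(system.audit_log))
    print("audit findings:", system.audit())
```

The audit is deliberately role-driven: any entitlement that is not implied by a role on the account is a finding, which is exactly the drift a periodic least-privilege review is meant to catch, and a privileged entitlement on a daily-use account is reported even if someone had added a matching role to it.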