How can the principle of least privilege protect your company?

Sep 17, 2021

The principle of least privilege is widely used in IT security. It can go a long way toward reducing the damage an attacker can do if your company has a security incident. Here is an analogy to help you understand.
When you go to a hotel and get your room key card, it only gives you access to your room and any amenities that you need, like the breakfast room, the exercise room, the pool, and so on. A hotel cleaning staff member who works on floor five has a key that gives them access to all the rooms on floor five, but their key does not give them access to your room on floor three. A maintenance worker who works on all floors may have a key with access to all rooms on every floor. Each person in that analogy has the least amount of access that they need to do their job. For some, like the maintenance worker, that access is more than for others. In its simplest form, the principle of least privilege is a methodology or a mindset around granting access to a system.

Every person or program is given only the minimum access they need to do their job and nothing more. Typically, access is granted based on the function of the entity rather than on that person's seniority within the company. Just because someone is a vice president does not mean they need complete access to everything in the company to do their job.
In fact, senior business leaders should have as little access as possible, and here is why. They are often targeted by bad actors. Limiting the access they have means that even if an attacker were to compromise their account, the attacker would not have the keys to the kingdom.

Least privilege does not just apply to files and data; it encompasses the entire business. You want to restrict access so that you can limit what a hacker would have access to when an account does get hacked. If you implement the principle of least privilege, you will reduce the fallout of a cybersecurity incident.
