The ‘least-privilege’ model protects digital assets and user productivity
Presented by Nutanix
The way we work has morphed into a diverse and complex model. It’s one that opens up new cybersecurity challenges, particularly in the area of user identity.
Gone are the days when employees convened each morning in a common facility that housed all the equipment, supplies, and data necessary to do their jobs. And they no longer routinely turn off the light some eight hours later and head for home, with no need to access those data resources again until the next workday.
Instead, modern employees may be located in any number of highly distributed branch offices that cross geographies, time zones, and cultures. They might be working while on the road visiting customers or attending a conference. And as we have all become acutely aware, a disaster or pandemic may suddenly mandate prolonged remote work from a home office.
Regardless of where they are and the circumstances, workers require access to the data and applications fundamental to performing their jobs. Some even need it 24/7. It’s IT’s job to provide that access, while at the same time making sure that people can only get to the data they really need, so as to curtail growing threats associated with overprivileged access.
Diverse users, data, devices pose new challenges
Controlling access is getting trickier by the day. There’s an increasing cast of characters to support, moving beyond traditional employees to include contractors, suppliers, and business partners, each with their own set of access requirements and restrictions. These folks no longer conveniently share a single, contained local network in a common location that can be physically locked down.
Not only are today’s users now highly distributed, so are corporate data and applications, which may run across on-prem infrastructure, private-managed clouds, and public cloud services. Even the client devices are far from standard: Users are requesting access from different makes of tablets, smartphones, laptops, desktops, and workstations.
Given all these variables, the issue of identity has come under fresh scrutiny. It once made sense to group users with similar roles and provide a set of network access rights to the whole group, such as with virtual LANs (VLANs). Now, many organizations are further restricting access, down to the individual employee, contractor, supplier, or partner. And those rights might depend on what device or what access network the employee is using at the time, as some are more secure than others.
One reason for these changes is to help prevent the internal misuse of data: 34% of data breaches in 2019 involved an internal user, according to the Verizon 2019 Data Breach Investigations Report. In addition, companies don’t want overprivileged users to become targets for hackers seeking to piggyback on their access credentials to gain entry into the corporate network: Nearly a third of data breaches in 2019 (29%) involved stolen user credentials, according to Verizon.
In addition to moving to stronger user authentication methods, which might include secure cards or biometrics as well as passwords, companies are starting to embrace a “zero trust” security model. This uses the “least privilege” principle, which narrowly defines user access rights.
Embrace least privilege controls
Simply put, least privilege controls restrict access rights to the minimum each user needs to perform their job. That means no more liberally doling out Domain Admins rights in Active Directory, root-level access to operating systems, and administrator-level access to the corporate virtualization infrastructure, among other changes.
Still, achieving least-privilege access control is not as simple as you might think. It’s fairly common, for instance, for employees to move in and out of different roles within an organization. It’s critical that their access privileges adjust accordingly with each change, which can be onerous for lean or overworked IT shops.
Access privileges should be revoked and reassigned each time—and rescinded permanently when workers leave the company. If not, privileges could accumulate to the point where an individual has far greater access than appropriate. That opens the door to employee misuse, and can make users targets of hackers seeking extensive access into your corporate data.
Ways to implement
There are several ways to implement least privilege, which is really more about your internal policies than any one particular technology. First and foremost, it’s time to move away from the mindset of “keeping out the bad guys” at the network perimeter, which no longer physically exists. From there, you need to identify the most important data to protect against theft, misuse, destruction, or any combination. Once you make these decisions, you can build an architecture to set and enforce the granular least privilege policies needed to protect these assets.
Firewalls and VPNs. One approach to executing least privilege security is to put the entire corporate network outside the firewall, forcing all users to connect through a virtual private network (VPN). This method lets you specify grant/deny permissions very narrowly for any remotely accessible applications and services.
Virtual desktop infrastructure (VDI). Another way to enforce least privilege is by using virtual desktop infrastructure, a proven technology. With VDI, data and applications reside centrally, where they’re more easily safeguarded. Remote users log in over a network using web browsers or thin clients. The desktop feels local to the user, but is actually managed and safeguarded by IT and security teams. Based on a user’s identity, desktop security controls and network policy can be configured to ensure that users can only access resources that they’re entitled to use.
Striking the right balance
It can be challenging for network administrators to determine how to create policies that don’t hinder worker productivity but still maximize protections against unauthorized access.
The most important first step is deciding what to protect, using network- and user-based access controls. The technology used to create the rules, likely some combination of Active Directory, VDI, VPNs, and firewalls, is secondary to making those decisions.
Finally, organizations have to be vigilant about enforcement. Automation combined with identity-based policy can help streamline operations and tasks like employee onboarding, role/job shifts, and other events that require user permissions to be altered. Nonetheless, it’s a best practice to avoid a “set and forget” mindset. By strictly limiting who can access critical systems and revisiting this plan regularly, you reduce the risk of unintentional or malicious data misuse and theft.
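The privilege accumulation described under “Embrace least privilege controls” and the automated handling of role shifts and offboarding mentioned just above can be made concrete with a small model. The following is an added example written for this article, not code from Nutanix or VentureBeat; the role table, the entitlement names, the HIGH_RISK set, and the users “alice” and “bob” are all constructed for illustration.

```python
"""Added example (not from the article): a toy entitlement model contrasting
additive role changes, which let rights pile up, with least-privilege role
changes that recompute rights from the user's current role only, plus the
periodic audit the article recommends instead of a "set and forget" approach."""
from dataclasses import dataclass, field

# Constructed role-to-entitlement table (hypothetical, not any product's schema).
ROLE_ENTITLEMENTS = {
    "helpdesk":  {"ticketing:read", "ticketing:write", "ad:reset-password"},
    "dba":       {"db:read", "db:write", "db:admin"},
    "developer": {"repo:read", "repo:write", "ci:run"},
}

# Constructed set of entitlements that should never linger after a role change
# (the kind of admin/root rights the article says not to hand out liberally).
HIGH_RISK = {"db:admin", "ad:domain-admin", "os:root", "virt:admin"}


@dataclass
class User:
    name: str
    roles: set = field(default_factory=set)
    entitlements: set = field(default_factory=set)
    active: bool = True


def grant_additively(user, new_role):
    """Anti-pattern: the HR record moves the user to the new role, but the
    entitlements of the previous role are never revoked, so rights accumulate."""
    user.roles = {new_role}
    user.entitlements |= ROLE_ENTITLEMENTS[new_role]


def move_to_role(user, new_role):
    """Least-privilege role change: revoke everything, then reassign exactly the
    new role's rights, so entitlements always match the current role."""
    user.roles = {new_role}
    user.entitlements = set(ROLE_ENTITLEMENTS[new_role])


def offboard(user):
    """Leaver: disable the account and rescind every entitlement permanently."""
    user.active = False
    user.roles.clear()
    user.entitlements.clear()


def expected_entitlements(user):
    """Rights justified by the user's current roles (empty set if no roles)."""
    return set().union(*(ROLE_ENTITLEMENTS[r] for r in user.roles))


def excess_entitlements(user):
    """Privilege creep: rights held that no current role justifies."""
    return user.entitlements - expected_entitlements(user)


def audit(users):
    """Periodic review: report creep, lingering high-risk rights, and disabled
    accounts that still hold entitlements. Returns {name: findings}."""
    findings = {}
    for u in users:
        creep = excess_entitlements(u)
        risky = u.entitlements & HIGH_RISK
        stale = (not u.active) and bool(u.entitlements)
        if creep or risky or stale:
            findings[u.name] = {"excess": creep, "high_risk": risky, "stale": stale}
    return findings


if __name__ == "__main__":
    alice, bob = User("alice"), User("bob")
    for role in ("helpdesk", "dba", "developer"):
        grant_additively(alice, role)   # rights pile up across three jobs
        move_to_role(bob, role)         # rights always equal the current job
    for name, finding in audit([alice, bob]).items():
        print(name, finding)
    offboard(alice)
    print("alice after offboarding:", alice.entitlements, "active:", alice.active)
```

Running the script shows alice, after three additive role moves, still holding the helpdesk and DBA rights (including db:admin) while her record says “developer”, whereas bob holds only the developer entitlements; the audit flags alice and not bob. The same excess_entitlements check is what an onboarding/role-shift automation would run after every change, rather than only at a yearly review.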
Sponsored articles are content produced by a company that is either paying for the post or has a business relationship with VentureBeat, and they’re always clearly marked. Content produced by our editorial team is never influenced by advertisers or sponsors in any way. For more information, contact [email protected]