Undue Privilege Costs Cash and Undercuts Security

March 29, 2017

Few managers would throw their employee the keys to a big rig with two loaded trailers to pick up a pint of milk from a nearby convenience store. Apart from the problem of parking, the vehicle is massively over-specced for the job at hand, which creates unnecessary safety risks, both to the driver and to other road users. However, this is essentially what occurs each day in businesses around the world as employees are given access to privileged computer accounts that massively exceed the needs of their jobs. The result is often devastating in terms of corporate security, with many major data breaches traced to weak passwords that have provided access to such over-privileged accounts.


The solution is well known: applying least privilege access management, as implemented in the Centrify Server Suite.

Least privilege access is a core security principle that effectively limits an individual’s access to the systems, applications and data that they need to do their job. For example, as I work in sales, there is no need for me to have access to my employer’s payroll system, beyond employee self-service functions. Implementing least privilege access as part of a security infrastructure ensures you can only access what you need to perform your job.

Privileged access is a particularly significant risk in super-user -- or root admin -- accounts that are used or shared by IT system administrators. Whether they administer Windows, Linux or UNIX systems, IT administrators are required to deal with a wide range of technology problems in a given day, which is why they often grant themselves user accounts with extensive access privileges.

While this has the benefit of convenience for the administrator, it creates a huge security risk for the organisation in which they work. Hackers need to find only one flaw -- a password shared between a hacked social media account and a privileged sysadmin account -- and the keys to the kingdom are lost. When combined with the use of outsourced technology services, the result can be disastrous for an organisation’s security and reputation.

For example, it is widely reported that Edward Snowden in 2013 used relatively simple techniques and easily accessible tools to copy 1.7 million National Security Agency (NSA) files, which revealed the existence of numerous global surveillance programs. Reports claimed that Snowden, while working as a technology contractor for the NSA in Hawaii, was granted administrative access to files because one of his duties included backing up computer systems and moving information to local servers. This gave Snowden significant access to data on shared network systems for which he had administrative rights.

Applying the principle of least privilege access may have prevented this from occurring. Least privilege is not just a nice-to-have security feature: it is the foundation stone for a mature security infrastructure and, if you don’t have it, it is costing you money.

Earlier this year, Forrester Research released a Centrify-sponsored study which concluded that the 83 per cent of organisations with an immature approach to identity and access management (IAM) -- which means they lack least privilege access -- suffer twice as many data breaches and also incur $5 million more in costs than organisations with a more mature IAM posture.

Learn more about how Centrify can help you implement least privilege access management.

This is written by the individual author in his/her personal capacity, and the opinions, views and/or thoughts expressed herein are solely the author’s own. They are not intended to and may not necessarily reflect the official policy or position, or the opinions or views of ThycoticCentrify or its affiliates, employees, or any other group or individual.