
Privilege management could cut breaches -- if it were used

Verizon report recommends 'least privilege management,' a decades-old concept. Problem is, it's still not mainstream.

By Taylor Armerding, CSO
January 16, 2013 07:50 AM ET

CSO - It is well established that human error, ignorance and/or malice are more of a threat to online enterprise security than flaws in technology. An employee who falls victim to phishing or puts an infected USB drive into a workstation can let an attacker easily defeat the best security system.


But experts say technology can at least partially trump those human weaknesses. It just has to be deployed, and deployed properly.

And deployment is apparently part of the problem with "least privilege management" (LPM) -- sort of the cyber equivalent of security clearances in government. Not only do you have to be cleared at a certain level, you also have to have a "need to know" something before you are allowed access to it.

LPM grants each user, process and application only the specific privileges its task requires, rather than handing users standing administrative rights, with the goal that only those who need access get it. It obviously would not eliminate the risk of human error, but it limits what a mistake, or a compromised account, can reach.

The concept has been around for decades. J. Wolfgang Goerlich, information systems and information security manager for a Michigan-based financial services firm, said it was, "first explicitly called out as a design goal in the Multics operating system, in a paper by Jerome Saltzer in 1974."

But, it appears that so far, it has still not gone mainstream. Verizon's 2012 Data Breach Investigations Report found that, of the breaches it surveyed, 96% were not highly difficult for attackers and 97% could have been avoided through simple or intermediate controls.

LPM falls among those simple or intermediate controls Verizon noted that could save a lot of enterprises enormous grief, Goerlich said. Neither he nor other experts say it will make a system or network bulletproof, but Goerlich said, "It raises the bar by mitigating some attacks and raising the complexity of other attacks."

Bob Rudis, director of enterprise information security and risk management at Liberty Mutual, said it doesn't guarantee security -- but improves it. "It's nigh impossible to account for all types of user interaction with a system," he said. "[But] in applications that are fairly small or focused, properly implemented least privilege would be a solid and nigh unusurpable control."


Danny Lieberman, CTO of Software Associates, is a bit less confident in LPM, noting that an employee can work around LPM. "If an employee wants to access data, she can always social-engineer it out of a coworker," he said. "The main threat is not unwitting employees but malicious attackers."

The Verizon report does say that 98% of data breaches in 2011 came from external agents, but it also suggests that the success of those attacks was enabled in part by human error or ignorance. And it said: "We highly encourage organizations to run systems in a least-privilege mode."

Another problem with LPM, however, is that it is not always simple to decide who should have access to certain applications or areas.
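The clearance-plus-need-to-know model described above, and the difficulty of deciding who actually needs access, can both be made concrete with a small policy model. The following is an added example written for this page; it is not code from the article, from Verizon, or from any product. The principal names, clearance levels, resources and the access log are constructed for illustration. Access is denied by default, an explicit grant is required on top of sufficient clearance, and standing grants that are never exercised in the access log are reported as candidates for revocation.

```python
"""Least-privilege policy model: deny by default, clearance plus need-to-know,
and a usage-based review of standing grants.

Added example for this page, not code from the article or any product it
mentions. All principals, resources, levels and log entries are constructed.
"""
from dataclasses import dataclass, field

# Ordered clearance levels: a principal may only reach data at or below its level.
LEVELS = {"public": 0, "internal": 1, "confidential": 2, "restricted": 3}


@dataclass(frozen=True)
class Resource:
    name: str
    level: str          # classification of the data
    compartment: str    # need-to-know compartment, e.g. "payroll"


@dataclass
class Principal:
    name: str
    clearance: str
    # Explicit grants as (compartment, action). Clearance alone implies nothing.
    grants: set = field(default_factory=set)


def authorize(p: Principal, r: Resource, action: str) -> bool:
    """Deny by default: access needs BOTH sufficient clearance AND an explicit
    grant for the resource's compartment and the requested action."""
    if LEVELS[p.clearance] < LEVELS[r.level]:
        return False                                # clearance too low
    return (r.compartment, action) in p.grants      # need-to-know check


def reachable(p: Principal, resources, action: str = "read") -> set:
    """Every resource the principal can reach with one action: the blast
    radius if that principal's credentials are phished."""
    return {r.name for r in resources if authorize(p, r, action)}


def unused_grants(p: Principal, access_log) -> set:
    """Standing grants the principal never exercised in the log: the grants a
    least-privilege review would revoke first."""
    used = {(r.compartment, a) for (who, r, a) in access_log if who == p.name}
    return p.grants - used


def right_size(p: Principal, access_log) -> Principal:
    """Return a copy of the principal keeping only the grants actually used."""
    return Principal(p.name, p.clearance, p.grants - unused_grants(p, access_log))


# Constructed resources.
RESOURCES = [
    Resource("payroll_db", "confidential", "payroll"),
    Resource("hr_records", "confidential", "hr"),
    Resource("source_repo", "internal", "engineering"),
    Resource("board_minutes", "restricted", "executive"),
]

# Constructed principals. Bob changed roles twice and kept every old grant.
clerk = Principal("alice", "confidential",
                  {("payroll", "read"), ("payroll", "write")})
legacy_admin = Principal("bob", "confidential",
                         {("payroll", "read"), ("hr", "read"),
                          ("hr", "write"), ("engineering", "read")})

# Constructed access log: (principal name, resource, action).
ACCESS_LOG = [
    ("alice", RESOURCES[0], "read"),
    ("alice", RESOURCES[0], "write"),
    ("bob", RESOURCES[1], "read"),
    ("bob", RESOURCES[1], "write"),
]


if __name__ == "__main__":
    for p in (clerk, legacy_admin):
        print(p.name, "can read:", sorted(reachable(p, RESOURCES)))
        print(p.name, "unused grants:", sorted(unused_grants(p, ACCESS_LOG)))
        trimmed = right_size(p, ACCESS_LOG)
        print(p.name, "after review can read:", sorted(reachable(trimmed, RESOURCES)))
```

Two things the article's prose does not show fall out of this directly: a phished clerk account exposes one compartment, while an account that accumulated grants across job changes exposes three; and the access log, not the org chart, is what tells you which of those grants to revoke. The review is only as good as the log window, so a grant used once a quarter will look unused in a monthly review; treat the output as a list to confirm with the owner, not to apply blindly.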
