Principle of least privilege (PoLP)
What is the principle of least privilege (PoLP)?
The principle of least privilege, sometimes referred to as PoLP, is a cybersecurity strategy and practice that is used to control access to organizations’ data, networks, applications, and other resources by closely monitoring and controlling the access privileges granted to users. Extending beyond human users, the principle of least privilege also applies to non-human users, such as applications, systems, and connected devices that require privileges or permissions to perform a required task. Users are provided the minimum level of access necessary to perform the tasks that make up their jobs, and nothing more.
Examples of the principle of least privilege in practice include:
- An employee whose job entails processing invoices would only have access to that specific function in an accounting application rather than access to other areas, such as accounts receivable or payroll processing.
- A salesperson would have read and write privileges for a customer database, but not download or copy privileges.
- Government workers would only have access to information based on their security clearance levels and only be able to access information relevant to their job (e.g., an FDA (Food and Drug Administration) employee could not access defense-related information).
- A software user interface designer would not have access to source code.
The principle of least privilege is widely considered one of the most effective cybersecurity practices, because of its efficacy in restricting lateral movement and unauthorized access, minimizing attack surfaces, and reducing the spread of malware. It is an effective strategy for meeting the goals of the CIA triad (confidentiality, integrity, and availability) as well as a foundational part of zero trust security frameworks.
How the principle of least privilege works
The principle of least privilege works by restricting and monitoring access to data, networks, applications, and other resources. In a zero trust security environment, the principle of least privilege can help identify the specific access granted to these human and non-human users, regardless of the IP (internet protocol) address, protocol, or port an application uses (e.g., communication and collaboration applications that use dynamic ports).
Core elements of the principle of least privilege
The principle of least privilege incorporates three core elements in its controls—user identity authentication, device security posture, and user-to-application segmentation.
User identity authentication
The first step to enforcing the principle of least privilege is to validate the identity of human and non-human users.
Device security posture
Effective use of the principle of least privilege involves monitoring usage to identify and stop a compromised human or non-human user.
User-to-application segmentation
The principle of least privilege uses a zero trust network access solution to prevent unauthorized lateral movement by segmenting networks and restricting access based on need.
Principle of least privilege account types
To implement the principle of least privilege, different account types are used, each with varying levels of privileges related to user requirements. The types of accounts that are used include the following.
Non-privileged accounts
There are two main types of non-privileged accounts:
- Least-privileged user accounts (LPUs) give users as little access as possible to allow them to perform their duties. This level of account is assigned to most users.
- Guest user accounts are assigned to external users (e.g., third party partners, contractors, contingent workers, etc.) who require minimal access. Guest user accounts, generally, have fewer privileges than LPUs. Following the principle of least privilege, guest user accounts should be turned off as soon as access is no longer required.
Privileged accounts
Also referred to as superuser or admin accounts, privileged accounts have the highest level of access.
Privileged accounts that are commonly used include:
- Application accounts used by applications to provide access to other applications, access databases, or run batch jobs or scripts.
- Domain administrative accounts have administrative access across workstations and servers within the domain.
- Domain service or Active Directory accounts have the authority to enable password changes to accounts and manage and store information about resources.
- Emergency accounts, also called break glass or firecall accounts, give non-privileged users administrative access to secure systems in the case of an emergency.
- Local administrative accounts provide administrative access to the local host or instance only.
- Service accounts, also called privileged local or domain accounts, are used by an application or service to interact with the operating system.
With the principle of least privilege, usually only administrators have access to privileged accounts. This is because they are considered to be the most trusted and require elevated access privileges to perform their duties. Among the tasks that a privileged account holder can perform are:
- Activating or deactivating other user accounts, including privileged accounts
- Adjusting network settings
- Installing and updating applications
- Monitoring users and systems
- Removing data
Service accounts
Service accounts are assigned to non-human users that require a dedicated account. According to the principle of least privilege, access requirements should be determined; then, access is limited to the bare minimum needed to execute authorized tasks.
Shared accounts
Also called generic accounts, shared accounts are shared among a group of users. Shared accounts should be used judiciously, as it is a principle of least privilege best practice for each individual user to be assigned their own account.
Three principle of least privilege implementation best practices
- Create and maintain an inventory of all privileged accounts, including user and local accounts, application and service accounts, database accounts, cloud and social media accounts, SSH (secure shell) keys, default and hard-coded passwords, and other privileged credentials (e.g., those used by partners or vendors). The inventory should also include platforms, directories, and hardware.
- Enforce the principle of least privilege over end users, endpoints, accounts, applications, services, systems, and devices. This can be done by:
  - Banning password sharing
  - Eliminating unnecessary privileges from applications, processes, devices, tools, and other resources
  - Implementing segregation of duties policies
  - Minimizing the rights granted to each privileged account based on need
  - Removing hard-coded credentials
  - Removing admin rights on endpoints and servers
  - Requiring the use of strong passwords and multi-factor authentication
  - Restricting the assignment of privileged accounts
  - Segmenting systems and networks as much as possible
  - Using standing privileges only when necessary
- Establish comprehensive principle of least privilege rules to govern how accounts, especially privileged accounts, are provisioned and deprovisioned as well as how privileged identities and accounts are monitored and managed.
Why the principle of least privilege is important
The principle of least privilege is important because it addresses security challenges related to growing hybrid environments in a way that balances usability and security while enhancing performance and reducing the impact of human error.
Using the principle of least privilege as a foundational element in security strategies helps protect organizations from the fallout from unauthorized access to resources and data. This includes financial and reputational losses from data breaches, ransomware attacks, and other malicious activities.
Another reason why the principle of least privilege is important is that it reduces the enterprise’s attack surfaces. Not only does this minimize risk and vulnerability, but it also saves valuable IT and security teams’ time and money. In addition, it cuts down the threats that need to be addressed to defend against attackers who seek to gain access to critical systems and sensitive data by compromising a low-level account.
Applying the principle of least privilege can also stop the spread of malware by enforcing least privilege on endpoints. This stops malware attacks from using elevated privileges to increase access and move laterally, infecting other systems.
The principle of least privilege also keeps unauthorized inside users from accessing sensitive information and systems. This increases overall data security, addresses regulatory compliance requirements, and decreases instances of malicious insider activity.
Benefits of the principle of least privilege
Audit readiness
The monitoring, logging, and reporting capabilities that come with implementing the principle of least privilege provide much of the information needed for audits. This streamlines the audit process and ensures compliance with regulations’ security requirements.
Better data classification
The principle of least privilege requires network managers to keep an inventory of who has access to what at any given time, which helps keep networks secure and healthy.
Enhanced visibility
Implementing the principle of least privilege requires increased visibility for users’ activities. This helps expedite the identification and mitigation of cyber attacks and malicious insider activities.
Improved data security
Using the principle of least privilege in security strategies can prevent the catastrophic effects of data breaches by limiting the amount of information that a person can access to only what they need to do their jobs. Since most users only require minimal data, the risk of damage from a breach is significantly reduced.
Increased protection for IT assets
Principle of least privilege security benefits extend beyond protection from cybercriminals. By limiting users’ access to only the resources they need to complete their tasks, PoLP also protects data, systems, networks, and other resources from the negative impact of human error, whether it results from mistakes, malice, or negligence.
Minimized attack surface
The principle of least privilege minimizes the attack surface. It reduces the paths that cybercriminals can use to access sensitive data or carry out an attack by confining them to the minimal resources that the user is authorized to access.
Operational efficiency and performance
The PoLP enhances operational efficiency and performance with reductions in system downtime that might otherwise occur as a result of a breach, malware spread, or unsanctioned applications.
Stunted malware propagation
The principle of least privilege limits the spread of malware across networks by preventing the lateral movement that can be used to launch an attack against other connected devices. It also prevents users from installing unauthorized applications and enforces privilege separation.
Implementing the principle of least privilege
Following are several steps that an organization can take to implement the principle of least privilege.
Conduct an audit of privileged accounts
Regular reviews of privileged user accounts are an important function of the principle of least privilege, including checking identities and rights to the network, systems, software applications, processes, and programs.
Disable unnecessary resource access
A security program following the principle of least privilege will deactivate default privileges and reinstate those that are needed based on actual requirements.
Elevate privileges on a case-by-case basis
To maintain the efficacy of an implementation of the principle of least privilege, users should be granted elevated privileges on a situational basis, and the access should be temporary.
Eliminate unused accounts
The principle of least privilege also includes no privilege. If a user no longer has a requirement for access to all or part of a set of resources, their privileges should be revoked immediately. Systems should be in place to regularly assess usage to ensure optimal access control.
Monitor endpoints
Implement the principle of least privilege by continuously monitoring, logging, and auditing all activity on endpoints as well as maintaining an endpoint inventory.
Review logs regularly
The principle of least privilege includes monitoring and logging usage. An ongoing scheduled review of logs is critical. Without reviewing logs, unauthorized access could go undetected.
Reevaluate accounts and privileges
To optimize the efficacy of a principle of least privilege implementation, access rights should be reviewed on a monthly basis or quarterly at a minimum. If excessive privileges are identified, they should be revoked immediately. Any dormant accounts should also be evaluated to determine if they should remain active.
Separate users
Separating users into groups with higher and lower access levels and subgroups based on their roles or locations is also necessary when implementing the principle of least privilege.
Set user access to minimal privileges
When implementing the principle of least privilege, minimal privilege should be the default setting. If a user is granted additional privileges to perform a task that requires additional access, those privileges should be revoked when they are no longer needed to prevent privilege creep.
Use privilege bracketing
Privilege bracketing enforces the principle of least privilege by granting elevated privileges only for the amount of time a user needs to complete their task.
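The review steps above (audit privileged accounts, eliminate unused accounts, reevaluate privileges, use privilege bracketing) can be run as one pass over an account inventory. The following is an added example, not code from the original article: it checks a constructed inventory against hypothetical per-role privilege baselines and a 90-day dormancy window, and reports privilege creep, unused baseline rights, dormant accounts, and bracketed elevations whose window has closed.

```python
"""Access review helper: added example, not code from the original article.
It checks a constructed account inventory against per-role privilege baselines
and a 90-day dormancy window and reports what a reviewer should revoke."""
from __future__ import annotations
from dataclasses import dataclass, field
from datetime import datetime, timedelta

# Constructed (hypothetical) role baselines: the minimal set each role needs.
ROLE_BASELINE = {
    "invoice_clerk": {"ap:invoices:read", "ap:invoices:write"},
    "sales": {"crm:customers:read", "crm:customers:write"},
    "ui_designer": {"design:assets:read", "design:assets:write"},
}
NOW = datetime(2024, 6, 1)  # fixed "today" so the review is reproducible

@dataclass
class Account:
    name: str
    role: str
    granted: set[str]
    last_used: dict[str, datetime]      # privilege -> last time it was exercised
    last_login: datetime | None
    brackets: dict[str, datetime] = field(default_factory=dict)  # privilege -> expiry

def review(accounts, now=NOW, dormant_after=timedelta(days=90)):
    """Return (account, finding, privilege or None) tuples for the reviewer."""
    findings = []
    for acct in accounts:
        baseline = ROLE_BASELINE.get(acct.role, set())
        # Dormant account: never logged in, or not within the window.
        if acct.last_login is None or now - acct.last_login > dormant_after:
            findings.append((acct.name, "dormant_account", None))
        for priv in sorted(acct.granted):
            expiry = acct.brackets.get(priv)
            if expiry is not None:
                # Bracketed (time-bound) elevation: flag only once the window closed.
                if now > expiry:
                    findings.append((acct.name, "expired_bracket", priv))
                continue
            if priv not in baseline:
                # Privilege creep: a standing right outside the role baseline.
                findings.append((acct.name, "privilege_creep", priv))
            elif priv not in acct.last_used or now - acct.last_used[priv] > dormant_after:
                # Baseline right that has not been exercised in the window.
                findings.append((acct.name, "unused_privilege", priv))
    return findings

def revocations(findings):
    """Collapse findings into the (account, privilege) pairs to revoke."""
    return {(name, priv) for name, _kind, priv in findings if priv is not None}

def sample_accounts():
    """Constructed inventory: one creep case, one expired bracket, one dormant user."""
    recent, stale = NOW - timedelta(days=3), NOW - timedelta(days=120)
    return [
        Account("alice", "invoice_clerk",
                {"ap:invoices:read", "ap:invoices:write", "hr:payroll:read"},
                {"ap:invoices:read": recent, "ap:invoices:write": recent,
                 "hr:payroll:read": recent}, recent),
        Account("bob", "sales",
                {"crm:customers:read", "crm:customers:write", "crm:export"},
                {"crm:customers:read": recent, "crm:customers:write": recent}, recent,
                brackets={"crm:export": NOW - timedelta(days=1)}),
        Account("carol", "ui_designer",
                {"design:assets:read", "design:assets:write"},
                {"design:assets:read": stale}, stale),
    ]
```

The dormant-account finding carries no privilege because the remediation is to disable the account, not to trim individual rights.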
What are the principles of need to know and least privilege?
The terms need to know and least privilege are often confused. The main difference between the principle of least privilege and the principle of need to know is the scope of application. At a high level, the principle of need to know is about when the user has a legitimate reason to access a resource, and least privilege is about implementing appropriate access control to grant specific permission based on role or job function.
The principle of least privilege is focused on technical access controls and actions that can be performed. For example, if a user is granted read access to a folder, they only read files in that folder and do not perform other actions to any of the files (e.g., edit, print, or share).
The principle of the need to know covers the broader topic of which users can see confidential or secret information in specific files. This access is not necessarily tied to roles or functions as it usually is with the principle of least privilege.
According to the need-to-know principle, security clearance or other approvals do not by themselves dictate access privileges. Information is accessible only to those who need it to do their jobs. Access is usually based on a business justification for why a group or individual needs the information, as determined by the system’s owner, the requestor’s manager, project leadership, or another source of authority.
The principle of need to know and the principle of least privilege differences
Ways to differentiate the principles of least privilege and need to know include:
- Access controls—Least privilege is often enforced with role-based access controls, while need to know usually involves more granular levels of access controls, such as mandatory access control (MAC) and discretionary access control (DAC).
- Cyber attack prevention—Least privilege access plays a key role in reducing the risk of cyber attacks from external threat actors, such as data breaches, ransomware, and malware. The principle of need to know is more about reducing risks from insider threats.
- Focus—Need to know is primarily focused on safeguarding sensitive information. The principle of least privilege generally applies to permissions and access controls across apps, endpoints, and systems.
An example of how the principle of need to know and the principle of least privilege work together
A sales administrator requests access to customer data to create a report for the vice president of sales. This user has a legitimate reason to access this information—a need to know. If least privilege access controls are used, the access permissions granted to the sales administrator will dictate the terms of access. Controls, driven by the principle of least privilege, would dictate the kind of access the sales administrator has, such as read-only, copy, print, edit, or share.
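The sales-administrator scenario as two authorization layers, written here as an added example rather than code from the original article: a need-to-know layer that requires an unexpired, authority-approved justification for the subject and resource, and a least-privilege layer that limits the actions (read, copy, print, edit, share) to those the role permits. Subject names, roles, and the approval record are constructed.

```python
"""Two-layer authorization for the sales-administrator scenario: added example,
not code from the original article. Need to know decides whether the subject may
see the resource at all; least privilege decides which actions the role allows."""
from __future__ import annotations
from dataclasses import dataclass
from datetime import datetime, timedelta

# Least-privilege layer (constructed): actions each role may take per resource.
ROLE_PERMISSIONS = {
    "sales_admin": {"customer_data": {"read"}},
    "sales_vp": {"customer_data": {"read", "copy", "print", "edit", "share"}},
}

@dataclass(frozen=True)
class NeedToKnow:
    """A business justification approved by an authority for one subject/resource."""
    subject: str
    resource: str
    justification: str
    approved_by: str       # system owner, requestor's manager, project lead, ...
    expires: datetime      # approvals are time-bound to avoid evergreen access

def authorize(subject, role, resource, action, approvals, now):
    """Return (allowed, reason). Both layers must pass; the reason names the layer that failed."""
    # Layer 1: need to know. Without an unexpired approval the data is invisible
    # to the subject, whatever their role would otherwise allow.
    matching = [a for a in approvals if a.subject == subject and a.resource == resource]
    if not matching:
        return False, "need to know: no approved justification"
    if all(a.expires <= now for a in matching):
        return False, "need to know: approval expired"
    # Layer 2: least privilege. The role's permitted actions bound what the
    # subject can do with data it is allowed to see.
    permitted = ROLE_PERMISSIONS.get(role, {}).get(resource, set())
    if action not in permitted:
        return False, f"least privilege: '{action}' not permitted for role '{role}'"
    return True, "allowed"

NOW = datetime(2024, 6, 1)
# Constructed approval: the VP of sales signs off on report access for 14 days.
APPROVALS = [NeedToKnow("sam", "customer_data", "Q2 report for VP of sales",
                        approved_by="vp_sales", expires=NOW + timedelta(days=14))]

def demo():
    """Same subject and data with different actions and times, plus a role with
    broad permissions but no approval (need to know is not derived from role)."""
    return {
        "read":  authorize("sam", "sales_admin", "customer_data", "read", APPROVALS, NOW),
        "share": authorize("sam", "sales_admin", "customer_data", "share", APPROVALS, NOW),
        "late":  authorize("sam", "sales_admin", "customer_data", "read", APPROVALS,
                           NOW + timedelta(days=30)),
        "other": authorize("pat", "sales_vp", "customer_data", "read", APPROVALS, NOW),
    }
```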
Terms and Concepts Related to the Principle of Least Privilege
Privilege creep
Privilege creep happens when users are granted additional access rights over a period of time. Often, privilege creep occurs when a person is given new access rights when they change positions or take on new responsibilities, but existing privileges that are no longer needed are not revoked. The result is an accumulation of access rights or privilege escalation that go beyond what is actually required.
Applying the principle of least privilege deters privilege creep by regularly reviewing and updating access permissions.
Privilege bracketing
Privilege bracketing is the practice of increasing access permissions just before it is required, then revoking it as soon as the related task has been completed. This allows privilege levels to be elevated for the shortest period of time.
Privilege separation
With privilege separation, the functionality of a system is divided into separate parts. Users are assigned access to specific parts based on requirements, thereby limiting exposure and reducing the attack surface.
Privilege escalation
Privilege escalation is a type of cyber attack where an attacker gains unauthorized access to elevated rights or privileges. By applying the principle of least privilege at endpoints, privilege escalation attacks are stunted, because the attacker is not able to use elevated privileges to increase access and move laterally to execute malware or other nefarious activities.
Zero trust security
Zero trust security is based on the concept that no device, user, workload, or system should be trusted by default, regardless of whether it is inside or outside the security perimeter. Other security models have implicitly assumed that anything inside of the network should be trusted, because it has been validated as authorized and legitimate. In a zero trust model, every access request is evaluated and authorized before access is granted.
Zero trust network access (ZTNA)
Also known as software-defined perimeter (SDP), ZTNA controls access by microsegments where valuable assets reside. ZTNA then applies the principle of least privilege to identify and stop malicious or unauthorized lateral movement.
The principle of least privilege provides maximum benefits
Effectively implemented and enforced, the principle of least privilege does yeoman’s duty for security. It helps improve cybersecurity and security controls related to human error while improving productivity and performance.
The list of benefits delivered by applying the principle of least privilege is lengthy and proven. Organizations of all sizes and in all segments are encouraged to adopt the principle of least privilege as a pillar in their security postures.
Principle of least privilege FAQ
What is the principle of least privilege law?
Least privilege is a cybersecurity practice and a fundamental principle of the zero trust cybersecurity model. The principle of least privilege is a requirement of a number of laws and standards, including the European Union’s General Data Protection Regulation (GDPR), the Health Insurance Portability and Accountability Act (HIPAA), the Sarbanes–Oxley Act (SOX), and the Payment Card Industry Security Standards Council’s Payment Card Industry Data Security Standard (PCI DSS).
What is the difference between the separation of duties and the principle of least privilege?
The principle of least privilege focuses on the access privileges that employees are granted with the objective of only granting the minimum needed for them to perform their assigned tasks. Separation of duties can also include restrictions on access, but the primary objective is to split tasks and access among multiple employees.
While the goal of the principle of least privilege is to limit the exposure of sensitive data, separation of duties limits access with the objective of restricting individuals from being able to do damage or commit crimes. For instance, the principle of least privilege would limit access to accounting systems to those who needed it for their job. From the lens of separation of duties, restricted access to accounting systems would prevent one user from both authorizing and issuing payment. In this case, one person would be responsible for authorizing a payment, and then another would review the request and, if it was legitimate, issue payment.
What are the key challenges with the principle of least privilege?
The principle of least privilege is an effective and important cybersecurity strategy and practice, but it does present challenges when it is improperly implemented or poorly managed. Following are some of the common challenges associated with the principle of least privilege.
Minimal access
Managers and administrators struggle to strike the optimal balance for access permissions. When access privileges are too restrictive, employees grow frustrated and look for ways to circumvent security controls. In addition, overly restrictive permissions negatively impact productivity as users have to take extra steps to access the resources they need.
Excessive permissions
Conversely, granting excessive permissions leaves sensitive data exposed. Often, when administrators are not sure whether or not access is needed, they will grant access and retract it later, if needed, to reduce the burden on support desk teams by users needing access and to minimize user frustration.
Excessive permissions are also an issue when all users are simply granted the same access. This lack of granular access controls increases the attack surface for external threats as well as insider threats.
Micromanagement and bottlenecks
Limiting users’ access can lead to micromanagement and the associated frustrations when lower-level users must work with senior employees to get access to the resources they need. This also creates bottlenecks as users have to wait for the access they need to perform their assigned tasks.
Evergreen access
Failing to review and update access privileges is a problem that occurs with poor access management processes. In this case, once users are granted access, their privileges never change. This can result in overprovisioning when a user no longer needs as much access as they were initially granted. It also leads to the issues that come with excessive restrictions when users’ requirements change and they need more access privileges.