Tasks attached

Topic: Principle of least privilege

Read and respond to below student’s discussions (150 words) reflecting on your own experience, challenging assumptions, pointing out something new you learned, and offering suggestions.

#1. Posted by Himakar

Operating under the principle of least privilege, as the name implies, is based on the premise of only granting necessary and sufficient permissions to users to carry out their activities, for a limited time, and with the minimum rights required for their tasks. This practice can be implemented with respect to technology usage, with the aim of ensuring the security of information, as well as our privacy. In the area of cybersecurity, the assignment of permissions that a user may have to a system or to information is a security practice that is continuously applied. “It’s the difference between having a key that works on every door, and one that only opens certain rooms” (Ellen, 2020).

Access control is an information security mechanism to verify the authenticity of a user before gaining access to the sensitive and privilege information. Access control verifies whether a user has a given privilege to gain access to database resources.

When organizations have tried to implement PoLP in the past, the general practice was to go overboard to ensure that privilege abuse was not possible. Organizations need to take a step back and look at the problem of least privilege from a data-centric approach. Work from the inside out, not from the outside in. Locate where your most sensitive is and what exactly makes it sensitive. Then decide which of your users require access to this data and make sure that you have a way of monitoring whether those permissions change. You should also ensure that you have a way of monitoring and analyzing the behavior of your privileged users in relation to your data to spot the signs of privilege abuse or insider threats.

There are privileges to access controls like Content Access which is based on the sensitivity of the data. It is based on what the subject does, means it adds a particular aspect to its process by determining each request within its context, which also means making decisions to authorize or unauthorize permissions in a system based on host factors like the devices, locations and type of request and time of request. For instance, some employees does work from Starbucks or any coffee shops, so here the employees tries to access some sensitive data with unfamiliar wifi in non-peak hours, which is a higher risk than accessing the data at office business hours. Contextual Access takes care of these factors before authorizing access and evaluating requests based on the endpoint risk (Schneider, 2003).

We can confirm that least privilege is one of the best approaches for data security which avoids operations like inserting, deleting unnecessarily. Mainly while assigning privileges to new hires in the team we should be incredibly careful because they are unaware of the application and may do something wrong unintentionally which may result in the loss of the data.

#2. Posted by Ragini

Principle of least privilege

Today’s complex IT environments need security. The process of implementing all the necessary measures to safeguard the information is called IT Security. The principle of least privilege plays a vital role in IT Security. It basically means that granting very minimum access to the users and thereby helping them perform their tasks in a very effective way. When the privileged accounts are being compromised,  data security will be at risk.

There was an incident that happened in U.S. Edward Snowden leaked highly confidential information from U.S. National Security Agency. Even though there were many reasons, the strong factor was that he had many privileges than required in order to do his job. He was given all the administrative access rights to all the important database systems. This helped him in leaking out 1.7 million confidential files. After this. NSA had revoked all the high-level access rights from the system admins and gave limited access rights.

For instance, if a bank customer needs to have a credit card approval, the Creditors/lenders use some financial tools that they have access in order to evaluate the creditworthiness of a potential borrower. Based on those factors, they grant the approval/ rejection to its customer. However, customer need not have all these extra access. This helps in reducing security risks.

Administrators usually have unlimited access to the system like read, write or execute. They have the ability to modify the files or changing settings or maybe deleting the data/users. For the best practice, admin credentials are not being used. Instead, it is used with a sudo(“Super user do”) which has all the privileges of the administrator. This minimizes the risk of admin account from being hijacked.

Implementing POLP

Organizations implement PLOP successfully in many no. of ways. They conduct audits in a timely manner to make sure that every user is having the necessary privileges to perform their activities. They set default priorities to low for the new accounts and thereby adding the privileges as they need. Tracking the individual actions from time to time makes easier to know who accessed what information at what time which enables minimal damage.

Advantages of the principle of least privilege (POLP)

Following the principle of least privilege helps an organization in many ways. The users, even if they wanted to access any extra information, they are not able to do as they will be having very limited access to the resources. This becomes harder and they will have to compromise on that. This also helps in preventing the system downtimes or system changes which intern helps in achieving compliance.

This also helps the organizations to know what data they have, where it resides and who needs to have access to it which in turn in preventing unauthorized access.

On a final note, the principle of least privilege is not only giving the required privileges to the user but also monitoring or managing if there is anyone who needs extra access.