3. Enforce least privilege over end users, endpoints, accounts, applications, services, systems, etc.: A key piece of a successful least privilege implementation involves wholesale elimination of privileges everywhere they exist across your environment. Then, apply rules-based technology to elevate privileges as needed to perform specific actions, revoking privileges upon completion of the privileged activity. Ensuring true least privilege is not just about enforcing constraints on the breadth of access, but also on the duration of access. In IT security terms, this means implementing controls that provide just enough access (JEA) and just-in-time (JIT) access.

Broken down to the tactical level, least privilege enforcement should encompass the following:

4. Enforce separation of privileges and separation of duties: Privilege separation measures include separating administrative account functions from standard account requirements, separating auditing/logging capabilities within the administrative accounts, and separating system functions (e.g., read, edit, write, execute, etc.).

When least privilege and separation of privilege are in place, you can enforce separation of duties. Each privileged account should have privileges finely tuned to perform only a distinct set of tasks, with little overlap between various accounts.

With these security controls enforced, although an IT worker may have access to a standard user account and several admin accounts, they should be restricted to using the standard account for all routine computing, and only have access to various admin accounts to accomplish authorized tasks that can only be performed with the elevated privileges of those accounts.
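Items 3 and 4 above, as an added example that is not part of the original article: a minimal just-in-time, just-enough-access privilege broker whose rules map a role and task to an exact privilege set and a bounded lifetime, with revocation on task completion and a separation-of-duties check across the rule table. The roles, tasks, privilege names and durations are constructed for illustration.

```python
"""Added example, not from the original article: a minimal just-in-time (JIT),
just-enough-access (JEA) privilege broker with a separation-of-duties check.
Roles, tasks, privilege names and durations are constructed for illustration."""
from dataclasses import dataclass
from itertools import combinations
from typing import Optional

# (role, task) -> (exact privilege set the task needs, maximum grant lifetime in seconds)
RULES = {
    ("dba", "rotate_db_password"): ({"db:alter_user"}, 900),
    ("sysadmin", "patch_host"): ({"host:install_pkg", "host:restart_service"}, 3600),
    ("auditor", "review_logs"): ({"log:read"}, 1800),
}

@dataclass
class Grant:
    account: str
    privileges: frozenset
    expires_at: float
    revoked: bool = False

    def active(self, now: float) -> bool:
        # Usable only inside its time window and until explicitly revoked.
        return not self.revoked and now < self.expires_at

class Broker:
    def __init__(self) -> None:
        self.grants: list = []

    def request(self, account: str, role: str, task: str, now: float) -> Optional[Grant]:
        # JEA: the privilege set comes from the rule for this role+task, not from the account.
        rule = RULES.get((role, task))
        if rule is None:
            return None                      # no matching rule: default deny
        privs, ttl = rule
        grant = Grant(account, frozenset(privs), now + ttl)   # JIT: bounded lifetime
        self.grants.append(grant)
        return grant

    def allowed(self, account: str, privilege: str, now: float) -> bool:
        # Permit only while an active grant for this account carries that exact privilege.
        return any(g.account == account and privilege in g.privileges and g.active(now)
                   for g in self.grants)

    def complete(self, grant: Grant) -> None:
        grant.revoked = True                 # revoke as soon as the privileged task finishes

def sod_violations() -> list:
    # Separation of duties: no two tasks should share any privilege.
    return [(a, b) for a, b in combinations(RULES, 2) if RULES[a][0] & RULES[b][0]]
```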

5. Segment systems and networks to broadly separate users and processes based on different levels of trust, needs, and privilege sets. Systems and networks requiring higher trust levels should implement more robust security controls. The more segmentation of networks and systems, the easier it is to contain any potential breach from spreading beyond its own segment. Also implement microsegmentation, a key zero trust strategy, to isolate resources by creating zones. Microsegmentation further restricts line-of-sight visibility and access to applications, protecting against lateral movement.

6. Enforce password security best practices:

7. Lock down infrastructure: Extend PAM principles to implement robust infrastructure access management. Access to infrastructure—whether for on-premises, cloud, or OT environments—should be proxied via VPN-less PAM technologies. This can entail implementing privileged access workstations (PAWs), which are hardened, dedicated assets used to secure all admin access. The principle of least privilege should also be applied to ensure that the range of activities and infrastructure access for any one PAW is limited.

8. Monitor and audit all privileged activity: This can be accomplished through user IDs as well as auditing and other tools. Implement privileged session management and monitoring (PSM) to detect suspicious activities and efficiently investigate risky privileged sessions in a timely manner. Privileged session management involves monitoring, recording, and controlling privileged sessions. Auditing activities should include capturing keystrokes and screens (allowing for live view and playback). PSM should cover the instances during which elevated privileges/privileged access is granted to an account, service, or process.

Privileged session monitoring and management capabilities are also essential for compliance. SOX, HIPAA, GLBA, PCI DSS, FDCC, FISMA, and other regulations require organizations to not only secure and protect data, but also be capable of proving the effectiveness of those measures.

9. Implement dynamic, context-based access: This is a key zero trust principle and entails delivering just-enough access, just-in-time—in the proper context. This is accomplished by evaluating multiple inputs (real-time vulnerability/threat data for a target asset, geolocation and temporal data, user data, etc.) to determine how much and for how long privilege can be provisioned. Apply real-time vulnerability and threat data about a user or an asset to enable dynamic risk-based access decisions. For instance, this capability can allow you to automatically restrict privileges and prevent unsafe operations when a known threat or potential compromise exists for the user, asset, or system.
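The context-based decision described in item 9, as an added example that is not from the original article: several risk inputs (user risk, the target asset's open vulnerabilities and live threat status, geolocation and time of day) are combined into a score that shrinks both the privilege scope and the grant duration as risk rises. The weights, thresholds and sample context values are assumed for illustration.

```python
"""Added example, not from the original article: a dynamic, context-based access
decision that turns several risk inputs into a privilege scope and duration.
Weights, thresholds and the privilege naming scheme are assumed for illustration."""
from dataclasses import dataclass

@dataclass
class Context:
    user_risk: float          # 0..1, e.g. from privileged user analytics
    asset_cvss_max: float     # highest open vulnerability score on the target asset (0..10)
    asset_under_attack: bool  # live threat indicator for the target asset
    known_location: bool      # request comes from an expected geolocation
    business_hours: bool      # request falls inside the user's normal working window

def risk_score(c: Context) -> float:
    # Weighted sum of the inputs, clamped to 0..1 (weights are assumed values).
    score = 0.4 * c.user_risk
    score += 0.3 * min(c.asset_cvss_max, 10.0) / 10.0
    score += 0.2 * (not c.known_location)
    score += 0.1 * (not c.business_hours)
    if c.asset_under_attack:
        score = 1.0           # a known active compromise overrides every other input
    return min(score, 1.0)

def decide(c: Context, requested: set) -> tuple:
    """Return (granted privileges, duration in seconds); scope and time shrink with risk."""
    r = risk_score(c)
    if r >= 0.8:
        return set(), 0                                   # deny outright
    if r >= 0.5:
        # Degrade to read-only privileges for a short window; unsafe (write) operations blocked.
        return {p for p in requested if p.endswith(":read")}, 600
    if r >= 0.25:
        return set(requested), 1800
    return set(requested), 3600
```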

10. Secure privileged task automation (PTA) workflows: Privileged task automation entails automating tasks and workflows—such as robotic process automation (RPA)—that leverage privileged credentials and elevated access. These complicated workflows are increasingly embedded within modern IT environments and require many moving—and sometimes ephemeral—parts that all need to be onboarded and seamlessly managed for privileged access.

11. Implement privileged threat/user analytics: Establish baselines for privileged user behavioral activity (PUBA) and privileged access. Monitor and alert to any deviations from the baseline that meet a defined risk threshold. Also incorporate other risk data for a more three-dimensional view of privilege risks. Accumulating as much data as possible is not necessarily the answer. What is most important is that you have the data you need in a form that allows you to make prompt, precise decisions to steer your organization to optimal cybersecurity outcomes.
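The baseline-and-deviation approach of item 11, as an added example that is not from the original article: a per-user baseline of privileged session activity is built from constructed history records, each new session is scored by how far it departs from that baseline, and sessions above a defined risk threshold are flagged. The record layout, the z-score statistic, the unseen-hour penalty and the threshold are all assumptions.

```python
"""Added example, not from the original article: per-user baselines of privileged
session activity with alerting on deviations above a risk threshold.
The record layout, scoring rule and threshold are assumed for illustration."""
from collections import defaultdict
from statistics import mean, pstdev

# Constructed sample history: (user, hour_of_day, commands_run, hosts_touched) per session
HISTORY = [
    ("alice", 10, 12, 1), ("alice", 11, 15, 1), ("alice", 14, 9, 2),
    ("alice", 9, 11, 1), ("alice", 15, 13, 1),
]

def build_baseline(records):
    """Per-user mean/stdev of each numeric feature plus the set of hours seen."""
    by_user = defaultdict(list)
    for user, hour, cmds, hosts in records:
        by_user[user].append((hour, cmds, hosts))
    base = {}
    for user, rows in by_user.items():
        cmds = [r[1] for r in rows]
        hosts = [r[2] for r in rows]
        base[user] = {
            "hours": {r[0] for r in rows},
            "cmds": (mean(cmds), pstdev(cmds) or 1.0),    # avoid division by zero
            "hosts": (mean(hosts), pstdev(hosts) or 1.0),
        }
    return base

def deviation_score(baseline, session) -> float:
    """Sum of z-scores for the numeric features plus a fixed penalty for an unseen hour."""
    user, hour, cmds, hosts = session
    b = baseline.get(user)
    if b is None:
        return float("inf")       # no baseline at all: treat as maximally risky
    z = abs(cmds - b["cmds"][0]) / b["cmds"][1]
    z += abs(hosts - b["hosts"][0]) / b["hosts"][1]
    if hour not in b["hours"]:
        z += 3.0
    return z

def alerts(baseline, sessions, threshold=4.0):
    # Only deviations that meet the defined risk threshold are surfaced.
    return [s for s in sessions if deviation_score(baseline, s) >= threshold]
```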