Identity-related data breaches are on the rise; 79% of organizations have experienced one within the last two years. In almost all cases, these breaches are believed to be entirely preventable.
With a remote workforce, organizations are at an increased risk of being breached. Reducing or eliminating high-impact data identity-related breaches requires the proper management of user privileges, creating a healthy balance between system usability and security.
Least Privilege Reduces Breach Impact
The principle of least privilege says that user accounts should be provisioned with the minimum level of permissions required to complete job responsibilities. The majority of an organization’s employees do not require administrator-level access, and providing this unnecessarily increases the potential impact of a data breach. Users that do require this level of access, such as system and network administrators, should use an account with restricted permissions for everyday tasks such as checking email, and only use administrator-level access for tasks where it is absolutely necessary.
By limiting privilege levels on user accounts, an organization minimizes the potential impact of a data breach; 74% of data breaches involve a privileged account. By reducing the probability that a privileged account will become compromised via phishing, credential stuffing, or similar attacks, an organization forces a potential attacker to use privilege escalation tools to gain the level of access required to achieve their objectives. These techniques can be more easily detected, enabling the organization to respond before a breach occurs.
Enabling Secure Telework with Privilege Management
As organizations consider extended or permanent support for telework programs in the wake of COVID-19, proper management of privileges for user accounts is more important than ever. Teleworkers are exposed to a number of risks that do not exist for on-site employees and are more likely to unintentionally enable a data breach.
For example, a teleworker is more likely to download sensitive data to their computer in order to avoid delays associated with the virtual private network (VPN) infrastructure. This downloaded data is no longer protected by an organization’s deployed security solutions and is subsequently more vulnerable to exfiltration.
With a remote workforce, an organization needs to balance system usability with system security. If teleworkers cannot perform core job functions, the productivity of the business suffers. On the other hand, a breach of sensitive and protected user data can cause both a loss of productivity and significant costs associated with remediation efforts and legal and regulatory penalties.
By implementing least privilege for user accounts, an organization can balance the need for usability and security. For daily, non-risky activities, an organization can configure user accounts to have high usability, including support for extended sessions and easy reauthentication. However, for more risky activities, such as database access or anything requiring administrator-level access, additional security controls can be put in place, such as faster idle session timeouts and stricter authentication requirements. By doing so, an organization can decrease the probability that an account is compromised and limit the window in which an attacker can perform malicious activities.
How MorganFranklin Can Help
Properly implementing least privilege in a corporate environment requires deploying security solutions to implement and enforce new policies. MorganFranklin has experience with a wide range of identity and access management (IAM) solutions and can assist with selection, deployment, and configuration of the tools best suited to an organization’s unique security needs and network environment.