This is the second article in a continuing series exploring the meaning and real-world impacts of the three tenets of the Zero Trust security model. The first is here.
The threat of malicious insiders is a problem that companies continue to have to deal with. As an example, on September 1, 2017, law enforcement officials discovered that a former employee of a Coca-Cola subsidiary was in possession of a hard drive that contained employee data. The information of 8,000 individuals employed with the enterprise Coca-Cola was affected by this data breach.
In that incident, the compromised data included names, Social Security numbers, addresses, ethnicity, credit card data, financial data and other information linked to employees, suppliers, and contractors.
In another example, in 2018, a former Chicago Public Schools (CPS) employee was charged with stealing personal information from 70,000 CPS employees. The employee was a temporary IT worker who stole the information — names, employee ID numbers, phone numbers, addresses, birth dates, criminal histories, and any records associating individuals with the Department of Children and Family Services — in retaliation for being fired.
So, is there any solution to prevent these types of attacks? Yes, and it underscores the importance of the second tenet of the Zero Trust security model: enforcing least privilege.
Enforcing Least Privilege Access
The focal point of the Zero Trust model is that enterprise data needs to be protected at all costs. There are three pillars to this security model:
- Secure access: No one and nothing gains access to the network without authorization. (Read the first article of this series about this tenet here.)
- Least privilege: Grant access only in the most limited way possible and restrict that access to only what that user requested and is explicitly authorized.
- Log everything: All network traffic must be continually logged and inspected to ensure that only the authorized access is ever allowed to proceed.
In principle, the second tenet, granting least privilege access, boils down to ensuring that a user is only given just enough privileges to be able to do their job, and not granted access to the whole network.
Enforcing zero trust-based access principles is even more important now as the network perimeter becomes increasingly meaningless in a borderless network landscape. And in the post-pandemic, “new normal”, the perimeter is unlikely to ever come back. Indeed, according to Gartner, almost three quarters of companies expect to shift five percent or more of their workforce to remote work on a permanent basis.
More than ever, it’s clear that the business perimeter needs to be defined around the user and data rather than around offices and machines.
Traditionally, verification of users was a one-time check. Users authenticated to the network through a virtual private network (VPN). But once authorized, they were not monitored and free to access any application.
The modern approach, embodied by zero trust, is to continuously establish and re-establish the trust of the user. Access to each additional application is granted only after the user’s privilege for that specific access has been verified against multiple contextual and environmental variables.
The second tenet of Zero Trust ensures that only securely authenticated users and devices have access to target applications, with a view to keeping your most critical data protected. It determines the user’s continuing access by persistently asking the following questions for each and every attempt to access something new:
- Who is requesting access?
- What is the context of the request?
- What is the risk of the access environment?
If you’re not monitoring and continually assessing who is coming into your network and who has access to certain files, an insider attack becomes just a matter of time. Adopting a comprehensive Zero Trust approach and applying its vitally important second tenet, enforcing least privilege, is a step in the right direction to securing your most important assets.
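The per-request evaluation described above (who is asking, in what context, at what risk, and for which specific resource) can be made concrete in a small policy-decision function. The following is an added example written for this article, not code from Symantec or any product it sells; the users, roles, resources, risk thresholds and the 0-100 risk score are all constructed assumptions. It contrasts with the one-time VPN check: a grant for one resource gives no standing for the next request, every attempt is decided on its own, and every decision is logged so that a user repeatedly reaching for data outside their job, as in the CPS case, shows up in the log rather than in a headline.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple

# Constructed directory (hypothetical users and roles): the "who" of a request is
# resolved from the directory, never trusted from the request itself.
USER_ROLES: Dict[str, str] = {
    "alice": "payroll-analyst",
    "bob": "it-contractor",
    "carol": "hr-admin",
}

# Constructed role-to-permission map: each role gets only the (resource, action)
# pairs its job needs. There is deliberately no "whole network" entry.
ROLE_PERMISSIONS: Dict[str, Set[Tuple[str, str]]] = {
    "payroll-analyst": {("hr/payroll", "read")},
    "hr-admin": {("hr/payroll", "read"), ("hr/payroll", "write"), ("hr/records", "read")},
    "it-contractor": {("it/tickets", "read"), ("it/tickets", "write")},
}

# Assumed thresholds on a 0-100 risk score supplied by an external risk engine.
RISK_DENY_THRESHOLD = 70    # deny outright at or above this
RISK_STEPUP_THRESHOLD = 40  # require MFA at or above this


@dataclass(frozen=True)
class AccessRequest:
    user: str
    resource: str
    action: str
    device_compliant: bool  # context: managed and patched device?
    mfa_verified: bool      # context: strong authentication in this session?
    risk_score: int         # environment risk, 0 (low) to 100 (high)


@dataclass(frozen=True)
class Decision:
    allowed: bool
    reason: str


# Tenet three: every decision, allowed or denied, is recorded here.
AUDIT_LOG: List[Tuple[str, str, str, bool, str]] = []


def evaluate(req: AccessRequest) -> Decision:
    """Decide one access attempt. Each call is independent: a previous grant for
    another resource carries no weight, which is what makes the check continuous."""
    role: Optional[str] = USER_ROLES.get(req.user)
    if role is None:
        decision = Decision(False, "who: unknown user")
    elif (req.resource, req.action) not in ROLE_PERMISSIONS.get(role, set()):
        decision = Decision(False, "least privilege: role not authorized for this resource/action")
    elif req.risk_score >= RISK_DENY_THRESHOLD:
        decision = Decision(False, "risk: environment risk too high")
    elif not req.device_compliant:
        decision = Decision(False, "context: device not compliant")
    elif req.risk_score >= RISK_STEPUP_THRESHOLD and not req.mfa_verified:
        decision = Decision(False, "risk: elevated risk requires MFA")
    else:
        decision = Decision(True, "granted")
    AUDIT_LOG.append((req.user, req.resource, req.action, decision.allowed, decision.reason))
    return decision


def denied_counts(log: List[Tuple[str, str, str, bool, str]] = AUDIT_LOG) -> Dict[str, int]:
    """Count denied attempts per user from the audit log. A user repeatedly denied on
    data outside their role is exactly the signal an insider-threat review looks for."""
    counts: Dict[str, int] = {}
    for user, _resource, _action, allowed, _reason in log:
        if not allowed:
            counts[user] = counts.get(user, 0) + 1
    return counts


if __name__ == "__main__":
    # A payroll analyst reading payroll from a compliant device at low risk is granted;
    # the same analyst writing payroll, or an IT contractor reading HR records, is not.
    for req in (
        AccessRequest("alice", "hr/payroll", "read", True, True, 10),
        AccessRequest("alice", "hr/payroll", "write", True, True, 10),
        AccessRequest("bob", "hr/records", "read", True, True, 5),
        AccessRequest("alice", "hr/payroll", "read", True, False, 55),
    ):
        print(req.user, req.action, req.resource, "->", evaluate(req))
    print("denied per user:", denied_counts())
```

The ordering of the checks is a design choice: the least-privilege test comes first because a request for something the role is never allowed to touch should be refused regardless of how trustworthy the device or session looks, and the denial reason is recorded so the log can distinguish a stray click from a pattern.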
Get Your Data in Order
But that’s not the whole of it. A clear understanding of your organization’s data assets and granular visibility of data access across your entire network estate are critical for a successful implementation of a Zero Trust architecture. And while there is no single technology that will provide organizations with a complete Zero Trust state, a suite of products such as those provided by Symantec provides the technologies that will protect enterprises and ensure that the next “Insider Threat Headline” doesn’t happen to your organization.