Why do so many businesses allow unfettered access to their networks? You’d be shocked by how often it happens. The truth is: your employees don’t need unrestricted access to all parts of our business. This is why the Principle of Least Privilege (POLP) is one of the most important, if overlooked, aspects of a data security plan. 

Appropriate privilege

When we say “least privilege”, what we actually mean is “appropriate privilege”, or need-to-know. Basically, this kind of approach assigns zero access by default, and then allows entry as needed. (This is pretty much the opposite of what many of us are taught about network access.) But by embracing this principle, you ensure that network access remains strictly controlled, even as people join the company, move into new roles, leave, etc. Obviously, you want employees to be able to do their jobs; but, by limiting initial access, you can minimize the risk of an internal breach.

If you haven’t already, now is the perfect time to take a look at your network access policies. After all, it’s about protecting your business and customers—not to mention your reputation.

Listen to the podcast: Episode 6 | Shoring Up Your Network Security with Strong Policies to learn more about implementing the Principle of Least Privilege and other network security best practices.

Navigating the difficult conversations around access control

It’s no surprise that employees enjoy taking liberties at the workplace. In fact, Microsoft reports that 67% of users utilize their own devices at work. Consequently, they may push back on POLP policies because it means giving up some freedom, like installing personal software on work computers, using their BYOD in an unauthorized fashion, or having unlimited usage of non-essential applications.

Ultimately, you need to prepare for hard conversations. For example, you’ll have to explain that the goal of Principle of Least Privilege is to provide a more secure workplace for everyone. It’s not a reflection on who your employees are or even their seniority; it’s about security. So, it’s essential for you, the MSP or IT leader, to initiate the dialogue around access control––often and early. And, at the end of the day, it’s your responsibility to implement POLP policies that protect your network.

Firewalls and antivirus aren’t enough 

There’s a common misconception in cybersecurity that the firewall and/or antivirus is all you need to stop all network threats. But they don’t protect against internal threats, such as phishing or data theft. This is where access policies are necessary to fill in the gaps.

Here’s a prime example: let’s say you have an employee whose job is data entry and they only need access to a few specific databases. If malware infects that employee’s computer or they click a phishing link, the attack is limited to those database entries. However, if that employee has root access privileges, the infection can quickly spread across all your systems.

Cyberattacks like phishingransomware, and botnets are all designed to circumvent firewalls. By following an appropriate privilege model, you can limit the number of people who can bypass your firewall and exploit security gaps in your network.

Tips to achieve least privilege

When it comes to implementing POLP in your business, here are some tips for getting started:

  • Conduct a privilege audit. Check all existing accounts, processes, and programs to ensure that they have only enough permissions to do the job.
  • Remove open access and start all accounts with low access. Only add specific higher-level access as needed.
  • Create separate admin accounts that limit access. 
    • Superuser accounts should be used for administration or specialized IT employees who need unlimited system access. 
    • Standard user accounts, sometimes called least privilege user accounts (LUA) or non-privileged accounts, should have a limited set of privileges and should be assigned to everyone else.
  • Implement expiring privileges and one-time-use credentials.
  • Create a guest network leveraging a VPN for employees and guests.
  • Develop and enforce access policies for BYOD or provide your own network-protected devices whenever possible.
  • Regularly review updated employee access controls, permissions, and privileges.
  • Upgrade your firewalls and ensure they are configured correctly.
  • Add other forms of network monitoring, like automated detection and response.
Charlie Tomeo

About the Author

Charlie Tomeo

Vice President, Channel Sales

Charlie Tomeo has deep knowledge of the endpoint and Web security spaces. He enjoys engaging with partners and end customers across the globe throughout their pre- and post-sale solution lifecycles. Charlie is currently responsible for growing the Managed Service Provider (MSP) business at Carbonite and has vast experience in the Remote Monitoring and Management (RMM) and Professional Services Automation (PSA) markets. Previously, Tomeo served as Senior Director of Worldwide Systems Engineers, Professional Services, and Training at Webroot. In recent years he was highlighted in the MSPmentor 250 “Top People in Managed Services”.

Share This