Least Privilege in Practice

Published a year ago
Written by Fouad Matin (@fouadmatin) and Dan Gillespie (@ethernetdan)

At Indent, we’re committed to helping you get to a state of actual Least Privilege, not just faking it. The "principle of least privilege" is not a monolith or a checkbox, and describing it this way is a disservice to organizations who are trying to adopt it.

You can agree with it in principle, but in practice it tends to fall apart.

Here’s what Least Privilege is not:

  • Creating two groups “Admins” and “Users” then adding everyone to “Admins” anyway
  • Every engineer can open production Rails console whenever they want
  • Whenever someone has an analytics question, they query the production database
  • Anyone can open 1Password to find all the social media account passwords

But we get it, doing the right thing is hard. And getting others to do the right thing is practically impossible if it’s slower and more inconvenient than doing it the easy way. That’s why the secure process has to be the easiest, fastest way to get things done.

The Indent Platform is shaped by principles that can help teams put Least Privilege in practice:

1. Everyone’s access should default to zero

Every time you change someone’s access, you should think of it as running a migration on your access and security state. This becomes very difficult to do when it’s impossible to tell what access people need, why they have it, and who granted it.

It’s more secure to default everyone’s access to zero, and have them request on-demand access to what they need in the moment.

In practice with Indent:

  • During onboarding, grant indefinite access only to high-frequency, low-risk apps
  • Have people request auto-expiring access to everything else
  • No executive or admin exceptions, since those accounts usually pose an even greater threat if compromised

2. Minimum viable access

Right-sized access is a valuable guardrail against resource misuse and attacks. This means making sure that people only have enough permissions to accomplish the task they are currently working on and only for the length of time that they’re working on it.

In practice with Indent:

  • Create groups in your identity or single sign-on provider (Google, Okta, etc.) that map to a specific set of permissions for a given role
  • Give people an easy way to request membership of those groups
  • Automate moving people in and out of groups based on their access grant duration

3. Don’t keep people waiting if they should have access

Context switching, hunting down and following up with approvers, and uncertainty around the status of the request all incentivize “access hoarding” - holding onto permissions indefinitely because they were hard to get the first time. To avoid this, access should be easy to request and should be granted quickly in urgent situations.

In practice with Indent:

  • Set auto-approvals for critical moments like if someone is on-call
  • Make reviews simple for approvers - collect all the information they need to make a decision up front, and provision changes quickly once approved
  • Don’t require approvers to context-switch to approve access

4. Changes should be logged

The back and forth that comes with getting access not only slows teams down, it also makes security and compliance more complicated. When access doesn’t all flow through a single system like Indent, the relevant data behind each access attempt is scattered rather than centralized, making it difficult to understand what access is actually necessary.

In practice with Indent:

  • Have all access flow through a centralized system
  • Collect who (requester and approver), what (resource), why, and how long behind each access attempt — and when it got revoked
  • Have that access data logged in a queryable and exportable way

5. Minimize exceptions

The more exceptions and alternative ways there are of requesting access, the less your access solution works as a single source of truth. This is most important when doing security reviews of access, and when complying with regulatory demands.

In practice with Indent:

  • Have that central access control system integrate with the services you already rely on
  • Adopt an extensible system that you can add more services to, if needed
  • Regularly test your access solution for auditability, and whether the logs give enough information for a thorough review

6. Automate the boring stuff

To implement all of this consistently, every time someone needs access, you need automation. When going through the proper process takes too much time, people start taking shortcuts that open teams up to major security risks.

In practice with Indent:

  • Access requests automatically route to the correct approvers
  • Provisioning is triggered by the final approval
  • After the approver-designated access duration elapses, the access automatically expires. Manual revocation is a waste of resources and is easily forgotten.
  • Access data is automatically logged in a centralized place
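The six principles above describe one workflow: default-zero access, time-bound grants tied to a request, approval routing (with auto-approval for on-call), automatic expiry, and a centralized log that records who, what, why, how long, and when access was revoked. The following is an added example that models that workflow in plain Python; it is not Indent's code or API, and every name in it (AccessBroker, the resource "prod-db", the users, the approver mapping) is a constructed placeholder for illustration.

```python
"""Toy just-in-time access broker illustrating the Least Privilege principles above.
Constructed example, not Indent's implementation: all names and data are made up."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from itertools import count
from typing import Optional


@dataclass
class AccessRequest:
    id: int
    requester: str
    resource: str
    reason: str
    duration: timedelta
    status: str = "pending"  # pending -> approved -> expired (or denied)
    approver: Optional[str] = None
    requested_at: Optional[datetime] = None
    granted_at: Optional[datetime] = None
    expires_at: Optional[datetime] = None
    revoked_at: Optional[datetime] = None


class AccessBroker:
    """Everyone starts with zero access; grants are time-bound, routed, and logged."""

    def __init__(self, approvers: dict[str, set[str]], on_call: set[str]):
        self.approvers = approvers      # resource -> people allowed to approve it
        self.on_call = on_call          # requests from these users auto-approve (principle 3)
        self.requests: dict[int, AccessRequest] = {}
        self.log: list[dict] = []       # append-only audit trail (principle 4)
        self._ids = count(1)

    def _record(self, event: str, req: AccessRequest, at: datetime, actor: str) -> None:
        # One flat, exportable record per state change: who, what, why, how long, by whom.
        self.log.append({
            "event": event, "at": at.isoformat(), "actor": actor,
            "request_id": req.id, "who": req.requester, "what": req.resource,
            "why": req.reason, "how_long": str(req.duration), "approver": req.approver,
            "expires_at": req.expires_at.isoformat() if req.expires_at else None,
        })

    def has_access(self, user: str, resource: str, now: datetime) -> bool:
        # Principle 1: the default answer is "no"; only a live, unexpired grant counts.
        return any(r.status == "approved" and r.requester == user and r.resource == resource
                   and r.expires_at > now for r in self.requests.values())

    def request(self, requester: str, resource: str, reason: str,
                duration: timedelta, now: datetime) -> AccessRequest:
        if resource not in self.approvers:
            raise ValueError(f"unknown resource {resource!r}: no approval route configured")
        req = AccessRequest(next(self._ids), requester, resource, reason, duration, requested_at=now)
        self.requests[req.id] = req
        self._record("requested", req, now, requester)
        if requester in self.on_call:  # principle 3: don't keep the on-call engineer waiting
            self._grant(req, approver="auto:on-call", now=now)
        return req

    def approve(self, request_id: int, approver: str, now: datetime) -> AccessRequest:
        req = self.requests[request_id]
        if req.status != "pending":
            raise ValueError(f"request {request_id} is already {req.status}")
        if approver == req.requester:
            raise PermissionError("self-approval is not allowed")
        if approver not in self.approvers[req.resource]:  # principle 6: routing is enforced
            raise PermissionError(f"{approver} may not approve access to {req.resource}")
        self._grant(req, approver, now)
        return req

    def _grant(self, req: AccessRequest, approver: str, now: datetime) -> None:
        # Principle 2: the grant carries its own expiry; there is no indefinite access.
        req.status, req.approver, req.granted_at = "approved", approver, now
        req.expires_at = now + req.duration
        self._record("granted", req, now, approver)

    def sweep_expired(self, now: datetime) -> list[int]:
        # Principle 6: revocation is automatic; a scheduler would call this periodically.
        expired = []
        for req in self.requests.values():
            if req.status == "approved" and req.expires_at <= now:
                req.status, req.revoked_at = "expired", now
                self._record("revoked", req, now, "auto:expiry")
                expired.append(req.id)
        return expired

    def query_log(self, **filters) -> list[dict]:
        # Principle 5/4: one queryable source of truth for access reviews.
        return [e for e in self.log if all(e.get(k) == v for k, v in filters.items())]


if __name__ == "__main__":
    t0 = datetime(2024, 1, 1, 9, tzinfo=timezone.utc)
    broker = AccessBroker({"prod-db": {"dana"}}, on_call={"omar"})
    r = broker.request("alice", "prod-db", "debug incident (constructed)", timedelta(hours=2), t0)
    broker.approve(r.id, "dana", t0 + timedelta(minutes=5))
    broker.sweep_expired(t0 + timedelta(hours=3))
    for entry in broker.query_log(who="alice"):
        print(entry["event"], entry["at"], entry["why"], entry["expires_at"])
```

The point of the example is that `has_access` never consults a static role: the only way to answer "yes" is a request with a recorded reason, a named (or automatic) approver, and an expiry that a sweep will enforce. An access review then becomes a query over `log` rather than an archaeology exercise across group memberships.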

If you agree with these principles but haven’t found the time to make it happen yet, or are worried that it’ll add friction for your team, you’re probably closer than you think. Done correctly, your team gets the access they need to ship faster, without the risk of breaking production.

We've built everything in the "in practice" sections into Indent, making it an out-of-the-box solution for getting to a place of real Least Privilege.

At Indent, our mission is to prevent avoidable security incidents. We view ending the era of "Fake Least Privilege" as a critical first step in the journey.

When organizations have fewer (ideally zero) users with long-lived admin roles, there's a lower risk from credential compromise. One compromised user doesn't have to lead to a catastrophic company-wide incident.

This is our vision of Least Privilege in Practice. If we’ve missed something, tell us about it! Let us know on Twitter or talk to our team.

Try Indent for free.