Policy - Least Privilege Permissions & Segregation Of Duties
- Snowflake Queen
- Dec 19, 2025
- 6 min read
Gone are the days when we could simply assign whatever permissions we needed to keep the work moving, with minimal disruption and without constant approvals.
Unfortunately, that habit has led to a widespread problem: one now has to monitor with a microscope to ensure ONLY the needed permissions are assigned, at a granular level.
It's time to implement Least Privilege Permissions and Segregation of Duties as a CyberSecurity Policy, not only as Security Controls/Best Practices, and to work towards meeting the compliance obligation and passing the Audit.
What is Least Privilege?
Very simply: you have to know precisely which tasks and responsibilities you need to perform to keep the business running as usual.
If you identify, or are made aware, that you have excessive permissions:
You will have to ask yourself why you need the additional permissions.
Can someone else assist with the particular task if it is a once-off or ad-hoc activity, or is someone officially assigned as the authorized individual to perform it?
This helps to create Segregation of Duties (SoD) as well.
In today's world, teams are often as small as three people. Rather than assigning someone to specific tasks, it's far easier and more convenient to assign almost all, or all, of the permissions to one individual to get the work going.
Oooooof, tough situation, eh? How do we implement such a policy? Hmmmm, let's brainstorm together.
To be honest, it's a sad and troubling situation faced by many companies. Moving forward, no individual should hold excessive privileges. It is a ticking time bomb: the person's account is just waiting to be compromised, with all of its permissions at the attacker's fingertips, ready to cause major disruption and impact to the company.
Yes, there are many IAM tools that can assist with this problem. However, they focus on 'Administrator Rights/Permissions' to ensure least-privilege permissions are assigned.
From my perspective, 'Administrator Rights' are not the only privileged permissions. The mindset and the understanding of what a Privileged Permission is have yet to evolve further. Why?
Questions:
Did you know that assigning a permission that performs either of the following is considered a Privileged Permission?
'Encrypt a Data Encryption Key (DEK) with the Master Key' is a Privileged Permission.
'Update permissions of service principals' is a Privileged Permission.
Given the increasing demand for cloud services/applications for their speed, scalability and performance benefits, Service Principals, API tokens, Service Accounts and Role-Based Access will be heavily utilized.
Do the IAM tools have the capability to read and analyze such permissions and mark/indicate them as Privileged Permissions automatically?
Do the IAM tools have the ability to create an automated workflow with Just-In-Time elevation requests and session monitoring for those Privileged Permissions?
Of course, this creates a tangled mess. All of a sudden, almost every permission seems privileged. One has to understand, at a granular level, the scope/nature of the operations/tasks being carried out.
Every company/organization is different.
Of course, by now the majority of permissions have already been declared Privileged Permissions, because they carry out highly sensitive operations/tasks and are used by attackers to perform attacks.
Yet the IAM tools have still not been developed to the point where they can analyze and identify them.
Microsoft has yet to analyse and classify the 'new' ones as Privileged Permissions, which would ease a little of the tension and worry for paying Enterprise Customers.
How do we determine which permissions could be privileged?
An example from the normal world:
Once upon a time, delivery drivers leaving parcels on the doorstep wasn't a big problem. No one took them except the recipients.
Now, with the evolving threat, thieves/random strangers simply grab the items and run away.
What was once considered normal, leaving the parcels safely at the doorstep, is now considered privileged.
To safeguard against this, security measures/controls are implemented such as CCTV, fencing, a deposit box at the doorstep to drop the item into, or, if it's still deemed unsafe, collecting the parcel from an authorized collection point.
In the Corporate World, it depends on the individual's tasks and responsibilities. Let's say the individual on the team is a Web/Application Developer.
Usually, in the testing/development environment, they are given access to retrieve data, modify it when needed, and delete data from the database when it is redundant/duplicate,
as well as to retrieve the credentials/key required for database authentication and authorization.
However, in the Production Environment:
You cannot grant the same permissions, such as modifying or deleting data and retrieving credentials/keys.
These are considered Privileged permissions because hackers:
Can spoof the account and obtain the credentials,
Then infiltrate further into the organization,
To access the sensitive data,
And proceed to completely delete or encrypt all the data,
which will cause a major outage or data breach for the organization.
Do these permissions mention 'Administrator Rights/Permissions'? NO.
BUT these are sensitive tasks/functions that can be executed at any time without supervision; therefore they are declared Privileged permissions.
To avoid such a scenario, such Privileged permissions must be identified in the Production Environment.
In order to modify or delete data, or retrieve any credentials/key, role-based assignment is implemented to ensure only authorized personnel have access, upon authentication with MFA configured,
and the access has to be assigned as a
Just-In-Time Elevation Request
with Clear Justification,
after which the necessary configurations are performed with Session Monitoring.
This also includes ensuring users have least-privilege permissions assigned for the daily operation, management and configuration of application/technology platforms.
As a guideline, refer to NIST SP 800-53 (linked below), which provides the security controls to establish the right security practices to enforce Least Privilege Permissions gradually and to roll them out across the entire Organization as an official CyberSecurity Policy.
NIST Cybersecurity: https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r5.pdf
API Integration
The most wanted and best-known integration method is API Integration.
With API Integrations, several permissions need to be implemented to provide smooth, seamless, fast and responsive API connectivity with various applications/solutions/systems.
For example, API permissions such as:
payment-handler permission,
revoke permission,
retrieval of credentials permission,
delete credentials permission,
Directory.Read.All permission,
Sites.FullControl.All permission
are considered Privileged permissions, and the Security Team needs to be aware of them.
Keeping it short, and similar to what is mentioned above, here is a good reference on how to create one: Access Control API: Custom Permissioning (Privileges, Roles, Members, Teams): https://www.youtube.com/watch?v=2RgpKwB988s
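The two passages above (the Production Environment rules and the API permissions list) boil down to one review question: which of the permissions actually assigned are privileged, and are the privileged ones held only under JIT elevation with justification, MFA and session monitoring? The script below is an added example, not part of the original post or of any IAM product: the privileged-permission catalog, the `Assignment` fields and the sample inventory are constructed for illustration, and a real catalog has to be built from the organization's own tasks.

```python
"""Flag privileged permission assignments and review them against the
least-privilege rules described in the post.

Hypothetical example code: the catalog entries and the sample inventory
are constructed for illustration and are not taken from any real tenant.
"""
from dataclasses import dataclass

# Constructed catalog: permissions the post treats as privileged even though
# none of them is an 'Administrator' right. Organisation-specific in practice.
PRIVILEGED_PERMISSIONS = {
    "Encrypt DEK with Master Key",
    "Update permissions of service principals",
    "payment-handler",
    "revoke",
    "retrieve credentials",
    "delete credentials",
    "Directory.Read.All",
    "Sites.FullControl.All",
    "db:delete",
    "db:modify",
}


@dataclass
class Assignment:
    principal: str            # user, service principal or API token name
    permission: str
    environment: str          # "prod" or "dev"
    mfa: bool = False         # principal authenticates with MFA
    jit: bool = False         # granted via Just-In-Time elevation, not standing
    justification: str = ""   # business justification recorded on the request
    session_monitored: bool = False


def is_privileged(permission: str) -> bool:
    """A permission is privileged if it appears in the catalog (case-insensitive)."""
    return permission.lower() in {p.lower() for p in PRIVILEGED_PERMISSIONS}


def review_assignment(a: Assignment) -> list[str]:
    """Return the policy findings for one assignment (empty list = compliant).

    Rules encoded from the post: in production a privileged permission must
    be held only through JIT elevation with a clear justification, by an
    MFA-authenticated principal, with the session monitored. In dev/test the
    same permission is allowed.
    """
    findings = []
    if not is_privileged(a.permission) or a.environment != "prod":
        return findings
    if not a.jit:
        findings.append("standing privileged assignment in prod (must be JIT)")
    if not a.justification.strip():
        findings.append("no justification recorded")
    if not a.mfa:
        findings.append("principal has no MFA")
    if not a.session_monitored:
        findings.append("session not monitored")
    return findings


def review_all(assignments: list[Assignment]) -> dict[str, list[str]]:
    """Map 'principal:permission@environment' to findings, non-compliant entries only."""
    report = {}
    for a in assignments:
        findings = review_assignment(a)
        if findings:
            report[f"{a.principal}:{a.permission}@{a.environment}"] = findings
    return report


# Constructed sample inventory (ticket id and names are placeholders)
SAMPLE = [
    Assignment("dev-alice", "db:delete", "dev"),
    Assignment("dev-alice", "db:delete", "prod"),
    Assignment("sp-payments", "payment-handler", "prod"),
    Assignment("ops-bob", "retrieve credentials", "prod", mfa=True, jit=True,
               justification="TICKET-0000 rotate DB password", session_monitored=True),
    Assignment("sp-sync", "User.Read", "prod"),
]

if __name__ == "__main__":
    for key, findings in review_all(SAMPLE).items():
        print(key)
        for f in findings:
            print("  -", f)
```

Running it reports the developer's standing `db:delete` in production and the service principal holding `payment-handler` with no JIT, MFA or monitoring; the `ops-bob` entry passes because it was granted through JIT with a justification, and `User.Read` is not in the catalog so it is not reviewed at all. The catalog is the part that needs the most thought: the post's point is that it will contain far more than the obvious administrator roles.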
What is Segregation of Duties?
**** Do read up on SoD to understand it better, and why it needs to be implemented together with Least Privilege as a CyberSecurity Policy. Below is just a short brief about it. ****
When you begin to implement Least Privilege Permissions, the Segregation of Duties conversation will automatically start to take place, and work on it will begin in parallel.
Least Privilege and Segregation of Duties work together hand-in-hand.
A hierarchy needs to be formed to ensure the relevant personnel/accounts are assigned specific tasks to carry out daily without overlapping each other.
It's recommended to complete a Segregation of Duties Matrix for each department to identify which responsibilities require separation, so that there are no conflicts in the assignment of responsibilities and fraud and errors are prevented.
Read here to understand SoD more: https://safetyculture.com/topics/internal-control/segregation-of-duties
For example:
In the Finance department:
i. A user who generates payment invoices must not handle the receiving and approval of payments.
ii. As such, User A is assigned the Generate Payment Invoice permission.
iii. User B is assigned Receiving and Approval of Payments.
| Tasks | User A | User B |
| --- | --- | --- |
| Generate Payment Invoice | ✓ | |
| Receiving & Approval of Payments | | ✓ |
Least Privilege and Segregation of Duties are attained.
For example:
The Active Directory Team and the Server Team will have responsibilities that can overlap.
i. The AD Team is given basic access to the Windows Server and the relevant permissions required to perform AD tasks.
ii. The Server Team is assigned the access necessary to perform maintenance/updates/backups and has NO access to AD applications and tasks.
| Tasks | AD Team | Server Team |
| --- | --- | --- |
| Basic Access to Windows AD Server | ✓ | |
| Maintenance/Updates/Backup of Windows AD Server | | ✓ |
| AD Applications & Tasks Access | ✓ | |
Least Privilege and Segregation of Duties are attained.
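The two matrices above can be kept as data and checked mechanically, both when reviewing existing assignments and before approving a new one. The script below is an added example, not code from the post or from any SoD product: the conflict pairs and assignments are constructed from the two examples above, the `Finance Lead` entry is a made-up case of the "everything on one person" shortcut the post warns about, and the function names are my own.

```python
"""Segregation of Duties (SoD) matrix: detect conflicting assignments and
gate new grants before they are approved.

Hypothetical example code; task names and assignments are constructed from
the Finance and AD/Server examples in the post.
"""
from itertools import combinations

# Constructed SoD matrix: each pair names two tasks that must never be held
# by the same principal. Order inside a pair does not matter.
SOD_CONFLICTS = [
    ("Generate Payment Invoice", "Receiving & Approval of Payments"),
    ("AD Applications & Tasks Access", "Maintenance/Updates/Backup of Windows AD Server"),
]

# Constructed assignments: principal -> set of tasks currently held
ASSIGNMENTS = {
    "User A": {"Generate Payment Invoice"},
    "User B": {"Receiving & Approval of Payments"},
    "AD Team": {"Basic Access to Windows AD Server", "AD Applications & Tasks Access"},
    "Server Team": {"Maintenance/Updates/Backup of Windows AD Server"},
    # The small-team shortcut: both sides of a payment on one account (constructed)
    "Finance Lead": {"Generate Payment Invoice", "Receiving & Approval of Payments"},
}


def normalise_conflicts(conflicts):
    """Conflicts as a set of frozensets so lookup is order-independent."""
    return {frozenset(pair) for pair in conflicts}


def find_sod_conflicts(assignments, conflicts=SOD_CONFLICTS):
    """Return [(principal, task1, task2), ...] for every violated pair, sorted."""
    banned = normalise_conflicts(conflicts)
    violations = []
    for principal, tasks in sorted(assignments.items()):
        for t1, t2 in combinations(sorted(tasks), 2):
            if frozenset((t1, t2)) in banned:
                violations.append((principal, t1, t2))
    return violations


def can_assign(principal, task, assignments, conflicts=SOD_CONFLICTS):
    """Pre-approval check: True only if granting `task` to `principal`
    creates no SoD conflict with what the principal already holds."""
    banned = normalise_conflicts(conflicts)
    held = assignments.get(principal, set())
    return all(frozenset((task, other)) not in banned for other in held)


def render_matrix(assignments, tasks=None):
    """Render the Tasks x Principals matrix (check mark where assigned) as text."""
    principals = list(assignments)
    if tasks is None:
        tasks = sorted({t for ts in assignments.values() for t in ts})
    width = max(len(t) for t in tasks)
    header = "Tasks".ljust(width) + " | " + " | ".join(principals)
    rows = [header, "-" * len(header)]
    for t in tasks:
        cells = [("✓" if t in assignments[p] else " ").center(len(p)) for p in principals]
        rows.append(t.ljust(width) + " | " + " | ".join(cells))
    return "\n".join(rows)


if __name__ == "__main__":
    print(render_matrix(ASSIGNMENTS))
    for principal, t1, t2 in find_sod_conflicts(ASSIGNMENTS):
        print(f"CONFLICT: {principal} holds both '{t1}' and '{t2}'")
    # Approval-time use: the Server Team asks for AD task access
    print("Server Team -> AD Applications & Tasks Access:",
          can_assign("Server Team", "AD Applications & Tasks Access", ASSIGNMENTS))
```

`find_sod_conflicts` is the periodic review; `can_assign` is the same rule applied at request time, which is where a Just-In-Time approval workflow should call it so that a conflicting elevation is refused before it is granted rather than found at the next audit.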
Implementing Least Privilege Permissions and Segregation of Duties as an official CyberSecurity Policy will be an on-going, continuous security improvement and enhancement across the entire organization, enforcing a Security First approach and a Never Trust, Always Verify mindset.
This will also provide deeper clarity and in-depth technical knowledge for all employees in the organization, so that they understand which permissions are required to carry out their daily activities without overlapping responsibilities and conflicts, preventing fraud, misuse or damage to data and unauthorized access. It also enables them to create a hierarchy with relevant roles within each department and to work towards ensuring compliance is met and the audit is passed.
With the right IAM tool for the business needs, Just-In-Time Elevation can be configured with auto-approval or with manager approval. Session Monitoring can be configured to record the session when highly sensitive operational tasks are being performed.
This is now a mandatory activity to begin, regardless of how tedious/tiresome/manual it is. Every effort, every minute, every brainstorming idea and all the hard work will benefit each department and the organization in the long run, and a resilient security posture will be achieved.