What is least privilege in the IT world? We are conditioned to always grant least privilege access through the daunting audits and the constant, mind numbing security reminders. In the support admin world, those two words, ‘least privilege’’ once spoken, are enough to quiet a noisy room of engineers. We often hear, “Well, we are just trying to maintain least privilege access so we can’t give you x.” Once those words are uttered to developers, you had better grab your battle gear because you know it will be an uphill fight for what needs to be done. But for the select few, nay, the fortunate few, when those two worlds collide there is often a productive conversation about what least privilege means.
Least Privilege Defined
We can argue over what least privilege means in your context, in my context, or in someone else’s context but, let’s at least get a working definition. NIST defines the principle of what is least privilege as follows:
“The principle that users and programs should only have the necessary privileges to complete their tasks.”
It’s been a long time since I’ve been in an English class but I’m going to take a stab at this one. It seems to me there are several keywords in this sentence that help define what is least privilege.
The first keyword is “necessary”. Necessary means you give what is needed but you do not give what is not needed.
So what does this look like in an organization? As you are working on something you must think through what permissions are needed to do the job you are doing. Your scope of permissions is designed to get the current task done, not what needs to be done in the future. This demonstrates a thorough understanding of the task at hand and allows you to lead with those who own the permissions for what you need and don’t need. The “more is better” train-of-thought should never be entertained.
Complete their tasks
Next is “complete their tasks.” In order for a user or program to complete their tasks, they must be given the permissions necessary to be successful.
So what does this look like in an organization? Security brings great value to an organization and is often seen as the enabler of innovation. Instead of saying no to everyone who needs access, entertain the idea. You are the expert, therefore, drive the conversation to understand and educate users as to why they do or do not need access to complete their tasks. Being a brick wall helps no one in the organization.
Tools To Help
Google Cloud is ready when you are to have these conversations. Even if you do not know where to start, we can help.
Google Cloud Predefined Roles
How easy can it be? Well, sometimes pretty easy. Google Cloud has used their knowledge of their services and how companies have implemented them and distilled access levels into predefined roles that it can be used to help guide you in giving people and programs access.
Learn More Here
Google Cloud IAM Recommender
Still not convinced you have the right permissions for the right users or programs? IAM Recommender can help you see what permissions have and have not been used within the last 90 days. This gives you insight into what permissions are actually being used on Google Cloud.
Learn More Here