Least Privilege and Compliance

As mentioned in a prior blog post on “Implementing Windows Privilege Management”, I wanted to drill down in another blog post on how the concept of least privilege has found its way into the various compliance and regulatory requirements we see out there. So in this blog post I will cover this topic, and luckily Centrify has a nice whitepaper entitled “Windows Least Privilege Management and Beyond” that I can leverage for the specifics on how the concept of least privilege maps to specific compliance requirements.

The concept of “least privilege” is very simple: give people the least amount of administrative privileges on IT systems that they need to do their jobs. As Gartner notes in its 2012 report entitled “Hype Cycle for Identity and Access Management Technologies” organizations should:

“Adopt a “least privilege” model for granting privileges, including superuser privileges. It is not good practice for administrators to use a privileged account for mundane activities… there is a need for the organization to have more granular control over and visibility into the way that these [administrator] privileges are granted and used.”

As the aforementioned Centrify whitepaper discusses, the myriad of compliance regulations creates ongoing challenges for enterprises in every industry, and many companies must meet multiple requirements for internal controls (SOX), payment data security (PCI DSS), patient health information (HIPAA) and other industry-specific requirements (GLBA, NERC and FISMA/NIST SP 800-53). Common to every major compliance regulation and industry mandate are requirements to ensure that users authenticate with a unique identity (and do not share accounts) and that privileges are limited to only those needed to perform job functions. In addition, user activity must be tracked and monitored with enough detail to determine the effectiveness of the security controls the organization has put in place.

All major compliance standards require least-privilege security. Below are some examples of compliance and where the concept of least privilege shows up. [Hat tip to our marketing department for putting this table together.]

Sample of major least-privilege security compliance requirements

Compliance rule: SOX Section 404
Description: Requires security controls that ensure that only authorized users have access to enterprise IT resources and financial information. Section 404 also requires that security controls be demonstrably effective.

Compliance rule: GLBA Section 501(b) and FTC Safeguards Rule
Description: The rule requires financial institutions to have an information security plan that “contains administrative, technical, and physical safeguards” to “insure the security and confidentiality of customer information; protect against any anticipated threats or hazards to the security or integrity of such information; and protect against unauthorized access to or use of such information that could result in substantial harm or inconvenience to any customer.”

Compliance rule: PCI DSS Requirement 7: Restrict access to cardholder data by business need to know
Description:
7.1  Limit access to system components and cardholder data to only those individuals whose job requires such access. Access limitations must include the following:
  • Restriction of access rights to privileged user IDs to least privileges necessary to perform job responsibilities
  • Assignment of privileges is based on individual personnel’s job classification and function
  • Implementation of an automated access control system
7.2  Establish an access control system for systems components with multiple users that restricts access based on a user’s need to know, and is set to “deny all” unless specifically allowed.

Compliance rule: HIPAA Technical Safeguards (§164.312)
Description: Implement technical policies and procedures for electronic information systems that maintain electronic protected health information to allow access only to those persons or software programs that have been granted access rights.

Compliance rule: FISMA/NIST SP 800-53
Description:
AC-3 Access Enforcement: The information system enforces approved authorizations for logical access to the system in accordance with applicable policy.
AC-5 Separation of Duties: Separate duties of individuals as necessary, to prevent malevolent activity without collusion, and implement separation of duties through assigned information system access authorizations.
AC-6 Least Privilege: The organization employs the concept of least privilege, allowing only authorized access for users (and processes acting on behalf of users) which are necessary to accomplish assigned tasks in accordance with organizational mission and business functions.

Compliance rule: NERC CIP-007-3 R5
Description: The Responsible Entity shall ensure that individual and shared system accounts and authorized access permissions are consistent with the concept of “need to know” with respect to work functions performed.

Compliance specifications often refer to “need-to-know” or “business need-to-know” when describing a specific authorization control. In order to fully address these compliance rules and satisfy internal and external auditors, organizations should also track and monitor privileged activity. Tracking privileged activity, including the use of elevated privileges, is a critical part of fully meeting least-privilege compliance requirements.
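To make the controls quoted above concrete, here is an added illustration (written for this post, not Centrify product code) of what a PCI DSS 7.1/7.2-style authorization check looks like in practice: privileges are assigned to job functions rather than individuals, every request is denied unless a rule explicitly allows it, every decision is written to an audit trail under a unique identity, and the trail can be queried for the privileged activity and the never-used grants an auditor will ask about. The role names, resources, actions and user identities are constructed sample data.

```python
"""Default-deny, job-function-based authorization with an audit trail.

Added example, not Centrify code. Models the controls quoted in the table:
  - privileges are granted per job function, never per individual (PCI DSS 7.1)
  - a request succeeds only when a rule names it; otherwise "deny all" (7.2)
  - every decision is recorded under a unique identity so privileged
    activity can be reviewed and unused grants can be pruned
All role, resource, action and user names below are constructed sample data.
"""
from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import Optional

# Privileges granted per job function (constructed sample data).
ROLE_PERMISSIONS = {
    "payments-analyst": {("cardholder-db", "read")},
    "dba": {("cardholder-db", "read"), ("cardholder-db", "backup")},
    "helpdesk": {("workstation", "reset-password")},
}

# Actions treated as elevated/privileged; these must always be tracked.
PRIVILEGED_ACTIONS = {"backup", "reset-password"}

# Unique identities mapped to a job classification (constructed sample data).
# Anything not listed here, including a shared account, is rejected outright.
USER_ROLES = {
    "alice": "payments-analyst",
    "bob": "dba",
}


@dataclass
class Decision:
    """One audit record: who asked for what, the outcome, and why."""
    timestamp: str
    user: str
    role: Optional[str]
    resource: str
    action: str
    allowed: bool
    privileged: bool
    reason: str


@dataclass
class Authorizer:
    role_permissions: dict
    user_roles: dict
    audit_log: list = field(default_factory=list)

    def authorize(self, user: str, resource: str, action: str) -> Decision:
        """Deny-all evaluation: the request succeeds only if a rule for the
        caller's job function names this exact (resource, action) pair."""
        role = self.user_roles.get(user)
        if role is None:
            allowed, reason = False, "unknown or shared identity"
        elif (resource, action) in self.role_permissions.get(role, set()):
            allowed, reason = True, f"granted to role {role}"
        else:
            allowed, reason = False, f"no rule for role {role} (default deny)"

        decision = Decision(
            timestamp=datetime.now(timezone.utc).isoformat(),
            user=user, role=role, resource=resource, action=action,
            allowed=allowed, privileged=action in PRIVILEGED_ACTIONS,
            reason=reason,
        )
        self.audit_log.append(decision)  # every decision is recorded, allow or deny
        return decision

    def privileged_activity(self) -> list:
        """Elevated actions that were actually performed."""
        return [d for d in self.audit_log if d.allowed and d.privileged]

    def denials(self) -> list:
        """Rejected requests: input for detection and for access reviews."""
        return [d for d in self.audit_log if not d.allowed]

    def unused_privileges(self) -> set:
        """Granted (role, resource, action) triples never exercised in the
        log: candidates for removal at the next access review."""
        exercised = {(d.role, d.resource, d.action)
                     for d in self.audit_log if d.allowed}
        return {(role, res, act)
                for role, perms in self.role_permissions.items()
                for res, act in perms
                if (role, res, act) not in exercised}


def demo() -> Authorizer:
    """Run a handful of constructed requests through the policy."""
    auth = Authorizer(ROLE_PERMISSIONS, USER_ROLES)
    auth.authorize("alice", "cardholder-db", "read")          # allowed
    auth.authorize("alice", "cardholder-db", "backup")        # denied: not her job function
    auth.authorize("bob", "cardholder-db", "backup")          # allowed and privileged
    auth.authorize("bob", "workstation", "reset-password")    # denied: belongs to helpdesk
    auth.authorize("shared-admin", "cardholder-db", "read")   # denied: no unique identity
    return auth


if __name__ == "__main__":
    for d in demo().audit_log:
        print(f"{d.timestamp} {d.user:<13} {d.resource}:{d.action:<15} "
              f"{'ALLOW' if d.allowed else 'DENY':<5} {d.reason}")
```

The two review queries are the part auditors care about: privileged_activity() is the evidence that elevated actions are tracked, and unused_privileges() is how a least-privilege posture is kept honest over time, since a grant that is never exercised is one that should not exist.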

We think that DirectAuthorize and DirectAudit offer the perfect one-two punch in terms of addressing the least-privilege mandates set out in regulatory compliance regimes. Historically focused on UNIX and Linux platforms, we now offer both DirectAuthorize and DirectAudit on Windows. For more information on DirectAuthorize for Windows, please check out a 5-minute video of DirectAuthorize here or request a free trial here.