Least privilege and separation of duties are two related IT security concepts that are critical in the prevention of fraud and other abuses by employees and other authorized system users. The two principles are part of the broader topic of access control which addresses how user permissions are restricted to help ensure a secure environment.
Known as insider threats, the list of ways that authorized users can cause mischief is sobering. The crimes include fraud, stealing of company secrets, system sabotage and espionage. These are not rare occurrences. The 2017 U.S. State of Cybercrime Survey from Carnegie Mellon University’s CERT Division found that 1-in-5 cyber attacks come from insiders. More important, almost half (43%) of survey respondents said that insider attacks were more costly or damaging than outsider attacks.
Least Privilege
The principle of least privilege says that an individual should be given the bare minimum access needed to perform their job functions. Consider a budget analyst that needs to review payroll information to complete a quarterly report. The analyst never needs to make any updates to the payroll data. That employee should have read only privileges to payroll.
Least privilege is a principle that is applied to both data and system functions. When we think of data privileges, we are typically thinking of the ability to view information (read) and to change information (write), as well as creating and deleting records and files.
In today’s networks, users access data in many different ways. Some information is stored in files and folders on network drives, with permissions set by system administrators using the operating system tools. Some information will be stored in content management and sharing systems that might have similar functionality to network drives, but permissions are managed using administrative tools provided by the management system itself.
Much of an organization’s data is likely to be managed and accessed through software interfaces, such as an accounting or inventory management program. Most organizations use many different programs from a variety of vendors. Each program will have its own security model. One program might enable privileges to be set on individual fields, while another might have privileges set on a screen-by-screen or module basis. In the worst case, a program will offer little or no security and other measures will be required to ensure data integrity.
When we think of system privileges, we are generally talking about activities such as logging in to computers and networks, starting programs, and installing software and hardware. These activities open significant threat vectors and least privileges should be applied whenever possible.
The opening of a system-level threat might be unintentional on the part of the employee. For example, an employee with privileges to install software on their company issued laptop could easily introduce malware to the network. If there is no legitimate business need for the employee to have such privileges, such risk cannot be justified.
There are a handful of additional important terms and concepts associated with least privilege.
Entitlement is a term used to refer to both the process of granting users privileges and the scope of those privileges.
Privilege creep, or aggregation, refers to the tendency of users to accumulate privileges over time. Users may gain privileges as job duties change or as they transition to new roles. While not a problem in and of itself, privilege creep can result in users having access to resources they no longer need which would then violate the principle of least privilege.
Transitive Trust refers to a situation in which trust is passed across security objects, granting users privilege that may or may not be intended. It is sometimes expressed as a logic relationship: if A trusts B and B trusts C, then A inherits trust of C. In the opposite case of non-transitive trust, the trust between A-B, and B-C does not create the inherited trust and A does not trust C. The trust models among security objects should be evaluated to ensure least privilege is not violated.
Separation of Duties
The principle of separation of duties says that no user should have all the privileges necessary to complete a critical business function by themselves. Instead, the critical business function should be divided into discrete tasks and the appropriate privilege granted to different users. By requiring the involvement of more than one employee, separation of duties helps prevent fraud and abuse.
Consider the task of adding a new vendor to a purchasing system. Creating fake vendors is a common element of invoicing fraud schemes. Under separation of duties we would want to divide the function into a task to create a new vendor and a task to approve a new vendor, and then assign the tasks to different employees. While it does not prevent fraud completely, separating the task in this way reduces the likelihood of fraud by forcing two or more employees to collude.
Separation of duties is of particular concern to organizations that must comply with the Gramm-Leach-Bliley Act (GLBA) of 1999 and the Sarbanes-Oxley Act (SOX) of 2002 . Both of these acts include stringent separation of duties requirements to protect privacy and prevent frauds and other crimes.
Two Person Control
Two person control, also called dual control, calls for two people to separately approve the completion of a sensitive business function. For example, an accounting system might require two separate managers to both approve the issuance of a check over $25,000. Similarly, a backup system might require the concurrence of two system administrators to completely purge backup data.
Students preparing for exams often confuse the concepts of two-person control and separation of duties. Two-person control requires two people to concur to perform a single action. Separation of duties requires that a single person not have the ability to perform two separate actions which, when combined, might pose a business risk.
Understanding least privilege and separation of duties is an important component of your preparation for a variety of security certification programs. If you’re interested in earning your next security certification, sign up for the free CertMike study groups for the CISSP, Security+, SSCP, or CySA+ exam....
