With a Zero Trust strategy for cybersecurity, the presence of an intruder is assumed. That means that tactics are needed to limit exposure and the potential damage that the intruder can do. One of those tactics is the Principle of Least Privilege.
Least privilege involves matching up permissions to access data with the job or tasks that need to be done. This starts with determining exactly what data is needed to perform specific functions and then establishing limits.
Historically, companies have been quite relaxed when it comes to allocating permissions to user and even administrator accounts, because opening up access is sometimes the easiest way to get things to work. However, when an account that has the power to make system-wide changes is compromised, the potential for damage resulting from a cyber intrusion is a lot greater.
Applying the Principle of Least Privilege
Here are some examples of what the Principle of Least Privilege looks like in practical terms:
- Managers can get to the employee information that’s pertinent to them, but they can’t see employee records that have to do with payroll and benefits.
- Quality assurance inspectors have access to the specs of the component that’s being manufactured, but not to blueprints detailing the entire assembly that it’s a part of.
- Accounting clerks can pay bills and post payments, but they don’t have access to all of the corporate financial information.
- Shared file access is controlled and users have no more permissions than they need, from read-only to edit.
There are other scenarios that aren’t necessarily tied to a job role where the Principle of Least Privilege should be applied, such as:
- Users should not have local administrator privileges for their computers.
- Service accounts should be used instead of domain accounts for server functions.
- Privileged accounts should only be used for administrative tasks.
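The role examples above and the rule that privileged accounts are used only for administrative tasks can be expressed as a deny-by-default permission check. The following is an added illustration, not code from the original post; the role, resource and action names are assumptions chosen for the example.

```python
from dataclasses import dataclass

# Explicit allow-list per role: resource -> actions permitted on it.
# Anything not listed here is denied (deny by default). Names are
# illustrative assumptions, not a real product's schema.
ROLE_GRANTS = {
    "manager":             {"employee_directory": {"read"}},
    "qa_inspector":        {"component_spec": {"read"}},
    "accounting_clerk":    {"accounts_payable": {"read", "write"},
                            "payments": {"read", "write"}},
    "shared_files_reader": {"shared_files": {"read"}},
    "shared_files_editor": {"shared_files": {"read", "write"}},
    "domain_admin":        {"domain_controller": {"read", "configure"}},
}

# Resources that count as administrative. A privileged account may touch
# nothing else, which enforces "admin accounts only for admin tasks".
ADMIN_RESOURCES = {"domain_controller"}


@dataclass
class Account:
    name: str
    roles: frozenset
    privileged: bool = False


def effective_grants(account: Account) -> set:
    """All (resource, action) pairs granted by the account's roles."""
    pairs = set()
    for role in account.roles:
        for resource, actions in ROLE_GRANTS.get(role, {}).items():
            pairs.update((resource, action) for action in actions)
    return pairs


def is_allowed(account: Account, action: str, resource: str) -> bool:
    """Deny unless a role grants it; privileged accounts stay on admin resources."""
    if account.privileged and resource not in ADMIN_RESOURCES:
        return False
    return (resource, action) in effective_grants(account)


def excess_grants(account: Account, needed: set) -> set:
    """Permissions held beyond what the job needs: the least-privilege gap."""
    return effective_grants(account) - needed
```

`excess_grants` is the periodic-review step: compare what an account can do with what its job actually requires and remove the difference.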
Privileged Accounts Are a Hacker Target
A “Privileged Account” has ultimate power when it comes to making changes inside of your network, so naturally these are a top target for cybercriminals.
Forrester Research estimates that 80% of security breaches involve privileged accounts. Privileged accounts provide elevated access to all of the other accounts in the domain, as well as to applications and systems. In the wrong hands, they give the ability to take over an entire IT system, not to mention steal, damage or expose the data stored there.
Privileged accounts should be used exclusively for administrative tasks, and users should have a different account for their other job functions and communications. It might seem inconvenient to have more than one account to log in and out of but to a hacker, capturing a privileged account is like stealing the keys to the castle. Not only will they be able to move about inside the castle, but they’ll be able to control all the inhabitants and steal the jewels inside too.
Maintaining Least Privilege
While technical controls are used as one of the tactics to limit data access at the application or system level, you also need documented policies so that the people controlling permissions know exactly what is and isn’t allowed.
Data access guidelines should be included in employee training. Employees need to know not just what data they need, but how they should handle situations such as: what to do when a vendor asks for access to IT systems, what should happen when an employee is terminated, or what to do if someone asks to use their account credentials.
Moving Towards a Zero Trust Cybersecurity Strategy
Zero Trust is a cybersecurity strategy promoted by a May 2021 White House executive order. While you may not be responsible for the security of critical infrastructure, every organization that does business on the internet needs to play a part in thwarting cyber-criminals.
Do You Have Security Gaps?
It can be difficult to know if you have gaps in security that are increasing your exposure to cyber risk. That’s why a cyber assessment is the best next step in strengthening your security posture. You’ll get the recommendations you need to develop a cybersecurity plan that will allow you to build cyber resilience.