Separation of Duties and Least Privilege (Part 15 of 20: CERT Best Practices to Mitigate Insider Threats Series)
The 15th practice described in the newly released edition of the Common Sense Guide to Mitigating Insider Threats is Practice 15: Enforce separation of duties and least privilege. In this post, I discuss how implementing separation of duties and least privilege can benefit any organization's defense-in-depth strategy.
The CERT Division announced the public release of the fifth edition of the Common Sense Guide to Mitigating Insider Threats in December 2016. The guide describes 20 practices that organizations should implement across the enterprise to mitigate (prevent, detect, and respond to) insider threats, as well as case studies of organizations that failed to do so. The 15th of the 20 best practices follows.
Practice 15: Enforce separation of duties and least privilege.
Separation of duties is often synonymous with the "two-person" or "four eyes" rule wherein a task can be completed only with the participation of more than one employee. An example implementation of the two-person rule might include having two individuals enter a passcode and confirm successful, appropriate completion of the same task. While the two-person rule can serve to prevent single-actor insider threats, organizations should still be mindful that collusion between insiders can circumvent this procedure.
Separation of duties also means that activities are broken into discrete tasks so that no one employee is responsible for a critical function end to end. An example would be to require separate employees to be responsible for either the backup or the restore tasks. Organizations should review each critical function and the extent to which it relies on any one employee to complete it.
While this concept seems simple, implementation can be a challenge, particularly for small to mid-sized organizations. Organizations can implement both technical and nontechnical controls to enforce the separation of duties in the business units as well as in the IT department:
- Require authorization from two users for the transfer or copy of data to removable media.
- Require two system administrators to approve the deletion of critical data or changes to configuration files.
- Institute oversight for employees handling sensitive information or performing critical functions, such as backup, restore, or system administration.
- Develop policies and procedures for how the two-person rule should be implemented and verified for specific functions.
- Require separate employees to be responsible for either the generation or approval of checks or cash transfers.
- Manage physical access to servers or enclaves by having two employees badge in together.
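The two-person rule for deleting critical data or changing configuration files, as an added example (not code from the guide or from CERT): a small dual-control gate that runs a sensitive action only after two distinct, authorized approvers have signed off, writes every decision to an audit trail, and treats a second approval from the same person as still only one approver. The approver names, action id and config store are constructed for the illustration.

```python
from dataclasses import dataclass, field
from typing import Callable, Dict, FrozenSet, List, Set, Tuple


class DualControlError(Exception):
    """Raised when a sensitive action lacks the required approvals."""


@dataclass
class DualControlGate:
    """Run a sensitive action only after `required` distinct authorized users approve it.

    Approvals are keyed by action id and consumed on execution, so a set of
    approvals cannot be reused for a second run of the same action. The gate
    blocks a single actor; it cannot block two colluding approvers, which is why
    the audit log records who approved what.
    """
    authorized_approvers: FrozenSet[str]
    required: int = 2
    audit_log: List[str] = field(default_factory=list)
    _pending: Dict[str, Set[str]] = field(default_factory=dict)

    def approve(self, action_id: str, user: str) -> int:
        """Record an approval; returns the number of distinct approvers so far."""
        if user not in self.authorized_approvers:
            self.audit_log.append(f"DENY approve {action_id} by {user}: not an authorized approver")
            raise DualControlError(f"{user} is not an authorized approver")
        approvers = self._pending.setdefault(action_id, set())
        approvers.add(user)  # a set: approving twice does not count twice
        self.audit_log.append(f"APPROVE {action_id} by {user} ({len(approvers)}/{self.required})")
        return len(approvers)

    def execute(self, action_id: str, action: Callable[[], object]) -> object:
        """Run `action` if enough distinct approvers exist, then consume the approvals."""
        approvers = self._pending.get(action_id, set())
        if len(approvers) < self.required:
            self.audit_log.append(f"DENY execute {action_id}: {len(approvers)}/{self.required} approvals")
            raise DualControlError(
                f"{action_id} needs {self.required} distinct approvers, has {len(approvers)}")
        del self._pending[action_id]  # approvals are single-use
        self.audit_log.append(f"EXECUTE {action_id} approved by {sorted(approvers)}")
        return action()


def run_scenario() -> Tuple[dict, List[str]]:
    """Constructed scenario: deleting a production config file requires two admins."""
    gate = DualControlGate(authorized_approvers=frozenset({"admin_a", "admin_b"}))
    store = {"config/prod.yaml": "db_host: prod-db"}  # constructed stand-in for the real system
    results = {}

    def delete_config() -> str:
        store.pop("config/prod.yaml")
        return "deleted"

    # One admin alone cannot complete the deletion.
    gate.approve("delete-prod-config", "admin_a")
    try:
        gate.execute("delete-prod-config", delete_config)
        results["single_approver"] = "executed"
    except DualControlError:
        results["single_approver"] = "blocked"

    # The same admin approving again is still a single actor.
    gate.approve("delete-prod-config", "admin_a")
    try:
        gate.execute("delete-prod-config", delete_config)
        results["same_user_twice"] = "executed"
    except DualControlError:
        results["same_user_twice"] = "blocked"

    # Someone outside the approver group cannot supply the second approval.
    try:
        gate.approve("delete-prod-config", "intern")
        results["unauthorized"] = "accepted"
    except DualControlError:
        results["unauthorized"] = "rejected"

    # A second, distinct admin completes the two-person rule.
    gate.approve("delete-prod-config", "admin_b")
    results["two_approvers"] = gate.execute("delete-prod-config", delete_config)
    results["file_present"] = "config/prod.yaml" in store
    return results, gate.audit_log


if __name__ == "__main__":
    outcome, log = run_scenario()
    print(outcome)
    print("\n".join(log))
```

The audit log is the part a detection team cares about: a run of DENY entries for one action id shows someone repeatedly trying to complete a dual-control task alone, and the EXECUTE entry names both approvers for later review.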
A complementary concept, least privilege, requires that employees have the minimum privileges needed to perform actions on information or assets that are within the scope of their job function. Implementation of the principle of least privilege on an information system (i.e., read, write, or execute permissions) can include restrictions around the creation, deletion, or modification of information.
Implementation of least privilege may also include restricting the installation of software. For instance, your organization may manage privileges so that interns can read or write files only within specified directories, but not execute programs or reconfigure user settings. While enterprise software typically allows implementing least privilege at scale, some users may seek to escalate their privileges by exploiting bugs or configuration gaps.
Organizations can implement the principle of least privilege in the following ways:
- Deploy role-based access controls and group policies to prevent employees from accessing information or services that are not required for their job.
- Segment the network into VLANs defined by business units to prevent users from freely traversing the network.
- Ensure that employees in administrator roles have separate, unique accounts for their administrator and non-administrator activities (e.g., using "Run as Administrator" for pre-approved tasks only).
- Perform regular audits of employee accounts to identify changes in roles, prevent privilege creep, and ensure that former employees no longer have access.
- Patch software regularly to reduce the likelihood that end users can exploit software bugs that allow escalation of privilege.
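Role-based least privilege together with the account audit from the list above, as an added example (not code from the guide or from CERT): a permission check that grants only what an account's roles allow, plus an audit pass that flags ad hoc grants beyond the role (privilege creep), still-enabled accounts of former employees, and accounts that mix an administrator role with a non-administrator one. The roles, path prefixes and accounts are constructed for the illustration.

```python
from dataclasses import dataclass, field
from typing import List, Set, Tuple

# Role -> set of (action, path prefix) permissions. Constructed example policy:
# interns read and write only inside their own directory and execute nothing.
ROLE_PERMISSIONS = {
    "intern":   {("read", "/projects/intern/"), ("write", "/projects/intern/")},
    "analyst":  {("read", "/projects/"), ("write", "/projects/reports/")},
    "sysadmin": {("read", "/etc/"), ("write", "/etc/"), ("execute", "/usr/sbin/")},
}
ADMIN_ROLES = {"sysadmin"}

Permission = Tuple[str, str]


@dataclass
class Account:
    name: str
    roles: Set[str]
    direct_grants: Set[Permission] = field(default_factory=set)  # grants outside any role
    enabled: bool = True
    employed: bool = True  # HR status; a leaver should not keep an enabled account


def role_permissions(account: Account) -> Set[Permission]:
    """Permissions implied purely by the account's roles."""
    return set().union(*(ROLE_PERMISSIONS.get(r, set()) for r in account.roles))


def effective_permissions(account: Account) -> Set[Permission]:
    return role_permissions(account) | account.direct_grants


def is_permitted(account: Account, action: str, path: str) -> bool:
    """Default deny: allow only if an effective permission covers action and path prefix."""
    if not account.enabled:
        return False
    return any(action == a and path.startswith(prefix)
               for a, prefix in effective_permissions(account))


def audit(accounts: List[Account]) -> List[Tuple[str, str]]:
    """Return (account, finding) pairs for the conditions a periodic review should catch."""
    findings = []
    for acct in accounts:
        if not acct.employed and acct.enabled:
            findings.append((acct.name, "former-employee-active"))
        if acct.direct_grants - role_permissions(acct):
            findings.append((acct.name, "privilege-creep"))
        if acct.roles & ADMIN_ROLES and acct.roles - ADMIN_ROLES:
            findings.append((acct.name, "mixed-admin-account"))
    return findings


# Constructed sample accounts.
SAMPLE_ACCOUNTS = [
    Account("ivy", {"intern"}),
    Account("alex", {"analyst"}, direct_grants={("write", "/etc/")}),   # grant left over from a project
    Account("bob", {"sysadmin", "analyst"}),                             # admin and daily work on one account
    Account("carol", {"analyst"}, employed=False),                       # left the company, still enabled
]

if __name__ == "__main__":
    ivy = SAMPLE_ACCOUNTS[0]
    print("ivy read own dir:", is_permitted(ivy, "read", "/projects/intern/notes.txt"))
    print("ivy execute:", is_permitted(ivy, "execute", "/usr/sbin/useradd"))
    for name, finding in audit(SAMPLE_ACCOUNTS):
        print(f"{name}: {finding}")
```

The check is default deny: a request passes only when some effective permission matches both the action and the path prefix, so adding a new role or directory never widens access by accident. The audit deliberately compares direct grants against what the roles already imply, which is how privilege creep shows up in practice.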
When these principles are implemented, organizations can limit the potential damage that can be caused by insiders. In addition to protecting against malicious attacks, separation of duties and least privilege also assists in mitigating unintentional insider threats. If no single employee has the privileges necessary to access and leak the "secret sauce," then there is no single point of failure if employees are targeted by a social engineering campaign.
Regardless of the strategies used to enforce separation of duties and least privilege, an organization should consider how each strategy fits into its overall defense-in-depth strategy, goals, organizational culture, and mission.
Refer to the complete fifth edition of the Common Sense Guide to Mitigating Insider Threats for a comprehensive understanding of the issues and recommendations mentioned in this post.
Check back next week to read Practice 16: Define explicit security agreements for any cloud services, especially access restrictions and monitoring capabilities, or subscribe to a feed of the Insider Threat blog to be alerted when a new post is available.