Cybersecurity In-Depth: Getting answers to questions about IT security threats and best practices from trusted cybersecurity professionals and industry experts.

While traditional security controls are necessary at the perimeter, organizations also need to prevent malicious privileged access.

David McNeely, Chief Technology Officer, Delinea

February 23, 2022

2 Min Read
3D illustration of a blue network with icons and the text zero trust written on the front. Black background.
Source: Olivier Le Moal via Alamy Stock Photo

Question: What role will least privilege access play as part of a cloud security strategy in the coming years?

David McNeely, Chief Technology Officer, Delinea: Least privilege plays a critical role as one of several controls that are necessary to secure cloud-based infrastructure, services, and applications. Let's first define least privilege as an approach for granting just enough privilege, just in time, and for a limited duration in order to reduce the overall risk represented by the privileged access, whether it is requested by an individual or machine.

Most organizations take the opportunity to rethink security as they move infrastructure and applications to the cloud or as they design new applications in the cloud. As we look at security models for the cloud, we find that cloud infrastructure providers have a shared responsibility model that defines what they will control as well as what the customer will be responsible for managing, such as their data security from the virtual machine (VM) to operating system and app layers.

In order to define and enforce a more stringent security posture both on-premises and in the cloud, many organizations have adopted a zero-trust mindset. Zero trust mandates a "never trust, always verify" policy and least access/privilege model that focuses on identity-based authentication and access controls to ensure bad actors cannot use easily compromised credentials to gain privileged access, move around the network, and extract sensitive and valuable data.

As organizations move to adopt zero trust, we are also finding organizations adopting a zero standing privilege posture, where no one has access rights or privileges permanently assigned; rather, access is granted just in time for a limited duration to reduce the attack surface and eliminate the potential for malicious actors accessing any infrastructure, even if they are able to compromise existing credentials.

Security is always best deployed in layers. While traditional security controls are necessary at the perimeter, we need to constantly think about how to prevent malicious privileged access, assuming that the bad actors are already on the inside and may already have access to credentials.

Quite simply, least privilege has become the foundational approach to access controls for cloud-based infrastructure, services, and applications.

About the Author(s)

David McNeely

Chief Technology Officer, Delinea

David McNeely is chief technology officer at Delinea (formerly ThycoticCentrify), where he is focused on helping customers meet the evolving security needs of the modern enterprise, while contributing to the strategic vision of the company’s product portfolio. He previously served in a variety of roles at AOL and Netscape Communications (acquired by AOL).

Keep up with the latest cybersecurity threats, newly discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

You May Also Like

More Insights