The Edge

What Does Least Privilege Access Mean for Cloud Security?

While traditional security controls are necessary at the perimeter, organizations also need to prevent malicious privileged access.

Question: What role will least privilege access play as part of a cloud security strategy in the coming years?

David McNeely, Chief Technology Officer, Delinea: Least privilege plays a critical role as one of several controls that are necessary to secure cloud-based infrastructure, services, and applications. Let's first define least privilege as an approach for granting just enough privilege, just in time, and for a limited duration in order to reduce the overall risk represented by the privileged access, whether it is requested by an individual or machine.

Most organizations take the opportunity to rethink security as they move infrastructure and applications to the cloud or as they design new applications in the cloud. As we look at security models for the cloud, we find that cloud infrastructure providers have a shared responsibility model that defines what they will control as well as what the customer will be responsible for managing, such as their data security from the virtual machine (VM) to the operating system and app layers.

In order to define and enforce a more stringent security posture both on-premises and in the cloud, many organizations have adopted a zero-trust mindset. Zero trust mandates a "never trust, always verify" policy and least access/privilege model that focuses on identity-based authentication and access controls to ensure bad actors cannot use easily compromised credentials to gain privileged access, move around the network, and extract sensitive and valuable data.

As organizations move to adopt zero trust, we are also finding organizations adopting a zero standing privilege posture, where no one has access rights or privileges permanently assigned; rather, access is granted just in time for a limited duration to reduce the attack surface and eliminate the potential for malicious actors accessing any infrastructure, even if they are able to compromise existing credentials.

Security is always best deployed in layers. While traditional security controls are necessary at the perimeter, we need to constantly think about how to prevent malicious privileged access, assuming that the bad actors are already on the inside and may already have access to credentials.

Quite simply, least privilege has become the foundational approach to access controls for cloud-based infrastructure, services, and applications.
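The zero standing privilege model the answer describes (grant just enough, just in time, for a limited duration, with every decision logged) worked through as an added Python example; it is not code from the original article or from Delinea, and the role names, action strings and the one-hour ceiling are constructed assumptions:

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
# Role catalogue: each role names exactly the actions it permits ("just enough").
# Constructed sample values, not any cloud provider's real role definitions.
ROLES = {
    "vm-operator": {"ec2:StopInstances", "ec2:StartInstances"},
    "db-reader": {"rds:DescribeDBInstances", "rds:DownloadDBLogFilePortion"},
}
MAX_GRANT = timedelta(hours=1)  # ceiling on any elevation ("limited duration")

@dataclass
class Grant:
    principal: str
    role: str
    expires_at: datetime
    justification: str
@dataclass
class JitBroker:
    """Zero standing privilege: a principal holds a role only while a time-boxed grant is live."""
    grants: list = field(default_factory=list)
    audit: list = field(default_factory=list)  # every grant and every decision is recorded

    def request(self, principal, role, justification, duration, now):
        """Issue a grant 'just in time'; the TTL never exceeds MAX_GRANT."""
        if role not in ROLES:
            raise ValueError(f"unknown role {role}")
        if not justification:
            raise ValueError("justification required")  # ties elevation to a ticket/reason
        grant = Grant(principal, role, now + min(duration, MAX_GRANT), justification)
        self.grants.append(grant)
        self.audit.append((now, "grant", principal, role))
        return grant

    def is_allowed(self, principal, action, now):
        """Allow only if an unexpired grant's role explicitly permits the action."""
        self.grants = [g for g in self.grants if g.expires_at > now]  # lazy expiry
        ok = any(g.principal == principal and action in ROLES[g.role] for g in self.grants)
        self.audit.append((now, "allow" if ok else "deny", principal, action))
        return ok

def demo():
    """One elevation through its lifecycle; returns the decisions in order (constructed timeline)."""
    t0 = datetime(2024, 1, 1, 9, 0, tzinfo=timezone.utc)
    b = JitBroker()
    before = b.is_allowed("alice", "ec2:StopInstances", t0)  # no standing access: deny
    g = b.request("alice", "vm-operator", "INC-1234 restart hung VM", timedelta(hours=8), t0)
    in_scope = b.is_allowed("alice", "ec2:StopInstances", t0 + timedelta(minutes=30))
    out_of_scope = b.is_allowed("alice", "rds:DownloadDBLogFilePortion", t0 + timedelta(minutes=30))
    after = b.is_allowed("alice", "ec2:StopInstances", t0 + timedelta(hours=2))  # grant expired
    return before, (g.expires_at - t0).total_seconds(), in_scope, out_of_scope, after
```

The audit list is what a detection team would forward to a SIEM: a "deny" for a principal with no live grant, or an "allow" outside business hours, is the signal that a compromised credential is being tried.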