Least Privilege Policy

Security regulations call for a least privilege policy, which means limiting access to reduce your attack surface. Least privilege requires that every user, application and system account have the minimum access to resources needed to do their job. Many customers, users or applications have admin or root privileges with access to sensitive data/operating systems. Under a least privilege model, administrative accounts with elevated privileges are given only to people who really need them. All others operate as standard users with an appropriate set of privileges.

Regulations like PCI DSS, HIPAA, SOX, and NIST and CIS security controls recommend or require implementing a least privilege model as part of a compliance solution. During an audit, you may have to demonstrate how the principle of least privilege is applied and enforced in your organization to control administrative accounts.

To successfully comply with a least privilege policy, you must know which privileges you need to manage. That means finding out which endpoints and local users have admin or root credentials, identify which apps are in use and if they require admin rights to run and understand your risk level for service accounts and apps with an elevated set of privileges.

Imagine how much damage and risk you will take away if you remove your business users from local admin groups, yet provide them with a way to install approved applications. IBM Privilege Manager helps with just that.

Get started with IBM’s free endpoint application and least privilege discovery tools.

To successfully comply with at least privilege policy, you must know which privileges you need to manage. Find out which endpoints and local users have admin or root credentials, identify which apps are in use and if they require admin rights to run and understand your risk level for service accounts and apps with an elevated set of privileges.

Can you imagine how much damage and risk you will take away if you can remove your business users from local admin groups – yet provide them with a way to install approved applications? IBM Privilege Manager helps with just that.

Secure your largest attack surface with a single agent

IBM Privilege Manager can communicate with hundreds of thousands of machines at once. You can check policies and execute 24/7 control across every device and application under your purview through a single, streamlined dashboard.

You can discover which users and endpoints have local administrative rights, including hidden or hardcoded privileges across domain and non-domain machines, and automatically remove these rights as needed. This helps you control the exact membership of all local groups and users to reduce the risk of backdoor accounts.

Define flexible policies that ensure a frictionless user experience

IBM Privilege Manager automatically elevates the applications and data that users across your organization need—without requiring credentials or forcing users to request IT support. It provides granular policy-based controls that determine and maintain access to trusted applications and processes.

Through advanced real-time threat intelligence, the solution whitelists, blacklists or graylists your applications according to flexible policies you define.

  • Whitelisting – Trusted applications are whitelisted and elevated, so users can easily access them without IT support.
  • Blacklisting – Blacklisted applications are blacklisted based on real-time threat intelligence and are blocked from running.
  • Graylisting – Potential threats are graylisted, meaning they’ve moved to an isolated sandbox environment for further testing.

Additionally, any application can be quarantine and “sandboxed” at any time, as you deem necessary, regardless of its list designation. A quarantined application can be safely executed and tested without the risk of exposing system folders or underlying OS configurations.

Easily manage and remove local administrative rights

Determine which accounts are members of any local group, including system administrators. If necessary, you can quickly reset all endpoints to a “clean slate” by removing all local administrative privileges at once.

Boost productivity for users and support staff

Since policy-based controls are enacted on the application level, users can access the trusted applications, systems and data they need without local administrative rights or the hassle of submitting tickets to IT support.

Achieve audit compliance through transparency

Share an easy-to-understand auditable trail of all application policies, administration credentials and privilege elevation activities with auditors. You’ll provide a clear picture of your compliance levels and what actions, if any, should be taken.

Read the last part tomorrow!