The concept of the least privilege, or POLP, lies in the belief that any client, program or system should be granted only the minimal privilege to fulfill its function. For example, a new user who has been developed to pull information from a database does not need administrative privileges, whereas a programmer who updates existing code lines does not need access to financial records. The POLP principle is also known as the Least Authority Principle, or POLA, and the Minimal Privileges Principle, or POMP.
Under POLP, best practice for protection of information is considered.
How does it work?
The POLP only provides sufficient access to perform a particular task. Within the IT world, it reduces the risk of malicious attacks that could lead to access to critical systems and sensitive data due to the vulnerability of a low-level user account, one computer, or an application. It requires the compromise to the region of origin by applying the Least Privilege Theory, which avoids it spread.
Details of the Least Privilege Principle (POLP)
The Least Privilege Principle applies to all infrastructure levels including end users, computers, processes, networks, software, systems and other elements of the IT environment. Examples of how POLP can work in practice are given here.
POLP User Accounts
An individual who is responsible for entering information into a system has to have access to that particular database. If a virus was able to infect the computer of that employee, the infection would only happen in this database because that employee has no access to other servers or systems.
MySQL POLP Profile
A MySQL account can use POLP to perform a particular task by using many different accounts. An online form that allows users to sort data should only use a sorting privileged account. It allows an intruder to gain access only to one specific privilege. But, if that account can delete information, for example, the hacker can wipe out the whole server.
“Just in time” Last prerogative
A consumer who seldom needs root rights is only given this right when operating on a particular task. These rights should otherwise be pulled. Available certificates are an excellent way to implement POLP and improve security.
POLP has been developed for improved safety and therefore provides numerous benefits.
- Enhanced Security–Edward Snowden has been able to access and take millions of NSA files because he had permissions for administrators, even if his work just was to make backups. The NSA has since adopted POLP.
- Limit Malware Attacks –If a malware program or computer becomes compromised, POLP is able to prevent the initial infection from spreading throughout the network.
- Enhance audits–Once POLP is in operation, its scope will be dramatically reduced. In fact, some laws actually require businesses to comply with this rule.
- Enhanced stability–The Last Privilege Theory increases system stability by minimizing change consequences.
POLP Best Practice
- Make an audit of privileges–Check all accounts, programs and processes to see whether they have or not the right privileges.
- Creating fewer privileged accounts–New generated user accounts should be the least privileged and the higher privileges to be later set.
- Separate rights–Separate administrative accounts of normal and higher accounts of low-level system functions should be available.
- Use the right “just in time”–you only should limit elevated privileges at times of need if possible.
- Trace individual steps–Automatic auditing will simplify monitoring and damage prevention.
- Regularize–privilege reviews should be carried out periodically in the operation of POLP to stop old user accounts and processes from gaining privileges.