According to a recent World Economic Forum community paper, “The ‘Zero Trust’ Model in Cybersecurity: Towards understanding and deployment”:
“Zero trust is a principle-based model designed within a cybersecurity strategy that enforces a data-centric approach to continuously treat everything as an unknown — whether a human or a machine — to ensure trustworthy behavior.”
Unpacking Zero Trust
At Schneider Electric, we have been unpacking the principles of our Zero Trust model in a series of blog posts. In our first, we discussed the need for organizations to routinely verify, authorize, and validate users of IT and OT infrastructures to prevent potential compromises to critical data and systems.
What is Least-Privilege Access?
Building on this concept, our second principle of Least-Privilege Access ensures that users have access to exactly what they need — nothing more, nothing less. Identifying and limiting users’ access rights to what is strictly necessary not only limits our exposure to malware and cyber-attacks, but it also bolsters productivity by affording people exactly what they need to do their jobs.
As advancements in smart technologies and automated processes require an increasingly larger workforce with more unique access control requirements, however, implementing the principle of Least-Privilege Access in our organization is easier said than done. To keep up with today’s needs, we take an active role in managing access privileges to ensure that users have the requisite permissions to fulfill vital tasks while removing access privileges from those who no longer require them.
Failing to remove permissions runs the risk of privilege creep, which is the accumulation of permissions to sensitive systems by users who no longer need them to perform their functions. Privilege creep leaves organizations significantly more exposed to attack. Limiting the number of users with a given access not only reduces our risk of data loss, corruption, or theft, but it also makes tracing the source of such problems far more efficient.
There are many ways we approach the principle of Least-Privilege Access. One of the most fundamental steps is creating clearly defined parameters for different levels of access. At the outset, all our new users begin with the bare-minimum amount of access required for the least-sensitive functions; these are referred to as least-privileged users (LPUs). By setting every new user up as an LPU, we can subsequently grant privileges on an individualized basis while keeping track of which individual users have been granted certain privileges.
Instead of solely granting permanent privileges, we also place time limits on access permissions, giving people temporary privileges if they need access for a specific task for a certain amount of time. Temporary privileges can either be granted within a specific timeframe before expiring or until the task is done. In the latter case, we often create and track one-time-use credentials and verify that such permissions are revoked afterwards.
There are a number of other ways we practice least-privilege access as well. To counter privilege creep, we actively manage access rights to keep up with the rapidly changing landscape of our workforce and reprovision privileges when necessary. As shared accounts make it far more difficult to track access rights, we issue individual accounts to users wherever possible. In situations where someone cannot be given an individual account, we ensure that generic accounts are robustly secured through appropriate methods like smart card account logins for better traceability.
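The three practices above (every new user starts as an LPU, grants are time-bound or task-bound and individually tracked, and a periodic review catches privilege creep) can be captured in a small grant ledger. The following is an added illustration, not Schneider Electric's code or any product's API; the privilege names, the baseline set, the 7-day review threshold and the timeline are all constructed for the example.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

# Constructed baseline: the only privileges a freshly onboarded least-privileged user (LPU) holds.
LPU_BASELINE = frozenset({"read:public-docs"})

# Constructed policy: a task-bound grant (no expiry) still open after this long is reported as suspected creep.
MAX_TASK_GRANT_AGE = timedelta(days=7)


@dataclass
class Grant:
    privilege: str
    approver: str
    granted_at: datetime
    expires_at: Optional[datetime]      # None means task-bound: it must be revoked explicitly when the task ends
    task: Optional[str] = None
    revoked_at: Optional[datetime] = None

    def active(self, now: datetime) -> bool:
        """A grant is active until it is revoked or its time limit passes, whichever comes first."""
        if self.revoked_at is not None and self.revoked_at <= now:
            return False
        if self.expires_at is not None and self.expires_at <= now:
            return False
        return True


class AccessLedger:
    """Per-user record of every grant: who approved it, when it was given, and how it ends."""

    def __init__(self) -> None:
        self.grants: dict[str, list[Grant]] = {}

    def onboard(self, user: str, now: datetime) -> None:
        # Every new user begins as an LPU: only the baseline, nothing individually granted yet.
        self.grants[user] = [Grant(p, "onboarding", now, None, task="baseline") for p in sorted(LPU_BASELINE)]

    def grant(self, user: str, privilege: str, approver: str, now: datetime,
              ttl: Optional[timedelta] = None, task: Optional[str] = None) -> None:
        if user not in self.grants:
            raise KeyError(f"{user} has not been onboarded")
        if ttl is None and task is None:
            # Refuse open-ended grants: every privilege must have a time limit or a task that ends it.
            raise ValueError("a grant must be time-bound (ttl) or task-bound (task)")
        expires = now + ttl if ttl is not None else None
        self.grants[user].append(Grant(privilege, approver, now, expires, task))

    def revoke(self, user: str, privilege: str, now: datetime) -> None:
        for g in self.grants.get(user, []):
            if g.privilege == privilege and g.task != "baseline" and g.active(now):
                g.revoked_at = now

    def effective(self, user: str, now: datetime) -> set[str]:
        """Privileges the user actually holds at this instant."""
        return {g.privilege for g in self.grants.get(user, []) if g.active(now)}

    def audit_creep(self, now: datetime, role_needs: dict[str, set[str]]) -> list[tuple[str, str, str]]:
        """Report active non-baseline grants that the user's current role no longer needs,
        and task-bound grants that have stayed open longer than MAX_TASK_GRANT_AGE."""
        findings = []
        for user, grants in self.grants.items():
            needed = role_needs.get(user, set())
            for g in grants:
                if g.task == "baseline" or not g.active(now):
                    continue
                if g.privilege not in needed:
                    findings.append((user, g.privilege, "not required by current role"))
                if g.expires_at is None and now - g.granted_at > MAX_TASK_GRANT_AGE:
                    age = (now - g.granted_at).days
                    findings.append((user, g.privilege, f"task-bound grant open for {age} days"))
        return findings


def demo() -> dict:
    """Constructed timeline: a time-bound grant that expires on its own, and two grants caught by the review."""
    t0 = datetime(2024, 1, 1, tzinfo=timezone.utc)
    ledger = AccessLedger()
    ledger.onboard("alice", t0)
    ledger.onboard("bob", t0)
    # alice gets a two-hour window for one change; it lapses without anyone having to remember it.
    ledger.grant("alice", "write:plc-config", approver="ot-manager", now=t0, ttl=timedelta(hours=2))
    # bob gets a task-bound grant for a migration and a 30-day grant his role turns out not to need.
    ledger.grant("bob", "admin:historian", approver="ot-manager", now=t0, task="historian migration")
    ledger.grant("bob", "write:plc-config", approver="ot-manager", now=t0, ttl=timedelta(days=30))

    review = t0 + timedelta(days=10)
    role_needs = {"alice": set(), "bob": {"read:scada-logs", "admin:historian"}}
    before = ledger.audit_creep(review, role_needs)
    ledger.revoke("bob", "admin:historian", review)      # the migration is done: close the task-bound grant
    after = ledger.audit_creep(review, role_needs)
    return {
        "alice_during": ledger.effective("alice", t0 + timedelta(hours=1)),
        "alice_after": ledger.effective("alice", t0 + timedelta(hours=3)),
        "findings_before": before,
        "findings_after": after,
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

The point of the `ttl`/`task` requirement in `grant()` is that no privilege can be handed out without a defined end: either the clock revokes it or a named task does. The review in `audit_creep()` is what turns the "reprovision when necessary" step into a repeatable check rather than something that depends on a manager remembering to ask.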
We have also worked with vendors that provide innovative and cost-effective privileged access management services so we can increase efficiencies without compromising on security. For instance, we can automatically discover and identify privileged accounts across a given network and set up automated alerts for IT and OT managers to help them detect, react to, and stop outside attacks or internal misuse. We also have internal solutions for our EcoStruxure service, such as Access Expert, which safely gives users with certain access privileges control over their domains from the web or on mobile devices.
Practicing the principle of Least-Privilege Access is not only the responsible thing to do — it is in fact necessary to remain compliant with many global industrial standards. Cybersecurity regulations and standards series — such as ISA/IEC 62443, ISO 27001, the NIS Directive, LPM, NERC CIP, and NIST SP-800-82 — each contain highly complex requirements regarding access privileges. By making least privilege access a matter of well-documented policy, we are not only able to attain cyber standards certifications required by our customers but also prove compliance in case of an audit by regulatory agencies.
Trust Nothing and Verify Everything
The principle of Least-Privilege Access represents a core tenet of our zero-trust philosophy, and it requires that we practice a “trust nothing and verify everything” philosophy. When it comes to cybersecurity, hypervigilance is crucial, and even the slightest bit of slack can be disastrous.
We encourage other organizations that seek to protect their critical systems and data to actively manage privileges to ensure they are granted, reprovisioned, and removed properly. While such scrupulous oversight comes at a cost, it is more than recouped by mitigating potential cyber-attacks and reducing inefficiencies by ensuring employees always have the exact privileges they need to do their jobs.