The principle of least privilege is intended to create an environment that, while providing elevated access, still limits risk. The act of isolating privileges based on need and providing users only the access they require is a key first step. But once the accounts are created and the privileges established, a gap exists. Accounts can still be compromised. Given, the more restrictive least privilege environment cannot police itself to detect inappropriate use, the need for some level of monitoring and enforcement is required.
Implementing least privilege
To start implementing least privilege, organisations create an environment where users are only granted the permissions they need to do their job. Privileged and non-privileged accounts are first separated. User profiles should then be correctly identified and permissions defined for each to bring each account into a state of least privilege. Then whether it’s the local Admin account on a workstation, or THE Administrator account in Active Directory – and everything in between – you have to reduce the number of employees that have access to these types of accounts.
But even with this all in place, organisations run the risk that account misuse (even accounts restricted down to the bare work essential privileges) will provide enough access for a threat action to take place. In reality, least privilege is really about the compromised use of a privileged account.
What is a privileged account?
But, what should you consider a ‘privileged’ account? It’s not a good idea to only focus on accounts that are ‘admin’ level.
Let’s take an example: the Director of Accounts Payable needs access to the AP system. It’s still possible that the account gets compromised and used to make fraudulent payments in order to steal the company’s money. There is a good chance that the user is not considered an admin of anything, but still the misuse of his account could hurt the company.
To avoid that, you need to monitor and better secure the access of every user account to make sure the underlying goals of least privilege are met
More from Interviews
- A Chat With Piero Pavone, CEO Of Preciso On How Native Advertising Is Shaping A More Sustainable Future
- Efficient Referrals: Meet Kirsty Sharman, Founder Of Referral Factory
- A Chat With João Moura, CEO And Co-Founder, On Transaction Risk Platform: Fraudio
- A Chat With Michael J Bannach, Founder & President, Stealth Technology Group On How Employees Leak Company Secrets Into Chatbots – And What Safe, Approved AI Should Look Like
- A Conversation With Allister Frost, Future-Ready Mindset Author and Speaker, On How AI Panic Is Pushing Brits Into Rushed Career Swaps That Could Prove Costly
- Interview With Yuliya Barabash, Founder Of SBSB Fintech Lawyers On Where Crypto Companies Actually Win in 2026
- A Chat With Avion Gray (CEO) And Samantha Rosenberg (COO), Co-Founders Of Belong On Wealth Building
- Interview With Bert van der Zwan, CEO at Bizzdesign On Enterprise Transformation
Leverage Logon security in addition to least privilege
Monitoring logons is the first step to limit the risk associated with any user – which of course, is the goal of any least privilege initiative! It gives visibility into account use, before malicious actions happen. For example a logon that stems from an unusual country or endpoint should be a red flag. Likewise for multiple failed logon attempts or concurrent logons.
Restrictions and multi factor authentication should also provide enforcement to protect accounts from being misused.
For example restrictions by machine or time, and a prompt for a second authentication factor on certain circumstances such as a new machine or a remote access.
Combining these functionalities allows you to keep the least privilege controls in place and to protect the environment from compromised credentials. By including logon security as part of your least privilege strategy, an environment remains in a constant state of enforcement to reduce risk.
François Amigorena is the founder and CEO of IS Decisions, and an expert commentator on cybersecurity issues.
IS Decisions software makes it easy to protect against unauthorized access to networks and the sensitive files within.
For more information, visit: https://www.isdecisions.com/
