The principle of least privilege is intended to create an environment that, while providing elevated access, still limits risk. Isolating privileges based on need and giving users only the access they require is a key first step. But once the accounts are created and the privileges established, a gap remains: accounts can still be compromised. Since even the most restrictive least privilege environment cannot police itself to detect inappropriate use, some level of monitoring and enforcement is required.
Implementing least privilege
To start implementing least privilege, organisations create an environment where users are only granted the permissions they need to do their job. Privileged and non-privileged accounts are first separated. User profiles should then be correctly identified and permissions defined for each to bring each account into a state of least privilege. Then whether it’s the local Admin account on a workstation, or THE Administrator account in Active Directory – and everything in between – you have to reduce the number of employees that have access to these types of accounts.
But even with all this in place, organisations run the risk that misuse of an account (even one restricted to the bare privileges the job requires) will provide enough access for a threat action to take place. In reality, the risk least privilege is meant to address is the compromised use of a privileged account.
What is a privileged account?
But what should you consider a ‘privileged’ account? It’s not a good idea to focus only on accounts that are ‘admin’ level.
Let’s take an example: the Director of Accounts Payable needs access to the AP system. It’s still possible that the account gets compromised and used to make fraudulent payments in order to steal the company’s money. There is a good chance that the user is not considered an admin of anything, but still the misuse of his account could hurt the company.
To avoid that, you need to monitor and better secure the access of every user account to make sure the underlying goals of least privilege are met.
Leverage Logon security in addition to least privilege
Monitoring logons is the first step to limit the risk associated with any user – which, of course, is the goal of any least privilege initiative! It gives visibility into account use before malicious actions happen. For example, a logon that stems from an unusual country or endpoint should be a red flag. Likewise for multiple failed logon attempts or concurrent logons.
Restrictions and multi-factor authentication should also provide enforcement to protect accounts from being misused: for example, restrictions by machine or time, and a prompt for a second authentication factor in certain circumstances, such as a new machine or remote access.
Combining these functionalities allows you to keep the least privilege controls in place and to protect the environment from compromised credentials. By including logon security as part of your least privilege strategy, an environment remains in a constant state of enforcement to reduce risk.
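As an added illustration (not code from the article or from IS Decisions), the logon checks described above can be written as a small policy evaluator that runs over logon events: it enforces machine and time restrictions, flags logons from an unusual country, repeated failures and concurrent sessions, and requires a second factor for a new machine or remote access. The policy table, the account `alice`, machine names and the threshold of three failures are constructed for the example; sessions are assumed to stay open, since the sample has no logoff events.

```python
from collections import defaultdict
from dataclasses import dataclass

# Constructed policy (illustrative): machines, hours and country per account.
POLICY = {
    "alice": {"machines": {"WS-ACCT-01", "WS-ACCT-02"}, "hours": (8, 18), "country": "FR"},
}
FAILED_THRESHOLD = 3  # consecutive failed logons before the account is flagged

@dataclass(frozen=True)
class LogonEvent:
    user: str
    machine: str
    country: str
    hour: int  # local hour of the logon, 0-23
    success: bool
    remote: bool = False

def new_state():
    """Per-account counters kept between events: failures, open sessions, seen machines."""
    return {"failed": defaultdict(int), "active": defaultdict(set), "known": defaultdict(set)}

def evaluate_logon(ev, state):
    """Classify one logon as deny / alert / mfa / allow / log and update state."""
    rules = POLICY.get(ev.user)
    if rules is None:
        return "deny", "no least-privilege profile for account"
    if not ev.success:
        state["failed"][ev.user] += 1
        n = state["failed"][ev.user]
        return ("alert" if n >= FAILED_THRESHOLD else "log"), f"failed logon #{n}"
    prior = state["failed"].pop(ev.user, 0)  # a success resets the counter
    if prior >= FAILED_THRESHOLD:
        return "alert", f"success after {prior} failed attempts"
    if ev.machine not in rules["machines"]:
        return "deny", f"machine {ev.machine} not permitted for this profile"
    start, end = rules["hours"]
    if not start <= ev.hour < end:
        return "deny", f"logon at {ev.hour}:00 outside permitted hours"
    if ev.country != rules["country"]:
        return "alert", f"logon from unusual country {ev.country}"
    if state["active"][ev.user] - {ev.machine}:
        return "alert", "concurrent session already open on another machine"
    first_use = ev.machine not in state["known"][ev.user]
    state["known"][ev.user].add(ev.machine)
    state["active"][ev.user].add(ev.machine)
    if first_use or ev.remote:
        return "mfa", "new machine or remote access: second factor required"
    return "allow", "within least-privilege profile"
```

Feed the function a stream of events in order; the decision for each one depends on the state accumulated from the earlier ones, which is what lets it catch a success that follows a run of failures or a second session opened elsewhere.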
François Amigorena is the founder and CEO of IS Decisions, and an expert commentator on cybersecurity issues.
IS Decisions software makes it easy to protect against unauthorized access to networks and the sensitive files within.
For more information, visit: https://www.isdecisions.com/