One of the most common vulnerabilities identified in network security and HIPAA assessments relate to sensitive personal information accessible by users who shouldn’t have access or in the worst case by everyone. Privileges are the rights and permissions assigned to authorized users to access resources (e.g. folders and files). The principle of “least privilege” specifies individuals and processes are granted only the rights and permissions needed to perform their assigned tasks and functions, but no more. When implementing least privilege, you reduce risk by limiting the resources a user can access. You may be more familiar with a similar principle “need to know.”
Frequently organizations grant far-reaching rights and permissions because it is easier than dealing with requests from users because they can’t access certain files and folders, however the risks of not implementing least privilege can be serious. A disgruntled or careless employee can delete or modify key files, or a hacker can take control of a user’s account and gain access to sensitive information.
Implementing least privilege requires thought and planning. Depending on the size and complexity of your organization, implementation can be a daunting task. It involves identifying job roles, assigning rights and permissions to the roles, and finally assigning users to the roles. Using role-based access controls can significantly reduce the administrative burden, as opposed to granting individual right and permissions on request. Once least privilege is implemented, it must be properly maintained. When a user’s job role changes, their rights and permissions should be updated as well.
A network or HIPAA assessment can help identify these types of vulnerabilities and ISD can advise you in planning and implementation. Give us a call to learn about other ways to secure your organization’s precious data resources.