Benefits of the Least Privileged Principle: Assuming A Breach

Yan Aksenfeld
March 24, 2020

Extending the Benefits of the Principle of Least Privilege

If you’ve ever had a job where certain information was dispersed on a need-to-know basis (and who hasn’t), then you can relate to the principle of least privilege (PoLP). In a broad sense, it’s about restricting access to sensitive data. Only people whose roles require that information can see or know about it.

When it comes to cybersecurity, the principle of least privilege is fundamental to protecting critical systems and data from bad actors. Not surprisingly, the military helped promote this concept way back in the 1980s when it published the Department of Defense Trusted Computer System Evaluation Criteria. It defined PoLP as requiring that “each subject in a system be granted the most restrictive set of privileges (or lowest clearance) needed for the performance of authorized tasks.”

PoLP for a Cyber World

Fast forward 40 years to today’s digital universe, where an organization’s crown jewels are just a click or a download away from cyber criminals. Consider this: 74% of IT decision makers whose organizations have had data breaches say they involved privileged access credential abuse. In the face of unrelenting cyber attacks, PoLP has now become more crucial than ever.

By limiting users’ access rights to the resources absolutely necessary to do their jobs, you limit the damage that can result from errors or unauthorized use. You reduce the attack surface by containing a cyber attack to a smaller set of resources. That’s why minimizing the number of people who hold admin privileges or admin accounts, which are gateways to corporate networks, is a best practice.

Although many organizations try to implement a least-privilege policy as part of their security strategy, it’s easier said than done. Choosing who gets what access rights can be extremely difficult, even if you have a policy that specifies access by job function or role.

The Malware Problem

For some organizations, PoLP includes removing interfaces such as USB ports from devices so end users can’t unintentionally copy malware-infected files from a USB drive or, in the case of insider threats, intentionally copy confidential information to it. However, there are many other ways for malware to breach systems and sensitive information.

Most malware comes from users clicking on emails, downloading files, and visiting websites that, unbeknownst to them, load viruses onto their devices. Some studies show that 92% of malware is delivered via email. Once inside the operating system, attackers can easily gain access to privileged information, especially on devices where users have local admin rights, which many organizations allow. To prevent malware, some organizations augment PoLP by locking down devices and blocking users from the internet. This tends to hurt productivity, however, and frustrate users.

Safeguarding Privileged Access with Operating System Isolation

Microsoft recommends that users only access privileged accounts from separate, dedicated machines. This requires each privileged user to have two computers, one for sensitive work and the other for everything else. If malware infects the ‘other’ computer, it won’t be able to reach the privileged one. This physical air gap strategy is great for security but a hassle for users. They lose about 5 hours/week swiveling between workstations, and often have to lug two laptops around. It’s also more expensive for IT to maintain twice the number of machines.

Organizations that want the enhanced PoLP benefits of a physical air gap without its productivity hits are adopting virtual air gap solutions. Instead of needing two different devices, this approach lets users run multiple virtual operating systems on a single endpoint. It gives people who have privileged accounts and admin rights easy, fast access to all the resources they need on one computer, while keeping sensitive corporate information safe.

Implementing this with Hysolate’s OS isolation platform is pretty straightforward. You dedicate one OS for privileged use and make it fully locked down and restricted to accessing sensitive data and systems. The other OS is reserved for general corporate work. It’s open to the internet and used for email and non-privileged information. If people try to use the wrong VM for a particular task, Hysolate automatically redirects them to the correct one.

Any cyber criminals who breach the corporate zone are completely contained within that operating system. They cannot reach the privileged account OS or even see that it exists. You can also configure the corporate zone to be non-persistent so that it’s wiped clean at specified intervals for added protection.

Want to extend the benefits of your PoLP implementation? Learn how Hysolate safeguards sensitive data. Start your free trial here.

Yan Aksenfeld

Yan is a Product Manager at Hysolate, bringing more than a decade of experience in the software, IT and cyber security industries in both software and customer-facing roles. He joined Hysolate in its first year in its first customer-facing role, as a senior sales engineer. Previously a software engineer and customer success lead in the VMware end user computing business unit, Yan began his career in an IDF military intelligence unit, where he was an architect and tech lead on large-scale virtualization and IT projects. He holds a BSc degree in Computer Science and an MBA.