The Principle of Least Privilege states that a user (or service) should be given the absolute bare minimum privileges required in order to fulfil its function.
On the surface, how could this possibly be bad? If I have everything I need in order to do my job then by definition I have everything I need. Likewise, if my app has all the privileges it needs in order to function correctly then, again, by definition it can function correctly. Right?
For the purpose of this post I’m going to focus on application security.
Where this all falls down is in defining “least privilege” in a sensible manner. How do we normally decide what privileges an application will require? When we decide on what the application will do, of course. And how do we decide what an application will do? We gather our requirements, of course. And when do we do this? We (of course, of course) gather all our requirements up-front, because that’s how we roll.
To rephrase that:
- We gather our requirements up-front.
- We know these requirements to be inaccurate, incomplete or just plain wrong.
- We set our security policies according to these requirements.
- We have our policies “signed off” by some governance group or other.
- We send our security requirements off to our sysadmins to implement in the form of AD security groups, firewall ACLs etc.
In other words:
We send our known-broken security requirements, based on our known-broken application requirements, off to be set in stone before we ever even ship our application.
If you’re going to set strict security policies for your app then your development team should be responsible - and held accountable - for setting sensible policies and updating them quickly according to changing requirements. If you’re going to wrap security policies in endless red tape then don’t be surprised when 1) people ask for more privileges than they need just to avoid administrative pain; and 2) your project ends up with a sub-optimal result because of a bunch of undocumented security work-arounds that decrease your overall security anyway.
You’re likely to be much better served by frequent automated and manual audits of both production and non-production environments to identify mismatches between organisational policies and configuration actuality.
TL;DR: Hire smart people. Trust them. Get out of their road. Check their homework. Hold them accountable.