Principle of Least Privilege and Multi Factor Authentication


IT security has always been important, and as more businesses grow and move to cloud-based systems, the need to secure those systems fully has grown with them.

When you own the IT equipment and know where your data physically is, it is easy to work out your boundaries: ensure your servers are locked up and your data is backed up.

As technology has changed and allowed data to be accessed from anywhere in the internet-connected world, the physical boundaries have changed. The need for data backup has not: whether the cause is accidental corruption, a software update or the latest malware which encrypts your data, the ability to restore data from a backup will always be needed.

Creating layers within a system adds to its complexity, but also to its security. Ensuring your users have access only to the data they need, rather than to everything just in case, is of key importance.

This is known as the Principle of Least Privilege: any user, program or process should have only the minimum privileges necessary to perform its task.

The process for securing systems requires a number of steps:

· Conduct a privilege audit. Check all existing accounts, processes and programs to ensure that they only have the permissions required to do the job.

· Start all accounts with least privilege. The default for all new account privileges should be set as low as possible. Only add specific higher-level powers as needed to perform the job.

· Enforce the separation of privileges. Separate admin accounts from standard accounts, and higher-level system functions from lower ones.

· Use just-in-time privileges. Wherever possible, restrict raised privileges to the moments when they are needed. Implement expiring privileges and one-time-use credentials.

· Make individual actions traceable. User IDs, one-time passwords, monitoring and automatic auditing make it easier to track and limit damage.

· Make it regular. Auditing privileges regularly prevents a situation where older users, accounts and processes accumulate privileges over time, whether they still need them or not.

Least Privilege Examples

A member of the accounts department has read-only access to the company bank records so they can match them to the accounts system. They receive a spoofed email asking them to transfer funds to a 3rd party. As they do not have permission to send payments, they would have to request further authorisation or deny the request.

If the same person opens a link which infects their computer with a zero-day virus, only the files and systems they have access to may be affected; the whole system would not be.

Even restricting IT departments so that they have a separate admin account, used only for admin tasks and not as their day-to-day user account, helps to ensure that if their own account is compromised for any reason the whole system is not affected. This is known as just in time privilege.


Multi-Factor Authentication

Microsoft Office 365 provides a wide range of applications and services which can be accessed via a single sign-on process. This all sounds great until the password is compromised. Key individuals such as directors, IT admins and office managers are targeted by malicious persons who would benefit from accessing all, or even some, of the data found on the Office 365 platform in email or OneDrive. Microsoft has its own security solution called MFA (Multi-Factor Authentication), which adds a 2nd layer of authentication to allow or deny users access to their systems.

Office 365 Multi-Factor Authentication will send an SMS/text message to a mobile number, or a prompt via the Microsoft Authenticator app, which is set up in advance.

For some non-Microsoft applications which need to integrate with Office 365 email, Microsoft offers a separate password which is set up for each individual app; it is randomly generated by Microsoft and is not editable.
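A small model of the sign-in behaviour described above, added here as an example; it is not Microsoft's code and simplifies the real service (the `Directory` class, its challenge codes and the hashing choices are all assumptions). It shows that a stolen password alone only reaches the second-factor challenge, and that an app password is random, per-app, not user-editable, and only accepted on the non-MFA path:

```python
import hashlib
import hmac
import secrets

def _hash(secret: str, salt: str) -> str:
    """Password-style hash so a dump of the store does not reveal app passwords."""
    return hashlib.pbkdf2_hmac("sha256", secret.encode(), salt.encode(), 100_000).hex()

class Directory:
    """Constructed stand-in for a tenant directory: users, a second factor and app passwords."""
    def __init__(self):
        self.users = {}
        self.pending = {}  # user -> second-factor code awaiting confirmation

    def add_user(self, name: str, password: str) -> None:
        salt = secrets.token_hex(8)
        self.users[name] = {"salt": salt, "pw": _hash(password, salt), "apps": {}}

    def sign_in(self, name: str, password: str) -> bool:
        """First factor only: a correct password just triggers the second-factor challenge."""
        u = self.users.get(name)
        if u is None or not hmac.compare_digest(u["pw"], _hash(password, u["salt"])):
            return False
        self.pending[name] = "%06d" % secrets.randbelow(10**6)  # delivered by SMS or app push
        return True

    def confirm(self, name: str, code: str) -> bool:
        """Second factor: the code delivered to the registered phone or Authenticator app."""
        expected = self.pending.pop(name, None)  # single use: one attempt per challenge
        return expected is not None and hmac.compare_digest(expected, code)

    def issue_app_password(self, name: str, app: str) -> str:
        """Random, per-app, not user-editable; the caller sees it once, the store keeps a hash."""
        pw = secrets.token_urlsafe(12)
        self.users[name]["apps"][app] = _hash(pw, self.users[name]["salt"])
        return pw

    def revoke_app_password(self, name: str, app: str) -> None:
        self.users[name]["apps"].pop(app, None)
    def legacy_sign_in(self, name: str, app_password: str):
        """Non-MFA client path: returns the app the password was issued to, or None."""
        u = self.users.get(name)
        if u is None:
            return None
        digest = _hash(app_password, u["salt"])
        for app, stored in u["apps"].items():
            if hmac.compare_digest(stored, digest):
                return app
        return None
```

Because app passwords skip the second factor, the model keeps them per app and revocable, which is the control to review when one of those integrations is retired.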

The above is only a brief outline of how you can keep your systems and data secure. If you would like to discuss in further detail how we can help, please give us a call on 0333 332 6600.




Happy 10th anniversary MATT, we’re on 20 next year would you believe!
