Least Privilege
Arguably the most powerful security concept and yet it gets the least love.
Least Privilege is the concept of giving a user all the privileges they need to perform their job and nothing more. If implemented correctly, it will provide a layer of security so powerful you may not need anything else. Additionally, the end user will not even realize they are under such a powerful layer of security.
This Nirvana is often hard to obtain, but with a little bit of patience, a few changes in user behavior, and some policies backed by a good dose of executive support, most any organization can get pretty close. Modern operating systems have plenty of tools to help achieve this.
To help you understand the power, let's talk about just one common Least Privilege setting: the removal of Administrative Rights. If you look at the critical vulnerabilities in Microsoft, Adobe and Java software over the years since their inception, in almost every year more than 95% of them would have been mitigated if the user account had not been running with Administrative Rights. In some years it was 100% of them. This is one of those rare items in IT where you do not have to guess when determining Risk. Because there is such a long history, it can be used to predict future risk (or likelihood). Here is where insurance companies could really come into their own in terms of how they offer IT insurance, but not a single one has realized this. Anyway, I digress.
Back to the removal of Administrative Rights: this tool has the potential to be more effective than all of your Anti-Virus, all your patch programs, all your IPS/IDS, and any other tool you may have spent millions of dollars and thousands of hours on, and it can be easily implemented with a simple group policy.
There are many more easily obtained Least Privilege controls that provide powerful security. Of course, this principle can be applied to all of the various layers of the IT stack, from physical controls over who is allowed into the datacenter to how programs are written and maintained.
This is where your security should start: with Least Privilege controls. If you do them well, you may not have to do, or spend money on, anything else.