The GenAI explosion is something to behold, with advancements in the technology emerging on a seemingly daily basis. But the cynical security professional in me also sighs, “This is why we can’t have nice things.” Where businesses see AI as a tool for efficiency and market differentiation, cyber attackers are in mustache-twirling mode, devising new schemes to exploit undefined learning curves.
As someone who spends each workday trying to make identity and access safer amid the scale and complexity of modern business, I can attest to the concerning frequency with which cybercriminals use new technology to gain access to corporate systems. For example, AI can be used to create realistic and effective phishing attacks and algorithms that can automate brute-force attacks by attempting millions of password combinations at high speeds. AI also can analyze leaked password databases and user information to predict commonly used passwords or patterns, making them easier to crack.
We’re also seeing how AI can contextualize network traffic, user behavior patterns and access control configurations to identify and exploit accounts or systems with excessive permissions or outdated software with known vulnerabilities. Once attackers gain a foothold, they can use AI to automate their processes and escalate privileges to gain access to sensitive data and resources. Almost every successful attack you read about in the news leveraged this approach, and now AI is making it easier and faster.
All of this begs the multibillion-dollar question: How do we stop it? We can’t, but we can make it inherently more difficult by implementing a policy of least privilege.
The benefits of a least privilege policy
Microsoft found that 90% of identities use less than 5% of the access permissions granted. This year’s Verizon Data Breach Incident Report found that the use of stolen credentials is now the most common action taken by attackers. These findings show that companies are unnecessarily opening themselves up to attacks by not protecting access and privileges. Attackers don’t need any advantages, especially as they weaponize AI to access your sensitive data.
By implementing a least privilege policy, companies can rein in access and privilege to reduce risk to a bare minimum. Least privilege is based on a relatively simple concept: Users only have the right amount of access for the right amount of time that they need to do their job. When access is viewed as an asset in a limited capacity — as opposed to a birthright — companies drastically reduce risk and reap several benefits.
For example, limiting access permissions reduces the potential attack surface. Even if compromised credentials grant access, the attacker’s ability to move laterally within the system is significantly restricted. This compartmentalization, similar to a well-organized and consolidated view of your access ecosystem, makes it more difficult to reach sensitive data.
Organizations that implement least privilege also limit the damage an attacker can cause should they break through. With least privilege, the access a stolen credential allows is limited, reducing the potential for attackers to steal sensitive data, disrupt operations or install malware.
Additionally, a least privilege strategy enhances accountability by clearly defining access permissions for each role. It also makes suspicious activity easier to identify: if an account with limited access attempts to reach restricted resources, that raises a red flag, potentially indicating a compromised credential.
Pillars of a least privilege policy
While every company will have nuances based on industry, compliance regulations, etc., there are three pillars that every least privilege policy should feature.
Granular access control
It’s critical to move away from broad access groups and start defining access based on specific roles and job functions — all while scrutinizing the “why” behind access. This strategy ensures users only have the keys to the resources they absolutely need. Applying access control methods — like role-based access control (RBAC), group-based access control (GBAC) and attribute-based access control (ABAC) — restricts access to varying degrees of granularity. The key is that access decisions are made on specific criteria based on need, as opposed to immediate, up-front access.
Just-in-time (JIT) provisioning
A common contributor to access risk is just-in-case (JIC) provisioning, which gives employees access to data and assets in perpetuity. This leads to over-provisioning and is in stark contrast to a least privilege implementation. Instead, companies should adopt a just-in-time provisioning approach, which grants access only when necessary and for a predetermined period. JIT provisioning minimizes the window of opportunity for attackers who might exploit stolen credentials. Think of it like a hotel room key — it grants access only for the duration of your stay, and you only get the key when you check in and need it.
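The hotel-key behaviour described above, as an added sketch that is not part of the original article: grants carry an expiry, and any attempt outside a live grant is denied and recorded as a red flag. The `JitBroker` class, the 8-hour cap, and the user and resource names are assumptions made for illustration.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone


@dataclass
class JitBroker:
    """Hypothetical in-memory broker: grants are time-bound, never standing."""
    max_ttl: timedelta = timedelta(hours=8)      # assumed cap on any grant
    grants: dict = field(default_factory=dict)   # (user, resource) -> expiry
    alerts: list = field(default_factory=list)   # denied attempts for review

    def request(self, user, resource, ttl, now):
        # Cap the requested duration so "temporary" cannot become perpetual.
        expiry = now + min(ttl, self.max_ttl)
        self.grants[(user, resource)] = expiry
        return expiry

    def check(self, user, resource, now):
        expiry = self.grants.get((user, resource))
        if expiry is not None and now < expiry:
            return True
        # No grant, or an expired one: deny and record the attempt, since a
        # limited account reaching for a restricted resource is a red flag.
        reason = "expired" if expiry is not None else "no_grant"
        self.grants.pop((user, resource), None)
        self.alerts.append((now, user, resource, reason))
        return False


def demo():
    # Constructed scenario: names and times are sample values.
    t0 = datetime(2024, 6, 3, 9, 0, tzinfo=timezone.utc)
    broker = JitBroker()
    broker.request("alice", "payroll-db", timedelta(hours=2), t0)
    results = [
        broker.check("alice", "payroll-db", t0 + timedelta(hours=1)),  # in window
        broker.check("alice", "payroll-db", t0 + timedelta(hours=3)),  # expired
        broker.check("alice", "hr-files", t0 + timedelta(hours=1)),    # never granted
    ]
    return results, [alert[3] for alert in broker.alerts]


if __name__ == "__main__":
    print(demo())
```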
Privileged account management (PAM)
Privileged account management is sometimes called privileged access management or privileged identity management. Some users (admins and service accounts, for example) will need more traditional access privileges, so it’s important to implement special controls for privileged accounts that hold extensive access. These controls might include multi-factor authentication (MFA), session monitoring and dedicated privileged access workstations (PAWs) that isolate privileged activity.
Implementing a least privilege strategy
Successfully implementing a least privilege policy requires careful planning and ongoing maintenance. With attackers using AI to exploit access vulnerabilities, it will be important to continuously evaluate your methods to ensure they remain effective against emerging attack methods.
The first step is reducing access. Start by eliminating excessive accounts that are widening your attack surface. For all accounts that remain, apply JIT where possible, making access time-bound. Get granular by scrutinizing every privilege in each repository, ensuring users only have access to the assets necessary to perform required functions. It’s also essential to monitor and refine access over time. For example, an employee may have been granted access to assets that they haven’t used in a while. If that’s the case, remove access or convert to JIT if they may need access at some point in the future. Staying on top of evolving access needs and making the necessary adjustments is the best way to maintain a narrow attack surface.
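One way to run the monitor-and-refine step above, as an added sketch that is not from the original article: derive each grant's last use from an access log, then keep it, convert it to JIT, or revoke it. The 90-day threshold, the log format, the "may be needed again" flag and all names are assumptions, and the data is constructed.

```python
from datetime import datetime, timedelta, timezone

STALE_AFTER = timedelta(days=90)                 # assumed review threshold
NOW = datetime(2024, 6, 3, tzinfo=timezone.utc)  # fixed so the result is repeatable

# Constructed sample data: (user, resource, may be needed again) and a log.
ENTITLEMENTS = [
    ("alice", "payroll-db", True),
    ("alice", "build-server", False),
    ("bob", "payroll-db", True),
    ("bob", "hr-files", False),
]
ACCESS_LOG = """\
2024-05-30T10:00:00+00:00 alice payroll-db
2024-01-12T08:30:00+00:00 bob payroll-db
2023-11-02T14:05:00+00:00 alice build-server
2024-05-28T16:45:00+00:00 alice payroll-db
"""


def last_used(log_text):
    """Return the most recent access time per (user, resource)."""
    latest = {}
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue  # skip malformed lines rather than guess
        when = datetime.fromisoformat(parts[0])
        key = (parts[1], parts[2])
        if key not in latest or when > latest[key]:
            latest[key] = when
    return latest


def review(entitlements, log_text, now):
    """Decide keep / convert_to_jit / revoke for each standing grant."""
    latest = last_used(log_text)
    decisions = {}
    for user, resource, may_need_again in entitlements:
        used = latest.get((user, resource))
        if used is not None and now - used <= STALE_AFTER:
            verdict = "keep"            # in active use
        elif may_need_again:
            verdict = "convert_to_jit"  # stale, but plausibly needed later
        else:
            verdict = "revoke"          # stale or never used, no future need
        decisions[(user, resource)] = verdict
    return decisions
```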
Next, create a plan for implementation. Adopting least privilege isn’t like flipping a switch, so create a clear and achievable timeline for adoption (a year is a reasonable amount of time for such a change). Adoption should take place in phases to make acclimation more seamless. To that end, put in extra legwork to get buy-in from users by highlighting the benefits of least privilege — such as protecting data against rising AI-powered attacks. Include continuous least privilege education for employees, emphasizing how least privilege protects them from being wrongly implicated in the event of a security issue.
It’s also important to form a group of business leaders and senior individual contributors to lead the least privilege implementation to ensure the process stays as close to the proposed timeline as possible. This group should also collaborate with senior engineering and IT staff to create a program and architecture document, which details the least privilege strategy with deadlines for account reduction, privilege limitation and other essential milestones.
The rise of AI-powered attacks presents a significant challenge to traditional security measures. However, by embracing the principle of least privilege, organizations can significantly bolster their defenses. Implementing a least privilege strategy with a clear plan for maintaining it empowers your organization to reduce the probability of successful AI-powered threats and protect your nice things.