Marketing Communications Manager at ERP Maestro.
Three Best Practices for Achieving the Principle of Least Privilege
According to a recent report, Amazon is investigating allegations of a confidential data leak and the deletion of negative product reviews by some of the company’s employees with privileged access. Privileged users were cited as the biggest insider threat concern for 55 percent of organizations in 2017. The principle of least privilege, also called Principle of Least Access (PoLA), states that a user should be given only the bare amount of access required to do his/her job. Despite hundreds of real-life examples like Amazon, the principle of least privilege (PoLP) remains an illusory notion – either because administrators do not want to risk providing insufficient access that could be critical to the business or because there isn’t enough commentary in the industry about how to achieve the PoLP.
What are three best practices that can be quickly integrated into your access controls and risk management strategy to help achieve the PoLP?
- Remove unnecessary access roles from users
Assuming you already have a well-defined role design in place that was created in consultation with the business owners, it is crucial to ensure new risks do not creep into these roles. To understand this, you must not only have visibility into role risks, but you must also be able to tell, from transaction usage data, whether that risky access was actually exercised. Removing unutilized T-codes (transaction codes) from users cuts out all the access that is not being used and is the first step towards limiting excess access.
- Grant temporary privileged access
If the user only requires access for a specific period of time, move them to a temporary firefighter role, so their access is limited to the time they will actually use it. Again, visibility here is critical. Having visibility into what the user did during the periods of elevated access not only ensures compliance but also reduces the vulnerability to internal fraud. Using tools that automatically revoke access to elevated user roles can simplify emergency access management.
- Conduct periodic access reviews
Periodic certifications are great detective controls to ensure that users have only the privileges required to do their jobs. Regular auditing of user access privileges allows you to remove access from ex-employees, from employees who have been promoted or moved to a different department, and from users who have accumulated privileges over the years.
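As an added illustration of the first two practices (example code written for this page, not code from the article or from any ERP Maestro product), the following Python compares the T-codes a user's roles grant against a transaction usage log to find unused T-codes and wholly unused roles, flags temporary firefighter assignments whose expiry has passed, and lists what was executed under the firefighter role for the post-use review. All role, user and T-code names and the log lines are constructed sample data.

```python
from datetime import datetime, timedelta
# Constructed sample data: hypothetical roles, users and T-codes, not from the article.
ROLE_TCODES = {                      # role design: T-codes each role grants
    "Z_AP_CLERK": {"FB60", "FB65", "MIRO"},
    "Z_VENDOR_MAINT": {"XK01", "XK02", "FK02"},
    "Z_FIREFIGHTER_FI": {"F110", "FBL1N"},
}
ASSIGNMENTS = {                      # user -> {role: expiry, or None for permanent}
    "jdoe": {"Z_AP_CLERK": None, "Z_VENDOR_MAINT": None, "Z_FIREFIGHTER_FI": datetime(2024, 3, 1, 18, 0)},
}
USAGE_LOG = """\
2024-02-20T09:15:00 jdoe FB60
2024-02-22T11:02:00 jdoe MIRO
2024-02-28T16:40:00 jdoe F110
2024-03-01T17:55:00 jdoe FBL1N
"""                                   # constructed lines: "<timestamp> <user> <tcode>"
NOW = datetime(2024, 3, 2, 8, 0)      # constructed "current time" for the review run

def parse_usage(log_text):
    """Return user -> list of (execution_time, tcode) from the transaction log."""
    used = {}
    for line in log_text.splitlines():
        ts, user, tcode = line.split()
        used.setdefault(user, []).append((datetime.fromisoformat(ts), tcode))
    return used

def _recent(user, used, now, lookback_days):
    cutoff = now - timedelta(days=lookback_days)
    return {t for when, t in used.get(user, []) if cutoff <= when <= now}

def unused_tcodes(user, used, now, lookback_days=90):
    """T-codes granted through permanent roles but not executed in the window."""
    granted = set()
    for role, expiry in ASSIGNMENTS[user].items():
        if expiry is None:
            granted |= ROLE_TCODES[role]
    return sorted(granted - _recent(user, used, now, lookback_days))

def unused_roles(user, used, now, lookback_days=90):
    """Permanent roles none of whose T-codes were executed: candidates for removal."""
    recent = _recent(user, used, now, lookback_days)
    return sorted(r for r, exp in ASSIGNMENTS[user].items()
                  if exp is None and not (ROLE_TCODES[r] & recent))

def expired_firefighter_roles(user, now):  # temporary roles past expiry: revoke now
    return sorted(r for r, exp in ASSIGNMENTS[user].items()
                  if exp is not None and exp <= now)

def firefighter_activity(user, role, used):  # what was run under the temporary role
    return sorted(t for _, t in used.get(user, []) if t in ROLE_TCODES[role])
```

Shortening `lookback_days` makes the review stricter; a T-code last used outside the window is reported as unused even if it was exercised earlier.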
Following these best practices provides a secure SAP environment where employees have what they need and you are not risking your company’s sensitive data. By limiting a user's access, you are also reducing the opportunities for that access to be misused. The process of analyzing access controls doesn’t need to be a tedious manual task. With automated tools and workflows, the principle of least privilege is no longer just a theoretical notion but an easily achievable reality.
Contact us to speak to an internal cybersecurity expert or to learn more about automated access controls.