Attempted Murder of a Sacred Security Cow

A Tweet from the author that says: Unpopular opinion: the overhead required to manage “least privilege access” isn’t worth the security benefits. We should allow by default and make restrictions the exception.
@Accidental CISO replies: I think we need to send someone to check on Helen

Those in Favor of Least Privilege

  • Elevated access should be temporary and supported by an approved business case. Plus, it’s easier to know who should have access than who shouldn’t: “‘Who needs access’ can be enumerated. ‘Who doesn’t need/shouldn’t have access’ cannot.”
  • A well designed architecture makes managing the principle of least privilege (PoLP) easier: “A lot of it comes down to how good your defaults and the role definitions (membership, privileges) are to begin with. Done right, you’re managing most things at most once across an organisational unit.” Also, just because it’s difficult to do doesn’t make it not worth doing.
  • Not doing PoLP is also hard: “…seems ripe for mistakes and accidental disclosures. How do you prove access was indeed required vs. missing it?”
  • PoLP is more scalable than the alternative: “Having done IAM for a global bank, and supporting well over 100k users, I think it’d be a nightmare to figure out who shouldn’t access specific resources vs the few who need access to specific resources. I definitely wouldn’t want to do that for the thousands of resources.”
  • As long as users act insecurely, we need PoLP: “Allow LP by default and I won’t even have to phish.”
  • PoLP limits the attack surface by making it harder for an attacker to reach further resources after one account has been compromised. For incident response, “whitelisting and RBAC is more effective than blacklisting.”
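To make the two sides of this argument concrete, here is an added example (it is not code from the original post or from any of the people quoted) that models the two regimes the replies contrast: default-deny RBAC with time-boxed, ticketed elevations, versus default-allow with a deny-list. The roles, users, resources and the change ticket number are constructed sample data. It computes what a single compromised account can reach under each model, including a resource that was created after the policy was written.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

# Constructed sample data (not from the post): roles, users and resources.
ROLE_GRANTS = {                 # role -> resources the role may read
    "payroll": {"hr-db", "payslips"},
    "engineer": {"src-repo", "ci-logs"},
    "support": {"ticket-db"},
}
USER_ROLES = {                  # user -> roles held
    "alice": {"payroll"},
    "bob": {"engineer"},
    "carol": {"engineer", "support"},
    "new-hire": set(),          # onboarded today; no role assigned yet
}
# "new-share" was created after the policy was written; nobody updated the policy.
ALL_RESOURCES = {"hr-db", "payslips", "src-repo", "ci-logs", "ticket-db", "new-share"}

# Fixed reference time used by the elevation demo so expiry checks are deterministic.
T0 = datetime(2024, 1, 1, tzinfo=timezone.utc)

def hours_after(n: float) -> datetime:
    return T0 + timedelta(hours=n)

@dataclass
class Elevation:
    """A temporary grant tied to an approved business case (a change ticket)."""
    user: str
    resource: str
    expires: datetime
    ticket: str

ELEVATIONS: list = []

def grant_temporary(user: str, resource: str, ticket: str,
                    hours: float, now: datetime) -> Elevation:
    """Record a time-boxed elevation; it lapses on its own, no revocation step needed."""
    e = Elevation(user, resource, now + timedelta(hours=hours), ticket)
    ELEVATIONS.append(e)
    return e

# --- Model A: default-deny. Access exists only where a role or a live elevation grants it.
def allowed_default_deny(user: str, resource: str, now: Optional[datetime] = None) -> bool:
    now = now or datetime.now(timezone.utc)
    for role in USER_ROLES.get(user, set()):
        if resource in ROLE_GRANTS.get(role, set()):
            return True
    # An elevation counts only while it is still within its approved window.
    return any(e.user == user and e.resource == resource and e.expires > now
               for e in ELEVATIONS)

# --- Model B: default-allow. Everyone may read everything unless explicitly denied.
DENY_LIST = {                   # resource -> users explicitly blocked from it
    "hr-db": {"bob", "carol"},
    "payslips": {"bob", "carol"},
}

def allowed_default_allow(user: str, resource: str) -> bool:
    return user not in DENY_LIST.get(resource, set())

def reach(user: str, policy) -> set:
    """Everything a compromised account could read under the given policy."""
    return {r for r in ALL_RESOURCES if policy(user, r)}

if __name__ == "__main__":
    for u in USER_ROLES:
        print(f"{u:9s} default-deny : {sorted(reach(u, allowed_default_deny))}")
        print(f"{u:9s} default-allow: {sorted(reach(u, allowed_default_allow))}")
```

Two things fall out that the quotes only assert. First, the account with no roles (the new hire, or a forgotten service account) reaches nothing under default-deny but everything under default-allow, because a deny-list has to name every principal it wants to keep out. Second, the resource nobody remembered to put in policy ("new-share") is invisible under default-deny and readable by every account under default-allow, so the maintenance cost of a deny-list grows with both the principal count and the resource count, which is the scaling point made above.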

Those who are open to Questioning the Value of Least Privilege

  • PoLP bumps into the path of least resistance, usually from the business. This then puts a burden on the IAM team to manage approved and unapproved exceptions, a cumbersome re-certification process, or failed audits. “Security Theater is just as much about the stories we tell ourselves.”
  • If your risk assessment and controls support PoLP, or its removal, why not? Best practice isn’t required. “… most organizations are leaning towards excessive permissions, even when there’s no clear business justification.”
  • Some resources may not need PoLP (“internal resources, documents, diagrams”); others may. A one-size-fits-all approach may not be optimal.
  • Where access is one person on one host, PoLP makes less sense: “Restrict Admin priv made sense in the mainframe, multiuser on 1 system days when hosing admin would affect hundreds of users. Not as important now.”
  • Does size matter? “I feel like there’s a tipping point in terms of organizational size and number of accounts/endpoints/resources where default deny with manual intervention for exceptions becomes less overhead than default allow with exceptions.”

Helen Patton

Cyber Security, Technology Ethics, and Humanity. What else? I can be found at or on Twitter @CisoHelen