Why principle of least privilege is a must in perimeter-less workspace

Gone are the days when employees would gather on office premises, use office-provided laptops or desktops and work only within the realm of a defined network. Working from wherever one is, using whatever device one has, over whatever network one can access is the new norm.

While many would attribute this radical transformation of organizations into perimeter-less digital workspaces to the Covid-19 pandemic, the pandemic has essentially acted only as a catalyst for a process that was already under way. With the exponential increase in popularity, availability and relevance of cloud computing, SaaS applications and mobile devices over the past few years, it was always a matter of ‘when’ and not ‘if’. A perimeter-less work environment has the potential to open doors to a world of endless possibilities, provided that the switch is done in the right way.

Going perimeter-less brings several security risks with it. Listed below are best practices for mitigating some of the most common and critical ones.

Compromise of user credentials:

With a distributed workforce, identity-related cyberthreats have become more concerning than ever. Attackers can pose as authorized users simply by stealing and using legitimate credentials, without raising any suspicion. The infamous SolarWinds attack was essentially the result of identity theft at multiple levels, followed by stealthy activity with a minimal footprint inside corporate networks, all of which was noticed too late.

It is essential to have a zero-trust access framework in place, where no user is trusted by default and every access request is assumed to be hostile until verified. Strong multi-factor authentication is an integral part of the zero-trust framework. The second factor can be an OTP, a hardware token, a push notification or biometrics, on top of the conventional password.

Privilege Escalation Attacks:

In a conventional work environment, access policies were not given high priority. Most companies defined access policies only at a very high level, based on a single factor – the role of the user – and some may not have felt the need for any access policies at all. Most organizations gave little weight to factors like the time of access, the device used, the network used or the geolocation of the user when defining access policies. But in a perimeter-less workspace, organizations cannot exercise the same degree of control with those same policies.

Privilege escalation attacks happen when a malicious actor gains illicit access to elevated privileges or rights beyond what the user is entitled to or supposed to have. Most insider attacks are a form of privilege escalation attack.

Defining contextual access policies at a very granular level, taking multiple factors like time, geolocation, the device used and the network used into consideration, is an effective way of preventing privilege escalation attacks. The policies should also be based on the principle of least privilege, where a user is given the minimum access privileges necessary to perform a specific job or task and nothing more.

Endpoint malware infections:

In a perimeter-less workspace, every single endpoint has the potential to be the starting point of a cyberattack or data breach. A remote device is highly susceptible to malware infections, as the security levels of the home and public internet networks are always questionable.

The security posture of a remote device has to be checked continuously, and provisions have to be made to allow only compliant devices to connect. On top of this, network-layer connections should be avoided wherever possible when allowing remote devices to reach corporate resources, because a network-layer connection provides an easy passage, through network bridging, for any malware residing on the endpoint into the corporate network. Instead, endpoints should be connected to the corporate network at the application layer.
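Putting the two points above together (contextual least-privilege rules, plus admitting only compliant devices), here is an added Python illustration that is not from the article: a default-deny evaluator in which a request is allowed only when an explicit rule for the user's role grants that action on that resource and every context condition holds. The roles, resources, network labels, rule names and sample requests are constructed for the example.

```python
from dataclasses import dataclass
from datetime import time


@dataclass(frozen=True)
class Request:
    role: str
    resource: str
    action: str
    device_compliant: bool   # result of the endpoint posture check
    network: str             # constructed labels: corporate / home / public
    country: str             # geolocation of the user
    local_time: time


@dataclass(frozen=True)
class Rule:
    name: str
    role: str
    resource: str
    actions: frozenset       # only the actions this role's job needs
    networks: frozenset      # networks the rule accepts
    countries: frozenset     # geolocations the rule accepts
    window: tuple            # (start, end) local time, inclusive
    require_compliant: bool = True

    def matches(self, r: Request) -> bool:
        # Every context condition must hold; any one failing voids the grant.
        start, end = self.window
        return (r.role == self.role and r.resource == self.resource
                and r.action in self.actions
                and r.network in self.networks
                and r.country in self.countries
                and start <= r.local_time <= end
                and (r.device_compliant or not self.require_compliant))


# Constructed sample policy (hypothetical roles and resources).
POLICY = [
    Rule("payroll-read", "hr", "payroll", frozenset({"read"}),
         frozenset({"corporate", "home"}), frozenset({"US"}),
         (time(7, 0), time(20, 0))),
    Rule("repo-write", "dev", "source-repo", frozenset({"read", "write"}),
         frozenset({"corporate", "home", "public"}), frozenset({"US", "DE"}),
         (time(0, 0), time(23, 59))),
]


def decide(req, policy=POLICY):
    """Default deny: return (allowed, rule name) for the first matching grant."""
    for rule in policy:
        if rule.matches(req):
            return True, rule.name
    return False, "default-deny"
```

An HR user reading payroll from a compliant device at home during working hours is allowed, while the same user asking to write, coming from a public network, using a non-compliant device or connecting at 22:00 falls through to the default deny.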

Unencrypted data transfer:

A man-in-the-middle (MITM) attack occurs when an attacker is able to intercept and tamper with data being communicated from one end device to another or to corporate servers. The attacker can also establish independent connections with each party and relay messages between them, impersonating an authorized user so that each side believes it is talking directly to the other. The likelihood of a MITM attack increases significantly in a perimeter-less workspace.

Organizations should ensure that all communication between the corporate network and its users goes over TLS-encrypted connections. TLS performs two crucial functions – encryption and authentication. TLS encrypts data so that no unauthorized entity can intercept, steal or tamper with it, ensuring confidentiality and integrity. Through certificate-based authentication it also establishes the identity of the machine at the other end, ensuring that a user is actually communicating with the party they intend to.

BYOD Security Risks:

In the conventional office-based workspace there was little need for a user to use a personal device for work. Employers were always wary of the loss of control and the many security concerns associated with personal devices, whose security posture is always questionable.

But in a perimeter-less workspace, usage of personal devices is more of a necessity than a luxury. In case of emergencies when a user can’t use the corporate-provided device, using a personal device becomes the only option. The onboarding process of new users becomes much more straightforward and cost-efficient if they are allowed to use their own devices instead of making them wait for the arrival of corporate devices.

The many security issues associated with the switch to a perimeter-less workspace do not make it any less desirable. In the modern business environment, going perimeter-less is surely a step towards sustainable business growth. Organizations must equip themselves to mitigate the security risks rather than be bogged down by them.