
How Zero Trust and the principle of least privilege work together
The principle of least privilege (PoLP) and Zero Trust Network Access ('Zero Trust' or ZTNA) are two security frameworks that complement each other in enforcing robust, proactive security measures.
The principle of least privilege focuses on user access control. The idea is to provide only the necessary access for a user or device to perform its job, thereby limiting the potential damage of a compromised account or malicious employee. PoLP significantly reduces the scope of access, restricting lateral movement throughout the network and reducing the amount of damage that can be done. Best practices in PoLP include assigning group- and role-based access controls, using separate administrator and standard accounts, and conducting regular privilege audits. The most fundamental best practice is to make PoLP the default and create all accounts with only the privileges necessary for the role.
On the other hand, Zero Trust focuses on authorization in addition to access control. It assumes that all requests for protected resources are threats, so it continuously verifies the authentication and authorization of users and devices. The verification process determines who and what is requesting access and whether the request is normal or suspicious. A successful ZTNA deployment requires a thorough understanding of the attack surface and the resources that need to be protected.
Organizations should integrate both frameworks to create a strong security methodology. Here's a look at how they map to the access chain when a user logs in to a network or application:
1. Identification: The first step in the access chain is to recognize and differentiate users, applications, and systems.
Zero Trust requires identity verification upon every request.
The focus of PoLP is to ensure minimal permissions, which comes into play more prominently in later stages.
2. Authentication: User credentials are checked against the stored information to confirm the claimed identity of a user, application, or system.
Zero Trust assumes that the request is a potential threat. The National Institute of Standards and Technology (NIST) outlines this in detail in this publication (p.7):
All resource authentication and authorization are dynamic and strictly enforced before access is allowed. This is a constant cycle of obtaining access, scanning and assessing threats, adapting, and continually reevaluating trust in ongoing communication.
The principle of least privilege doesn't dictate authentication mechanisms. Zero Trust ensures that PoLP policies are enforced and that only those with the correct privileges can access resources.
3. Authorization: The determination of what actions can be performed or what resources can be accessed based on the user's authenticated identity.
Zero Trust evaluates many data points in real time. These may include user behavior, device health, time of day, location, and more. It doesn't rely strictly on pre-set permissions.
PoLP dictates that users are only granted the minimum permissions necessary to perform their tasks. Authorization should be restrictive by default and only expanded when there's a genuine need.
4. Access: The process of granting or denying the ability to interact with a resource based on authenticated identity and authorized permissions.
After initial access is granted, Zero Trust repeats the verification process until the session has ended. This may result in an active user suddenly losing access if the user's behavior deviates from acceptable parameters.
Movement within a system is limited by a properly configured PoLP strategy. If a threat actor successfully navigates the access chain to this point, they are still limited to what the compromised account can do.
5. Audit & Accountability: This step involves monitoring and logging the activity of users, applications, and systems.
Zero Trust performs a continuous evaluation of user behavior and context, which requires a comprehensive audit trail. The audit trail is used to improve the system's ability to identify and respond to potential threats. In short, this data is a key factor in threat hunting and incident response.
PoLP permission sets might not be aligned with the true needs of the users. Audit logs can reveal patterns of attempts to access unauthorized resources or show that a particular resource is not being used as expected. Administrators can use this information to maintain the best possible security while ensuring that employees have what they need.
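As an added example (not code from the post or from any Barracuda product), the following Python sketch walks steps 3 to 5 above for requests whose identity is assumed to be already authenticated: each request passes the Zero Trust context checks (device health, time of day, location) and then the role's PoLP permission set, every request in a session is re-verified so a context change mid-session ends the session, and the audit log is mined for unauthorized attempts and granted permissions that are never used. The role names, resources, trusted locations and working-hours window are constructed values.

```python
from collections import Counter
from dataclasses import dataclass

# Constructed example: role permission sets, restrictive by default (PoLP)
ROLE_PERMISSIONS = {
    "analyst": {("case-db", "read")},
    "admin": {("case-db", "read"), ("case-db", "write"), ("user-dir", "write")},
}
TRUSTED_LOCATIONS = {"office", "vpn"}  # context signal used by the Zero Trust checks
AUDIT_LOG = []  # every decision is recorded for step 5 (audit & accountability)

@dataclass
class Request:
    user: str
    role: str
    resource: str
    action: str
    device_healthy: bool  # device-health signal
    hour: int  # time-of-day signal (0-23)
    location: str

def evaluate(req: Request) -> bool:
    """Step 3: Zero Trust context checks first, then the PoLP permission check."""
    if not req.device_healthy:
        reason = "device failed health check"
    elif not 6 <= req.hour < 22:
        reason = "outside working hours"
    elif req.location not in TRUSTED_LOCATIONS:
        reason = "untrusted location"
    elif (req.resource, req.action) not in ROLE_PERMISSIONS.get(req.role, set()):
        reason = "not permitted for role"  # deny by default: unknown roles get nothing
    else:
        reason = "granted"
    AUDIT_LOG.append((req.user, req.resource, req.action, reason))
    return reason == "granted"

def run_session(requests) -> int:
    """Step 4: every request is re-verified; the session ends at the first denial."""
    granted = 0
    for req in requests:
        if not evaluate(req):
            break
        granted += 1
    return granted

def audit_findings():
    # Step 5: unauthorized attempts per user, and granted permissions never exercised
    denied = Counter(u for u, _, _, why in AUDIT_LOG if why == "not permitted for role")
    used = {(r, a) for _, r, a, why in AUDIT_LOG if why == "granted"}
    return dict(denied), {role: perms - used for role, perms in ROLE_PERMISSIONS.items()}
```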
Organizations should integrate both frameworks to create a strong security methodology. Barracuda can help you quickly and easily deploy Zero Trust Access and other robust security and data protection solutions. Visit http://www.barracuda.com to see how.