by Anthony Moillic, Field CISO EMEA & APAC at Netwrix
A constant stream of news about breaches and cyberattacks keeps data privacy top of mind for businesses and the general public. As a global community, we care about how our data is collected, stored, and used, and we expect a commitment to data security from the organisations we share our sensitive data with. According to Netwrix’s most recent annual security report, 43% of organisations name data privacy among their top five IT priorities for 2024. This article provides an actionable plan for strengthening both data privacy and data security within the organisation.
Understanding the principle of least privilege
The bedrock of data security is the principle of least privilege: each individual, service and application must receive only the permissions needed for their assigned roles — regardless of their technical expertise, perceived trustworthiness, or rank in the organisational hierarchy.
To illustrate the principle of least privilege, consider the layered security measures that banks put in place to protect the cash and other valuable assets they hold. While a bank appreciates all its employees, it must strictly limit what each of them can do: general employees are permitted to access only public areas; tellers have specific rights to their own cash drawers; loan officers review customer credit histories; and certain managers may access safe deposit box rooms. Meanwhile, access to vaults containing gold bullion and other high-value assets is restricted to a highly select group.
A bank’s monetary assets are analogous to your organisation’s sensitive data. Just as loan officers cannot access cash drawers and tellers cannot open safe deposit boxes, your IT teams should not be able to view your client databases, while your sales reps should not have access to your software repositories. And very few people should have access to your gold bullion, such as your vital intellectual property.

The importance of enforcing least privilege
Failing to enforce the core principle of least privilege puts data privacy at risk in multiple ways. Users can misuse their access, either accidentally or deliberately, to view or modify content that they should not be accessing in the first place. An even greater risk is a threat actor compromising a user account, since the attacker can then abuse all the rights and privileges granted to that account.
The threat isn’t confined to human actors: malware inherits the privileges of the user account that downloaded it. For instance, a ransomware package can encrypt all the data that the user account can modify, whether or not the user actually needed those access rights. Similarly, applications must be limited to only the functionalities essential for their operation in order to minimise the potential for their misuse.
Follow up with monitoring
Clearly, the days of granting users blanket local admin rights to their devices, applications and mapped drives are over. However, ensuring that users are granted only the permissions they need to do their jobs is not sufficient. Organisations must carefully monitor what employees, contractors, applications, and other identities are doing throughout the environment so they can catch suspicious activity in time to prevent costly data breaches, downtime, or other damage.
Because IT ecosystems are buzzing with activity, it pays to understand normal user activity. For instance, when a user deletes a file, is that action suspicious or simply part of a legitimate business process? Having insight into what’s normal and abnormal empowers IT and security teams to focus on true threats.
A multi-layered approach
More broadly, enforcing the principle of least privilege is not a simple “set it and forget it” event. It requires a multi-layered approach with components such as:
- Identity governance and administration (IGA) — IGA involves overseeing the entire lifecycle of identities, including ensuring that each user has only the access necessary for their role.
- Data access governance (DAG) — DAG extends the control of IGA to data. It involves managing who can access what information and under what conditions, and ensuring that sensitive data is adequately protected according to policy and regulatory requirements.
- Privileged access management (PAM) — PAM gives special attention to managing accounts that have elevated access to systems and data, since the misuse or takeover of those accounts poses increased risk to data privacy, security, and business continuity.
Together, these components form a comprehensive framework for strictly controlling access to systems and data to strengthen the organisation’s security posture.
Conclusion
Data privacy is a year-round imperative that begins with a culture of security awareness shared by everyone in the organisation from the top down. By enforcing the principle of least privilege with effective IGA, DAG and PAM, organisations can secure data privacy, reinforce customer confidence, avoid costly breaches, and ensure regulatory compliance. As a result, they can focus less on cybersecurity threats and more on maximising their operational potential.