More on Ana Siejas, VMware Security & Compliance, blog: Analogies & The Principle of Least Privilege

by Alex Shoykhet 28. June 2011 11:15

Blog: Analogies & The Principle of Least Privilege

VMware vShield does a great job of providing an additional layer of security at the network layer. Beyond applying the least privilege principle at the network level, another important element of securing endpoint environments is applying the same principle on the endpoints themselves.

Typically, owners of datacenter applications request full administrative rights in order to manage their applications. But this level of access grants permissions to OS elements outside the scope of those specific applications. For instance, an application administrator for a server application needs to manage database and web applications and thus possesses full administrative rights. As a result, that full control of the server may cause unintentional damage or open the server up to malicious attacks. With administrator privileges on an endpoint, the user has full rights to take a server out of the domain or unintentionally apply untested updates to drivers, which can damage the OS.

Third-party privilege management products that provide granular control over physical and virtual desktops and servers should be considered, so that the least privilege principle can be applied at the level of an application or process. These applications can raise permissions only for a required task or application, in the context of the logged-on user account, instead of granting full admin rights or using the context of another administrative account. If you need to give developers access to a production server, there is no need to open full access to the entire server; instead, just elevate permissions for the specific action and make use of the various auditing and reporting features. Look for vendors who partner with VMware, as they've already worked to integrate their products with VMware virtualization software.

 


About Viewfinity

Viewfinity provides privilege management and application control for desktops, laptops and servers, empowering enterprises to meet compliance mandates, reduce security risks, and lower IT costs. Many enterprises are implementing least privileges to add a solid layer of defense for desktop environments, further protecting against malware and Advanced Persistent Threats. Viewfinity allows IT Administrators to create and enforce default-deny and elevated permission policies for endpoint access to applications and desktop functions by controlling user rights for desktops and mobile laptop/netbook users. For more information, visit www.viewfinity.com.
