Least Privilege vs Elevated Admin Accounts
The Principle of Least Privilege (PoLP) is a cybersecurity concept that states individuals should be granted access to information only when it is necessary for the task they are working on.
Human Resources Department
- Handles Personal Details (e.g., name, address, contact info), Employment Contracts, and Employment History.
- HR employees are allowed to view and manage all HR related information, databases to perform their tasks, but not have administrative access to the system.
Finance Department
- Responsible for handling Financial Details (e.g., details for invoice payment).
- Only the finance team has access to details for invoice payment information, while administrative access to the system, personal details and employment contracts should be restricted.
Service Delivery Specialist
- Requires the new hire's Name and Role to provision hardware, software, and user accounts
- Administrative access to the device is reserved for service delivery specialists in case of technical issues, and they should not have access to personal or financial information
What is the risk associated with elevated rights?
Elevated administrative rights provide more control over a computer than a standard account. While it may seem convenient to manage your own computer with these rights, it also introduces higher security risks. Such accounts are often targeted by malicious actors or hackers seeking to gain access to the university’s network or cause a breach.
Executive staff who handle sensitive information or make academic leadership decisions are particularly high-profile targets for attackers. If compromised, the impact could be significant.
To mitigate these risks, it is essential to implement the principle of least privilege, ensuring that each staff member has only the necessary permissions related to their job responsibilities.