If you are going to adhere to the principle of least privilege, you also need to consider temporary privileged access. The idea is that a user and/or administrator should not always have privileged access but will probably need it for a short amount of time.
To do this, you need a few things:
- a mechanism to request access
- a workflow to approve the request either by business rules or user approval
- a mechanism to grant and revoke access in a specified amount of time
- a mechanism to extend the privileged access
- a mechanism to audit and report on this access and
- a "break glass" method of emergency access
In short, you need a robust role based access control (RBAC) system. If you have all of these pieces you can avoid the inevitable outcome of the off-duty admin saying, "OK, just this once, use my credentials"! Yes that happens.
Let's think through a use case. Your internal developers have created a web app that is crashing, they don't have access to production but need to run some tests and troubleshoot what has happened. They could work with an IT admin and get it done using their credentials but that doesn't always work.
So, they go to their access request portal and request access to the production system. Based on their role or admin approval, they are either immediately granted membership in a role for 24 horus or a one time password (OTP) that expires after 24 hours. Either way, steps one through three are achieved. The developer has access, it's been approved but it's going away in a specified period of time. They get to work troubleshooting.
One day later, they are still working at it and get a notification that their access is about to expire. They apply for an extension and it invokes the workflow again. Maybe this time, the request needs a VP of IT approval regardless of the role the developer is in. The workflow should be able to handle any business rule you put around the temporary privileged access. Still, step four done and accounted for.
And "accounted for" is a great segue to the need to report and audit such access. If this is a sensitive system, or even if you are just a highly regulated industry, somebody needs to say who had access to what, when and who approved it. Any changes within that system needs to be accounted for and the auditor will need to know how "developer X" got access. That's step five.
Now, the tricky one, the break glass method. Go back to the beginning of this scenario, it's Saturday at 2AM and your revenue producing portal crashes. Nobody can fix it but the developer and your business rules require a VP to approve his access request. However, that VP is in Fiji enjoying a hard-earned vacation.
Having a way to circumvent the normal approval process in an emergency is a must. The workflow takes a different route if this is deemed an emergency request. Maybe a director can approve it but it will send red flags throughout the auditing community and require a retroactive VP approval to keep them from sending in the infantry. This gives the emergency access (you still have all of the auditing of who did what and when from step 5), keeps a strong sense of security, gets the project done and keeps you in regulatory compliance.
This need for temporary privileged access (TPA I guess we could call it) happens constantly. The workarounds are dangerous from a security standpoint if you don't have a mechanism in place. The effect on your business is probably worse if you just ignore the need. And you still stand on the high and mighty pedestal of Least Privilege!