I am often fascinated or should I say disgruntled by the lack of emphasis on the principle of least privilege (POLP). Don’t get me wrong, who wouldn’t want to be a SYSADMIN? Ask me that question, and I’ll be startled immediately. The answer will always be, YES! And that’s a “YES” with a smile.
Let’s be serious, would you give your child and your child’s friends access to your bank account? I certainly wouldn’t. And it’s not because I don’t want my child to have access to some cash – I don’t want her to have unrestricted access to my account.
Instead of adhering to the principle of least privilege, database administrators, developers, and business users alike, frequently neglected the sysadmin server-level role.
I understand that even in this day and age we are still humans, we are not perfect, and we are prone to make the simplest of mistakes. However, it is time to hold ourselves accountable for those mistakes and adopt changes, such as POLP, to help rid us of those behaviors.
What is the principle of least privilege (POLP)?
The principle of least privilege (POLP) states that users, accounts, and computing processes should have minimal access to only those resources required to perform routine, legitimate activities.
I know, I know. Everyone knows this, blah blah blah. But really, how many of us practice POLP?
We have all being there; we inherit a system where everyone is a sysadmin. It may be tempting to revoke the sysadmin permission, however, first proceed with caution and do your due diligence first. Ask your peers and your manager why those accounts are sysadmins, document their responses, and propose alternative roles that will suffice the application or users’ “routine, legitimate activities.”