How to Leverage the Principle of Least Privilege for Stronger Network Security

The principle of least privilege (PoLP) is an information security concept that gives applications and users only the minimum network permissions required to perform their jobs. PoLP is therefore an important aspect of privileged access management (PAM). Implementing the principle of least privilege improves network security by avoiding needless exposure. For example, limiting user and employee access reduces the risk of cybercriminals getting hold of critical files.

Guarding access to the most critical assets of an organization is vitally important. The only users with full access should be the current administrator or the executives in the company. Newly hired personnel should start at the lowest permission levels; full permissions should be granted only after screening and a background check. Bear in mind that background checks are always cheaper than data breaches.

Why is PoLP Important?

Putting least privilege in place goes beyond having a single or limited number of admins for internal operations. Many organizations give users over-privileged access to information that has nothing to do with their role. The bitter truth is that half of users share their credentials with someone else.

Cyber threats come from inside and outside, and both kinds of attacker operate alike. Criminals from outside leverage user accounts to gain control over endpoints and to acquire targeted access to valuable data. Insiders leverage the access they already have, or any compromised accounts, to misuse data and applications.

The principle of least privilege ensures that access to critical assets and high-value data is protected. It applies not just to users, but also to applications, connected devices, and systems that require access. The principle of least privilege allows the minimum amount of access necessary for employees to complete their job without restriction. It strikes a balance: it keeps systems safe and facilitates productivity.

The primary goals of least privilege include:
  • Bringing a balance between usability and security protections.
  • Implementing a minimum-access policy for managing and securing privileged credentials.
  • Providing flexible controls that balance compliance requirements with cybersecurity, end-user experience, and operational functions.
  • Giving users only the minimum privileges they require.
  • Giving users a frictionless experience while keeping the system highly secure.

Key Benefits of Least Privilege

Reducing the Potential for Insider Threats
Insiders use their access to collect all reachable data for exfiltration or destruction. To prevent an insider threat, use a comprehensive security policy that contains procedures to prevent and detect misuse, guidelines for conducting misuse investigations and the potential consequences, and restrictions on employee access to critical infrastructure. Sensitive information should be locked down and high-value systems isolated behind tight access verification. If necessary, biometric authentication can prevent employees from using another staff member's key card.

Reducing the Attack Surface
An attack surface refers to all possible points where unauthorized users could gain access to a system and extract data. Organizations with over-privileged users need to implement the least privilege principle to eliminate unnecessary access. A smaller attack surface is easier to protect. One way to go about it is to determine user roles and privilege levels, which helps in understanding the particular behaviors of users and employees.

Limiting Malware Propagation or Infection
The principle of least privilege prevents malware from spreading on a network. Malware often requires local administrator rights to gain access, and an administrator with access to various network resources has the potential to spread malware to others. Having fewer users with elevated rights helps reduce malware infections. In the event of an attack, it becomes easier to contain, preventing the spread to the entire system. In addition, PoLP reduces users' ability to install or download unauthorized applications, which often include malware.

Increased System Stability
Organizations often have to deal with human error from within the work environment. For instance, an employee could mistakenly tamper with a file and cause major organizational issues. The principle of least privilege is a great way to prevent high-impact human error and thus provide greater network and system stability. Applications running with restricted privileges are less likely to crash the entire system. PoLP also helps limit the downtime associated with a crash or data breach. As a result, an organization practicing PoLP enjoys more stability, enhanced fault tolerance, and improved productivity.

Challenges with PoLP

Implementing PoLP comes with numerous benefits, though certain roadblocks can impede its full success. These might include:

Diverse and Complicated Networks
Least privilege comes with the need to centralize accounts to accommodate users and machines. Modern computing environments use numerous complex platforms, both cloud and on-premise. The implication is multiple endpoints for applications and heterogeneous operating systems. As a result, it becomes quite challenging to guarantee the five most important concerns for the security of an organization's network: constant protection of networking equipment, security against attacks on computer operating systems, preservation of computer hardware, and maintaining data integrity and confidentiality.

Cloud Computing and Environments
Companies that use cloud environments experience challenges with a lack of segmentation, excess privileges, and account sharing that stem from cloud-native computing. Misconfigured cloud permissions often leave an organization vulnerable to attack. Therefore, implementing the principle of least privilege requires strategies beyond a single tool or product.

Default Settings Challenges
Operating systems focus more on ease of use than on security. Moreover, software often ships with default credentials that are easy to find online. These operating systems shy away from enforcing a minimum-access policy by default. The implication is that users have the power to carry out actions like creating backups and deleting files, which can negate the principle of least privilege and expose a network to potential attacks.

How to Implement PoLP

Implementing PoLP need not be a complex task. A simple restriction preventing end users from exfiltrating certain information is a good start. Organizations that want to successfully implement the principle of least privilege can start with the following:
  • Conduct privilege audits by reviewing all existing accounts, programs, and processes to ensure there is no loophole.
  • Start or convert all accounts at least privilege to put the necessary checks and balances in place. Privileges can then be added based on the access required to perform specific tasks.
  • Separate privileges by distinguishing between lower-level and higher-level privilege accounts.
  • Track and trace individual employee actions through one-time-use credentials. It goes a long way toward avoiding potential damage.

Examples of the Principle of Least Privilege

The principle of least privilege has opportunities at every level of a system. It covers applications, databases, end users, networks, systems, processes, and all other facets of an IT environment. Here are some examples of accounts that need PoLP:
  • User Accounts: The principle of least privilege gives users or employees only the rights necessary for carrying out their tasks or responsibilities. If the user's computer is compromised, this limits the lateral spread of that threat. A major challenge arises when an employee has root access privileges, which can cause
  • MySQL Accounts: When several accounts perform unique tasks, a MySQL setup needs to follow PoLP. When an online setup allows users to sort data, the MySQL account it uses should have only sorting privileges. That way, an attacker who gains access to that account only gains the power to sort records. It becomes a big problem if the account has the power to delete records, because the attacker can then wipe out the entire database.
  • Just-in-Time Accounts: Users who rarely need root privileges should receive reduced privileges the rest of the time. Organizations must make it a policy to retrieve passwords from a vault only when needed. Using disposable credentials equally goes a long way toward guaranteeing cybersecurity, and it is a great way to increase the traceability of a network.

Final Thoughts

Network security best practices call for implementing the principle of least privilege. It is an efficient method for ensuring mission-critical data does not fall into the wrong hands. With such high stakes, it is crucial to learn how to properly implement PoLP across your organization's network. [...]
Strengthening IoT Security with Cloud-Native DHCP Listening

Enhanced IoT Fingerprinting & Security with Cloud-Native DHCP Listening

More Like the Internet of Everything
With the explosion of new devices connecting to the internet, IoT (the Internet of Things) really might as well be called IoE (the Internet of Everything). The use cases for always-connected devices span industries: from facilities that can now better manage energy usage according to peak customer traffic, and medical devices that can adjust medication levels in seconds, to retail warehouses that can track inventory down to the last widget. It's undeniable that IoT has been a game-changer. That's not to say, however, that IoT does not present some unique challenges, specifically for network security professionals.

Who Are You?
The devices themselves tend to run on extremely lean operating systems, which means they don't run typical monitoring protocols like SNMP. There's also no possibility of installing extra software like agents. They're designed to be easy to set up: just point them at an internet connection. That means any user can add an IoT device, which creates an especially tough situation for IT administrators. After all, an essential part of zero trust security is knowing what is on your network, so that you can make sure operating systems and firmware are patched and up to date to close the gap on any known vulnerabilities. But how can you know what's on your network if the devices don't report back any specific identification? This problem has become so common it has a name, "Shadow IoT", and it's so prevalent that 80% of IT leaders have found devices on their network they didn't know about.

IoT Fingerprinting to the Rescue!
To combat this, several companies that make security tools like Network Access Control software have begun offering IoT fingerprinting. This is a way to gather information about IoT devices, like model, OS or firmware, and manufacturer, without requiring the devices to report in. While an absolute game changer for helping secure these devices, it is not without its challenges. The biggest issue is that there is no real standard across devices: most don't support Simple Network Management Protocol (SNMP) or Windows Management Instrumentation (WMI). Some devices support Universal Plug & Play (UPnP) or Bonjour, but typically you only find that on consumer devices like a Roku or an Apple TV. Some Cisco devices support CDP (Cisco Discovery Protocol), but that doesn't cover other vendors; some may use LLDP (Link Layer Discovery Protocol) instead, but typically you find that only on phones, video conferencing equipment, and commercial IP surveillance cameras.

Port scanning via Nmap and TCP has more drawbacks: it scales very poorly. Also, with increased pressure on IoT manufacturers to pay more attention to security, more and more devices are being shipped with all ports turned off. And of course, even the most basic firewall will raise alarms when a port scan is detected.

MAC addresses will get you some information, but they pose challenges too. The first six hexadecimal digits of a MAC address are called the OUI, and they identify the manufacturer. This is useful, but not very precise: if you find an HP device on your network, that does little to tell you what exactly it is. It also tells you nothing about the operating system or firmware.

DHCP at first seems like a great option. When a device connects to a network, its first step is typically to request an IP address from a DHCP server. During the DORA process (Discover, Offer, Request, Acknowledge) much information is passed back and forth, including information that can fingerprint the device. Many enterprise switches support a process called DHCP gleaning, where the switch listens for DHCP requests on its switchport interfaces; the information is captured by a device sensor and sent along with RADIUS accounting information. The problem here is that not all switches support DHCP gleaning. For the ones that don't, how do you get the information collected by the DHCP server to your network access control software to do the actual fingerprinting? Some solutions have you install an on-prem DHCP forwarder, which signs your IT team up to deploy and maintain yet another server, with upgrades, patches, etc. Even worse, this separate forwarder creates overhead on your network that may impact your users and sensitive traffic. So it seems all hope is lost and there's no reliable way to accurately fingerprint all your IoT devices, but there's great news coming.

Portnox's DHCP Listener Heads to the Cloud
Keep all the magic of a cloud-based solution (vendor agnostic, no maintenance, no upgrades, no worries) AND get the most accurate fingerprinting of all your IoT devices as part of your comprehensive zero-trust solution! You can easily configure your network devices to send the data your DHCP server already gathers in the course of handing out IP addresses to the Portnox SaaS DHCP listener. All you need is a layer 3 device on the same subnet as the devices you want fingerprinted that is NOT also acting as a DHCP server. You will need to configure a DHCP helper on it, which will forward this information to us. Most devices support a DHCP helper; in fact, most support running multiple helpers, so there's no need to sacrifice anything in your current architecture. The helper forwards DHCP and BOOTP broadcasts on directly connected subnets and relays them to the Portnox DHCP listener on port 67.

If you have bandwidth concerns, you can lay them to rest: DHCP is a very lightweight protocol, consuming less than 350 bytes per request on average. Since we are not making DHCP offers, the only bandwidth is from the clients' DHCP requests that are forwarded. So let's say you have 500 clients. A DHCP lease is typically 24 hours, with clients renewing at 12 hours. That means you'd spend 175 kilobytes of total data every 12 hours; even a 28.8 baud modem could handle that. We use this formula to calculate bandwidth in bits per second:

(((TOTAL # OF DHCP CLIENTS x 350 BYTES) x 2 FOR 24 HOURS) x 8 TO CONVERT TO BITS) / 86400 SECONDS IN A DAY

In Excel the equivalent formula would read:

=(((500*350)*2)*8)/86400

This first-of-its-kind SaaS DHCP listener is easy to set up and opens a whole new world of accurate fingerprinting for IoT devices. [...]
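As an added example (not Portnox's code), the Python below parses the fingerprint-bearing fields out of a DHCP Discover of the kind a DHCP helper relays to a listener on UDP port 67 (client MAC and OUI, the relay's giaddr, hostname option 12, vendor class option 60, parameter request list option 55) and evaluates the bandwidth formula above. The sample packet from a hypothetical IP camera is constructed inline; which options to key on is this example's assumption, not Portnox's fingerprinting method.

```python
# Added example (not Portnox code). Parses a relayed DHCP Discover into the
# fields a fingerprinting listener can use, and evaluates the bandwidth formula.
import struct

MAGIC_COOKIE = b"\x63\x82\x53\x63"  # marks the start of DHCP options (RFC 2132)


def parse_dhcp_options(payload):
    """Return {option_code: value_bytes} for the TLV area after the cookie."""
    opts = {}
    i = 0
    while i < len(payload):
        code = payload[i]
        if code == 0:        # pad option, single byte
            i += 1
            continue
        if code == 255:      # end option
            break
        if i + 1 >= len(payload):
            raise ValueError("truncated option header")
        length = payload[i + 1]
        value = payload[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError("truncated option %d" % code)
        opts[code] = value
        i += 2 + length
    return opts


def fingerprint_dhcp(packet):
    """Extract identity hints from a BOOTREQUEST as forwarded by a DHCP helper."""
    if len(packet) < 240 or packet[236:240] != MAGIC_COOKIE:
        raise ValueError("not a DHCP packet (short or bad magic cookie)")
    op, htype, hlen, hops = struct.unpack("!BBBB", packet[:4])
    if op != 1 or hlen > 16:
        raise ValueError("not a client request or bad hardware length")
    chaddr = packet[28:28 + hlen]
    giaddr = packet[24:28]          # relay agent address, set by the helper
    opts = parse_dhcp_options(packet[240:])
    return {
        "mac": ":".join("%02x" % b for b in chaddr),
        "oui": "".join("%02X" % b for b in chaddr[:3]),   # manufacturer prefix
        "relay": ".".join(str(b) for b in giaddr),
        "hops": hops,
        "msg_type": opts.get(53, b"\x00")[0],            # 1 == DHCPDISCOVER
        "hostname": opts.get(12, b"").decode("ascii", "replace"),
        "vendor_class": opts.get(60, b"").decode("ascii", "replace"),
        "param_request_list": list(opts.get(55, b"")),  # order is a fingerprint
    }


def estimate_bandwidth_bps(clients, bytes_per_request=350, renewals_per_day=2):
    """The article's formula: (clients * bytes * renewals * 8) / 86400 seconds."""
    return (clients * bytes_per_request * renewals_per_day * 8) / 86400


def build_sample_discover():
    """Constructed DHCPDISCOVER from a hypothetical IP camera, relayed once."""
    # op=1, htype=1 (Ethernet), hlen=6, hops=1, xid, secs, flags (broadcast),
    # ciaddr, yiaddr, siaddr, giaddr=10.0.1.1 (constructed relay address)
    header = struct.pack("!BBBBIHH4s4s4s4s", 1, 1, 6, 1, 0x3903F326, 0, 0x8000,
                         b"\0" * 4, b"\0" * 4, b"\0" * 4, bytes([10, 0, 1, 1]))
    chaddr = bytes.fromhex("001122334455") + b"\0" * 10   # 16-byte field
    fixed = header + chaddr + b"\0" * 64 + b"\0" * 128    # sname, file
    options = (b"\x35\x01\x01"                    # 53: DHCPDISCOVER
               + b"\x0c\x07cam-001"               # 12: hostname
               + b"\x3c\x0bIPCAM/2.1.0"           # 60: vendor class identifier
               + b"\x37\x05\x01\x03\x06\x0f\x2a"  # 55: parameter request list
               + b"\xff")
    return fixed + MAGIC_COOKIE + options


if __name__ == "__main__":
    print(fingerprint_dhcp(build_sample_discover()))
    print("%.1f bps for 500 clients" % estimate_bandwidth_bps(500))
```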
AI-Powered Identity Authentication Is Here: What You Need To Know

It should come as no surprise that identity authentication is one of the most critical aspects of doing business in the digital age. Without verifying that your users are who they say they are, you leave the doors open to fraud, data breaches, and harmful cyber attacks. But with the advent of AI, identity authentication is going through a transformation. To understand how, let's dive into everything you need to know about AI authentication.

How Is AI Helping With Identity Verification?
Traditional authentication methods are becoming less effective today due to high levels of password reuse and the increasing number of stolen credentials available in dark web databases from previous data breaches. Luckily, AI can provide better, more secure authentication by going beyond traditional boundaries and incorporating data context, biometrics, and patterns in user behavior.

What Are the Different Types of AI Authentication?
Biometric authentication is especially popular with cyber-defense-minded companies today, and AI plays a huge role here. Some examples include keystroke dynamics (typing pattern), behavioral biometrics (analyzing user behavioral patterns to create cyber fingerprints), facial recognition, and voice recognition. Behavioral biometrics, in particular, is quickly becoming the favored type of AI verification today. Why? Because behavioral biometrics can provide continuous authentication by tracking and verifying user behavior like typing rhythm, mouse movement, and device usage patterns. It also provides a more seamless and frictionless authentication experience, as it doesn't require users to remember or enter passwords. And critically, these identity authentication tools are only possible with artificial intelligence and machine learning. These technologies rely on highly precise authentication driven by large data sets and advanced algorithms. As a result, they're almost impossible for fraudsters to bypass.

How Do AI Authentication Systems Mitigate AI Bias?
"AI bias" refers to the tendency of artificial intelligence algorithms and systems to perpetuate and amplify existing biases and discrimination in the data they are trained on and in the decisions they make. There are several ways in which AI authentication systems can mitigate bias:
  • Diverse training data: Using a diverse and representative dataset for training the AI system can help reduce bias and improve accuracy for underrepresented groups.
  • Fairness algorithms: These algorithms can help identify and address bias in AI systems by balancing accuracy across different demographic groups.
  • Human oversight: Having human oversight and review in the development and deployment of AI systems can help ensure that potential biases are identified and addressed.
  • Regular monitoring and evaluation: Regular monitoring of the AI system's performance and outcomes can help identify any biases that emerge over time and allow appropriate corrective actions to be taken.
  • Transparency and accountability: Making AI systems transparent and accountable can help increase trust in the technology and promote responsible use.
These measures can help mitigate AI bias in authentication systems and ensure that they are fair, unbiased, and effective in protecting the privacy and security of users.

Final Thoughts
The use of AI in cybersecurity is nothing new, but it is becoming increasingly powerful and more widespread. Today, more and more companies are looking to AI authentication to help safeguard their systems from nefarious actors. [...]
Resources

Explore Portnox's latest case studies, videos,
white papers, product briefs and more.

Product Briefs
  • [Product Brief] Portnox CORE
  • [Product Brief] Portnox CLEAR
  • [Data Sheet] Portnox CLEAR

©2023 Portnox. All Rights Reserved.
