If you landed here it’s because someone told you that you absolutely need to change from that least privilege methodologies to Zero-Trust access! And because when talking about privileged access, we want to have tight control over who is able to access what… and “zero” is better than “least”! Right?
In fact, it turns out that the two concepts are tightly coupled but they aren’t quite interchangeable. But let’s deep dive and give you the final answer!
Least privilege access
The Principle of Least Privilege (PoLP), refers to the concept and practice of restricting access rights for any entity (i.e. users, accounts, computing processes…) where the only resources available are the ones required to perform the authorized activities. The privilege itself refers to the authorization to bypass certain security restraints that would normally prevent the user to use the needed resources.
This is extremely important to prevent the risks and damage from cyber-security attacks.
What if someone stole the credentials of your Head of Software Development with administrator rights on all the production accounts… scary eh?
And what about zero-trust?
Zero-Trust is based on granting least privilege access, but the access is only granted on verification of multiple contextual environmental variables at each request:
- Who is requesting access
- The context of the request
- The risk of the access environment
Zero-trust is all about not trusting anything or anyone, anytime. Treat equally traffic that comes from your own network, APIs or users and traffic that comes outside of it.
This enables you to minimize the attack surface, improve audit, to reduce risk, and costs of security breaches.
So they aren’t really related…
Truth is, they are. But zero-trust spans across a lot of other concepts, one of which is the least privilege access principle. So zero-trust is a more comprehensive way to secure your environment where instead of using the traditional approach of “trust, but verify,” the Zero-Trust model implements “never trust, always verify” as its guiding principle.