Sitting staring at the mountain of catch up here on my desk isn’t making me think the Gartner IAM Summit in London was a bad idea. It does make me want to distract myself. So my thoughts turn to Ant Allan’s part in the opening keynote. Opening keynotes by their nature are designed to be provocative. They cement thoughts that one ought to explore through the balance of a conference. One point Ant made certainly stuck with me: the death of least privilege. Simply summed up, this is the notion that access will no longer follow a default deny model, where one is only allowed access when specifically granted, but rather a default allow model, where everything is permitted that is not explicitly denied. Least privilege has been considered the best practice in a default deny world. It is granting to each person only the exact privilege, therefore the least privilege, which they need to do their job. I have heard this from Gartner a few times now and I bristle each time.
First, it’s only fair to note that there is some truth in the idea. Some of that truth is in simple numbers. As more and more assets become electronic, more and more of those are things “everyone” must use. It’s a good thing that we no longer need to print many of the forms we use to fulfill the individual needs we have in dealing with human resources, accounting, and other corporate functions. The trade for paper is access. Everyone must be able to get to the file share with the electronic forms. Everyone must be able to get to the portal where workflows can be accessed. There is also the inexorable move to self-service for many corporate functions. These self-service interfaces also must be available to all in order to be useful. Then there are things like guest WIFI access. This has become the norm. Even 5 years ago the notion that there would be fast, reliable, open WIFI in the guts of some financial or pharmaceutical company’s headquarters would have been laughable. Now I’m put off when it’s not there. All these stand as examples where allowed has triumphed over denied.
Here’s the thing. I think all of this open access actually makes the principle of least privilege more important, not less. There will always be places in the network, parts of applications, sections of filesystems and file shares where it will be absolutely required to control access via a default deny model. And in those areas least privilege will continue to rule. The people who used to enter businesses as new employees would come in expecting that all was denied until it was allowed. So this did not present a problem. As expectations shift in both the new people walking in the door and even with old hands like me who get miffed when the guest WIFI doesn’t work well, what will truly alter is the way least privilege will need to be enforced and the means it will use to interact with the users. In a world where nearly everything is allowed the “access denied” message will be a gut punch. This means that the parts of your infrastructure that will be ruled by default deny will have to become very adept at offering options for self-service access request. They will need smoothly defined processes to have the owners of resources quickly review and decide access questions. To fit into the world of default allow, least privilege will need to become a conversation not a wall.
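To make the two models from the opening paragraph and the "conversation, not a wall" idea concrete, here is a small policy engine, added as an illustration and not code from the original post or from any STEALTHbits product. Commodity resources (guest Wi-Fi, the forms share) run default allow with an explicit deny list; the sensitive resource (a payroll database) runs default deny with explicit grants, and every denial carries the owner to whom a self-service request can be routed. All resource names, owners, principals and justifications are constructed for the example.

```python
"""Hybrid authorization: default allow for commodity resources, default deny
(least privilege) for sensitive ones, plus a self-service request path so a
denial points the user at a reviewer instead of a dead end.
Added illustration, not code from the original post; all names are constructed."""
from dataclasses import dataclass, field
from enum import Enum
from typing import Dict, List, Optional, Set


class Model(Enum):
    DEFAULT_ALLOW = "default_allow"   # permitted unless explicitly denied
    DEFAULT_DENY = "default_deny"     # denied unless explicitly granted


@dataclass
class Resource:
    name: str
    owner: str                        # the person who reviews access requests
    model: Model
    granted: Set[str] = field(default_factory=set)  # explicit allows (default deny)
    denied: Set[str] = field(default_factory=set)   # explicit denies (default allow)


@dataclass
class Decision:
    permitted: bool
    reason: str
    request_to: Optional[str] = None  # set whenever a self-service request is possible


@dataclass
class AccessRequest:
    principal: str
    resource: str
    justification: str
    status: str = "pending"           # pending / approved / rejected


class PolicyEngine:
    def __init__(self, resources: List[Resource]):
        self.resources: Dict[str, Resource] = {r.name: r for r in resources}
        self.requests: List[AccessRequest] = []

    def evaluate(self, principal: str, resource_name: str) -> Decision:
        res = self.resources.get(resource_name)
        if res is None:
            # Unknown resources fall back to least privilege: nothing to grant against.
            return Decision(False, "unknown resource")
        if res.model is Model.DEFAULT_ALLOW:
            if principal in res.denied:
                return Decision(False, "explicitly denied", request_to=res.owner)
            return Decision(True, "default allow")
        # DEFAULT_DENY: only an explicit grant passes.
        if principal in res.granted:
            return Decision(True, "explicit grant")
        return Decision(False, "no grant (default deny)", request_to=res.owner)

    def request_access(self, principal: str, resource_name: str,
                       justification: str) -> Optional[AccessRequest]:
        """Turn a denial into a request routed to the resource owner."""
        decision = self.evaluate(principal, resource_name)
        if decision.permitted or decision.request_to is None:
            return None  # nothing to ask for, or nobody to ask
        req = AccessRequest(principal, resource_name, justification)
        self.requests.append(req)
        return req

    def pending_for_owner(self, owner: str) -> List[AccessRequest]:
        return [r for r in self.requests
                if r.status == "pending" and self.resources[r.resource].owner == owner]

    def decide(self, req: AccessRequest, reviewer: str, approve: bool) -> bool:
        """Only the owner decides, and only once; approval becomes an explicit grant."""
        res = self.resources[req.resource]
        if reviewer != res.owner or req.status != "pending":
            return False
        if approve:
            res.granted.add(req.principal)
            res.denied.discard(req.principal)
        req.status = "approved" if approve else "rejected"
        return True


def build_demo_engine() -> PolicyEngine:
    """Constructed sample environment mirroring the post's examples."""
    return PolicyEngine([
        Resource("guest-wifi", owner="netops", model=Model.DEFAULT_ALLOW),
        Resource("hr-forms-share", owner="hr-apps", model=Model.DEFAULT_ALLOW,
                 denied={"terminated-contractor"}),
        Resource("payroll-db", owner="payroll-lead", model=Model.DEFAULT_DENY,
                 granted={"payroll-admin"}),
    ])


if __name__ == "__main__":
    engine = build_demo_engine()
    print(engine.evaluate("visitor", "guest-wifi"))
    denied = engine.evaluate("alice", "payroll-db")
    print(denied)
    req = engine.request_access("alice", "payroll-db", "quarter-end reconciliation")
    engine.decide(req, "payroll-lead", approve=True)
    print(engine.evaluate("alice", "payroll-db"))
```

The design choice worth noting is that `Decision` never returns a bare "no": on the default-deny side a denial always names the owner, which is what a self-service portal needs in order to open a request instead of showing a wall. Note also that the owner check in `decide` is what keeps the request path from quietly dissolving least privilege; without it, the requester could approve themselves.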
To be fair, I’m told Ant did come round to say things very much like this in the closing keynote. (Sorry, Ant. I heard you also called to me and I wasn’t there. I had a meeting in the bar upstairs. We’ll leave the question of if the meeting was with a customer or a nice cask strength Bowmore to the ages.) I’m sure some of my reaction to all of this is driven by the phrase “the death of”. I’ve seen that game played out badly before. But I’m unsurprised Ant and I saw more eye to eye on this one. Over time least privilege will become not the rule for all, rather the rule for the most sensitive. It will not be because there is less protected, but that there is more and more appearing that needs little to no protection. But death is nowhere in sight for least privilege. At least not as far out as this man can see.
Jonathan Sander is STEALTHbits’ Chief Technology Officer (CTO). As CTO, he is responsible for driving technical innovation, ensuring that STEALTHbits is well positioned in their current and emerging markets, and he will also lead corporate development efforts. Jonathan also plays the role of evangelist at STEALTHbits venues large and small. Prior to STEALTHbits, Jonathan was VP of Product Strategy for Lieberman Software.
As part of Quest Software from 1999 through 2013, he worked with the security and ITSM portfolios. He helped launch Quest’s IAM solutions, directing all business development and product strategy efforts. Prior to that, Mr. Sander was a consultant at Platinum Technology focusing on security, access control and SSO solutions. He graduated from Fordham University with a degree in Philosophy.