Privilege Analysis

Privilege Analysis (PA), dynamically analyzes privilege and role usage for database users and application service accounts at run time. PA helps to further harden the application by identifying unused privileges and roles based upon the actual usage of the roles and privileges by a user or from within the application. Understanding the set of unused roles and privileges is key to identify the least number of privileges the application needs to run. Reports generated by PA are richer and reflect the actual privileges and roles used/unused by users and applications during runtime. Static based role/privilege analysis tools can only show which roles and privileges are granted to users. Understanding actual usage of roles and privilege is essential to implementing a least privilege model for all database accounts and reduces your application attack surface.

Privilege Analysis allows to:

• Report on actual privileges and roles used in the database
• Identify unused privileges and roles by users and applications
• Reduce risk by helping enforce least privilege for users and applications

Least Privilege Model

Least privilege is a security model that limits access rights for users (user, application, utility) to the minimum privileges/roles they require to execute their work. This applies to any system – not just databases. Extraordinarily powerful privileges that are only used for troubleshooting should be requested and checked out as required, and not granted as part of a user’s everyday set of roles and privileges. Least privilege also requires continuous management with granting additional privileges as required/approved and revocation of privileges when they are no longer required.