Tech Talk Tuesday – Principle of Least Privilege

Welcome to #TechTalkTuesday – where tech terms are defined, explained, and no longer a mystery. 

Today we’re talking about the principle of least privilege. We touched upon it last week when we discussed zero trust. It plays an important role in helping organizations reduce risks across the board.    

IT security is complex and multifaceted, established upon several key foundational principles. The principle of least privilege is one of the many supporting principles that help organizations achieve their security goals.  

Just what is it? What does it do?  

At its core, the principle of least privilege relates to access control. Individual users should be given only the very minimum access privileges that are necessary for them to perform the tasks of their job and nothing else.  

Here are three examples:  

  1. An employee tasked with sales data entry will be given access to only that function in the system. The employee would not be given any access to other areas of the system that do not involve the functions of his data entry tasks.  
  2. A marketing manager will not need to access information about employee salaries and benefits.  
  3. An accountant should not need to gain access to editing source code or need to access the company servers. 

The concept of access restriction is not something new. It’s something that we see applied in other parts of our daily lives. Some examples of this could include the following. 

Parental controls on your tablet to keep children from seeing inappropriate content. 

Students in a connected classroom may be able to access their learning tools but won’t have access to the grading system that educators will. 

In information security, there is a framework referred to as AAA. This represents authentication, authorization, and accountability. It addresses the strong need to verify the identity of each user that is looking to access a network or resource (authentication). It determined what each user is permitted to do within the needs of their job (authorization). And it effectively tracks the actions that they take (accountability). 

Looking at the principle of least privilege from a high level, it is engineered to help an organization reduce risk. Excess privileges and the potential for misuse, whether intentionally or accidentally, can pose a serious cybersecurity risk to the organization, its assets, and of course, its people. By reducing the organization’s attack surface, risks can also be effectively reduced. 

The principle of least privilege applies to individuals; that much is clear. But it can also be applied to services, programs, devices, and networks.