From the course: CISSP Cert Prep (2021): 7 Security Operations

Need to know and least privilege

From the course: CISSP Cert Prep (2021): 7 Security Operations

Start my 1-month free trial

Need to know and least privilege

- [Instructor] Let's take some time to talk about a few of the key principles of information security. These are the general rules that form the foundation of many of the security controls that we put in place to protect our information and systems. The first of these principles is the concept known as need to know. In organizations that enforce need to know, individuals are not automatically given access to sensitive information simply because they possess the appropriate security credentials and clearance. Instead, access decisions are made on a case by case basis and an individual must demonstrate that they have a valid business need to access information. This need to know principle is commonly followed in military and government circles that handle classified information. An extension of the need to know principle is the principle of least privilege. Least privilege says that an individual should be assigned the minimum set of privileges necessary to carry out their job functions. This is particularly important for privileged users such as system administrators and other IT professionals. Rather than granting IT staff blanket super-user access to all systems, security administrators should carefully evaluate each employee's job responsibilities and assign them the minimum set of permissions required by those duties. Now, implementing least privilege in the real world can be a cumbersome undertaking and organizations need to strike a balance between the desire to follow a least privilege approach and the practical realities of running an IT organization. Many organizations choose to follow a least privilege approach and supplement it with emergency access procedures that allow it staff to upgrade their own privileges in an emergency situation by following a highly audited process. Privilege aggregation or privilege creep is one of the most common barriers to least privilege. IT staff commonly changed job responsibilities frequently and even move from department to department. When they take on new responsibilities, they often require a new privileges and they simply can't carry out their job function until someone grants those permissions. This usually means that new permissions are granted fairly quickly. However, there is no immediate detrimental effect if nobody revokes that individual's old permissions that are no longer needed in their new job. IT staff who remain in an organization for a long time with a variety of different positions may accumulate privileges over time that in aggregate violate the least privileged principle. User account reviews are a good control against this privileged group.

Contents