Need to know and least privilege are two of the foundational principles of cybersecurity. Need to know limits information access to the information that an individual requires to carry out his or her job responsibilities. Least privilege extends this concept to system privileges. Learn about the principles of need to know and least privilege.
- [Instructor] Let's take some time to talk about a few of the key principles of information security. These are general rules that form the foundation of many of the security controls that organizations put in place to protect the confidentiality of sensitive information. The first of these principles is the concept known as need to know. In organizations that enforce need to know, individuals are not automatically given access to sensitive information simply because they possess the appropriate security credentials and clearance.
Instead, access decisions are made on a case-by-case basis, and the individual must demonstrate that he or she has a valid business need to access the information. This need to know principle is commonly followed in military and government circles that handle classified information. An extension of the need to know principle is the principle of least privilege. Least privilege says that an individual should be assigned the minimum set of privileges that is necessary to carry out his or her job responsibilities.
This is particularly important for privileged users such as system administrators and other IT professionals. Rather than granting IT staff blanket superuser access to all systems, security administrators should carefully evaluate each employee's job responsibilities and assign the minimum set of permissions required by those duties. Implementing least privilege in the real world can be a cumbersome undertaking, and organizations need to strike a balance between the desire to follow a least privilege approach and the practical realities of running an IT organization.
Many organizations choose to follow the least privilege approach and supplement it with emergency access procedures that allow IT staff to upgrade their own privileges in an emergency situation by following a highly audited process. Privilege aggregation, also known as privilege creep, is one of the most common barriers to least privilege. IT staff commonly change job responsibilities and shift from department to department. When they take on new responsibilities, they often require new system privileges and they simply can't carry out their job tasks until someone grants those permissions.
This usually means that new permissions are granted fairly quickly. However, there's no immediate detrimental effect if nobody revokes that individual's old permissions that are no longer needed in the new job. IT staff who remain in an organization for a long time with a variety of different positions may accumulate privileges over time that in aggregate violate the least privilege principle. User account reviews are a good control against privilege creep.
The principles of need to know and least privilege form the core foundation of cybersecurity programs.
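As an added illustration of the user account review the lesson recommends against privilege creep (this is example code, not part of the course): each account's held permissions are compared with the baseline for its current role, and any excess grant is traced back to the former role that explains it. The role-to-permission table and the sample accounts are constructed for the example.

```python
from dataclasses import dataclass

# Constructed baseline: which permissions each role legitimately needs.
ROLE_PERMISSIONS = {
    "helpdesk": {"reset_password", "read_tickets"},
    "dba": {"db_admin", "db_backup", "read_tickets"},
    "sysadmin": {"root_shell", "manage_users", "db_backup"},
}


@dataclass
class Account:
    user: str
    current_role: str
    role_history: list   # former roles, oldest first
    granted: set         # permissions the account actually holds today


def review_account(acct):
    """Return (excess, missing, source) for one account.

    excess  - permissions held but not needed by the current role
    missing - permissions the current role needs but the account lacks
    source  - for each excess permission, the most recent former role
              that would have required it (None if no former role explains it)
    """
    needed = ROLE_PERMISSIONS.get(acct.current_role, set())
    excess = acct.granted - needed
    missing = needed - acct.granted
    source = {}
    for perm in sorted(excess):
        source[perm] = next((r for r in reversed(acct.role_history)
                             if perm in ROLE_PERMISSIONS.get(r, set())), None)
    return excess, missing, source


def review_accounts(accounts):
    """Run the review over many accounts; only accounts with findings are reported."""
    findings = {}
    for acct in accounts:
        excess, missing, source = review_account(acct)
        if excess or missing:
            findings[acct.user] = {"excess": sorted(excess),
                                   "missing": sorted(missing),
                                   "source": source}
    return findings


# Constructed sample: alice moved helpdesk -> dba -> sysadmin and kept old grants.
SAMPLE_ACCOUNTS = [
    Account("alice", "sysadmin", ["helpdesk", "dba"],
            {"reset_password", "db_admin", "db_backup", "root_shell", "manage_users"}),
    Account("bob", "helpdesk", [], {"reset_password", "read_tickets"}),
]

if __name__ == "__main__":
    for user, finding in review_accounts(SAMPLE_ACCOUNTS).items():
        print(user, finding)
```

Running it flags alice's leftover helpdesk and dba grants while bob, whose grants match his role exactly, produces no finding.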