Need to know and least privilege are two of the foundational principles of cybersecurity. Need to know limits information access to the information that an individual requires to carry out his or her job responsibilities. Least privilege extends this concept to system privileges. In this video, learn about the principles of need to know and least privilege.
- [Narrator] Let's take some time to talk about a few of the key principles of information security. These are general rules that form the foundation of many of the security controls that organizations put in place to protect the confidentiality of sensitive information. The first of these principles is the concept known as need to know. In organizations that enforce need to know, individuals are not automatically given access to sensitive information simply because they possess the appropriate security credentials and clearance.
Instead, access decisions are made on a case by case basis and the individual must demonstrate that he or she has a valid business need to access the information. This need to know principle is commonly followed in military and government circles that handle classified information. An extension of the need to know principle is the principle of least privilege. Least privilege says that an individual should be assigned the minimum set of privileges that is necessary to carry out his or her job responsibilities.
This is particularly important for privileged users such as system administrators and other IT professionals. Rather than granting IT staff blanket super user access to all systems, security administrators could carefully evaluate each employee's job responsibilities and assign the minimum set of permissions required by those duties. Implementing least privilege in the real world can be a cumbersome undertaking, and organizations need to strike a balance between the desire to follow a least privilege approach and the practical realities of running an IT organization.
Many organizations choose to follow the least privilege approach and supplement it with emergency access procedures that allow IT staff to upgrade their own privileges in an emergency situation by following a highly audited process. Privilege aggregation, also known as privilege creep, is one of the most common barriers to least privilege. IT staff commonly change job responsibilities and shift from department to department. When they take on new responsibilities, they often require new system privileges and they simply can't carry out their job tasks until someone grants those permissions.
This usually means that new permissions are granted fairly quickly. However, there's no immediate detrimental effect if nobody revokes that individual's old permissions that are no longer needed in the new job. IT staff who remain in an organization for a long time with a variety of different permissions may accumulate privileges over time that, in aggregate, violate the least privilege principle. User account reviews are a good control against privilege creep.
The principles of need to know and least privilege form the core foundation of cybersecurity programs.
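The user account review the narrator recommends, as an added example that is not part of the course: a small Python script compares each account's current entitlements against a per-role baseline (the minimum set of privileges the job needs) and, for every excess entitlement, attributes it to the former role that once required it, which is exactly the privilege creep pattern described above. The role names, entitlement strings and sample accounts are constructed for illustration and do not come from any real system.

```python
"""Least-privilege account review that flags privilege creep.

Added illustration, not course material. All roles, entitlements and
accounts below are constructed sample data.
"""
from dataclasses import dataclass, field

# Constructed role baselines: the minimum entitlements each job requires.
ROLE_BASELINE = {
    "helpdesk": {"ad:reset-password", "ticketing:agent"},
    "dba": {"db:prod-read", "db:prod-write", "db:backup-restore"},
    "sysadmin": {"ad:domain-admin", "server:rdp-all", "vpn:admin"},
}


@dataclass
class Account:
    user: str
    current_role: str
    role_history: list = field(default_factory=list)  # former roles, oldest first
    entitlements: set = field(default_factory=set)    # what the account holds today


def review_account(account, baseline=ROLE_BASELINE):
    """Compare an account's entitlements with its role baseline.

    Returns a dict with:
      excess  - entitlements the current role does not need (revoke candidates)
      missing - baseline entitlements the account lacks (provisioning gaps)
      creep   - excess entitlement -> former role that needed it, or None when
                no previous role explains it (an ad hoc grant never revoked)
    """
    needed = baseline[account.current_role]
    excess = account.entitlements - needed
    missing = needed - account.entitlements
    creep = {}
    for ent in sorted(excess):
        # Walk the history newest-first so the most recent former role wins.
        for role in reversed(account.role_history):
            if ent in baseline.get(role, set()):
                creep[ent] = role
                break
        else:
            creep[ent] = None
    return {"excess": excess, "missing": missing, "creep": creep}


def review_all(accounts, baseline=ROLE_BASELINE):
    """Review a list of accounts; only accounts needing action are returned."""
    findings = {}
    for acct in accounts:
        result = review_account(acct, baseline)
        if result["excess"] or result["missing"]:
            findings[acct.user] = result
    return findings


# Constructed sample accounts.
# alice moved helpdesk -> dba -> sysadmin and kept one grant from each old job.
ALICE = Account(
    "alice", "sysadmin", ["helpdesk", "dba"],
    {"ad:domain-admin", "server:rdp-all", "vpn:admin",
     "ad:reset-password", "db:prod-write"},
)
# bob has always been helpdesk but holds a database grant nobody can explain.
BOB = Account("bob", "helpdesk", [], {"ad:reset-password", "ticketing:agent", "db:prod-read"})
# carol is a correctly provisioned dba and should not appear in the findings.
CAROL = Account("carol", "dba", [], set(ROLE_BASELINE["dba"]))

if __name__ == "__main__":
    for user, result in review_all([ALICE, BOB, CAROL]).items():
        print(f"{user}:")
        for ent in sorted(result["excess"]):
            origin = result["creep"][ent]
            why = f"left over from former role '{origin}'" if origin else "no former role explains this grant"
            print(f"  REVOKE {ent}  ({why})")
        for ent in sorted(result["missing"]):
            print(f"  GRANT  {ent}  (required by current role)")
```

Run periodically against an export from the directory or IAM system, the `creep` map tells the reviewer not just what to revoke but why the grant exists, which makes it much easier to get a manager to approve the revocation.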
Find the companion study books at the Sybex test prep site and review the complete CISSP Body of Knowledge at https://www.isc2.org/cissp-domains/default.aspx.