Principle of least privilege in management
What Is the Principle of Least Privilege?

Information security is a complex, multifaceted discipline built upon many foundational principles. The three most important, confidentiality, integrity, and availability (the CIA triad), are considered the goals of any information security program. A supporting principle that helps organizations achieve these goals is the principle of least privilege.

The principle of least privilege addresses access control and states that an individual should have only the minimum access privileges necessary to perform a specific job or task and nothing more. So, an employee whose job entails processing payroll checks would only have access to that specific function in a payroll application but would not have administrative access to the customer database. Similarly, to do their jobs, a marketing specialist does not need access to employee salary data, an entry-level government worker should not have access to top-secret documents, and a finance specialist should not be able to edit application source code.

Most of us are familiar with the concept of restricting access and see or practice variations of this principle in everyday life. Parents use parental controls on their home devices to restrict children's access to harmful content, ticketed airline passengers can board a plane but aren't allowed in the cockpit, students have access to learning systems but not to teachers' grading files, and a parking attendant with a valet key can park your car but can't access the locked glove box, console, or trunk.

As a principle, least privilege falls under the second A in an information security framework known as AAA: authentication, authorization, and accounting (or accountability). This framework addresses the need to verify the identity of users seeking access to a network or other resource (authentication), determine what they're allowed to do (authorization), and track all actions they take (accounting or accountability). So, at a high level, the principle is meant to help organizations reduce risk to the business, its people, and its assets. (Risk constitutes a specific threat matched to a specific vulnerability, where both likelihood and impact are evaluated to determine the level of risk.) More specifically, the goal is to reduce the potential damage that excessive privileges or their misuse can cause, whether accidentally or intentionally.

Least privilege is sometimes confused with, but is different from, two similar security principles: need to know and separation of duties. Often used together with least privilege, need to know provides more specific access control based on need. Sales managers, for example, do not need continuous access to their direct reports' personnel files but should have access for a limited time to complete each employee's annual performance review. Separation of duties calls for assigning critical tasks to two or more people so no single individual has complete control of any action that could put the organization at risk. This principle might be used, for example, to prevent an accounts specialist from setting up fake vendor accounts and then paying phony invoices against those accounts as a way to steal funds from the company. Like need to know, separation of duties is often used in addition to least privilege.

Who and What Does Least Privilege Apply To?

In practice, the principle of least privilege applies not only to individuals but also to networks, devices, programs, processes, and services. When it comes to access control, all of these are considered subjects (active entities) that request access to resources, or objects (passive entities that contain or receive information), such as systems, files, applications, directories, databases, ports, and more. It's critical for organizations to understand that the principle must apply to all of these entities because if compromised, any could potentially put the organization or its data at risk. [1] What are some examples of least privilege applied to nonuser entities? "Hardening" a server by shutting down unnecessary ports and removing unused components is one. Enabling a web application to only retrieve data and not change or delete it is another.
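The three principles discussed on this page, least privilege, need to know and separation of duties, plus the accounting leg of AAA, can be expressed as one small deny-by-default authorization model. The following is an added example written for this page, not code from the original article; all subject, object and action names (payroll_clerk, personnel_file:jdoe, vendor:acme, create_vendor, pay_invoice and so on) are constructed, as are the timestamps. It shows a payroll clerk limited to one function, a sales manager whose file access expires after review week, and a separation-of-duties rule that stops whoever created a vendor from also paying that vendor's invoices, even when an over-broad grant exists.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional


@dataclass(frozen=True)
class Grant:
    """One permission: subject may perform action on obj, optionally until expires."""
    subject: str
    action: str
    obj: str
    expires: Optional[datetime] = None  # None means a standing grant


class AccessPolicy:
    """Deny-by-default authorization model (constructed for this example)."""

    def __init__(self) -> None:
        self.grants = []
        # Pairs of actions no single subject may perform on the same object.
        self.separation_rules = []
        # Actions actually carried out, per subject, used for separation-of-duties checks.
        self.performed = {}
        # Accounting: every decision is recorded as (subject, action, obj, allowed).
        self.audit_log = []

    def grant(self, subject, action, obj, ttl=None, now=None):
        # Least privilege: nothing is allowed unless explicitly granted here.
        # Need to know: a ttl turns the grant into a time-bounded one.
        now = now or datetime(2024, 1, 1)
        expires = now + ttl if ttl is not None else None
        self.grants.append(Grant(subject, action, obj, expires))

    def add_separation_rule(self, action_a, action_b):
        self.separation_rules.append(frozenset({action_a, action_b}))

    def _conflicts(self, subject, action, obj):
        # True if this subject already performed the conflicting action on the same object.
        done = self.performed.get(subject, set())
        for rule in self.separation_rules:
            if action in rule:
                other = next(a for a in rule if a != action)
                if (other, obj) in done:
                    return True
        return False

    def authorize(self, subject, action, obj, now=None):
        now = now or datetime(2024, 1, 1)
        allowed = False
        for g in self.grants:
            if (g.subject, g.action, g.obj) == (subject, action, obj):
                if g.expires is None or now < g.expires:
                    allowed = True
                    break
        if allowed and self._conflicts(subject, action, obj):
            allowed = False
        self.audit_log.append((subject, action, obj, allowed))
        return allowed

    def perform(self, subject, action, obj, now=None):
        """Execute an action if authorized and remember it for later SoD checks."""
        if not self.authorize(subject, action, obj, now):
            return False
        self.performed.setdefault(subject, set()).add((action, obj))
        return True


def run_scenarios():
    """Walk through the page's three examples; returns decisions keyed by scenario."""
    policy = AccessPolicy()
    t0 = datetime(2024, 1, 1)  # constructed reference time
    results = {}

    # Least privilege: the payroll clerk gets only the payroll function.
    policy.grant("payroll_clerk", "process_checks", "payroll_app")
    results["clerk_payroll"] = policy.authorize("payroll_clerk", "process_checks", "payroll_app", t0)
    results["clerk_customer_db_admin"] = policy.authorize("payroll_clerk", "admin", "customer_db", t0)

    # Need to know: the sales manager may read a report's file only during review week.
    policy.grant("sales_mgr", "read", "personnel_file:jdoe", ttl=timedelta(days=7), now=t0)
    results["mgr_during_review"] = policy.authorize("sales_mgr", "read", "personnel_file:jdoe", t0 + timedelta(days=3))
    results["mgr_after_review"] = policy.authorize("sales_mgr", "read", "personnel_file:jdoe", t0 + timedelta(days=8))

    # Separation of duties: whoever creates a vendor must not also pay its invoices.
    policy.add_separation_rule("create_vendor", "pay_invoice")
    policy.grant("accounts_spec", "create_vendor", "vendor:acme")
    policy.grant("accounts_spec", "pay_invoice", "vendor:acme")  # over-broad grant, caught by the rule
    policy.grant("ap_approver", "pay_invoice", "vendor:acme")
    results["spec_creates_vendor"] = policy.perform("accounts_spec", "create_vendor", "vendor:acme", t0)
    results["spec_pays_own_vendor"] = policy.perform("accounts_spec", "pay_invoice", "vendor:acme", t0)
    results["approver_pays_vendor"] = policy.perform("ap_approver", "pay_invoice", "vendor:acme", t0)

    results["audit_entries"] = len(policy.audit_log)
    return results


if __name__ == "__main__":
    for name, decision in run_scenarios().items():
        print(f"{name}: {decision}")
```

The separation-of-duties check is deliberately based on what a subject has actually done, not only on what they hold grants for: the accounts specialist in the example has both grants, which is exactly the misconfiguration the page warns about, and the rule still denies the second step. Every authorize call lands in audit_log whether allowed or not, which is the accounting part of AAA and what a reviewer would pull when checking for unused or excessive privileges.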