Thursday, February 18, 2010

Least Privilege

When studying for the CompTIA Security+ (SY0-201) exam, you'll come across this objective.

3.1 Identify and apply industry best practices for access control methods.

One of the practices you should understand is: Least Privilege.

The principle of least privilege specifies that individuals or processes should be granted only the rights needed to perform assigned tasks or functions, but no more. For example, if Sally needs to print to a printer, you should grant her print permission for that printer but nothing else.

There's a subtle difference between Least Privilege and Need to Know. Least Privilege focuses on rights or actions. Need to Know focuses on permissions or access to data.
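As an added illustration (not code from the post or the study guide), here is a small deny-by-default authorization model in Python that puts the two ideas side by side: Sally's action rights on a printer (Least Privilege) and her access to labelled data (Need to Know), with an audit helper that flags grants beyond what a task requires. All principals, resources, labels and grants are constructed sample data.

```python
# Added example, not from the original post. Every principal, resource,
# label and grant below is constructed sample data.

# Least Privilege: rights are granted per (principal, resource) as an explicit
# set of actions. Anything not listed is denied by default.
ACTION_GRANTS = {
    ("sally", "printer-1"): {"print"},
    ("print-admin", "printer-1"): {"print", "manage-queue", "change-driver"},
}

# Need to Know: access to data is decided by the data's label, independent of
# which actions the principal may perform.
DATA_ACCESS_GRANTS = {
    "sally": {"public"},
    "hr-analyst": {"public", "hr-records"},
}


def is_action_allowed(principal: str, resource: str, action: str) -> bool:
    """Deny by default: True only if the action is explicitly granted."""
    return action in ACTION_GRANTS.get((principal, resource), set())


def is_data_access_allowed(principal: str, data_label: str) -> bool:
    """Deny by default: True only if the principal is cleared for that label."""
    return data_label in DATA_ACCESS_GRANTS.get(principal, set())


def excess_grants(principal: str, resource: str, required: set) -> set:
    """Audit helper: actions granted on a resource beyond what the task needs.

    A non-empty result means the principal holds more than least privilege.
    """
    return ACTION_GRANTS.get((principal, resource), set()) - required


if __name__ == "__main__":
    # Sally may print on printer-1 and nothing else.
    print(is_action_allowed("sally", "printer-1", "print"))         # True
    print(is_action_allowed("sally", "printer-1", "manage-queue"))  # False
    print(is_action_allowed("sally", "printer-2", "print"))         # False
    # Rights on the printer say nothing about her access to HR data.
    print(is_data_access_allowed("sally", "hr-records"))            # False
    # The print admin holds two actions beyond what a print-only task needs.
    print(sorted(excess_grants("print-admin", "printer-1", {"print"})))
    # ['change-driver', 'manage-queue']
```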

Good luck with your studies.

Darril Gibson
CompTIA Security+: Get Certified Get Ahead: SY0-201 Study Guide