3.1 Identify and apply industry best practices for access control methods.
One of the practices you should understand is Least Privilege.
The principle of least privilege specifies that individuals or processes should be granted only the rights needed to perform assigned tasks or functions, but no more. For example, if Sally needs to print to a printer, you should grant her print permission for that printer but nothing else.
There's a subtle difference between Least Privilege and Need to Know. Least Privilege focuses on rights or actions. Need to Know focuses on permissions or access to data.
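To make the distinction concrete, here is a small deny-by-default access-control model, added as an illustration (it is not code from the book or the post). It keeps rights (actions such as resetting a password, governed by least privilege) separate from permissions (operations on a specific object such as a printer or a user profile, governed by need to know), and includes an audit helper that reports anything granted beyond what an assigned task requires. The principal names, action names and object names are constructed for the example.

```python
"""Toy access-control model: rights (actions) vs. permissions (data access)."""
from dataclasses import dataclass, field


@dataclass
class Principal:
    name: str
    # Rights: actions the principal may perform anywhere (least privilege).
    rights: set = field(default_factory=set)
    # Permissions: operations allowed on a specific object (need to know).
    permissions: dict = field(default_factory=dict)


def grant_right(p: Principal, action: str) -> None:
    p.rights.add(action)


def grant_permission(p: Principal, obj: str, op: str) -> None:
    p.permissions.setdefault(obj, set()).add(op)


def may_perform(p: Principal, action: str) -> bool:
    """Rights check: anything not explicitly granted is denied."""
    return action in p.rights


def may_access(p: Principal, obj: str, op: str) -> bool:
    """Permissions check: deny unless this op on this object was granted."""
    return op in p.permissions.get(obj, set())


def build_example() -> dict:
    """Constructed principals: Sally only needs to print; helpdesk resets passwords."""
    sally = Principal("sally")
    grant_permission(sally, "printer:hr-laserjet", "print")  # print, nothing else

    helpdesk = Principal("helpdesk")
    grant_right(helpdesk, "reset_user_password")        # a right -> least privilege
    grant_permission(helpdesk, "user_profile", "view")  # a permission -> need to know
    return {"sally": sally, "helpdesk": helpdesk}


def audit_excess(p: Principal, required_rights, required_permissions) -> tuple:
    """Return (extra rights, extra permissions) beyond what the task requires."""
    extra_rights = p.rights - set(required_rights)
    extra_perms = {}
    for obj, ops in p.permissions.items():
        surplus = ops - set(required_permissions.get(obj, ()))
        if surplus:
            extra_perms[obj] = surplus
    return extra_rights, extra_perms


if __name__ == "__main__":
    people = build_example()
    sally = people["sally"]
    print("sally can print:", may_access(sally, "printer:hr-laserjet", "print"))
    print("sally can manage printer:", may_access(sally, "printer:hr-laserjet", "manage"))
    print("sally can reset passwords:", may_perform(sally, "reset_user_password"))
    # Over-granting shows up in the audit
    grant_permission(sally, "printer:hr-laserjet", "manage")
    print("excess for sally:", audit_excess(sally, [], {"printer:hr-laserjet": ["print"]}))
```

Both check functions deny by default: a principal with no entry for an action or object gets `False`, which is the behaviour least privilege and need to know both rely on. The `audit_excess` helper is the review step, comparing what was granted against what the task actually requires.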
Good luck with your studies.
Darril Gibson
CompTIA Security+: Get Certified Get Ahead: SY0-201 Study Guide

I wonder about this situation:
When an Administrator has a right to view a User Profile, or he can renew a user's password... We call that a Need-To-Know right? I am a little confused with Least Privilege ...
The differences are subtle.
The ability to view a user profile is granted through permissions, so this would be referred to as need to know.
The ability to reset a user's password is granted through a right, so it is restricted through least privilege.
However, the Security+ exam won't test your knowledge at that depth.
The blog talks about how least privilege restricts a user's ability to perform tasks or functions, which is controlled with rights.
Need to know focuses on a user's access to data, which is controlled with permissions.
HTH,
Darril