Thursday, July 29, 2010
CISO/CSO Security Brief- Least Privilege Description

Practical Security Solutions

By Ron Collette, CISSP & Mike Gentile, CISSP

ron@cisohandbook.com, mike@cisohandbook.com

 

“Least Privilege” is an often misunderstood concept in security. We are constantly asked to illustrate this idea.  Therefore, we felt it was the right place to kick off our new series of security briefs. As with all of our briefs, we will attempt to provide a third-party definition followed by a relatable analogy to reinforce the concept. We don’t guarantee that these stories won’t be cheesy, only that they address the topic.

Definition of “Least Privilege” from www.wikipedia.org

The principle is to grant just the minimum possible privileges to permit a legitimate action, in order to enhance protection of data and functionality from faults (fault tolerance) and malicious behavior (computer security).  The principle of minimal privilege is also known as or similar to POLA: principle of least authority (or access).

 

Analogy

Let’s say that you own a mansion.  Your home has locks on all of the doors, gates, and windows.  Further, you have a vault in the main house and various locked cabinets. You possess keys to all of the locks described above since you are the lord of the manor. Like we said, relatable.

 

In order to enforce least privilege for the estate, you would grant access by determining the function that needs to be performed and the access required to carry it out.  For example, the gardener would only get a key to the gates, not access to the house.  The housekeeper would get access to the side yard and the house, but not the locked cabinets and the vault.  The butler would get keys to the side gates, house, and the locked cabinets (liquor, guns, silver, etc.), but not the vault. As the owner of the house, you would have access to everything. Each function has been granted only the access necessary to perform its specific job, nothing more.
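
The estate’s key rings, as an added Python model that is not part of the original brief: each function’s grants are derived from what that function needs, and an audit flags any key held beyond that. The function names, resource names and the “as-found” key rings are constructed for the example.

```python
"""Least privilege modelled on the estate analogy (added example)."""
from typing import Dict, FrozenSet

# Access each function needs to do its job, taken from the analogy.
# Resource names are constructed for this example.
FUNCTION_NEEDS: Dict[str, FrozenSet[str]] = {
    "gardener":    frozenset({"gates"}),
    "housekeeper": frozenset({"side_yard", "house"}),
    "butler":      frozenset({"gates", "house", "cabinets"}),
    "owner":       frozenset({"gates", "side_yard", "house", "cabinets", "vault"}),
}


def least_privilege_grants(needs: Dict[str, FrozenSet[str]]) -> Dict[str, FrozenSet[str]]:
    """Derive each key ring from the function's needs: exactly what is
    required and nothing more. Grants follow from function, not the reverse."""
    return {function: frozenset(required) for function, required in needs.items()}


def is_permitted(grants: Dict[str, FrozenSet[str]], function: str, resource: str) -> bool:
    """Default deny: an unknown function, or a key not on the ring, is refused."""
    return resource in grants.get(function, frozenset())


def audit_excess(grants: Dict[str, FrozenSet[str]],
                 needs: Dict[str, FrozenSet[str]]) -> Dict[str, FrozenSet[str]]:
    """Return, per function, any access held beyond what the function needs.
    An empty result means the key rings satisfy least privilege."""
    excess: Dict[str, FrozenSet[str]] = {}
    for function, held in grants.items():
        extra = held - needs.get(function, frozenset())
        if extra:
            excess[function] = frozenset(extra)
    return excess


# Constructed "as-found" key rings: the gardener was also given a house key.
FOUND_GRANTS: Dict[str, FrozenSet[str]] = {
    "gardener":    frozenset({"gates", "house"}),
    "housekeeper": frozenset({"side_yard", "house"}),
    "butler":      frozenset({"gates", "house", "cabinets"}),
    "owner":       FUNCTION_NEEDS["owner"],
}

if __name__ == "__main__":
    print(audit_excess(FOUND_GRANTS, FUNCTION_NEEDS))  # {'gardener': frozenset({'house'})}
```

Running the audit against rings derived with least_privilege_grants returns nothing; running it against FOUND_GRANTS reports the gardener’s surplus house key.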

 

Told you it was easy!


Posted on Friday, January 06, 2006 (Archive on August 14, 2006)
Posted by CISOHandbook.com

Copyright (c) 2010 CISO/CSO Handbook