The Principle of Least Privilege

One of the most fundamental tenets of information security is the Principle of Least Privilege. First formulated by Jerome Saltzer for a 1974 Communications of the ACM article, the Principle states that ‘every program and every privileged user of the system should operate using the least amount of privilege necessary to complete the job.’ What does this mean for a business and its employees?

Think of the privileges afforded to every employee of your company. Presumably, the privilege of accessing the private premises is afforded to all, as doing their jobs on the pavement outside wouldn’t be particularly effective. They are given permission to access the company computer systems, which allows them to do so without breaching the Computer Misuse Act. Each month or so, they are paid for their time—they do not have to steal the money from the company bank account to get it.

The point of these examples is to get across the idea that every employee is afforded some privileges, even in an office so lax that these are limited to just access and remuneration. The point of the Principle is that permissions must be more fine-grained that this. Its all well and good checking credentials at front door of the office, but does every single employee really need to be able to access the server room? Does a canteen worker need to be able to get into a boardroom, or a manager to get into the cookhouse?

The Principle goes beyond mere physical access. Of those employees who need access to the office computer systems, do all of them need to be able to access all files? Does someone in marketing need to be able to view financial data, or vice versa? Of course, there may some day be a situation in which they do, but that can be dealt with on an individual basis, perhaps with temporary or supervised access being granted (and then, once the need is gone, rapidly revoked). The Principle focusses on those privileges that are afforded on a day-to-day basis.

The Principle can also be combined with a robust information classification framework to restrict access to specific files on a contextual basis. A range of models exist to govern this access, such as the Biba Model, in which a user may only write down to a lower integrity level, and may only read up from a higher (mimicking a military chain of command).

Wouldn’t it be easier to just let everyone access everything, though, and skip all this faff about rights and permissions? Certainly, it would, but doing so ensures that if (or when) an attacker breaches your system and takes over an employee’s account, you will have helpfully just handed them the keys to the kingdom. With proper application of the Principle, you can insulate yourself against the impact of a breach by constraining an attacker’s available moves. This can also help in a later incident investigation, as the areas damaged will give some indication as to where the attacker managed to get in.

Scroll to Top