![]() ![]() This framework addresses the need to verify the identity of users seeking access to a network or other resource (authentication), determine what they’re allowed to do (authorization), and track all actions they take (accounting or accountability). Parents use parental controls on their home devices to restrict children’s access to harmful content, ticketed airline passengers can board a plane but aren’t allowed in the cockpit, students have access to learning systems but not to teachers’ grading files, and a parking attendant with a valet key can park your car but can’t access the locked glove box, console, or trunk.Īs a principle, least privilege falls under the second A in an information security framework known as AAA -authentication, authorization, and accounting (or accountability). Most of us are familiar with the concept of restricting access and see or practice variations of this principle in everyday life. Similarly, to do their jobs, a marketing specialist does not need access to employee salary data, an entry-level government worker should not have access to top-secret documents, and a finance specialist should not be able to edit application source code. ![]() ![]() So, an employee whose job entails processing payroll checks would only have access to that specific function in a payroll application but would not have administrative access to the customer database. The principle of least privilege addresses access control and states that an individual should have only the minimum access privileges necessary to perform a specific job or task and nothing more. A supporting principle that helps organizations achieve these goals is the principle of least privilege. ![]() The three most important- confidentiality, integrity, and availability (the CIA triad)-are considered the goals of any information security program. Information security is a complex, multifaceted discipline built upon many foundational principles. The same idea can be applied to Firewall and Switch configurations for network devices and services.What Is the Principle of Least Privilege? It can be hard to figure out what to remove. If you start from a base of everything being allowed, then it can be hard to tell for sure which permissions will cause interference with an employee’s signed duties. Accomplishing this is much easier when you start from a base of nothing being allowed and build on that. The basic concept is that you allow a user the least amount of privileges that are necessary for them to perform their assigned duties, nothing more. The second option embodies the idea of “ Least Privilege.” In this case, the user is likely to complain (probably quickly) and the situation will be remedied. This approach is much safer, because if a mistake is made, it is most likely going to be that someone is not allowed access to something they SHOULD. You then explicitly allow them to be able to access different places/resources. Using this approach, nobody has access to anywhere/anything to start with. Also, if a user has more access then they should, it’s quite likely they will not complain about it, so it could easily go unnoticed for a long time. It’s the responsibility of the company to properly set this up for them. This is risky, because what happens if you forget to prevent access to somewhere important? A user isn’t responsible for knowing everywhere they should/shouldn’t access. Then you start to explicitly block them from places they shouldn’t be allowed to go. Using this approach, what you would do is start off with everyone having access to everywhere. ![]()
0 Comments
Leave a Reply. |
AuthorWrite something about yourself. No need to be fancy, just an overview. ArchivesCategories |