Relationship Between Least Privilege and Need-to-Know
This article discusses how the principles of least privilege and need-to-know are related. You should be able to explain how least privilege and need-to-know can be controlled with correct data labeling and by assigning user roles. Pay attention to how too much security can sometimes be a bad thing.
Whenever we talk about security and assign access control lists, the principle of least privilege comes up. Our firewalls should block all ports except the ones we need to do business. The same is true for file access control lists (ACLs): we should only allow read or write access to files as needed.
The principle of least privilege is fundamental to information security and closely related to the idea of "need to know". This term tends to be used more in government and military contexts, but it is just as valid in commercial networks.
For example, in order to obtain certain information, a user needs a certain "clearance" (usually a position in the company) AND a need to know the information. In a hospital setting, for example, all nurses are likely considered trusted enough to read any patient's information. However, they should still only access information for the patients they deal with.
Fine-grained access controls like this are critically linked to the correct labeling of data. In most cases I have seen, the labeling of data is actually the main problem. Consider a spreadsheet with patient data in a hospital. In order to provide proper access control, the access control system needs to take into account which patients are listed in the spreadsheet, and then compare that list to the list of patients a nurse is associated with before granting access. Realistically, this is not going to happen. Data needs to be properly segmented; once data of various classifications ends up in the same place (like an Excel spreadsheet), it is usually too late.
As a start, one should probably first define the different roles in the organization and figure out what each role needs to know to get its work done. Later, the roles may be refined and access control may be further restricted. The same is true for data labels. Initially, you may break data down into rough categories, and as your system is refined, you may want to come up with finer categories.
But don't rush this. Nothing is more frustrating than security getting in the way of normal business processes, and this is probably the fastest way to lose steam for your initiative. This control should be considered a control for a more mature organization that has already covered most other controls. Start this one slowly, and consider implementing detective controls before implementing enforcement.
For example, to go back to our hospital case: if you come into the emergency room bleeding, your priority is that the nurse has fast and proper access to your medical record. Getting proper help fast is more important (at least at that time) than the confidentiality of your patient record. Instead of focusing on enforcing access controls, a hospital may deploy log analysis to monitor nurses who accessed more files than others, or, for example, to review who accessed the records of a celebrity visiting the hospital.
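Both halves of the hospital case, the preventive need-to-know check (role grants clearance, patient assignment grants need to know) and the detective log review the diary suggests starting with, as an added example that is not part of the diary; the log format, the nurse-to-patient assignment map, the VIP record label and the outlier threshold are all constructed for illustration.

```python
from collections import Counter
from statistics import mean, pstdev

# Constructed sample access log, one record per line: "timestamp,nurse_id,patient_id".
ACCESS_LOG = """\
2024-03-01T08:01:00,nurse_a,p001
2024-03-01T08:05:00,nurse_a,p002
2024-03-01T08:10:00,nurse_b,p003
2024-03-01T08:12:00,nurse_b,p004
2024-03-01T08:20:00,nurse_c,p001
2024-03-01T08:21:00,nurse_c,p002
2024-03-01T08:22:00,nurse_c,p003
2024-03-01T08:23:00,nurse_c,p004
2024-03-01T08:24:00,nurse_c,p005
2024-03-01T08:25:00,nurse_c,p777
2024-03-01T09:00:00,nurse_a,p777
"""
# Constructed "need to know": the patients each nurse is currently assigned to.
ASSIGNMENTS = {"nurse_a": {"p001", "p002"}, "nurse_b": {"p003", "p004"}, "nurse_c": {"p005"}}
# Constructed data label for records that warrant extra review (e.g. a celebrity patient).
VIP_RECORDS = {"p777"}

def parse_log(text):
    """Turn the CSV-like log text into (timestamp, nurse, patient) tuples."""
    return [tuple(line.split(",")) for line in text.splitlines() if line.strip()]

def has_need_to_know(nurse, patient, assignments):
    """Preventive check: the nurse role supplies the clearance, but a specific
    record is only readable when the nurse is assigned to that patient."""
    return patient in assignments.get(nurse, set())

def review_access(rows, assignments, vip_records, sigma=1.0):
    """Detective review over the log, for a site that monitors rather than blocks:
    - nurses whose access volume stands out from their peers (threshold is
      mean + sigma * population stdev of per-nurse counts, an assumption here),
    - every access to a VIP-labelled record,
    - every access that the need-to-know check would have denied."""
    counts = Counter(nurse for _, nurse, _ in rows)
    vals = list(counts.values())
    mu, sd = mean(vals), pstdev(vals)
    high_volume = sorted(n for n, c in counts.items() if c > mu + sigma * sd)
    vip_hits = [r for r in rows if r[2] in vip_records]
    unassigned = [r for r in rows if not has_need_to_know(r[1], r[2], assignments)]
    return {"high_volume": high_volume, "vip_accesses": vip_hits, "unassigned": unassigned}

if __name__ == "__main__":
    report = review_access(parse_log(ACCESS_LOG), ASSIGNMENTS, VIP_RECORDS)
    for key, value in report.items():
        print(key, value)
```

Running it flags nurse_c as a volume outlier and lists the two accesses to the VIP record, which is the kind of review queue a hospital can work through without ever blocking an emergency-room lookup.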
Source: Johannes B. Ullrich, https://isc.sans.edu/forums/diary/Critical+Control+9+Controlled+Access+Based+on+the+Need+to+Know/11812/
This work is licensed under a Creative Commons Attribution-NonCommercial-ShareAlike 3.0 License.