Let us look today at the key difference between the Least Privilege and Need to Know access principles.
Need to Know - Example
A mathematics teacher could be authorised to access previous years' Maths exam question papers for all classes in the school. This is what he needs to know, and there is no harm in giving him access to old exam question papers. This is decided on the basis of "Need to Know". In IT terms, the example would be: if you work in HR, you will have access to all general HR-related files and data.
Least Privilege - Example
A mathematics teacher, on the basis of "Need to Know", was authorised to access previous years' Maths exam question papers for all classes in the school. But the "Least Privilege" principle says that he can only write new Maths exam question papers for the classes he teaches. As another example, "Least Privilege" narrows his "Need to Know" access so that he can check/mark exam sheets only for the classes he teaches. In IT terms: if you work in HR, "Need to Know" authorises you to access general HR-related data, but "Least Privilege" restricts update access to only those specific HR-related files for which you are the data owner.
Need to Know is the more fundamental authorisation, whereas Least Privilege is more granular. You could have "view" access at the "Need to Know" level, but the "Least Privilege" principle mainly governs the "Write" and "Execute" bits.
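The two layers described above can be expressed as a single authorisation decision: a coarse need-to-know check on the data domain, followed by a granular least-privilege check on the specific action and scope. The following is an added example, not code from the original article; the subject, resource, domain and scope names are constructed to mirror the maths-teacher example.

```python
from dataclasses import dataclass, field

# Actions a subject may request on a resource.
READ, WRITE, MARK = "read", "write", "mark"


@dataclass(frozen=True)
class Resource:
    domain: str       # data domain used by the need-to-know check, e.g. "maths-exams"
    scope: str        # finer scope used by least privilege, e.g. the class "year-9"


@dataclass
class Subject:
    name: str
    need_to_know: set[str]                                           # domains cleared
    scoped_rights: dict[str, set[str]] = field(default_factory=dict)  # scope -> actions


def authorise(subject: Subject, resource: Resource, action: str) -> tuple[bool, str]:
    """Two-layer decision: need-to-know first, then least privilege.

    Need-to-know answers "may this subject see this kind of data at all?".
    Least privilege answers "which actions, on which specific items?".
    Read within a cleared domain is granted by need-to-know alone; any
    modifying action (write, mark) also needs an explicit right on that scope.
    """
    if resource.domain not in subject.need_to_know:
        return False, f"denied by need-to-know: no clearance for {resource.domain!r}"
    if action == READ:
        return True, "allowed by need-to-know: read within cleared domain"
    granted = subject.scoped_rights.get(resource.scope, set())
    if action in granted:
        return True, f"allowed by least privilege: {action} on {resource.scope}"
    return False, f"denied by least privilege: {action} not granted on {resource.scope}"


# Constructed sample data: a maths teacher who teaches year-9 and year-10 only.
maths_teacher = Subject(
    name="maths-teacher",
    need_to_know={"maths-exams"},
    scoped_rights={"year-9": {WRITE, MARK}, "year-10": {WRITE, MARK}},
)
year_11_paper = Resource(domain="maths-exams", scope="year-11")
year_9_paper = Resource(domain="maths-exams", scope="year-9")
history_paper = Resource(domain="history-exams", scope="year-9")

if __name__ == "__main__":
    for res, act in [(year_11_paper, READ), (year_11_paper, WRITE),
                     (year_9_paper, MARK), (history_paper, READ)]:
        ok, why = authorise(maths_teacher, res, act)
        print(f"{act:5} {res.domain}/{res.scope}: {'ALLOW' if ok else 'DENY'} ({why})")
```

The order of the checks matters: a request outside the subject's need-to-know domain is refused before any per-item rights are consulted, so a mis-configured scoped right can never widen what the subject may see.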
The author is a professional CISSP trainer within the CMA training pool. He is CMA's CISSP/CISA/ISO 27001/SOX/Information Risk Management/SAP Cyber Security trainer.