The Principle of Least Privilege (PoLP) is a concept in information security and data protection that states a user should be given the minimum amount of access required to do their job. This is important because:
- Users should not have access to something they should not see
- If a user's account is compromised, the amount of information at risk is minimised
On the surface this idea makes sense, but in practice it does not always work, because it can restrict a user's ability to do their job. It is therefore all about understanding the risk.
Using our helpdesk team as an example, the PoLP should mean that each helpdesk team only sees its own clients. This would be a major headache when the High Wycombe helpdesk teams are in a meeting and other offices, such as Bristol, Manchester and Swindon, need to cover their calls. Not locking down these permissions is a risk to Complete I.T., but it is an acceptable risk because granting permissions to the different offices each time would not be realistic.
Some of the biggest challenges to ensuring PoLP are new starters, team members changing roles, and people leaving a business. Permissions and access rights are set or changed in each of these cases, so ensuring that each person has the correct access is a critical task.
It is important that checks are completed and documented on a regular basis and cover all systems/permissions that the business has.
Using Complete I.T. as an example, we have identified 12 key systems which we will check on a regular basis. Each system has a designated owner who is responsible for undertaking these checks. We then make a record of which systems we have reviewed, how we reviewed them and what actions were taken. These checks are not only for our own peace of mind but would be invaluable in the event of an information security incident as evidence that we have a well-maintained system that follows the PoLP.