The Principle of Least Privilege

09 Aug


The materials on, and specifically the guide by Rause & Tipton certainly supplemented the material by Shon Harris while I was studying for my CISSP. Even though I haven’t seen this page since sometime in 2007, a recent discussion thread re-linked it, as a starting point for a discussion on the principle of least privilege.

The Principle

While the principle of least privilege can be briefly summarized and defined, the context in which it is evaluated through a given access control method is quite a different undertaking. The principle of least privilege can be succinctly defined as “limiting the access of authorized users to data they require to perform their duties” (Conrad et. al., 2010)(p. 47). All access not required would then be denied. This is slightly less restrictive than the need-to-know standard, which would be a subset of the authorizations offered in the least privilege approach. Both can be considered “deny by default” provisions where access must be specifically allocated by a person authorized to grant that access.

Authorization to grant access is the key delineator between the two primary access control methods of Mandatory Access Control and Discretionary Access Control. MAC restricts this authorization to an administrator of the data; owners and users are unable to provision or grant rights to other users. In the DAC model however, this privilege is granted to data owners and creators; effectively decentralizing the assignment of privilege to content owners.

Not well-covered in the linked article by Rause & Tipton is one additional model: Non-Discretionary Access Control. This access control methods typically though of when discussing NDAC are Role-Based Access Control (RBAC) and Attribute-Based Access Control (ABAC). While many will argue that it belongs as a subcategory of MAC; it exists as a separate entity. Consider the following:

  • “…RBAC is sometimes described as a form of MAC in the sense that users are unavoidably constrained by and have no influence over the enforcement of the organization’s protection policies. However, RBAC is different from TCSEC (Orange Book) MAC.” According to NIST, “RBAC is a separate and distinct model from MAC and DAC.” This is a frequently confused (and argued) point: non-discretionary access control is not the same as MAC.” (Conrad et. al., 2010)
  • The NIST source cited by Conrad has moved, but is is available here:

At this point: least privilege, need-to-know, and the models to support the assignment of authorization have been defined, the next area to tackle would be that of policy and supporting models. Supporting models are subcategorized into a matrix of security models which include: confidentiality, integrity, information flow, noninterference, take-grant, access-control matrices, Grahm-Denning, Harrison-Ruzzon-Ullman, Zachman Framework and Brewer-Nash models.

These models do have overlap. For example the Lattice-Based, State Machine, and Bell-LaPudula models are all confidentiality models, while the Biba and Clark-Wilson models are integrity models. Each of these, however, falls into the larger category of information flow models.

Avoiding the temptation to define and explain each of these, it will at this time have to be sufficient to say that these models are then supported by the system’s mode of operation. Modes of operation are codified within the Common Criteria adapted from DoD 5200.28 and provide modes for each of the MAC models for operation.

While these models themselves do little to protect organizational assets, the adherence to the governance policies they define (including both administrative and technical controls) provides the structural foundation to protect the confidentiality, integrity and availability of information.



Conrad, E., Misenar, S., & Feldman, J. (2010). CISSP Study Guide. Syngress: Burlington, MA.

ISO/IEC. (n.d.). Common Criteria Documents. Retrieved from NSA Common Criteria Evaluation Scheme:

Krause, M., & Tipton, H. (1997). CISSP Open Study Guides . Retrieved from Handbook of Information Security Management:

NIST. (n.d.). DoD 5200.28. Retrieved from Computer Security Research Center:


Leave a comment

Posted by on August 9, 2012 in Information Technology


Have Something to Add?

Loading Facebook Comments ...

Join the conversation!

%d bloggers like this: