Need-to-Know and Least Privilege

Applying Security Operations Concepts 
699
Need-to-Know Access 
The
need-to-know
principle imposes the requirement to grant users access only to data or 
resources they need to perform assigned work tasks. The primary purpose is to keep secret 
information secret. If you want to keep a secret, the best way is to tell no one. If you’re the 
only person who knows it, you can ensure that it remains a secret. If you tell a trusted friend, 
it might remain secret. Your trusted friend might tell someone else—such as another trusted 
friend. However, the risk of the secret leaking out to others increases as more and more peo-
ple learn it. Limit the people who know and you increase the chances of keeping it secret. 
Need-to-know is commonly associated with security clearances, such as a person having 
a Secret clearance. However, the clearance doesn’t automatically grant access to the data. As 
an example, imagine that Sally has a Secret clearance. This indicates that she is cleared to 
access Secret data. However, the clearance doesn’t automatically grant her access to all Secret 
data. Instead, administrators grant her access to only the Secret data she has a need-to-know 
for her job. 
Although need-to-know is most often associated with clearances used in military and 
government agencies, it can also apply in civilian organizations. For example, database 
administrators may need access to a database server to perform maintenance, but they don’t 
need access to all the data within the server’s databases. Restricting access based on a need-
to-know helps protect against unauthorized access resulting in a loss of confi dentiality.

Download 19,3 Mb.

Do'stlaringiz bilan baham: