In this era of fast-emerging and evolving technology areas, like robotic process automation (RPA), IoT, shadow IT applications run from the cloud, and other facets of digital transformation, least privilege is an imperative security control to get right. In fact, adoption of “least privilege” was advanced by the publication of the “Department of Defense Trusted Computer System Evaluation Criteria” in 1985, following the recommendations of a task force dedicated to safeguarding classified data. While this blog will focus on the cybersecurity context of least privilege, no doubt you’re familiar with analogous concepts, such as “need to know” popularized amongst military and governmental circles. However, least privilege also applies to processes, applications, systems, and devices (such as IoT), in that each should have only those permissions required to perform an authorized activity. When applied to people, least privilege access, sometimes called the principle of least privilege (POLP), means enforcing the minimal level of user rights, or lowest clearance level, that allows the user to perform his/her role. Privilege itself refers to the authorization to bypass certain security restraints.

Least privilege is the concept and practice of restricting access rights for users, accounts, and computing processes to only those resources absolutely required to perform routine, legitimate activities. This is an updated blog that was first published on November 17, 2016