Terms Glossary L Least Privilege
Edit This Term Record

Least Privilege

The principle that a security architecture should be designed so that each entity is granted the minimum system resources and authorizations that the entity needs to perform its function.
Read More
In information security, computer science, and other fields, the principle of least privilege (also known as the principle of minimal privilege or the principle of least authority) requires that in a particular abstraction layer of a computing environment, every module (such as a process, a user, or a program, depending on the subject) must be able to access only the information and resources that are necessary for its legitimate purpose. The principle means giving a user account only those privileges which are essential to that user's work. For example, a backup user does not need to install software: hence, the backup user has rights only to run backup and backup-related applications. Any other privileges, such as installing new software, are blocked. The principle applies also to a personal computer user who usually does work in a normal user account, and opens a privileged, password protected account (that is, a superuser) only when the situation absolutely demands it. In practice, there exist multiple competing definitions of true least privilege. As program complexity increases at an exponential rate, so do the number of potential issues, rendering a predictive approach impractical. Examples include the values of variables it may process, addresses it will need, or the precise time such things will be required. Object capability systems allow, for instance, deferring granting a single-use privilege until the time when it will be used. Currently, the closest practical approach is to eliminate privileges that can be manually evaluated as unnecessary. The resulting set of privileges typically exceeds the true minimum required privileges for the process. Another limitation is the granularity of control that the operating environment has over privileges for an individual process. In practice, it is rarely possible to control a process's access to memory, processing time, I/O device addresses or modes with the precision needed to facilitate only the precise set of privileges a process will require.
Read More
Byos
Byos
Byos completely cloaks a device, or even an enterprise’s entire network, so that it cannot be discovered nor accessed, except by those entities that have proven their credentials beyond a shadow of a doubt. We then apply rules, based on that proven identity, so that access to each device is provisioned on an absolute Least Privilege basis. That makes lateral movement across the network practically impossible.
test test