The Custodian and the Principle of Least Privilege

It can be frustrating when you suddenly lose permissions to something you have been doing for years, only to find out you are now 'not allowed' to do it, and when you ask why, you are told about the 'Principle of Least Privilege'. Utter nonsense, or good information security practice?

Simply put, a person should have only the minimum access necessary to do his or her job, and no more. Similarly, a software program should have only the minimum access to data necessary to fulfill its function, and no more. The principle of least privilege works hand-in-hand with the tenet of separation of duties and the concept of 'Need to Know'.

Consider the case of a custodian; let's call him Dave. Dave is responsible for cleaning the classrooms and offices inside a public school system. In order for Dave to do his job successfully, he needs access to all of the classrooms and offices, so he likely carries a keychain of many keys (which always seems to be a problem in every sci-fi/horror flick when someone is trying to escape).

Now, if the custodian can access, say, the principal's office (for the purpose of cleaning it), then technically he could also find student records, employee files, and all kinds of other sensitive information. This is a risk to the business (or in this case the school). It is not an issue of TRUST. Regardless of how long you have known Dave, his keys could be stolen, he might switch shifts with another custodian who is less trusted, or he might be placed under duress for the keys. So how does one successfully manage that risk?

Need to Know - means that just because Dave could access this data, he must not, because his job does not have a 'need to know' the information. Just because someone has access does not imply the right to access. Dave reading this information, even if it is lying right on the principal's desk, is a violation of 'Need to Know'. In the world of information security, just because you are granted 'full access' to all of the files on the company drive does not mean it is okay to go read them all. While it might be obvious that Dave should not look at employee records, it is not always so clear in other situations.

Separation of Duties - The act of cleaning the room is completely separate from the act of, say, administering the employee files. Therefore Dave should not be hired both as the custodian and as the office manager. This prevents accidental information leakage. If Dave understands that his job is to clean the office, he should not be asked to manage the employee files, and the office manager similarly would have no reason to be searching around in the principal's garbage can. This reduces risk a bit better than 'Need to Know' alone because it clarifies, by design, which people are responsible for which specific tasks. However, it still doesn't physically prevent someone from searching the trash; it only provides policies and guidelines to help avoid it. In IT security, this would mean, for example, that the administrative tasks of a DBA should NOT involve writing new code or deploying a software application, and similarly that an application developer should not be able to perform admin-level operations on any (let alone all) of the database instances.

Principle of Least Privilege - If we want to ensure that Dave cannot access the employee files or student records, we can simply store them inside another area (e.g. a filing cabinet or a computer system) to which Dave does not have the key (or password). Dave has the requirement to access the office (to clean it) but no access to the files themselves. So even if Dave were to get curious, lose his keys, or be put under duress, he simply cannot reach the secured information. This is also why some stores post a sign stating 'limited cash on hand' or 'employees cannot access the safe': if someone holds up the store, even the staff on shift cannot get at the money. Again, from an IT security perspective, a DBA might require access to the data (e.g. for backup and maintenance purposes) but would not have access to the configuration files of the software that uses the data, nor need to know the password that the application itself uses to connect to the database.

But what if you are a small business? Well, the good news is you can still follow all of these principles, but it might get a little more... complicated.

Your one 'IT person' technically has access to all of your files, but should not go around snooping through them just because he or she can (need to know). Furthermore, that person should have at least two accounts: one for day-to-day activities (which cannot access "everything") and a second account used only for special admin tasks such as setting up accounts and enabling or disabling services (separation of duties). Finally, for super-sensitive data it is possible to set up additional schemes. For example, the CEO of the company may store files in an electronic vault with a password only he or she knows. Your IT person just sees this as one 'file': it can still be copied, backed up, etc., but the contents cannot be read without the password that decrypts them. In fact, the IT person doesn't even need to know that it is an encrypted file at all; it could be named josh_gates_to_oak_island_original.mp4 with the vault hidden inside. It is even possible to have systems that require two people to access the data, where each person knows only a "part" of the password. Neither can access the information individually, but both can unlock it together (principle of least privilege).
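To make the vault idea concrete, here is an added example (my own illustration, not code from the original post) built with only the Python standard library. It shows both points above: the IT person's backup job copies and checksums the vault file without ever holding the key, and a 2-of-2 split of the key means neither half opens the vault alone. The file names, the sample secret and the encrypt-then-MAC construction (an HMAC-SHA256 counter-mode keystream plus an HMAC tag) are illustrative assumptions; in production use a vetted AEAD such as AES-GCM from the `cryptography` package rather than a hand-built cipher.

```python
# Added example (not the post author's code): a small two-person "vault".
# Illustrative construction only; prefer a vetted AEAD library in practice.
import hashlib
import hmac
import os
import secrets
import shutil
import tempfile

NONCE_LEN = 16
TAG_LEN = 32


def _subkeys(key):
    """Derive independent encryption and MAC keys from the vault key."""
    enc_key = hashlib.sha256(b"vault-enc" + key).digest()
    mac_key = hashlib.sha256(b"vault-mac" + key).digest()
    return enc_key, mac_key


def _keystream(enc_key, nonce, length):
    """Counter-mode keystream: HMAC(enc_key, nonce || counter) blocks."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(enc_key, nonce + counter.to_bytes(8, "big"),
                        hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def seal(key, plaintext):
    """Encrypt-then-MAC: returns nonce || ciphertext || tag."""
    enc_key, mac_key = _subkeys(key)
    nonce = secrets.token_bytes(NONCE_LEN)
    ciphertext = _xor(plaintext, _keystream(enc_key, nonce, len(plaintext)))
    tag = hmac.new(mac_key, nonce + ciphertext, hashlib.sha256).digest()
    return nonce + ciphertext + tag


def open_vault(key, blob):
    """Verify the tag first; a wrong key or a tampered file is rejected."""
    enc_key, mac_key = _subkeys(key)
    nonce = blob[:NONCE_LEN]
    ciphertext = blob[NONCE_LEN:-TAG_LEN]
    tag = blob[-TAG_LEN:]
    expected = hmac.new(mac_key, nonce + ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("wrong key or vault tampered with")
    return _xor(ciphertext, _keystream(enc_key, nonce, len(ciphertext)))


def split_key(key):
    """2-of-2 split: a random share and its XOR complement. Each share on
    its own is uniformly random and reveals nothing about the key."""
    share_a = secrets.token_bytes(len(key))
    return share_a, _xor(key, share_a)


def combine_key(share_a, share_b):
    return _xor(share_a, share_b)


def demo():
    """Run the scenario from the post and report what each party could do."""
    key = secrets.token_bytes(32)
    ceo_share, cfo_share = split_key(key)      # each officer keeps one half
    secret = b"Board minutes: acquisition approved"  # constructed sample
    blob = seal(key, secret)

    with tempfile.TemporaryDirectory() as workdir:
        # To the IT person the vault is just one file; the name (the post's
        # joke name, assumed here) says nothing about the contents.
        vault = os.path.join(workdir, "josh_gates_to_oak_island_original.mp4")
        backup = os.path.join(workdir, "nightly_backup.mp4")
        with open(vault, "wb") as f:
            f.write(blob)
        shutil.copyfile(vault, backup)         # backup job needs no key
        with open(backup, "rb") as f:
            restored = f.read()

    backup_intact = hashlib.sha256(restored).digest() == hashlib.sha256(blob).digest()
    try:                                       # one share alone is refused
        open_vault(ceo_share, restored)
        single_share_fails = False
    except ValueError:
        single_share_fails = True
    recovered = open_vault(combine_key(ceo_share, cfo_share), restored)
    return {"backup_intact": backup_intact,
            "single_share_fails": single_share_fails,
            "recovered": recovered == secret}


if __name__ == "__main__":
    print(demo())
```

Note the way the 'part' of the password is produced: each share is a full-length random value, not the first and second half of the characters. Handing one person the first half of a passphrase leaves the other half to be guessed; a random share leaves nothing to guess, which is what makes the two-person rule a real least-privilege control rather than a formality.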

Be warned: whatever you decide, just don't give the computer itself the power to decide who should have access!
