What is the Principle of Least Privilege (POLP)?

Data Security Knowledge Base

A Best Practice for Information Security and Compliance


The principle of least privilege is the idea that any user, program, or process should have only the bare minimum privileges necessary to perform its function. For example, a user account created for pulling records from a database doesn’t need admin rights, while a programmer whose main function is updating lines of legacy code doesn’t need access to financial records. The principle of least privilege can also be referred to as the principle of minimal privilege (POMP) or the principle of least authority (POLA). Following the principle of least privilege is considered a best practice in information security.

How the Principle of Least Privilege Works


The principle of least privilege works by allowing only enough access to perform the required job. In an IT environment, adhering to the principle of least privilege reduces the risk of attackers gaining access to critical systems or sensitive data by compromising a low-level user account, device, or application. Implementing the POLP helps contain compromises to their area of origin, stopping them from spreading to the system at large.

Examples of the Principle of Least Privilege


The principle of least privilege can be applied to every level of a system. It applies to end users, systems, processes, networks, databases, applications, and every other facet of an IT environment. Below are just a few examples of how the principle can work (or fail) in practice.

User Account with Least Privilege:
MySQL Accounts with Least Privilege:
Using Just in Time Least Privilege:

Benefits of the Principle of Least Privilege

Better security:

Edward Snowden was able to leak millions of NSA files because he had admin privileges, though his highest-level task was creating database backups. Since the Snowden leaks, the NSA has employed the principle of least privilege to revoke higher-level powers from 90% of its employees.

Best Practices for the Principle of Least Privilege (How to Implement POLP)

Conduct a privilege audit.

Check all existing accounts, processes, and programs to ensure that they only have the permissions required to do the job.

Start all accounts with least privilege.

The default for all new account privileges should be set as low as possible. Only add specific higher-level powers as needed to perform the job.

Enforce the separation of privileges.

Separate admin accounts from standard accounts, and higher level system functions from lower ones.

Use just in time privileges.

Wherever possible, restrict raised privileges to the moments when they are needed. Implement expiring privileges and one-time-use credentials.

Make individual actions traceable.

User IDs, one-time passwords, monitoring, and automatic auditing can make it easier to track and limit damage.

Make it regular.

Auditing privileges regularly prevents a situation where older users, accounts, and processes accumulate privileges over time, whether or not they still need them.
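As an added worked example of the privilege audit described above (this is not the knowledge base's own code): a Python script that parses constructed MySQL-style `SHOW GRANTS` lines, compares each account's privileges against an assumed per-role policy, and flags both excess privileges and expired just-in-time grants. The role policy, account names, grant lines and expiry dates are all constructed assumptions.

```python
"""Least-privilege audit over constructed MySQL-style grant statements (added example)."""
from datetime import date
import re
# Assumed per-role policy: the only privileges each role needs to do its job.
REQUIRED = {
    "report_reader": {"SELECT"},
    "backup_operator": {"SELECT", "LOCK TABLES", "SHOW VIEW"},
}
# Constructed sample in the shape of MySQL `SHOW GRANTS` output, with the role
# assigned to each account and any just-in-time expiry date. Not real data.
ACCOUNTS = [
    {"user": "reports@10.0.0.%", "role": "report_reader",
     "grants": ["GRANT SELECT ON sales.* TO 'reports'@'10.0.0.%'"]},
    {"user": "backup@localhost", "role": "backup_operator",
     "grants": ["GRANT ALL PRIVILEGES ON *.* TO 'backup'@'localhost' WITH GRANT OPTION"]},
    {"user": "jit_dba@localhost", "role": "report_reader", "expires": "2024-01-02",
     "grants": ["GRANT SELECT, INSERT, DELETE ON sales.* TO 'jit_dba'@'localhost'"]},
]

GRANT_RE = re.compile(r"^GRANT (.+?) ON (\S+) TO ", re.IGNORECASE)

def granted_privileges(grant):
    """Return the set of privilege names in one GRANT statement."""
    m = GRANT_RE.match(grant)
    if not m:
        raise ValueError(f"unrecognised grant: {grant}")
    privs = {p.strip().upper() for p in m.group(1).split(",")}
    if privs & {"ALL", "ALL PRIVILEGES"}:   # ALL is never least privilege
        privs = {"ALL PRIVILEGES"}
    if grant.upper().rstrip().endswith("WITH GRANT OPTION"):
        privs.add("GRANT OPTION")           # can re-grant to others: an escalation path
    return privs

def audit(accounts, required, today):
    """List (user, finding, details) for privileges beyond the role and expired JIT grants."""
    findings = []
    for acct in accounts:
        excess = set()
        for g in acct["grants"]:
            excess |= granted_privileges(g) - required[acct["role"]]
        if excess:
            findings.append((acct["user"], "excess", sorted(excess)))
        exp = acct.get("expires")
        if exp and date.fromisoformat(exp) < date.fromisoformat(today):
            findings.append((acct["user"], "expired", [exp]))
    return findings

if __name__ == "__main__":
    for finding in audit(ACCOUNTS, REQUIRED, "2024-02-01"):
        print(*finding)
```

Running the audit on a schedule and diffing its output against the previous run is one way to meet the "make it regular" practice without re-reading every grant by hand.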