GregSargent0055
Everything posted by GregSargent0055

  1. Principle of least privilege

     I have been explaining this to people throughout my career, but it would be really nice to point co-workers to a quick video where they can get the gist of the principle. It's a very simple principle; however, people tend to forget it's a principle. Just because you can shut everyone's access off to every file and folder on a server doesn't mean you should. You need to take into account how it will impact the operations of your business, how much time it would take to maintain, and weigh that against the criticality of the data in question and your implemented security models. That's where I start to see people get confused.

     I'm not a writer by any means, but here's a (probably terrible) example to hopefully explain the principle as I view it. Maybe it will give your writers a head start if you decide to tackle this topic:

     In the most simple terms, it means you give users access to the resources they need to perform their duties and nothing more. This could be access to servers, folders, files, and even system I/O (prevent removable media from being read). However, this can also address things such as access to buildings or rooms within said buildings. It doesn't have to be limited to IT functions. In the example below I'm going to use file/folder access, since that's fairly easy for most of us to grasp and relate to.

     Say you've got a file share on the "Z:\" drive. It contains the following folders:

       • Human Resources
       • Accounting
       • Information Technology

     An HR (Human Resources) employee would obviously need access to the HR folder, but shouldn't need access to the Accounting or Information Technology folders. So you'd only give them access to the HR folder. However, they might have some process that requires HR employees to access Accounting files every couple of days. You would then need to review the data in the Accounting folder and decide if you should simply give all HR employees access to all Accounting files.

     Maybe your IT department only has 1 person and you have a hundred subfolders in each root folder. It would take a long time for your technician to create individual permissions per folder and then assign users/groups to each folder. Additionally, once that has been implemented, the IT department would have to maintain that structure, and any changes in said structure could require a complete redesign. That is often overlooked in my experience. For your company it doesn't make sense to limit the HR access because it's simply not feasible. You're still following the principle of least privilege because you're still not giving them access to the Information Technology folder, but you had to make some sacrifices in security for ease of operation and gave them full access to HR and Accounting. For a small business that's usually acceptable. However, if you work for a larger business, the amount of time spent to secure that data is more often than not worth the time and effort.

     There are countless ways to handle the situation above, but hopefully that gave a decent example of what the principle means in a business environment and that there is no single way to handle file access. There's a ton of variables to consider, and in the end it's up to your IT and Business employees to come together and agree on a solution that works for everyone. As long as you keep the principle of least privilege in mind in those negotiations, you're already ahead of the pack, in my book at least.

     Thanks for the consideration and, more importantly, thank you for the tech quickie (and other) channels your team produces.
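The trade-off in the post above, put into numbers: this added example is not part of the original post and compares a coarse plan (grant whole root folders) with a fine-grained plan (grant only needed subfolders) by permission entries to maintain versus excess access. The three root folder names come from the post; the subfolder names, the `HR_NEEDS` set and all function names are assumptions made for illustration.

```python
# Root folder names follow the post's Z:\ example; subfolders and HR_NEEDS
# are constructed sample data (assumptions, not taken from the post).
SHARE = {
    "Human Resources": ["Hiring", "Benefits", "Reviews"],
    "Accounting": ["Payroll", "Invoices", "Tax", "Budgets"],
    "Information Technology": ["Scripts", "Backups"],
}
HR_NEEDS = {
    "Human Resources/Hiring", "Human Resources/Benefits",
    "Human Resources/Reviews", "Accounting/Payroll", "Accounting/Invoices",
}

def reachable(grants, share):
    """Expand grants to subfolders; a grant on a root inherits to every subfolder."""
    out = set()
    for grant in grants:
        root, _, sub = grant.partition("/")
        if root not in share or (sub and sub not in share[root]):
            raise ValueError(f"unknown folder: {grant}")
        out.update(f"{root}/{s}" for s in ([sub] if sub else share[root]))
    return out

def coarse_plan(needs):
    """One entry per root folder that contains anything the group needs."""
    return {n.partition("/")[0] for n in needs}

def fine_plan(needs, share):
    """Grant a root only when every subfolder is needed, else per subfolder."""
    plan = set()
    for root, subs in share.items():
        wanted = {f"{root}/{s}" for s in subs} & needs
        if subs and len(wanted) == len(subs):
            plan.add(root)
        else:
            plan |= wanted
    return plan

def evaluate(plan, needs, share):
    """Maintenance cost (entries) against exposure (excess) and breakage (missing)."""
    got = reachable(plan, share)
    return {"entries": len(plan),
            "excess": sorted(got - needs),
            "missing": sorted(needs - got)}

if __name__ == "__main__":
    for name, plan in (("coarse", coarse_plan(HR_NEEDS)),
                       ("fine", fine_plan(HR_NEEDS, SHARE))):
        print(name, sorted(plan), evaluate(plan, HR_NEEDS, SHARE))
```

Both plans keep HR out of Information Technology; the coarse plan saves one entry here at the price of two Accounting subfolders HR does not need, and that gap grows with the number of subfolders.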