Against 'Least Privilege'
By steffo on May 16, 2007
The principle of 'least privilege' (LP) states that a subject should have access to the smallest number of objects necessary to perform some task (p. 242 of Security in Computing, by C. Pfleeger, 1997 Prentice Hall). I never questioned this principle until I came into contact with Identity Management. The more I looked at the management side of security rather than at its technical side, the more I found that in most cases LP leads to systems whose security is more difficult to manage. These systems are less secure than a system which doesn't follow the LP paradigm.
Tales from the field: a company with 5000 employees has 3000 AD groups (I didn't count the RACF groups, but there are many). The big question is: how many business roles (e.g. sales rep, developer) exist in this company? The sales rep role might imply membership in 10 LDAP groups, so the pure number of LDAP groups doesn't say anything about least privilege. The number of business roles varies from company to company. One of my customers told me that an organization having 1000 employees should have at most 50 (five percent!) business roles, otherwise there is no organizational benefit from a role model.
I think if an organization's number of roles is ten percent of its headcount, that's still a good number. I met other customers who do not even have roles but maintain a list of privileges for each individual user (according to LP).
To me it seems that LP prevents organizations from achieving a low number of roles, which in turn means that it prevents you from defining a proper security management structure. I'm willing to give up LP as a general principle (and maybe use audit facilities to monitor access rather than to prevent access). LP must be questioned from a practical standpoint, and in many cases LP is a requirement that comes from regulations rather than from reality.
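The argument above turns on two numbers that an identity team can actually measure: how many distinct entitlement bundles (candidate business roles) exist, and how that count compares with the headcount thresholds quoted in the post (five or ten percent). The following script is an added example, not code from the original post or from any product the author mentions. It works on a constructed, made-up set of AD/LDAP group memberships, treats every distinct membership set as a candidate role, reports the role-to-user ratio against the ten percent target, and lists the users whose entitlement set is unique, i.e. the individually maintained privilege lists the post describes. For each such user it also shows which groups exceed the nearest shared role, which is exactly the set of grants an audit-based approach would watch rather than prevent.

```python
from collections import defaultdict

# Constructed sample data (not from the post): user -> set of directory groups.
# Three sales reps and two developers share identical bundles; frank holds the
# developer bundle plus one extra group; grace is a one-off HR account.
MEMBERSHIPS = {
    "alice": {"crm_read", "crm_write", "vpn", "mail"},
    "bob":   {"crm_read", "crm_write", "vpn", "mail"},
    "carol": {"crm_read", "crm_write", "vpn", "mail"},
    "dave":  {"git", "ci", "vpn", "mail"},
    "erin":  {"git", "ci", "vpn", "mail"},
    "frank": {"git", "ci", "vpn", "mail", "prod_db_admin"},
    "grace": {"hr_sys", "mail"},
}


def mine_roles(memberships):
    """Group users by identical entitlement set.

    Each distinct frozenset of groups is one candidate business role; the
    value is the sorted list of users who hold exactly that bundle.
    """
    roles = defaultdict(list)
    for user, groups in memberships.items():
        roles[frozenset(groups)].append(user)
    return {role: sorted(users) for role, users in roles.items()}


def distinct_groups(memberships):
    """All groups referenced anywhere; this is the 'raw group count' the post
    says tells you nothing about least privilege on its own."""
    return set().union(*memberships.values())


def singleton_users(memberships):
    """Users whose entitlement set nobody else shares (per-user privilege lists)."""
    return sorted(
        user
        for users in mine_roles(memberships).values()
        if len(users) == 1
        for user in users
    )


def exceptions(memberships):
    """For each singleton user, the groups beyond the nearest shared role.

    'Nearest' is the multi-user role with the largest overlap; the leftover
    groups are the individual grants worth auditing.
    """
    roles = mine_roles(memberships)
    shared = [role for role, users in roles.items() if len(users) > 1]
    result = {}
    for user in singleton_users(memberships):
        groups = memberships[user]
        if not shared:
            result[user] = set(groups)
            continue
        nearest = max(shared, key=lambda role: len(role & groups))
        result[user] = set(groups - nearest)
    return result


def assess(memberships, max_role_ratio=0.10):
    """Summarise the role model against a roles-per-user target.

    The 0.10 default is the ten percent figure from the post; the stricter
    customer heuristic quoted there would be 0.05.
    """
    roles = mine_roles(memberships)
    n_users = len(memberships)
    n_roles = len(roles)
    ratio = n_roles / n_users
    return {
        "users": n_users,
        "groups": len(distinct_groups(memberships)),
        "roles": n_roles,
        "role_ratio": round(ratio, 3),
        "within_target": ratio <= max_role_ratio,
        "singletons": singleton_users(memberships),
    }


if __name__ == "__main__":
    summary = assess(MEMBERSHIPS)
    for key, value in summary.items():
        print(f"{key}: {value}")
    for user, extra in exceptions(MEMBERSHIPS).items():
        print(f"audit {user}: groups beyond nearest shared role = {sorted(extra)}")
```

On the constructed data the seven users collapse into four candidate roles (a ratio far above ten percent, as expected for a tiny sample), and two of those roles are held by a single person. Run against a real directory export, the same functions give the role count the post asks about, and the per-user exception list is the input a monitoring-based control would review.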