5

I'm studying for CISSP. Are least privilege, need to know and confidentiality all the same thing?

In my book it says "confidentiality is sometimes referred to as the principle of least privilege" and also in the index it has in parenthesis (need to know).

I found this site, which claims need to know is an extension of least privilege: http://simplicable.com/new/principle-of-least-privilege

And I found this practice question:

What is the difference between least privilege and need-to-know?

and the answer given is:

A user should have a need-to-know to access particular resources; least privilege should be implemented to ensure she only accesses the resources she has a need-to-know.

though I don't follow the reasoning.

Celeritas

5 Answers

6

Depending on how you look at it, they are shades of the same thing. The confusion comes in when the same terms are used for other things, too.

The principle of "least privilege" states that one should only have access to what they need and nothing more. Extend this idea to "confidentiality of data" and you end up with "need to know".

To put it another way, to keep data confidential, you need to make sure that only those who need access to that data have access, and no one else. Again, it's a form of "need to know" and "least privilege".

I would not say that the 3 ideas are the same idea, but to achieve "confidentiality", you end up needing to employ "least privilege", and by extension, "need to know".

BTW, the quote you have is dealing with the application of "least privilege" as its own idea apart from "need to know", which is valid. Least privilege can be applied to access and capability as well as to the confidentiality of data.

schroeder

  • Is it that "least privilege" can apply to many things such as processes, users, use of assets but "need to know" is "least privilege" applied to data? Do I understand that correctly? – Celeritas Feb 18 '16 at 07:19
  • @Celeritas that's right – schroeder Feb 18 '16 at 07:24
2

Let's say James Bond has "secret" clearance. That's his privilege. Should he have "top secret"? No. For a variety of reasons, even though he's James Bond, he has the least privilege he needs: He doesn't need to know "top secret" things, so his (least) privilege level is set to "secret."

Now, suppose Bond is battling evil in Jamaica. He gets to know rather a lot about Jamaica because of his "need to know." Does he also get to know "secret" information about Cuba? No. At present, he doesn't need to know that.

And by the way: His "license to kill"? That's more about a capability, and thus more like, say, getting write access to a file; and, thus, more an aspect of his privilege rather than his "need" to exploit it in a certain place. Indeed, if James shot someone in Cuba while on a mission regarding Jamaica, M would probably be pretty pissed unless James could prove that the Cuba killing was essentially to his "needs" regarding his Jamaica work.

John
1

Need to know means the user has a legitimate reason to access something. Least privilege can then be implemented to limit that access and limit what the user can do with that something. For example, after it is determined that a user has a business need to access ('need to know') user data, the 'least privilege' question then is what KIND of access should they have to that user data? Read Only? Update? Delete? Give the user the least amount of privilege they need to get their need done.

Doug
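As an added illustration of Doug's two-step reasoning (and of the clearance/compartment story in the James Bond answer), not code from any of the posts: a small Python authorization check that applies need-to-know first (clearance high enough plus a justified compartment) and least privilege second (the requested operation must be inside the minimal set granted). The subject, resource, compartment and operation names are constructed for the example.

```python
from dataclasses import dataclass
from enum import IntEnum

class Level(IntEnum):
    UNCLASSIFIED = 0
    SECRET = 1
    TOP_SECRET = 2

@dataclass(frozen=True)
class Resource:
    name: str
    level: Level        # classification of the data
    compartment: str    # mission / business area the data belongs to

@dataclass(frozen=True)
class Subject:
    name: str
    clearance: Level
    need_to_know: frozenset  # compartments with a vetted business justification
    privileges: dict         # compartment -> frozenset of operations granted

def has_need_to_know(subject, resource):
    # Gate 1: may this person see this data at all? Clearance must cover the
    # classification AND the compartment must be one they are justified in.
    return (subject.clearance >= resource.level
            and resource.compartment in subject.need_to_know)

def within_least_privilege(subject, resource, op):
    # Gate 2: access is justified, but is this KIND of access (read/update/
    # delete) inside the minimal set granted for that compartment?
    return op in subject.privileges.get(resource.compartment, frozenset())

def authorize(subject, resource, op):
    # Returns (allowed, reason); the reason names the gate that denied, which
    # is what a reviewer wants to see in the access log.
    if not has_need_to_know(subject, resource):
        return False, "denied: no need-to-know"
    if not within_least_privilege(subject, resource, op):
        return False, f"denied: '{op}' exceeds least privilege"
    return True, "allowed"

# Constructed sample: Bond holds SECRET clearance, is justified on the Jamaica
# mission only, and there has been granted read access and nothing more.
BOND = Subject("Bond", Level.SECRET, frozenset({"jamaica"}),
               {"jamaica": frozenset({"read"})})
JAMAICA_OPS = Resource("jamaica-ops", Level.SECRET, "jamaica")
CUBA_OPS = Resource("cuba-ops", Level.SECRET, "cuba")
JAMAICA_TS = Resource("jamaica-plans", Level.TOP_SECRET, "jamaica")
```

Logging which gate denied (need-to-know versus least privilege) keeps the two questions separate in the audit trail, which is the distinction the practice question is getting at.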
-1

Need-to-know generates the requirement for some action. Least-Privilege is the implementation of the posed requirement. From this perspective, (first) need-to-know ---> (then) least-privilege.

-1

Least Privilege is a determination based on two key points of evaluation (at least) for what is necessary to perform a specific action and the appropriateness of that grant.

Least Privilege necessary to ______, where the blank may be "read some sensitive data", "write to a file", "delete a record", "log in with some level of administrative capability".

In practice privileges are assigned in bundles in the form of a role such as: administrator, super-user, user, auditor, etc.

Need to Know: a business justification for some group gaining access to some system for some purpose. This is tied to a recognizable business outcome and can be vetted by the system owner, the requestor's management, project leadership or other source of authority.

Right to Know: the person or group which is requesting permissions presents the qualities necessary to perform their intended action. This must be, at a minimum, proof of identity & assignment (employment, active contract & function). It nearly always includes answers to key questions like:

  • has adequate training been completed
  • have necessary certifications been verified
  • is the recipient's level of responsibility in the org in line with the responsibility required for the privilege (example: if the privilege gives rights to a set of data requiring disclosure only to directors and above)
  • have all required contracts/agreements been collected/verified

Need to Know and Right to Know are used to determine Least Privilege.

BenH