Least Privilege is a determination based on at least two key points of evaluation: what is necessary to perform a specific action, and the appropriateness of that grant.
Least Privilege necessary to ______, where the blank may be "read some sensitive data", "write to a file", "delete a record", or "log in with some level of administrative capability".
In practice, privileges are assigned in bundles in the form of a role, such as administrator, super-user, user, auditor, etc.
Need to Know: a business justification for some group gaining access to some system for some purpose. This is tied to a recognizable business outcome and can be vetted by the system owner, the requestor's management, project leadership or another source of authority.
Right to Know: the person or group requesting permissions presents the qualities necessary to perform their intended action. This must include, at a minimum, proof of identity & assignment (employment, active contract & function). It nearly always includes answers to key questions like:
- has adequate training been completed?
- have necessary certifications been verified?
- is the recipient's level of responsibility in the org in line with the responsibility required for the privilege (example: if the privilege gives rights to a set of data requiring disclosure only to directors and above)?
- have all required contracts/agreements been collected/verified?
Need to Know and Right to Know are used to determine Least Privilege.
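
The determination described above can be expressed as an access-request check. This is an added example, not part of the original page: it picks the smallest role bundle that covers the requested action, then applies the Need to Know and Right to Know tests. The privilege names, level numbers, authority identifiers and the `Request` and `decide` names are hypothetical.

```python
from dataclasses import dataclass
from typing import Optional

# Role names come from the text; the privilege bundles are constructed for illustration.
ROLES = {
    "user": {"write_file"},
    "auditor": {"read_sensitive"},
    "super-user": {"write_file", "delete_record", "read_sensitive"},
    "administrator": {"write_file", "delete_record", "read_sensitive", "admin_login"},
}
# Constructed: minimum responsibility level per privilege (3 = director and above).
MIN_LEVEL = {"read_sensitive": 3}
# Sources of authority that can vet a business justification (hypothetical identifiers).
AUTHORITIES = {"system_owner", "requestor_management", "project_leadership"}

@dataclass
class Request:
    action: str                 # fills the blank in "least privilege necessary to ____"
    approved_by: Optional[str]  # who vetted the business justification, if anyone
    org_level: int
    identity_verified: bool = True
    assignment_active: bool = True
    training_completed: bool = True
    certifications_verified: bool = True
    agreements_collected: bool = True

def decide(req):
    """Return (role, []) when granted, or (None, reasons) when denied."""
    covering = [r for r, privs in ROLES.items() if req.action in privs]
    if not covering:
        return None, [f"no role grants {req.action}"]
    # Least privilege: the smallest bundle that still covers the action.
    role = min(covering, key=lambda r: len(ROLES[r]))
    reasons = []
    # Need to know: justification vetted by a recognized authority.
    if req.approved_by not in AUTHORITIES:
        reasons.append("need to know: justification not vetted")
    # Right to know: identity, assignment and each qualifying question.
    for check in ("identity_verified", "assignment_active", "training_completed",
                  "certifications_verified", "agreements_collected"):
        if not getattr(req, check):
            reasons.append(f"right to know: {check} is false")
    # Assumption: the level check covers every privilege in the bundle, not only the one asked for.
    required = max(MIN_LEVEL.get(p, 0) for p in ROLES[role])
    if req.org_level < required:
        reasons.append(f"right to know: {role} requires level {required}")
    return (role, []) if not reasons else (None, reasons)
```

A level-1 requester asking to delete a record is denied here because the smallest covering bundle also grants read access to director-only data, which is the practical cost of assigning privileges in bundles.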