The Principle of Least Privilege

Posted by Rob Schnetzer on Thu, Mar, 07, 2019 @ 11:03 AM

What is the principle of least privilege, and why is it important for your business? 

In this brief video, Sagiss CTO Jim Lancaster explains the concept of least privilege: why it matters and how you can incorporate it into your organization’s IT security plan.

Principle of Least Privilege


What is "Least Privilege"?

The concept of least privilege is all about controlling access to data and making sure that only the people who need access to data actually have access to that data. For example, the people in sales only have access to sales data and the people in accounting only have access to accounting data. It’s a way of partitioning off your data into ‘islands’ so if one area is breached it doesn’t mean that the whole system is breached.

Tips for Implementation

The reason some companies struggle to implement least privilege is that they’ve been doing things wrong for a long time and they’ve got a very unorganized pile of data out on a server or whatever system they’re using. Instilling or retrofitting some sort of organization on top of it seems like a challenge. The first step is always the hardest.

How we generally approach least privilege is to create a new structure and then move the data into the new structure and work through any issues. In the end I believe it is something everyone should implement because it’s really all about protecting data and corporate information: protecting it from ransomware, from malicious outsiders and from employees gaining access to things they shouldn’t. It’s really very important that companies implement something like this. 

Best Practices

A rule of thumb for us is never to grant privileges explicitly to an end user; you always grant privileges to a group. That way you know who has access to what by their group membership. This is all built into Windows Active Directory, it’s part of Windows server and it’s very simple to administer. It’s available to everybody.  


If you have questions about the principle of least privilege or any aspect of small business cybersecurity, contact Sagiss today.