The Principle of Least Privilege states that a user (or service) should be given the absolute bare minimum privileges required in order to fulfil its function.

On the surface, how could this possibly be bad? If I have everything I need in order to do my job then by definition I have everything I need. Likewise, if my app has all the privileges it needs in order to function correctly then, again, by definition it can function correctly. Right?

For the purpose of this post I’m going to focus on application security.

Where this all falls down is in defining “least privilege” in a sensible manner. How do we normally decide what privileges an application will require? When we decide on what the application will do, of course. And how do we decide what an application will do? We gather our requirements, of course. And when do we do this? We (of course, of course) gather all our requirements up-front, because that’s how we roll.

To rephrase that:

  1. We gather our requirements up-front.
  2. We know these requirements to be inaccurate, incomplete or just plain wrong.
  3. We set our security policies according to these requirements.
  4. We have our policies “signed off” by some governance group or other.
  5. We send our security requirements off to our sysadmins to implement in the form of AD security groups, firewall ACLs, database grants and so on.

In other words:

We send our known-broken security requirements, based on our known-broken application requirements, off to be set in stone before we ever even ship our application.

If you’re going to set strict security policies for your app then your development team should be responsible - and held accountable - for setting sensible policies and updating them quickly as the requirements change. If instead you wrap security policies in endless red tape then don’t be surprised when 1) people ask for more privileges than they need, just to avoid the administrative pain of asking again later; and 2) your project ends up with a sub-optimal result because of a bunch of undocumented security work-arounds that decrease your overall security anyway.

You’re likely to be much better served by frequent automated and manual audits of both production and non-production environments to identify mismatches between organisational policy and the actual configuration - in both directions: privileges that were granted but nothing uses (revoke them), and privileges that are in use but nobody ever approved (the undocumented work-arounds from the previous paragraph, which either need a policy update or need to go).
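As an added illustration of that audit (this is not code from the original post), here is a small Python script that diffs a declared privilege policy against an inventory of what is actually granted and a record of what was actually used over the audit window. The principals, group names and privilege strings are constructed sample data; in practice the three dictionaries would be populated from exports of AD group membership, database grants, firewall rules and access logs.

```python
"""Audit declared privilege policy against actual grants and observed usage.

Added example, not the original post's code. Every principal and privilege
below is constructed sample data standing in for real AD groups, DB grants,
firewall ACLs and access-log entries.
"""
from dataclasses import dataclass
from typing import Dict, List, Set

Grants = Dict[str, Set[str]]  # principal -> set of privileges


@dataclass
class Finding:
    principal: str
    privilege: str
    kind: str        # "excess", "missing" or "unused"
    note: str = ""


# Constructed: the policy that was "signed off" before the app shipped.
POLICY: Grants = {
    "svc-orders":  {"db:orders:read", "db:orders:write", "queue:orders:publish"},
    "svc-reports": {"db:orders:read", "storage:reports:write"},
}

# Constructed: what an automated inventory of the environment actually shows.
ACTUAL: Grants = {
    "svc-orders":  {"db:orders:read", "db:orders:write", "queue:orders:publish",
                    "db:customers:read"},                 # undocumented work-around
    "svc-reports": {"db:orders:read", "db:orders:write"},  # asked for "just in case"
    "svc-legacy":  {"db:orders:write"},                    # no policy exists for it
}

# Constructed: privileges seen in use during the audit window (from logs).
USED: Grants = {
    "svc-orders":  {"db:orders:read", "db:orders:write", "db:customers:read"},
    "svc-reports": {"db:orders:read"},
    "svc-legacy":  set(),
}


def audit(policy: Grants, actual: Grants, used: Grants) -> List[Finding]:
    """Report mismatches in both directions, plus approved grants nothing exercises."""
    findings: List[Finding] = []
    # Union of principals so an unpoliced principal (svc-legacy) is not missed.
    for principal in sorted(set(policy) | set(actual)):
        declared = policy.get(principal, set())
        granted = actual.get(principal, set())
        exercised = used.get(principal, set())
        # Granted but not approved: either a stale policy or a silent work-around.
        for priv in sorted(granted - declared):
            note = ("in use: policy is stale or a work-around was never documented"
                    if priv in exercised else "not in use: revoke")
            findings.append(Finding(principal, priv, "excess", note))
        # Approved but never actually granted: the app will fail or has routed around it.
        for priv in sorted(declared - granted):
            findings.append(Finding(principal, priv, "missing",
                                    "policy says yes, environment says no"))
        # Approved and granted but unused: the requirement was wrong, shrink the policy.
        for priv in sorted((granted & declared) - exercised):
            findings.append(Finding(principal, priv, "unused",
                                    "approved but never exercised: candidate for removal"))
    return findings


def summarise(findings: List[Finding]) -> Dict[str, int]:
    """Count findings per kind, handy for tracking drift between audit runs."""
    counts: Dict[str, int] = {}
    for f in findings:
        counts[f.kind] = counts.get(f.kind, 0) + 1
    return counts


if __name__ == "__main__":
    for f in audit(POLICY, ACTUAL, USED):
        print(f"{f.kind:8} {f.principal:12} {f.privilege:24} {f.note}")
    print(summarise(audit(POLICY, ACTUAL, USED)))
```

The "excess, in use" finding is the interesting one: it is the work-around that was never written down, and the decision of whether to bless it or rip it out belongs with the development team that owns the policy. Running the same diff against non-production environments catches the drift earlier, before it becomes something production depends on.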

TL;DR: Hire smart people. Trust them. Get out of their road. Check their homework. Hold them accountable.