Least Privilege vs Need To Know — CISSP Confusion Masters

Dave On Cyber
3 min readDec 10, 2022


“Need to know” and “Least Privilege” — are they different concepts, the same thing, or simply a source of confusion?

For me, they are the confusion masters of CISSP.

Need to know — It’s about whether the user (subject) has a legitimate reason to access a resource (object).

Least privilege — It’s about implementing appropriate role-based access control: granting only the specific permissions required by a role or job function.

Least Privilege vs Need To Know (This sketch is elaborated on later in the article)

First comes the need to know, which decides which information the user should know. Then comes the least privilege, which implements the relevant access controls.

Understand that “Need to know” and “Least privilege” are not two different concepts. They complement each other.

Think of “Least privilege” as an extension of “Need to know.”

Let’s understand with a simple example/analogy — you have a broken tap in the ground-floor bathroom and a broken shower in the first-floor bathroom. You called a plumber. The plumber only needs to visit the bathrooms on the ground and first floors; there is no need to enter or see your bedrooms, laundry or kitchen (this is Need to know).

Remember — with Need to know, there is no action as yet. It’s all about determining what may be accessed.

Then you allow the plumber only to fix the tap on the ground floor and the shower on the first floor (this is the least privilege).

Because least privilege grants only a specific permission on a specific resource/object, the plumber cannot perform any other action in the bathroom.

In a nutshell, the Need to know is the foundation of primary access. Once we determine the Need to know, we can use the principle of least privilege for granular control.

Let’s elaborate on our sketch from the introduction. Need to know operates at a high level. I would restrict the user's access to circle objects entirely, because their job function has no need to know them.

Least privilege then opens the door to access, but only to some things. We can create role-based access control (RBAC) based on the job function. In our sketch, a user has read-write access to square objects and read-only access to triangle objects.

A few more examples

Need to know — There are 500 rooms in the hotel. You are allowed to check in to only Room 346

Least privilege — You can only listen to the radio inside Room 346 and access the shower and bed. You can’t do anything else. Note, even if there is a TV and video game, you can’t play because your access is restricted.

Need to know — There are ten screens in the multiplex theatre. You are allowed to enter Cinema 02.

Least privilege — You can watch a movie if you sit anywhere in Row K.
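The two-stage idea in the sketch (and in the hotel and cinema analogies) can be written down as a small default-deny authorization check. The following is an added example, not code from the original post; the role name `analyst`, the object classes `circle`/`square`/`triangle` and the permission sets are assumptions taken from the sketch. Stage one answers "should this subject see this class of object at all?" (need to know, no action yet); stage two answers "which specific action may they perform on it?" (least privilege). A consistency check is included because the most common real-world defect is a permission granted on something the role was never supposed to know about.

```python
"""Two-stage authorization: need to know first, then least privilege (default deny)."""
from dataclasses import dataclass


@dataclass
class Role:
    name: str
    need_to_know: frozenset   # object classes this job function has a legitimate reason to access
    permissions: dict         # object class -> set of allowed actions within that scope


# Constructed sample role matching the sketch: no need to know for circles,
# read-write on squares, read-only on triangles.
ANALYST = Role(
    name="analyst",
    need_to_know=frozenset({"square", "triangle"}),
    permissions={
        "square": {"read", "write"},
        "triangle": {"read"},
    },
)


def need_to_know_check(role, obj_class):
    """Stage 1: does the subject's job function have a legitimate reason to access this class?"""
    return obj_class in role.need_to_know


def least_privilege_check(role, obj_class, action):
    """Stage 2: within the scope, is this specific action granted? Anything unlisted is denied."""
    return action in role.permissions.get(obj_class, set())


def authorize(role, obj_class, action):
    """Return (allowed, reason). Need to know is evaluated before any permission is considered."""
    if not need_to_know_check(role, obj_class):
        return False, "denied: no need to know for object class %r" % obj_class
    if not least_privilege_check(role, obj_class, action):
        return False, "denied: least privilege does not grant %r on %r" % (action, obj_class)
    return True, "allowed"


def visible_objects(role, objects):
    """Need-to-know filter: the objects a subject should even see. No action is performed here."""
    return [obj for obj in objects if need_to_know_check(role, obj["class"])]


def policy_consistency_errors(role):
    """Object classes that carry permissions although the role has no need to know them.
    Such entries are harmless under authorize() (stage 1 blocks them) but signal a
    policy mistake that should be removed rather than relied on."""
    return sorted(cls for cls in role.permissions if cls not in role.need_to_know)


if __name__ == "__main__":
    # Constructed inventory of objects by class.
    inventory = [{"id": 1, "class": "circle"},
                 {"id": 2, "class": "square"},
                 {"id": 3, "class": "triangle"}]
    print("visible:", [o["id"] for o in visible_objects(ANALYST, inventory)])
    for obj_class, action in [("square", "write"), ("triangle", "write"), ("circle", "read")]:
        print(obj_class, action, authorize(ANALYST, obj_class, action))
    print("policy errors:", policy_consistency_errors(ANALYST))
```

Running the block shows the analyst seeing only objects 2 and 3, being allowed to write a square, refused a write on a triangle, and refused even a read on a circle with a reason that names the need-to-know stage rather than a permission. Keeping the two stages as separate functions makes it easy to audit each one on its own: the need-to-know sets are reviewed with the business owner, the permission sets with the system owner.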

Controlling access to sensitive information is one aspect of security. Learn about public key cryptography and digital signatures to expand your knowledge of achieving confidentiality and integrity.


Written by Dave On Cyber

I share my CISSP knowledge, industry insight and learning approach through articles, digital sketches and short films. https://www.daveoncyber.com/
