The concept of giving users the minimum level of access they need.
The Principle of Least Privilege (PoLP) is a foundational concept in information security. It asserts that a user, program, or process should have only the minimum set of privileges and access rights necessary to perform its intended function, and nothing more. Those privileges should also be held for the minimum duration possible. The goal is to limit the damage that can result from an accident, error, or malicious attack: if an account is compromised, the attacker gains only the limited permissions of that account rather than free rein over the entire system.

For example, a marketing employee's account should have access to marketing documents and tools but not to the company's source code repositories or financial databases. If that account is compromised through a phishing attack, the attacker's 'blast radius' is contained within the marketing department's resources.

Applying PoLP involves several practices. It requires a thorough understanding of the tasks performed by different users and applications in order to assign the correct level of permissions. It is closely tied to Role-Based Access Control (RBAC), where roles are designed with least privilege in mind. It also means running services and applications at the lowest possible privilege level. For instance, a web server should not run as the 'root' or 'administrator' user, because a vulnerability in the web server could then lead to a complete compromise of the machine.

By consistently applying the Principle of Least Privilege across an organization, you significantly reduce the overall attack surface and mitigate the impact of security breaches.
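As an added illustration (not part of this entry), the following Python sketch models a deny-by-default RBAC authorizer with time-limited grants, so that both the "minimum privileges" and the "minimum duration" halves of the principle are visible; the role table, resource names and the account "alice" are constructed for the example.

```python
import time
from dataclasses import dataclass, field

# Hypothetical role table, constructed for this example. Each role carries only
# the (resource, action) pairs its job function needs; anything absent is denied.
ROLE_PERMISSIONS = {
    "marketing": {("marketing-docs", "read"), ("marketing-docs", "write"),
                  ("campaign-tool", "use")},
    "developer": {("source-repo", "read"), ("source-repo", "write")},
    "finance": {("finance-db", "read")},
}

@dataclass
class Grant:
    """A just-in-time permission with an expiry, so elevation lasts only as long as needed."""
    resource: str
    action: str
    expires_at: float  # Unix epoch seconds

@dataclass
class Account:
    name: str
    roles: set
    grants: list = field(default_factory=list)

def is_allowed(account, resource, action, now=None):
    """Deny by default: allow only if a role or a still-valid grant covers the request."""
    now = time.time() if now is None else now
    if any((resource, action) in ROLE_PERMISSIONS.get(r, set()) for r in account.roles):
        return True
    return any(g.resource == resource and g.action == action and now < g.expires_at
               for g in account.grants)

def blast_radius(account, now=None):
    """Everything the account can reach right now: what a compromise would hand over."""
    now = time.time() if now is None else now
    reach = set()
    for r in account.roles:
        reach |= ROLE_PERMISSIONS.get(r, set())
    reach |= {(g.resource, g.action) for g in account.grants if now < g.expires_at}
    return sorted(reach)

if __name__ == "__main__":
    alice = Account("alice", {"marketing"})
    t0 = 1_700_000_000  # constructed "now"
    print(is_allowed(alice, "marketing-docs", "read", t0))   # True
    print(is_allowed(alice, "source-repo", "read", t0))      # False: not a marketing need
    alice.grants.append(Grant("finance-db", "read", t0 + 3600))  # one-hour elevation
    print(is_allowed(alice, "finance-db", "read", t0 + 7200))    # False: grant expired
    print(blast_radius(alice, t0 + 7200))
```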