Solution: Least Privilege:: Definition of The Concept
Least Privilege:
A privilege on a computer is the ability of a user to operate on managed computer resources.
According to the principle of least privilege, users, systems, and processes should only have
access to the resources (systems, files, or networks) that are strictly necessary to accomplish
their assigned purpose. Reducing the privileges granted to a user to those needed for the assigned
tasks promotes accountability and reduces the risk of unintended exploitation. When privileges are
not needed, the operating system should disable them. For operations with severe repercussions,
such as installing software or removing a system file, the operating system typically prompts the
user to escalate their privilege (Lopez & Rubio, 2018).
Example:
In my house, I am the only one that has the right to install new software. To reduce the
likelihood of anyone installing anything that is malicious I require that they ask me to install it.
Everyone in the house runs as a normal user with reduced privileges, including me. I only use the
admin account to install new software or problem solve more complicated issues.
Process Isolation:
A process is a computer program that is executing. Each process has its own memory region, or
address space, that only it may access. Other processes cannot tamper with a program's address
space because it is isolated from theirs. On a computer, for instance, a database, a browser, and a
word processor all run in different address spaces. Process isolation assures that none of the
processes can affect the address space of the others.
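To make the "separate address space" point concrete, here is an added example (it is not from the original paper) that forks a child process, lets the child overwrite a variable, and shows that the parent's copy of that same variable is untouched. The variable name `balance` and the value 100 are constructed for the demonstration; the example assumes a POSIX system where `os.fork` is available.

```python
import os

# Constructed state: a value that lives in this process's address space.
balance = 100


def demonstrate_isolation():
    """Fork a child, let it overwrite `balance`, and report both views.

    Returns (parent_view, child_view). The child runs in its own
    (copy-on-write) address space, so its write never reaches the parent.
    """
    global balance
    read_fd, write_fd = os.pipe()  # one-way channel so the child can report back
    pid = os.fork()
    if pid == 0:
        # Child process: this assignment only changes the child's private copy.
        os.close(read_fd)
        balance = 0
        os.write(write_fd, str(balance).encode())
        os.close(write_fd)
        os._exit(0)  # leave immediately; do not run the parent's code below

    # Parent process: read what the child saw, then reap it.
    os.close(write_fd)
    child_view = int(os.read(read_fd, 32).decode())
    os.close(read_fd)
    os.waitpid(pid, 0)
    return balance, child_view


if __name__ == "__main__":
    parent_view, child_view = demonstrate_isolation()
    print(f"parent sees balance={parent_view}, child saw balance={child_view}")
```

The pipe is needed precisely because the two processes share no memory: the only way for the child to tell the parent what it saw is an explicit inter-process channel managed by the kernel.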
Example:
Day to day browsing on the web is never done on my primary work computer. I do casual
browsing on the web on a tablet that I make sure to keep up to date on patches. This allows me to
keep my primary work computer away from the majority of harmful and infected web sites I may
Granularity of Access:
Granularity of access control describes how finely access levels to a resource can be assigned
among different users. Whatever a user is allowed
Example:
I do not have admin privileges on my day to day account to reduce the likelihood that I
accidentally install something myself or come across something that uses a zero-day
vulnerability.
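The least privilege and granularity of access sections above describe the same mechanism from two sides: permissions are granted per user and per resource at a fine level (read, write, delete, admin), and a piece of work should run with only the subset it actually needs. The following is an added example, not code from the paper, that models both: a small deny-by-default policy with per-resource permissions, and a task wrapper that refuses any operation outside the scope it declared, even when the account running it holds more. The user names, paths, and permission names are constructed for the illustration.

```python
from dataclasses import dataclass, field
from enum import Flag, auto


class Perm(Flag):
    """Fine-grained access levels on a single resource."""
    NONE = 0
    READ = auto()
    WRITE = auto()
    DELETE = auto()
    ADMIN = auto()


@dataclass
class Policy:
    # grants[user][resource] -> permissions that user holds on that resource
    grants: dict = field(default_factory=dict)
    audit: list = field(default_factory=list)  # every decision, for accountability

    def grant(self, user, resource, perms):
        self.grants.setdefault(user, {})[resource] = perms

    def check(self, user, resource, needed):
        # Deny by default: no grant means Perm.NONE.
        held = self.grants.get(user, {}).get(resource, Perm.NONE)
        allowed = (held & needed) == needed
        self.audit.append((user, resource, str(needed), "allow" if allowed else "deny"))
        return allowed


class Task:
    """A unit of work that runs with only the permissions it declares it needs."""

    def __init__(self, policy, user, declared):
        self.policy = policy
        self.user = user
        self.declared = declared  # resource -> Perm this task needs

    def act(self, resource, perm):
        # Least privilege: even if the account holds more, the task may only
        # use what it declared up front; anything else is refused and logged.
        if (self.declared.get(resource, Perm.NONE) & perm) != perm:
            self.policy.audit.append((self.user, resource, str(perm), "deny: outside task scope"))
            return False
        return self.policy.check(self.user, resource, perm)


def demo():
    """Constructed scenario: one normal account and one admin account on a shared machine."""
    policy = Policy()
    policy.grant("alice", "/home/alice/notes.txt", Perm.READ | Perm.WRITE)
    policy.grant("alice", "/usr/bin", Perm.READ)
    policy.grant("alice-admin", "/usr/bin", Perm.READ | Perm.WRITE | Perm.ADMIN)

    results = {}
    results["read_notes"] = policy.check("alice", "/home/alice/notes.txt", Perm.READ)
    # Installing software means writing to /usr/bin: the normal account cannot.
    results["install_as_user"] = policy.check("alice", "/usr/bin", Perm.WRITE)
    results["install_as_admin"] = policy.check("alice-admin", "/usr/bin", Perm.WRITE)

    # A task that only needs to list /usr/bin runs under the admin account but
    # declares READ only, so an accidental write is blocked before the policy is asked.
    lister = Task(policy, "alice-admin", {"/usr/bin": Perm.READ})
    results["task_read"] = lister.act("/usr/bin", Perm.READ)
    results["task_write"] = lister.act("/usr/bin", Perm.WRITE)
    return results, policy.audit


if __name__ == "__main__":
    outcome, log = demo()
    print(outcome)
    for entry in log:
        print(entry)
```

The audit list is what turns least privilege into accountability: every allow and deny decision is recorded with the account, the resource, and the level requested, so an unexpected escalation attempt is visible after the fact.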
Abstraction:
Abstraction refers to the concept that anything complex can be perceived and expressed in a
more straightforward manner. Because they reduce the complexities of an entity to something
comprehensible, all models are abstractions. Abstraction helps with cybersecurity by
removing or decreasing any clutter that could distract a user or developer from making proper
use of a resource. Only include the information that is required, while minimizing the
Example:
My wife teaches meditation and frequently records audio to post on her web site or send to
clients. I have helped her by processing the audio to make it sound better and more professional.
This involves a lot of audio manipulation and settings. Sometimes she needs it quicker or I might
not be around so I have created a script that does most of this for her. This abstracts the
complicated settings making it easy for her to run the audio through.
References
Lopez, J., & Rubio, J. E. (2018). Access control for cyber-physical systems interconnected to the
Vahldiek-Oberwagner, A., Elnikety, E., Duarte, N. O., Sammler, M., Druschel, P., & Garg, D.
(2019). ERIM: Secure, efficient in-process isolation with protection keys (MPK). In 28th
Qi, H., Di, X., & Li, J. (2018). Formal definition and analysis of access control model based on
Selbst, A. D., Boyd, D., Friedler, S. A., Venkatasubramanian, S., & Vertesi, J. (2019, January).