Principle 7 - The Principle of Least Privilege

Detail

Services should be designed so that users or processes gain access only to the functions and information for which they have been authoritatively granted access privileges, whether explicitly or implicitly.

Where these permissions are recorded as attributes of the user identity used for the system access, they should be obtained from, and applied as provided by, the trusted identity service that manages and stores them.
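The following is an added illustration of this principle, not code from the original document or any referenced standard. It shows a default-deny enforcement layer in which a service derives a caller's effective rights from identity claims (explicit per-identity permissions plus those implied by group membership) and refuses any function for which no grant exists. The claim structure, group names and permission strings are constructed for the example; it assumes the claims have already been verified as coming from the trusted identity service.

```python
"""Least-privilege enforcement driven by claims from a trusted identity service.

Added example: names, claim layout and permission strings are constructed,
not taken from any identity product or from the principles document.
"""
from dataclasses import dataclass, field
from functools import wraps

# Constructed: group-to-permission map as the identity service would publish it.
# Rights gained via group membership are the "implicit" grants; per-identity
# permissions in the token are the "explicit" ones.
GROUP_PERMISSIONS = {
    "finance-readers": {"invoice:read"},
    "finance-approvers": {"invoice:read", "invoice:approve"},
}


@dataclass(frozen=True)
class Identity:
    subject: str
    groups: frozenset = field(default_factory=frozenset)
    explicit_permissions: frozenset = field(default_factory=frozenset)

    def effective_permissions(self):
        """Union of explicit grants and those implied by group membership."""
        implied = set()
        for group in self.groups:
            implied |= GROUP_PERMISSIONS.get(group, set())
        return frozenset(self.explicit_permissions | implied)


class PermissionDenied(Exception):
    pass


def identity_from_claims(claims):
    """Build an Identity from verified token claims.

    Assumption: signature/issuer validation happened upstream, so the
    service consumes the attributes rather than maintaining its own copy.
    """
    return Identity(
        subject=claims["sub"],
        groups=frozenset(claims.get("groups", [])),
        explicit_permissions=frozenset(claims.get("permissions", [])),
    )


def requires(permission):
    """Default-deny guard: the call proceeds only if the caller holds `permission`."""
    def decorator(fn):
        @wraps(fn)
        def wrapper(identity, *args, **kwargs):
            if permission not in identity.effective_permissions():
                raise PermissionDenied(f"{identity.subject} lacks {permission}")
            return fn(identity, *args, **kwargs)
        return wrapper
    return decorator


@requires("invoice:read")
def view_invoice(identity, invoice_id):
    return {"invoice": invoice_id, "viewed_by": identity.subject}


@requires("invoice:approve")
def approve_invoice(identity, invoice_id):
    return {"invoice": invoice_id, "approved_by": identity.subject}


def can(identity, action, invoice_id):
    """True if `action` is permitted for `identity`; useful for audit checks."""
    try:
        action(identity, invoice_id)
        return True
    except PermissionDenied:
        return False


# Constructed claims, shaped as the identity service might issue them.
READER_CLAIMS = {"sub": "alice", "groups": ["finance-readers"]}
APPROVER_CLAIMS = {"sub": "bob", "groups": ["finance-approvers"]}
UNKNOWN_CLAIMS = {"sub": "mallory"}  # no groups, no permissions: denied everything

if __name__ == "__main__":
    for claims in (READER_CLAIMS, APPROVER_CLAIMS, UNKNOWN_CLAIMS):
        ident = identity_from_claims(claims)
        print(ident.subject, "read:", can(ident, view_invoice, "INV-1"),
              "approve:", can(ident, approve_invoice, "INV-1"))
```

The design point is that the service holds no permission table of its own: an identity with no claims gets nothing, and adding a right means changing the identity service's record rather than the application.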

Decision Evaluation Criteria

  • Has the service provider detailed an acceptable model and technical strategy for the application and enforcement of user access controls that complies with policy?
  • Does the service use an assured identity service for its provision of user access rights (Principle 4)?

Basis

  • NIST 26 - Implement least privilege
  • CSSLP - Enable and enforce the principle of least privilege