8.2 Least Privilege and Separation of Duties

Key Takeaways

  • Least privilege grants only the access needed to perform an assigned task for an appropriate period of time.
  • Need to know limits access to information, while least privilege applies more broadly to systems, functions, and actions.
  • Separation of duties divides sensitive work so one person cannot complete a high-risk process alone.
  • Dual control and split knowledge are stronger controls for especially sensitive actions such as vault access or key management.
  • Excessive permissions increase the impact of compromise, mistakes, fraud, and insider misuse.

Last updated: April 2026

Key Concepts

Least privilege is one of the most testable and practical access control principles. It means a subject receives only the permissions required to perform assigned work, no more, and no longer than necessary. It is easy to say and hard to operate because access tends to accumulate. Employees change teams, projects end, contractors extend and leave, emergency access is granted, and temporary exceptions become permanent unless someone removes them.

A useful way to apply least privilege is to ask four questions. What task is the subject expected to perform? What object is required for that task? What exact action is required on that object? How long is the access needed? A marketing intern who prepares campaign reports may need read access to selected analytics dashboards for the summer. That intern does not need administrator access to the analytics platform, export rights for all customer records, or permanent access after the internship ends.
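The four questions map directly onto a grant record: subject, object, action, and a validity window. The following Python is an added example, not code from the page; the subjects, objects and dates are constructed. It evaluates a request against explicit grants only (anything not granted, or granted for a different action, is denied) and includes the periodic review that catches the accumulation problem described above: expired grants that were never removed and standing grants with no end date.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

UTC = timezone.utc


def at(year, month, day):
    """Helper for building UTC timestamps in the examples and tests."""
    return datetime(year, month, day, tzinfo=UTC)


@dataclass(frozen=True)
class Grant:
    """One answer to the four questions: who, which object, which action, for how long."""
    subject: str
    obj: str
    action: str
    granted: datetime
    expires: Optional[datetime]  # None means standing access with no end date


def is_permitted(grants, subject, obj, action, now):
    """Allow only an exact (subject, object, action) match inside its validity window.
    A grant for a different action on the same object does not count."""
    for g in grants:
        if (g.subject, g.obj, g.action) != (subject, obj, action):
            continue
        if g.granted <= now and (g.expires is None or now < g.expires):
            return True
    return False


def review_grants(grants, now, max_age=timedelta(days=90)):
    """Findings for an access review: expired grants should be removed; standing
    grants older than the review interval should be recertified or given an end date."""
    findings = []
    for g in grants:
        if g.expires is not None and g.expires <= now:
            findings.append((g, "expired: remove"))
        elif g.expires is None and now - g.granted > max_age:
            findings.append((g, "standing access past review interval: recertify or add an end date"))
    return findings


# Constructed sample grants (hypothetical subjects and objects, not from the page).
GRANTS = [
    # Summer intern: read selected dashboards, only for the internship.
    Grant("intern_jo", "analytics_dashboard", "read", at(2026, 6, 1), at(2026, 9, 1)),
    # A former contractor's admin grant that nobody removed when the engagement ended.
    Grant("contractor_pat", "analytics_platform", "administer", at(2024, 3, 10), None),
]

if __name__ == "__main__":
    july = at(2026, 7, 15)
    print(is_permitted(GRANTS, "intern_jo", "analytics_dashboard", "read", july))   # True
    print(is_permitted(GRANTS, "intern_jo", "customer_records", "export", july))    # False
    print(is_permitted(GRANTS, "intern_jo", "analytics_dashboard", "read", at(2026, 9, 15)))  # False
    for g, finding in review_grants(GRANTS, july):
        print(g.subject, g.obj, g.action, "->", finding)
```

The review function is the part most organizations skip: a grant with no end date is not wrong by itself, but it must be re-justified on a schedule, otherwise the access that was appropriate last year is still there after the person's job has changed.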

Need to know is closely related but narrower. It focuses on whether a subject needs specific information to do the job. A nurse may need to know a patient's medication list for treatment. A billing clerk may need insurance and invoice details but not full clinical notes. Least privilege includes need to know, but it also covers system actions like restart, approve, delete, configure, deploy, or create users.

Separation of duties, sometimes called segregation of duties, divides sensitive tasks among multiple people or roles. The goal is to prevent one person from having enough access to commit and hide an error or fraud. In finance, one person may create a vendor, another may approve the vendor, and a third may release payment. In software delivery, a developer may write code, but a separate reviewer approves the change and an automated pipeline deploys it. In identity administration, a manager may request access, an application owner approves it, and an identity team provisions it.

Separation of duties works well when the steps are meaningful. A weak process says two approvals are required but both approvals come from the same person using two accounts. A stronger process separates request, approval, implementation, and review. It also logs each step so the organization can prove who did what.

Exam Application

Dual control and split knowledge are related ideas. Dual control requires two authorized people to perform a sensitive action together, such as opening a secure facility or approving a large wire transfer. Split knowledge means no single person knows the entire secret, such as dividing a recovery key into parts. These controls are useful when the risk is high enough that normal role separation is not enough.
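Split knowledge and dual control can be shown concretely with a recovery key. The Python below is an added example, not from the page; the custodian names and the 16-byte key are constructed. The key is split by XOR into one part per custodian, so no part on its own carries any information about the key (split knowledge), and reconstruction refuses to proceed unless every custodian of record presents a part in person and no one presents two (dual control). Note that XOR with a missing part silently yields random bytes rather than an error, so the roster check is what actually enforces the control.

```python
import secrets
from dataclasses import dataclass


@dataclass(frozen=True)
class Share:
    custodian: str   # the person holding this part, never a login account
    part: bytes


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def split_secret(secret: bytes, custodians):
    """n-of-n XOR sharing: every part but the last is uniformly random and the last
    is chosen so that the XOR of all parts equals the secret. Any subset of fewer
    than n parts is statistically independent of the secret."""
    custodians = list(custodians)
    if len(custodians) < 2:
        raise ValueError("split knowledge needs at least two custodians")
    if len(set(custodians)) != len(custodians):
        raise ValueError("each custodian may hold only one part")
    parts = [secrets.token_bytes(len(secret)) for _ in custodians[:-1]]
    last = secret
    for p in parts:
        last = _xor(last, p)
    parts.append(last)
    return [Share(c, p) for c, p in zip(custodians, parts)]


def reconstruct(shares, custodians_of_record):
    """Dual control: rebuild the secret only when the set of people presenting parts
    is exactly the roster the secret was split across."""
    holders = [s.custodian for s in shares]
    if len(set(holders)) != len(holders):
        raise PermissionError("one custodian presented more than one part")
    expected = set(custodians_of_record)
    if set(holders) != expected:
        raise PermissionError(f"parts present from {sorted(holders)}, required {sorted(expected)}")
    result = bytes(len(shares[0].part))
    for s in shares:
        result = _xor(result, s.part)
    return result


def can_reconstruct(shares, custodians_of_record):
    """True if the presented parts satisfy the dual-control check."""
    try:
        reconstruct(shares, custodians_of_record)
        return True
    except PermissionError:
        return False


# Constructed example: a 16-byte recovery key shared between two custodians.
CUSTODIANS = ["custodian_a", "custodian_b"]

if __name__ == "__main__":
    key = secrets.token_bytes(16)
    shares = split_secret(key, CUSTODIANS)
    print(reconstruct(shares, CUSTODIANS) == key)        # True: both present
    print(can_reconstruct(shares[:1], CUSTODIANS))        # False: one person alone
```

Production systems usually want a threshold scheme (any k of n custodians) rather than all-of-n, so that one absent custodian does not block recovery; the roster and distinct-person checks stay the same in either case.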

Consider a small company where the office manager can create vendors, change bank account details, approve invoices, and issue payments. That may feel efficient, but it creates a large fraud risk and a large mistake risk. A better design may let the office manager enter invoices, require department manager approval for the purchase, and require finance approval before payment. The system can enforce amount limits, route exceptions, and log approvals.
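The separated process described earlier (distinct people for request, approval and implementation, with every step logged) and the office-manager scenario above can be enforced in software. The Python below is an added example, not code from the page; the accounts, people, roles and the 10,000 limit are constructed. The key design choice is that separation is checked per person, not per login account: the office manager deliberately has two accounts, and the second one still cannot supply the approval. Amount limits route large payments to an extra finance approval, and every attempt, accepted or denied, lands in the audit trail.

```python
from dataclasses import dataclass, field

# Constructed directory: login account -> (person, role). One person, two accounts,
# to show that separation of duties must be enforced on the person.
DIRECTORY = {
    "omgr":  ("alice", "office_manager"),
    "omgr2": ("alice", "office_manager"),
    "dlead": ("bob", "department_manager"),
    "fin1":  ("carol", "finance"),
    "fin2":  ("dave", "finance"),
}

STEP_ORDER = ["enter", "approve", "release"]   # mandatory sequence
ALLOWED_ROLES = {
    "enter":    {"office_manager"},
    "approve":  {"department_manager"},
    "escalate": {"finance"},                   # extra approval routed in for large amounts
    "release":  {"finance"},
}
ESCALATION_LIMIT = 10_000                      # constructed threshold


@dataclass
class Payment:
    vendor: str
    amount: int
    steps: dict = field(default_factory=dict)  # step -> person who performed it
    audit: list = field(default_factory=list)  # (step, account, person, outcome)

    def record(self, step, account):
        """Attempt a workflow step; returns True if accepted. Every attempt is logged."""
        person, role = DIRECTORY.get(account, (None, None))
        try:
            self._check(step, person, role)
        except PermissionError as why:
            self.audit.append((step, account, person, f"denied: {why}"))
            return False
        self.steps[step] = person
        self.audit.append((step, account, person, "ok"))
        return True

    def _check(self, step, person, role):
        if person is None:
            raise PermissionError("unknown account")
        # Separation of duties: compare people, not accounts.
        if person in self.steps.values():
            raise PermissionError(f"{person} already acted on this payment")
        if role not in ALLOWED_ROLES.get(step, set()):
            raise PermissionError(f"role {role} may not {step}")
        if step in STEP_ORDER:
            missing = [s for s in STEP_ORDER[:STEP_ORDER.index(step)] if s not in self.steps]
            if missing:
                raise PermissionError(f"prior steps incomplete: {missing}")
        if step == "escalate" and "approve" not in self.steps:
            raise PermissionError("escalation requires a completed approval")
        if step == "release" and self.amount > ESCALATION_LIMIT and "escalate" not in self.steps:
            raise PermissionError("amount above limit requires escalation approval")

    def released(self):
        return "release" in self.steps


def run_large_payment():
    """Walk a 25,000 payment through the process; returns the payment with its audit trail."""
    p = Payment("ACME Supplies", 25_000)
    p.record("enter", "omgr")       # ok
    p.record("approve", "omgr2")    # denied: alice again, via her second account
    p.record("approve", "dlead")    # ok
    p.record("release", "fin1")     # denied: above limit, no escalation yet
    p.record("escalate", "fin1")    # ok
    p.record("release", "fin1")     # denied: carol already acted on this payment
    p.record("release", "fin2")     # ok
    return p

if __name__ == "__main__":
    for entry in run_large_payment().audit:
        print(entry)
```

Because the denied attempts are logged alongside the accepted ones, a reviewer can later see not only who approved and released the payment but also that someone tried to approve their own entry, which is exactly the evidence the prose above says a strong process should be able to produce.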

The exam often presents least privilege as the best answer when a user has too much access for a task. It presents separation of duties when one person controls an entire high-risk process. Both principles are preventive controls. They reduce the chance that a single compromised account, careless action, or dishonest user can cause broad harm.

The practical challenge is balance. Too little access slows work and encourages workarounds. Too much access increases risk. Good access design is specific, reviewed, time bounded when appropriate, and aligned to real job duties.

Test Your Knowledge

A contractor needs to update one web page for a two-week project. Which access assignment best follows least privilege?

One employee can create vendors, approve invoices, and issue payments. Which control would best reduce fraud risk?

Which scenario best illustrates need to know?
