principle of least privilege (POLP)

DEFINITION - What is the principle of least privilege (POLP)?

The principle of least privilege (POLP) is the practice of limiting access to the minimal level that will allow normal functioning. Applied to employees, the principle of least privilege translates to giving people the lowest level of user rights that they can have and still do their jobs. The principle is also applied to things other than people, including programs and processes.

The principle of least privilege originated in the United States Department of Defense in the 1970s. The principle was designed to limit the potential damage of any security breach, whether accidental or malicious.

In a personal computing context, you can increase security by using an account without administrative rights. Operating in administrative mode can leave your system vulnerable to malicious code online that would be denied access if you were operating with lower permission levels. Some operating systems have least privilege built in. For example, Windows Vista's User Account Control (UAC) has two operational modes, one with and one without administrative privileges. Even in the latter mode, however, explicit permission is required for external system access.

A related concept, privilege bracketing, involves ensuring that when permission levels must be raised temporarily, the higher level is in effect for the briefest possible time. So, for example, you might log on to an administrative account when necessary for some task and immediately revert to a lower-level account as soon as that task is complete.
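Privilege bracketing applied to a process rather than a person, as an added example that is not part of the original definition: a context manager raises the effective user ID for one operation and always reverts, even on an exception. It assumes a POSIX system and a process that is allowed to switch to the privileged UID (for instance a service started as root that has already lowered its effective UID); the names `bracketed_privilege`, `open_privileged` and `audit` are hypothetical.

```python
import os
from contextlib import contextmanager


@contextmanager
def bracketed_privilege(privileged_uid, audit=None):
    """Hold privileged_uid as the effective UID only inside the with-block."""
    audit = audit if audit is not None else []
    baseline_uid = os.geteuid()      # the low-privilege identity to return to
    os.seteuid(privileged_uid)       # raises OSError if the OS refuses the switch
    audit.append(("raise", os.geteuid()))
    try:
        yield
    finally:
        # Runs on normal exit, on an early return, and on exceptions alike.
        try:
            os.seteuid(baseline_uid)
        finally:
            if os.geteuid() != baseline_uid:
                os._exit(70)         # fail closed: never continue while elevated
        audit.append(("drop", os.geteuid()))


def open_privileged(path, privileged_uid, audit=None):
    """Open path inside the bracket; reading and parsing happen after the drop."""
    with bracketed_privilege(privileged_uid, audit):
        return open(path, "rb")


if __name__ == "__main__":
    # Constructed demo: uses the current UID as the "privileged" one so it runs
    # without root; a real service would pass the UID it is permitted to assume.
    trail = []
    with open_privileged(__file__, os.geteuid(), trail) as fh:
        first_line = fh.readline()   # processed with the baseline identity
    print(trail, first_line)
```

Only the `open()` call runs with the raised identity; the returned file object is then read at the baseline level, which keeps the elevated window as short as the task allows.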

The principle of least privilege is also known as the principle of least authority (POLA).

LAST UPDATED: 30 Sep 2008

Read more about principle of least privilege (POLP):
- Wikipedia has an entry about the principle of least privilege.
- From MSDN, 'Least Privilege: Teach Your Apps To Play Nicely With Windows Vista User Account Control.'
- According to Red Hat security expert Steve Grubb, 'For Linux security, principle of least privilege prevails.'
- Marco Peretti of BeyondTrust answers questions about least privilege in a Windows context.

