CISSP Lens: Pick answers that align business risk, governance intent, and practical control execution.
Authorization and the Principle of Least Privilege: Giving People Exactly What They Need
Hook / Why this matters
Many breaches involve attackers using valid accounts that simply had too much access. Authentication worked, but authorization failed. Least privilege turns access control from a yes or no decision into a careful question of how much access is truly needed.
Core concept explained simply
Authorization determines what an authenticated user or system is allowed to do. Where authentication answers "who are you", authorization answers "what are you allowed to do".
Least privilege and need to know
The principle of least privilege says that every subject should have the minimum access necessary to perform assigned tasks, and no more. Need to know focuses this on information, granting access only to data required for a job function.
When applied effectively, least privilege:
- Reduces the impact of compromised accounts
- Limits the damage that mistakes or misuse can cause
- Simplifies audits and compliance reviews
Separation of duties
Separation of duties ensures that no single person can control all steps of a critical process. Examples include:
- One person creates a vendor record, another approves it
- One developer commits code, another approves deployment
- One employee requests a payment, another approves it
This reduces fraud and error risk. Authorization systems must enforce these separations technically; a separation that exists only as written policy is easily bypassed.
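As an added example, not code from the original page, here is what technical enforcement of separation of duties looks like in Python: a payment workflow records who performed each step and refuses a step when the same person already performed a conflicting one on the same transaction, with dual control on the final release. The step names, conflict pairs and actor names are constructed for the example.

```python
from __future__ import annotations

from dataclasses import dataclass, field

# Pairs of workflow steps that the same person may not perform on one transaction.
# Built from the examples in the text; a real policy would live in the
# application's workflow configuration. (Constructed for this example.)
CONFLICTING_STEPS = {
    frozenset({"create_vendor", "approve_payment"}),
    frozenset({"enter_invoice", "approve_payment"}),
    frozenset({"approve_payment", "release_payment"}),
}

# Steps that require two distinct people (dual control) before they count as done.
DUAL_CONTROL_STEPS = {"release_payment"}


class SeparationOfDutiesViolation(Exception):
    pass


@dataclass
class PaymentTransaction:
    txn_id: str
    # step name -> actors who performed it (more than one for dual-control steps)
    steps: dict[str, list[str]] = field(default_factory=dict)

    def actors_for(self, step: str) -> list[str]:
        return self.steps.get(step, [])


def perform_step(txn: PaymentTransaction, step: str, actor: str) -> PaymentTransaction:
    """Record that actor performed step, unless it conflicts with a step the
    same actor already performed on this transaction."""
    for done_step, done_by in txn.steps.items():
        if actor in done_by and frozenset({done_step, step}) in CONFLICTING_STEPS:
            raise SeparationOfDutiesViolation(
                f"{actor} already performed {done_step} on {txn.txn_id}; cannot also {step}"
            )
    if actor in txn.actors_for(step):
        raise SeparationOfDutiesViolation(f"{actor} already performed {step} on {txn.txn_id}")
    txn.steps.setdefault(step, []).append(actor)
    return txn


def is_complete(txn: PaymentTransaction, step: str) -> bool:
    """Dual-control steps need two different people; every other step needs one."""
    needed = 2 if step in DUAL_CONTROL_STEPS else 1
    return len(set(txn.actors_for(step))) >= needed


def run_workflow(txn_id: str, actions: list[tuple[str, str]]) -> tuple[bool, str]:
    """Apply (step, actor) pairs in order. Returns (finished, message)."""
    txn = PaymentTransaction(txn_id)
    for step, actor in actions:
        try:
            perform_step(txn, step, actor)
        except SeparationOfDutiesViolation as exc:
            return False, str(exc)
    if not is_complete(txn, "release_payment"):
        return False, "release_payment still needs a second releaser"
    return True, "payment released"


# Constructed scenarios. The first mirrors a single clerk doing every step.
FRAUD_ATTEMPT = [
    ("create_vendor", "clerk"),
    ("enter_invoice", "clerk"),
    ("approve_payment", "clerk"),
    ("release_payment", "clerk"),
]
CLEAN_FLOW = [
    ("create_vendor", "vendor_admin"),
    ("enter_invoice", "clerk"),
    ("approve_payment", "ap_manager"),
    ("release_payment", "treasury_1"),
    ("release_payment", "treasury_2"),
]

if __name__ == "__main__":
    print(run_workflow("PAY-1", FRAUD_ATTEMPT))  # blocked at approve_payment
    print(run_workflow("PAY-2", CLEAN_FLOW))     # (True, 'payment released')
```

The check is evaluated per transaction, not per role: a person may legitimately hold both the "enter" and "approve" entitlements for different invoices, but never both on the same one. That is why the policy lives next to the workflow state rather than only in the role definitions.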
Privilege escalation
Privilege escalation occurs when a user gains more privileges than intended.
- Vertical escalation: Gaining higher privileges than intended, such as a normal user obtaining administrator rights
- Horizontal escalation: Accessing another user's data or functions at the same privilege level, such as viewing someone else's inbox by changing an identifier in a request
Both usually trace back to authorization checks that are missing or inconsistently applied, for example an endpoint that validates the session but never confirms that the caller owns the object it asked for, or a privilege decision based on a value the client supplied.
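As an added example (not code from the original page), here is a minimal Python message store showing both escalation paths beside their hardened versions. The users, message ids and role names are invented for the example; the hardened functions check object ownership and a server-side role on every call.

```python
from __future__ import annotations

from dataclasses import dataclass


class AuthorizationError(Exception):
    """Raised when an authenticated caller is not allowed to do what it asked."""


@dataclass(frozen=True)
class User:
    user_id: str
    role: str  # "user" or "admin"; populated from the server-side session, never from request data


# Constructed sample data for the example; not from the page.
USERS = {
    "alice": User("alice", "user"),
    "bob": User("bob", "user"),
    "root": User("root", "admin"),
}


def make_inbox_store() -> dict[int, dict[str, str]]:
    """Fresh copy of a tiny message store keyed by message id."""
    return {
        101: {"owner": "alice", "body": "Q3 forecast draft"},
        102: {"owner": "bob", "body": "Payroll export"},
    }


# --- Vulnerable versions: authentication happened, authorization did not ---

def read_message_vulnerable(store: dict, caller: User, message_id: int) -> str:
    # Any signed-in user can read any message by guessing its id:
    # horizontal escalation (bob reads alice's inbox).
    return store[message_id]["body"]


def delete_message_vulnerable(store: dict, caller: User, message_id: int, is_admin: bool) -> bool:
    # The privilege decision trusts a flag the client sent with the request:
    # vertical escalation is a matter of sending is_admin=True.
    if not is_admin:
        raise AuthorizationError("admin only")
    store.pop(message_id, None)
    return True


# --- Hardened versions: check the object and the role on the server ---

def read_message(store: dict, caller: User, message_id: int) -> str:
    msg = store.get(message_id)
    # Object-level check: the caller must own the message or hold the admin role.
    if msg is None or (msg["owner"] != caller.user_id and caller.role != "admin"):
        # One error for "missing" and "not yours", so ids cannot be enumerated.
        raise AuthorizationError("no such message")
    return msg["body"]


def delete_message(store: dict, caller: User, message_id: int) -> bool:
    # Role comes from the caller's server-side record, not from the request body.
    if caller.role != "admin":
        raise AuthorizationError("admin only")
    store.pop(message_id, None)
    return True


def can_read(fn, store: dict, caller: User, message_id: int) -> bool:
    """True if fn lets caller read the message, False if it refuses."""
    try:
        fn(store, caller, message_id)
        return True
    except (AuthorizationError, KeyError):
        return False


if __name__ == "__main__":
    store = make_inbox_store()
    bob = USERS["bob"]
    print("vulnerable: bob reads alice's message:", can_read(read_message_vulnerable, store, bob, 101))
    print("hardened:   bob reads alice's message:", can_read(read_message, store, bob, 101))
    print("hardened:   bob reads his own message:", can_read(read_message, store, bob, 102))
```

Note that the hardened read returns the same error for a missing message and for someone else's message; returning "forbidden" for the latter would confirm to the attacker that the id exists.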
Privileged Access Management
Privileged Access Management (PAM) focuses on high value accounts such as system administrators, database administrators, and domain admins.
Modern PAM practices include:
- Vaulting shared or sensitive credentials
- Just in time elevation where admin access is granted temporarily for specific tasks
- Session recording and monitoring for privileged activity
This approach reduces the number of always privileged accounts and improves accountability.
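An added Python sketch, not from the page or any particular PAM product, of a just in time elevation broker: grants are requested with a justification, approved by someone other than the requester, carry an expiry, and are checked at every privileged action rather than once at login. Account names, target names and times are constructed for the example.

```python
from __future__ import annotations

from dataclasses import dataclass, field
from datetime import datetime, timedelta


class ElevationDenied(Exception):
    pass


@dataclass
class Grant:
    grant_id: int
    requester: str
    target: str                      # system the elevation applies to, e.g. "db-prod-01"
    justification: str
    requested_at: datetime
    ttl: timedelta
    approved_by: str | None = None
    approved_at: datetime | None = None

    def expires_at(self) -> datetime | None:
        return None if self.approved_at is None else self.approved_at + self.ttl

    def active(self, now: datetime) -> bool:
        # Usable only after approval and before the clock passes expiry.
        return self.approved_at is not None and now < self.expires_at()


@dataclass
class ElevationBroker:
    """Hands out time-boxed admin grants and records every decision."""
    max_ttl: timedelta = timedelta(hours=2)
    grants: dict[int, Grant] = field(default_factory=dict)
    audit_log: list[str] = field(default_factory=list)
    next_id: int = 1

    def request(self, requester: str, target: str, justification: str,
                now: datetime, ttl: timedelta) -> int:
        if ttl > self.max_ttl:
            raise ElevationDenied(f"ttl {ttl} exceeds policy maximum {self.max_ttl}")
        if not justification.strip():
            raise ElevationDenied("a justification (ticket or change reference) is required")
        g = Grant(self.next_id, requester, target, justification, now, ttl)
        self.grants[g.grant_id] = g
        self.next_id += 1
        self.audit_log.append(f"{now.isoformat()} REQUEST #{g.grant_id} {requester} -> {target}: {justification}")
        return g.grant_id

    def approve(self, grant_id: int, approver: str, now: datetime) -> Grant:
        g = self.grants[grant_id]
        # Dual control: the person who asked for the elevation may not approve it.
        if approver == g.requester:
            raise ElevationDenied("requester cannot approve their own elevation")
        g.approved_by, g.approved_at = approver, now
        self.audit_log.append(f"{now.isoformat()} APPROVE #{grant_id} by {approver}, expires {g.expires_at().isoformat()}")
        return g

    def authorize(self, user: str, target: str, now: datetime) -> bool:
        """Called on every privileged action: an approved, unexpired grant
        for this user and target must exist right now."""
        ok = any(g.requester == user and g.target == target and g.active(now)
                 for g in self.grants.values())
        self.audit_log.append(f"{now.isoformat()} {'ALLOW' if ok else 'DENY'} {user} on {target}")
        return ok

    def active_grants(self, now: datetime) -> int:
        """Metric for the dashboard: how many accounts are elevated at this moment."""
        return sum(1 for g in self.grants.values() if g.active(now))


# Constructed timeline used by demo(); not from the page.
T0 = datetime(2025, 3, 3, 9, 0)


def demo() -> dict[str, object]:
    broker = ElevationBroker()
    gid = broker.request("dba_sam", "db-prod-01", "INC-4417 restore table", T0, timedelta(minutes=30))
    results: dict[str, object] = {}
    results["before_approval"] = broker.authorize("dba_sam", "db-prod-01", T0 + timedelta(minutes=1))
    try:
        broker.approve(gid, "dba_sam", T0 + timedelta(minutes=1))
        results["self_approval_blocked"] = False
    except ElevationDenied:
        results["self_approval_blocked"] = True
    broker.approve(gid, "oncall_lead", T0 + timedelta(minutes=2))  # expires at T0 + 32 min
    results["during_window"] = broker.authorize("dba_sam", "db-prod-01", T0 + timedelta(minutes=10))
    results["other_target"] = broker.authorize("dba_sam", "db-prod-02", T0 + timedelta(minutes=10))
    results["after_expiry"] = broker.authorize("dba_sam", "db-prod-01", T0 + timedelta(minutes=32))
    results["elevated_at_t10"] = broker.active_grants(T0 + timedelta(minutes=10))
    results["elevated_at_t40"] = broker.active_grants(T0 + timedelta(minutes=40))
    try:
        broker.request("dba_sam", "db-prod-01", "too long", T0, timedelta(days=1))
        results["long_ttl_blocked"] = False
    except ElevationDenied:
        results["long_ttl_blocked"] = True
    results["denies_logged"] = sum(1 for line in broker.audit_log if " DENY " in line)
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The design choice worth noticing is that authorize() consults the clock on each call. A system that only checks the grant when the session opens lets an expired elevation live on for as long as the session does.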
Entitlement reviews
Over time, people change roles, take on projects, and collect new access rights. If old access is not removed, privilege creep builds up.
Entitlement reviews or access certification campaigns ask managers and data owners to periodically confirm that access rights are still appropriate.
- Done well, they prune unnecessary access and detect separation of duties violations
- Done poorly, they become checkbox exercises with rubber stamped approvals
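As an added example, not from the original page, this Python script performs the core of an access certification: it compares each user's current entitlements against the baseline for their current role, flags toxic combinations, and computes the age of excess grants, then rolls the results up into the kind of metrics that show whether privilege creep is growing between campaigns. The roles, entitlement names, users and dates are constructed; one user mirrors a clerk promoted over several years and another an employee who moved from finance to marketing.

```python
from __future__ import annotations

from datetime import date
from itertools import combinations

# Entitlements each role is supposed to carry. Constructed for this example.
ROLE_BASELINE = {
    "ap_clerk": {"vendor.read", "invoice.enter"},
    "ap_approver": {"vendor.read", "invoice.approve"},
    "vendor_admin": {"vendor.read", "vendor.create"},
    "marketing": {"crm.read", "campaign.edit"},
}

# Entitlements counted as privileged for metrics purposes.
PRIVILEGED = {"invoice.approve", "vendor.create", "bank.portal"}

# Combinations that let one person complete a payment end to end.
TOXIC_PAIRS = {
    frozenset({"vendor.create", "invoice.approve"}),
    frozenset({"invoice.enter", "invoice.approve"}),
    frozenset({"invoice.approve", "bank.portal"}),
}

# Current state per user: role, plus each entitlement and the date it was granted.
# Constructed sample data: "clerk1" is the promoted clerk, "dana" moved to marketing.
USERS = {
    "clerk1": {
        "role": "ap_approver",
        "grants": {
            "vendor.read": date(2018, 3, 1),
            "invoice.enter": date(2018, 3, 1),
            "vendor.create": date(2020, 6, 15),
            "invoice.approve": date(2023, 1, 10),
            "bank.portal": date(2024, 2, 20),
        },
    },
    "dana": {
        "role": "marketing",
        "grants": {"crm.read": date(2024, 9, 1), "invoice.enter": date(2021, 5, 5)},
    },
    "vince": {
        "role": "vendor_admin",
        "grants": {"vendor.read": date(2022, 1, 1), "vendor.create": date(2022, 1, 1)},
    },
}

AS_OF = date(2025, 1, 1)  # review date for the campaign


def review_user(user: dict, as_of: date) -> dict:
    """Flag entitlements outside the role baseline, toxic pairs, and grant age."""
    baseline = ROLE_BASELINE[user["role"]]
    grants = user["grants"]
    excess = sorted(e for e in grants if e not in baseline)
    toxic = sorted(
        tuple(sorted(pair)) for pair in combinations(grants, 2) if frozenset(pair) in TOXIC_PAIRS
    )
    oldest_excess = max(((as_of - grants[e]).days for e in excess), default=0)
    return {"excess": excess, "toxic": toxic, "oldest_excess_days": oldest_excess}


def review(users: dict, as_of: date) -> dict[str, dict]:
    return {name: review_user(u, as_of) for name, u in users.items()}


def metrics(users: dict, as_of: date) -> dict[str, int]:
    """Numbers worth trending between campaigns."""
    report = review(users, as_of)
    return {
        "privileged_holders": sum(1 for u in users.values() if PRIVILEGED & set(u["grants"])),
        "excess_grants": sum(len(r["excess"]) for r in report.values()),
        "users_with_toxic_pairs": sum(1 for r in report.values() if r["toxic"]),
        "oldest_excess_days": max(r["oldest_excess_days"] for r in report.values()),
    }


if __name__ == "__main__":
    for name, result in review(USERS, AS_OF).items():
        print(name, result)
    print(metrics(USERS, AS_OF))
```

Feeding a manager only the "excess" and "toxic" lines, rather than the full entitlement list, is what keeps a campaign from turning into the rubber stamp exercise described above: the reviewer sees a handful of specific questions instead of hundreds of rows.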
CISSP lens
For Domain 5 (Identity and Access Management), authorization concepts connect directly to risk management and governance.
Important exam points:
- Least privilege and need to know are core security principles that reduce risk and appear across multiple domains
- Separation of duties is both a technical and process control, especially important for financial and high value operations
- Privilege creep is a governance problem that requires processes, not just technology
- PAM and just in time access are preferred over permanent administrator rights
Questions often describe an employee who changed roles but kept old access, or a process where one person can create and approve their own transactions. The best answers apply least privilege, separation of duties, and periodic reviews.
Real world scenario
A mid sized company had an accounts payable clerk who joined as an assistant and grew into a more senior role over several years. Each time she took on new duties, IT added the necessary access.
No one removed her old rights. Eventually she could:
- Create new vendor records
- Enter invoices
- Approve payments
- Access the banking portal
There was no technical enforcement of separation of duties.
She created fake vendors, entered invoices, approved them herself, and paid them out. The fraud continued for months before a pattern was noticed during an external audit.
In response, the company:
- Redesigned financial system roles to enforce separation of duties
- Implemented quarterly access certifications for finance systems
- Introduced PAM controls for banking portal access, using temporary elevation and dual control
- Updated HR and IAM processes so role changes triggered automatic review and removal of old access
Common mistakes and misconceptions
- Assuming that adding access is harmless. Over time, unremoved access leads to privilege creep and increased risk.
- Treating separation of duties as a documentation task only. Without system enforcement, users can bypass the intent.
- Granting permanent local admin or domain admin rights because it is convenient for IT staff.
- Focusing only on external threats and overlooking how internal users can misuse excessive access.
- Running access reviews annually with huge lists that managers rubber stamp instead of evaluating.
Actionable checklist
- Identify your most critical business processes, such as payments, user provisioning, and code deployment, and document required separations of duty.
- Configure applications and IAM systems to enforce separation of duties technically, not just through policy.
- Implement a PAM solution or process that supports just in time elevation for administrative tasks and records privileged sessions.
- Establish regular access certification campaigns for critical systems, with smaller, more frequent reviews instead of a massive annual exercise.
- Ensure that role changes and terminations automatically trigger removal of unneeded access, not just addition of new rights.
- Track and report metrics such as the number of privileged accounts and the age of privileges to monitor privilege creep.
Key takeaways
- Authorization controls what authenticated users can do, and least privilege limits that to what is necessary.
- Separation of duties prevents any one person from having end to end control over critical processes.
- Privilege creep accumulates slowly but creates significant risk if not managed.
- PAM and just in time elevation limit the number and duration of highly privileged sessions.
- Effective authorization management combines process, governance, and technical enforcement.
Optional exam style reflection question
Question: An employee moves from the finance department to marketing but retains full access to the finance system. Which principle is being violated, and what control would best address this?
Answer: The principle of least privilege is violated, since the employee now has access beyond what is needed for the new role. Stronger role based access control with automated role change handling, combined with regular access reviews, would ensure that old finance privileges are removed when the employee changes roles.