A basic principle in information security that holds that entities (people, processes, devices) should be assigned the fewest privileges consistent with their assigned duties and functions. For example, the restrictive "need-to-know" approach defines zero access by default and then opens security as required. All data in a corporate network would be off-limits except to specific people or groups (see role-based access control).In contrast, a less-restrictive strategy opens up all systems and closes access as required; for example, allowing employees access to all systems except human resources and accounting, which would be limited to only employees in those departments.
A security principle holding that users should be allocated the least possible set of privileges on a computer system. For security reasons, users should be given only the amount of privileges needed to complete their tasks. Without question, least-privilege is a critical area in security. Accepting that organizations, university and medical institutions, as well as government agencies have in recent years adopted the Internet as a key means of conducting important transactions—often involving sensitive information—one important factor these organizations and agencies have had to address is an unprecedented demand for security measures to guarantee the confidentiality, integrity, and availability of sensitive online information. A great place to begin building sound security measures to protect information assets, note security experts, is to install network perimeter-based protection with capabilities consistent with the security expectations of the organization.