1. What is the Need-to-Know Principle?
The need-to-know principle states that a user should only have access to the information that his or her job function requires.
Fully implemented, with real-time need-to-know, this access principle even meets intelligence and military requirements.
In companies and in most public authorities, the following is usually sufficient:
- a restrictive allocation of access rights,
- prompt correction of access rights in the event of changes (role change, departure), and
- regular auditing of who has access to which data.
In practice, this is sufficient to ensure that users can only access data that is absolutely necessary for legitimate reasons.
2. Need-to-Know vs. Principle of Minimal Rights
The difference between need-to-know and the principle of minimal rights (least privilege) lies in the scope of application: the need-to-know principle is about which persons are allowed to see certain confidential or secret information. The principle of minimal rights refers to the privileged access rights of users and technical accounts.
3. Need-to-Know in Use (Selection)
- GDPR: For the processing of personal data, integrity and confidentiality must be ensured. Implementation includes limiting access to personal data to employees who absolutely need this access to perform their tasks, which corresponds exactly to the need-to-know principle.
- ISO/IEC 27001/27002: In the Code of Practice of ISO/IEC 27002, the implementation of the need-to-know principle is required in section 9.1.1 Access control policy.
- BSI IT-Grundschutz: The IT-Grundschutz requires identity and authorisation management in compliance with the need-to-know and the principle of minimum rights (least privilege).
- PCI DSS: PCI DSS also requires that access to cardholder data be restricted on a need-to-know basis.
- Other: Other good practices and compliance standards also expect the implementation of the need-to-know principle / principle of minimal rights.
4. Why is the Need-to-Know Principle important?
Significant advantages in the resilience of the IT environment against internal and external attackers result from the consistent implementation of the need-to-know principle or the principle of minimal rights.
- Reduction of damage in the event of ransomware incidents: The damage in a ransomware attack arises from the encryption/destruction of the accessible data combined with the exfiltration of that data to the Internet. The less data each compromised account can reach, the smaller this damage; a consistent implementation of the need-to-know principle therefore minimises it in the event of an incident.
- Minimising the damage in the case of security incidents with insiders: With the need-to-know principle, the advantage is that in the case of a malicious threat from an insider, the amount of data that can flow out of the company is minimised.
- Stops the spread of malware: Malware attacks are greatly slowed down or can even end directly on the end device if only users with minimal rights and access are present there. If escalation of privileges cannot take place, movement in the network (lateral movement) is very difficult or even impossible.
- Reduction of opportunities for cyber attacks: Most complex attacks today are based on the misuse of privileged credentials. Applying the principle of minimal rights by limiting the privileges of administrators reduces this attack surface.
- Implementation of compliance requirements: Many internal guidelines and legal regulations require the implementation of the need-to-know principle or the principle of minimal rights.
5. Implementation of the Need-to-Know Principle in the Company
In order to effectively implement the need-to-know principle in the company, a series of measures must be implemented, which primarily concern the control of user access rights and the administration of administrative accounts.
Ensure the allocation of minimal access rights to data.
- A rights and roles concept (RBAC) must be established that makes the allocation and control of access rights to shared data practicable. An appropriate separation according to department and the responsibilities of team members must be ensured.
- Regularly check whether access rights to shared data repositories are still correct.
- Immediate blocking of access in the event of a member leaving the team or the company.
- Write access to critical configuration files and critical areas of the file system must be prevented for normal users.
Ensure that minimal access rights are granted to sensitive areas of the building.
- Access to servers and the IT security area must be severely restricted. It would not be the first time that the cleaning company "ventilates" the server room on Friday afternoon.
Minimum assignment of rights for accounts.
- Inventory the entire IT environment for privileged accounts: on-premises, in the cloud, in DevOps environments, on IoT devices and on other endpoints.
- Eliminate unnecessary local user administrative privileges.
- Restrict access via maintenance interfaces.
- Reduce the privileges of technical users to what is absolutely necessary.
- Separate administrative accounts from normal user accounts.
- Isolation of privileged accounts (via jump server; also via AD configuration)
- If privileged rights are needed in the short term, for example to install software, then this must only be usable for a short time and for exactly this one purpose.
In addition, sufficiently strong authentication and authorisation concepts should be implemented.
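The three measures from section 1 (restrictive allocation, prompt correction on change, regular auditing) and the data-access checks from section 5 can be expressed as a small audit over an RBAC model. The following script is an added example, not code from the original page; the role table, users and grants are constructed sample data, and the check names (role_outside_department, grant_for_inactive_user, grant_not_covered_by_role, stale_grant) are hypothetical labels chosen for this illustration. It flags role assignments outside a user's department, grants still held by leavers, grants that no assigned role explains, and grants unused for longer than a review window, and it shows the "immediate blocking on departure" step as a deprovisioning function.

```python
"""Need-to-know audit over a simple RBAC model (constructed example)."""
from dataclasses import dataclass
from datetime import date
from typing import List, Optional, Set, Tuple

# Hypothetical role model: role -> set of (resource, permission) it explains.
ROLE_PERMISSIONS = {
    "finance-analyst": {("share:finance", "read")},
    "finance-lead": {("share:finance", "read"), ("share:finance", "write")},
    "hr-specialist": {("share:hr", "read"), ("share:hr", "write")},
    "it-admin": {("share:it-config", "read"), ("share:it-config", "write")},
}
# Which department each role belongs to (separation by department, section 5).
ROLE_DEPARTMENTS = {
    "finance-analyst": "finance", "finance-lead": "finance",
    "hr-specialist": "hr", "it-admin": "it",
}
REVIEW_DATE = date(2024, 6, 1)  # constructed date of this audit run


@dataclass
class User:
    name: str
    department: str
    active: bool
    roles: Set[str]
    left_on: Optional[date] = None


@dataclass
class Grant:
    """One effective ACL entry on a shared repository, with last-use date."""
    user: str
    resource: str
    permission: str
    last_used: Optional[date]


# Constructed sample data: each oddity is commented so the findings are traceable.
USERS = [
    User("alice", "finance", True, {"finance-analyst"}),
    User("bob", "hr", True, {"hr-specialist", "finance-analyst"}),  # role outside own department
    User("carol", "finance", False, {"finance-lead"}, left_on=date(2024, 3, 1)),  # left the company
    User("dave", "it", True, {"it-admin"}),
]
GRANTS = [
    Grant("alice", "share:finance", "read", date(2024, 5, 2)),
    Grant("alice", "share:hr", "read", None),                     # no role explains it, never used
    Grant("bob", "share:hr", "write", date(2024, 5, 3)),
    Grant("carol", "share:finance", "write", date(2024, 2, 20)),  # leaver still has write access
    Grant("dave", "share:it-config", "write", date(2024, 5, 1)),
    Grant("dave", "share:finance", "read", date(2023, 9, 1)),     # no role explains it, stale
]

Finding = Tuple[str, str, str]  # (check, user, detail)


def effective_permissions(user: User) -> Set[Tuple[str, str]]:
    """All (resource, permission) pairs derivable from the user's roles."""
    perms: Set[Tuple[str, str]] = set()
    for role in user.roles:
        perms |= ROLE_PERMISSIONS.get(role, set())
    return perms


def audit(users: List[User], grants: List[Grant], today: date,
          stale_after_days: int = 90) -> List[Finding]:
    """Regular review: return every deviation from the need-to-know model."""
    findings: List[Finding] = []
    by_name = {u.name: u for u in users}
    # Check 1: a role that belongs to another department than the user's own.
    for u in users:
        for role in sorted(u.roles):
            if ROLE_DEPARTMENTS.get(role) != u.department:
                findings.append(("role_outside_department", u.name, role))
    for g in grants:
        detail = f"{g.resource}:{g.permission}"
        u = by_name.get(g.user)
        # Check 2: grant held by an unknown or inactive (departed) user.
        if u is None or not u.active:
            findings.append(("grant_for_inactive_user", g.user, detail))
            continue
        # Check 3: grant that no assigned role explains (allocated outside RBAC).
        if (g.resource, g.permission) not in effective_permissions(u):
            findings.append(("grant_not_covered_by_role", g.user, detail))
        # Check 4: grant never used or unused for longer than the review window.
        if g.last_used is None or (today - g.last_used).days > stale_after_days:
            findings.append(("stale_grant", g.user, detail))
    return findings


def deprovision(name: str, users: List[User], grants: List[Grant],
                today: date) -> List[Grant]:
    """Prompt correction on departure: deactivate the user, strip roles, drop all grants."""
    for u in users:
        if u.name == name:
            u.active, u.left_on, u.roles = False, today, set()
    return [g for g in grants if g.user != name]


if __name__ == "__main__":
    for check, user, detail in audit(USERS, GRANTS, REVIEW_DATE):
        print(f"{check:28s} {user:8s} {detail}")
```

In a real environment the `GRANTS` list would be exported from the file server or identity provider and the role model from the authorisation system; the four checks stay the same. The last-use date is what turns a static "who has access" review into the need-to-know question "who still needs it".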