Least Privilege Awareness
Keep access to the minimum your job requires.
What You'll Learn
- Define the principle of least privilege and explain why it limits the blast radius of compromised accounts
- Conduct a practical access review by identifying permissions that exceed what each role actually requires
- Recognize permission creep patterns such as accumulated role-based access, shared service accounts, and stale contractor credentials
- Request and justify access through proper approval workflows instead of accepting shortcuts like shared credentials or blanket admin grants
- Connect least privilege practices to lateral movement prevention, understanding how one over-provisioned account enables network-wide compromise
Training Steps
- A Growing Role
Welcome to Harmon Financial Services! You are Alice, a senior analyst who has been with the company for three years. Over time, your role has evolved significantly. You started in operations, moved to compliance, and now work in strategic planning. Along the way, you accumulated access to various systems - some of which you no longer use.
- The Quarterly Access Review
Harmon Financial conducts quarterly access reviews as required by SOX compliance. Every employee must review their current access rights and confirm they still need each permission. Alice receives an email from the IT Security team about the upcoming review.
- Opening the Access Portal
The email from IT Security explains why access reviews matter: unused access creates unnecessary risk, permissions should match your current role, and reducing your access footprint protects you if credentials are compromised. Alice clicks the link to access the Access Review Portal where she can review and manage her permissions.
- Logging In
The Access Review Portal login page appears. Alice uses her saved credentials from the password manager to log in securely.
- Reviewing Current Access
The portal displays Alice's current access rights across all systems. She's surprised by how much access she has accumulated.

Current Access:
- Customer Database (Read/Write) - from her operations role 2 years ago
- Compliance Audit System (Admin) - from her compliance role 1 year ago
- Strategic Planning Portal (Read) - current role requirement
- Financial Reporting Dashboard (Read) - current role requirement
- Legacy CRM System (Full Access) - a system she hasn't touched in 18 months
- Understanding the Blast Radius
The portal explains the concept of 'blast radius' - the potential damage if your account is compromised.

Your Current Blast Radius:
- 5 systems with direct access
- Over 50,000 customer records accessible
- Admin rights to compliance audit logs
- Full access to legacy CRM data

If Alice's credentials were stolen through phishing, an attacker would have access to ALL of this. By reducing unnecessary access, she shrinks her blast radius and limits the potential damage.
- Evaluating Customer Database Access
The first item is Customer Database access. Alice had Read/Write access from her operations role, but she hasn't needed to access customer records in over a year.

Questions to consider:
- When did I last use this access?
- Does my current role require it?
- Could I request temporary access if needed later?

For Alice, the answers are clear: she no longer needs this access.
- Evaluating Compliance System Admin Rights
Next is the Compliance Audit System. Alice had Admin rights from her compliance role, but she transferred to strategic planning a year ago. Admin rights are particularly sensitive because they allow modifying audit logs - something that requires strict accountability and should only be held by active compliance team members.
- The Legacy System Question
The Legacy CRM System is more complicated. Alice has Full Access, but the system is rarely used. However, she occasionally needs to pull historical data for strategic reports.

Options:
- Keep Full Access - maintains the current risk level
- Request Read-Only Access - reduces risk while preserving research capability
- Remove Access - request temporary access when needed

The principle of least privilege suggests requesting Read-Only access: she doesn't need to modify data, only read it.
- Confirming Current Role Access
The final items are the Strategic Planning Portal and Financial Reporting Dashboard. These are both required for Alice's current role and she uses them regularly. The portal shows these as 'Confirmed - Required for current role.' No action needed for access that matches current job functions.
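To make the review logic from the steps above concrete, here is an added Python example (not part of the Harmon Financial training module) that encodes Alice's inventory and applies the same three-way decision - remove, downgrade to the needed level, or confirm - then compares her blast radius before and after. The role-requirement table and the record counts per system are constructed assumptions drawn from the scenario.

```python
from dataclasses import dataclass, replace

@dataclass(frozen=True)
class Entitlement:
    system: str
    level: str            # "Read", "Read/Write", "Admin" or "Full Access"
    records_exposed: int  # customer records reachable through this grant (constructed)

LEVELS = {"Read": 1, "Read/Write": 2, "Admin": 3, "Full Access": 3}  # rank grants by power

# Assumed needs of Alice's current role: the two confirmed systems plus read-only CRM history pulls.
STRATEGIC_PLANNING_NEEDS = {
    "Strategic Planning Portal": "Read",
    "Financial Reporting Dashboard": "Read",
    "Legacy CRM System": "Read",
}

# Alice's accumulated grants as listed in the portal; record counts are constructed.
ALICE_GRANTS = [
    Entitlement("Customer Database", "Read/Write", 50_000),
    Entitlement("Compliance Audit System", "Admin", 0),
    Entitlement("Strategic Planning Portal", "Read", 0),
    Entitlement("Financial Reporting Dashboard", "Read", 0),
    Entitlement("Legacy CRM System", "Full Access", 12_000),
]

def review_access(grants, needs):
    """Map each system to the least-privilege action: remove, downgrade or confirm."""
    actions = {}
    for g in grants:
        needed = needs.get(g.system)
        if needed is None:
            actions[g.system] = "remove"                  # current role never touches it
        elif LEVELS[g.level] > LEVELS[needed]:
            actions[g.system] = f"downgrade to {needed}"  # keep the task, drop write/admin
        else:
            actions[g.system] = "confirm"                 # matches current job function
    return actions

def apply_review(grants, needs):
    """Entitlements left once the review is enacted: only needed systems, at the needed level."""
    return [replace(g, level=needs[g.system]) for g in grants if g.system in needs]

def blast_radius(grants):
    """What a stolen credential reaches: systems, records, and grants that can alter data."""
    return {
        "systems": len(grants),
        "records": sum(g.records_exposed for g in grants),
        "privileged": sum(1 for g in grants if LEVELS[g.level] >= LEVELS["Read/Write"]),
    }
```

Running review_access(ALICE_GRANTS, STRATEGIC_PLANNING_NEEDS) yields the same decisions the portal walks through, and blast_radius on the post-review set shows the account dropping from three write-capable grants across five systems to three read-only grants.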