Title: Policy of Least Privilege and Segregation of Duties, their Deployment, Application, & Effectiveness

Issue Number: Vol. 10, No. 4
Year of Publication: 2021
Page Numbers: 112-119
Authors: Joseph C. Brickley, Kutub Thakur
Journal Name: International Journal of Cyber-Security and Digital Forensics (IJCSDF)
- Hong Kong


With the risk of insider threats on the rise, organizations should deploy the policy of least privilege and Segregation of Duties (SOD) as a safeguard against malicious exposure of information by disgruntled employees. Effectively deploying the policy of least privilege will also reduce the damage done if an outsider compromises an account. SOD is a process in which requests and approvals are divided into two separate roles or duties. This ensures that employees cannot commit fraud and cover their tracks, especially when dealing with money. This paper explores five least privilege and SOD deployment models: discretionary access control (DAC), role-based access control (RBAC), rule-based access control (RuBAC), attribute-based access control (ABAC), and mandatory access control (MAC). The policy of least privilege and SOD is not a "set it and forget it" defense against fraud, as employees often switch roles and are granted more privileges over time, a pattern commonly referred to as privilege creep. Monitoring and auditing tools should be put in place to assist in identifying and preventing privilege creep. It is recommended to use automated auditing tools, specifically Creeper, as it is fast and more accurate than a human auditor and a competitor.