Least Privilege and Defense-in-Depth
As stated previously, least privilege means users should be granted the minimum amount of access (authorization) required to do their jobs, but no more. Need-to-know is more granular than least privilege: the user must need to know that specific piece of information before accessing it. Defense-in-Depth (also called layered defenses) applies multiple safeguards (also called controls: measures taken to reduce risk) to protect an asset. Any single security control may fail; by deploying multiple controls, you improve the confidentiality, integrity, and availability of your data.
Secure Defaults
Secure defaults (also called secure by default) means operating systems and applications are deployed in a secure state. Historically operating systems were deployed in a (sometimes) highly insecure state, requiring hardening after installation.
For example: In the 1990s Unix and Linux systems often had over a dozen listening network services enabled by default. Since these services were insecure by default, system administrators would then harden the systems by disabling unnecessary services. This raises the question: why are the services enabled when they are unnecessary? Most Linux distributions now use secure defaults: Ubuntu Linux 22.04 (desktop) has zero listening network services by default. Even the OpenSSH daemon is not installed by default (although it is automatically installed on most server distributions).
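Whether a host actually retains that "zero listening services" state after installation is easy to verify. The script below is an added example, not from the book: it filters output in the format of iproute2's `ss -H -tuln` down to sockets bound to non-loopback addresses, the ones a remote attacker could reach. The sample output is constructed so the script runs offline.

```shell
#!/bin/sh
# Added example (not from the book): audit a host's secure-default state by
# listing listening sockets reachable from the network, i.e. not loopback-bound.
# Input is `ss -H -tuln` format (no header; columns: Netid State Recv-Q Send-Q
# Local-Address:Port Peer-Address:Port).

# Constructed sample of `ss -H -tuln` output so the script runs offline.
SAMPLE_SS='udp   UNCONN 0 0    127.0.0.53%lo:53   0.0.0.0:*
udp   UNCONN 0 0    0.0.0.0:68         0.0.0.0:*
tcp   LISTEN 0 128  0.0.0.0:22         0.0.0.0:*
tcp   LISTEN 0 4096 127.0.0.1:631      0.0.0.0:*
tcp   LISTEN 0 128  [::]:22            [::]:*
tcp   LISTEN 0 511  *:80               *:*'

# Read ss output on stdin; print "proto local-address:port" for each
# listening socket that is NOT bound to a loopback address.
exposed_listeners() {
    awk '
        $2 == "LISTEN" || $2 == "UNCONN" {
            addr = $5
            sub(/%[^]:]*/, "", addr)      # drop scope id, e.g. 127.0.0.53%lo:53
            if (addr ~ /^127\./) next     # IPv4 loopback
            if (addr ~ /^\[::1\]:/) next  # IPv6 loopback
            print $1, addr
        }'
}

# Count exposed listeners in an ss dump passed as $1; 0 means the host
# matches the "zero listening network services" default described above.
count_exposed() {
    printf '%s\n' "$1" | exposed_listeners | awk 'END { print NR }'
}

# Live check of the local host (needs iproute2's ss); returns non-zero when
# anything is exposed, so it can gate a post-install hardening pipeline.
audit_live_host() {
    out=$(ss -H -tuln | exposed_listeners)
    if [ -n "$out" ]; then
        printf 'Network-reachable listeners:\n%s\n' "$out"
        return 1
    fi
    echo "No network-reachable listeners."
}

# Demonstration against the constructed sample: prints the four exposed sockets.
printf '%s\n' "$SAMPLE_SS" | exposed_listeners
```

On a freshly installed desktop the live check should print nothing but the "No network-reachable listeners." line; each line it does print is a service to justify or disable.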
Privacy by Design
Privacy by Design is similar to secure defaults, focusing on privacy (as the name implies). Historically many privacy controls (such as those used on a cell phone) were disabled by default, requiring the user to opt out of practices such as sharing data with advertisers. Privacy by design requires such controls to be enabled by default, allowing users to opt into sharing data with advertisers (if they choose to).
Deloitte describes privacy by design as “a framework based on proactively embedding privacy into the design and operation of IT systems, networked infrastructure, and business practices” [2], and describes the seven foundation principles of privacy by design:
- Proactive not reactive—preventative not remedial: Anticipate, identify, and prevent invasive events before they happen; this means taking action before the fact, not afterward.
- Lead with privacy as the default setting: Ensure personal data is automatically protected in all IT systems or business practices, with no added action required by any individual.
- Embed privacy into design: Privacy measures should not be add-ons, but fully integrated components of the system.
- Retain full functionality (positive-sum, not zero-sum): Privacy by Design employs a “win-win” approach to all legitimate system design goals; that is, both privacy and security are important, and no unnecessary trade-offs need to be made to achieve both.
- Ensure end-to-end security: Data lifecycle security means all data should be securely retained as needed and destroyed when no longer needed.
- Maintain visibility and transparency—keep it open: Assure stakeholders that business practices and technologies are operating according to objectives and subject to independent verification.
- Respect user privacy—keep it user-centric: Keep things user-centric; individual privacy interests must be supported by strong privacy defaults, appropriate notice, and user-friendly options [2].