Home > Access control Concepts > Separation of Duty vs Least Privilege

Separation of Duty vs Least Privilege

Separation of Duty (SoD) is diving the responsibility and privilege of performing a job among more than one persons or roles. The purpose of SoD is to make it difficult to perform fraud. The observation behind SoD is that it is difficult to corrupt two person to commit a fraudulent activity. Note that SoD does not eliminate fraud, it just makes fraud more difficult and potentially reducing the occurrence  of it.

Example of SoD: In many places, it requires two different signs from two different persons on a check to approve it.

Least Privilege (LP): Least privilege requires possessing just enough privilege to perform a job.  The purpose of least privilege is that if something bad happens due to unintentional error, the loss should be minimum. As opposed to SoD, it does not limit users having all privileges for a job, rather it limits users to activate least amount of privileges for performing a particular job.

An example of least privilege is that a person can be both ‘faculty’ and ‘chair person’ of a department. When he is performing job as a faculty, he should only activate privileges required for faculty (Assuming that faculty job does not require privileges of ‘chair person’ job.  Now, if the person get infected with malware while performing faculty job, hopefully the malware could possess maximum privilege of the faculty role and not ‘chair man’ role.

Note that enforcing SoD or Least Privilege requires both human efforts and technological support. For example, which job should go through SoD is an human decision. On the other hand, once specified different critical subtasks for a job, the available security mechanism (e.g. Access control) should enforce decision made my authority.

In Role Based Access Control (RBAC) SOD or Least privilege is supported through Permission Role Assignment (PRA),  User Role Assignment (URA) and Sessions.  All of PRA, URA and Session Support is required for SoD and LP. While both PRA and URA involves support from human (more specifically RBAC administrators), Session  in RBAC is a technical instrument .

May 5, 2015.

  1. No comments yet.
  1. No trackbacks yet.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

%d bloggers like this: