The most important things in a nutshell

  • The need-to-know principle describes the security objective of limiting access to confidential information to what is strictly necessary.
  • The principle is referenced in many legal requirements and in standards such as ISO/IEC 27001/27002, BSI IT-Grundschutz, GDPR and PCI DSS, among others.
  • Implementing the need-to-know principle for data and the principle of minimal rights (least privilege) for IT accounts not only brings compliance advantages but also makes the IT landscape significantly more resilient against cyber threats such as malware and insider threats.

Reading time 3 minutes

1. What is the Need-to-Know Principle?

The need-to-know principle states that a user should only have access to the information that his or her job function requires.

Fully implemented, with real-time need-to-know, this access principle even meets intelligence and military requirements.

In companies and most public authorities, the following usually suffice:

  • restrictive allocation of access rights,
  • prompt correction of access rights whenever roles or responsibilities change, and
  • regular auditing of who can access which data.

In practice, this is enough to ensure that users can only access data for which they have a legitimate need.

2. Need to Know vs. principle of minimal rights

The difference between need to know and the principle of minimal rights lies in the scope of application: the need-to-know principle concerns which persons are allowed to see certain confidential or secret information, whereas the principle of minimal rights (least privilege) concerns the privileged access rights of user and technical accounts.

3. Need to Know in use (selection)

  • GDPR: For the processing of personal data, integrity and confidentiality must be ensured. Implementation includes limiting access to personal data to employees who absolutely need this access to perform their tasks, which corresponds exactly to the need-to-know principle.
  • ISO/IEC 27001/27002: In the Code of Practice of ISO/IEC 27002, the implementation of the need-to-know principle is required in section 9.1.1 Access control policy.
  • BSI IT-Grundschutz: The IT-Grundschutz requires identity and authorisation management in compliance with the need-to-know principle and the principle of minimum rights (least privilege).
  • PCI DSS: PCI DSS likewise requires that access to cardholder data be restricted on a need-to-know basis.
  • Other: Other good practices and compliance standards also expect the implementation of the need-to-know principle and the principle of minimal rights.

4. Why is the Need-to-Know Principle important?

Consistently implementing the need-to-know principle and the principle of minimal rights makes the IT environment significantly more resilient against internal and external attackers.

  • Reduction of damage in ransomware incidents: The damage in a ransomware attack arises from the encryption or destruction of the accessible data, combined with the exfiltration of that data to the Internet. With a consistent implementation of the need-to-know principle, the amount of data an attacker can reach, and thus the damage, is minimised.
  • Minimising the damage in security incidents with insiders: With the need-to-know principle, the amount of data that a malicious insider can take out of the company is minimised.
  • Stops the spread of malware: Malware attacks are greatly slowed down, or can even end directly on the end device, if only users with minimal rights and access are present there. If privilege escalation cannot take place, movement through the network (lateral movement) is very difficult or even impossible.
  • Reduction of opportunities for cyber attacks: Most complex attacks today are based on the misuse of privileged credentials. Applying the principle of minimal rights by limiting the privileges of administrators reduces this attack surface.
  • Implementation of compliance requirements: Many internal guidelines and legal regulations require the implementation of the need-to-know principle or the principle of minimal rights.

5. Implementation of the Need-to-Know Principle in the Company

In order to effectively implement the need-to-know principle in the company, a series of measures must be implemented, which primarily concern the control of user access rights and the administration of administrative accounts.

Ensure the allocation of minimal access rights to data.

  • A rights and roles concept (RBAC) must be established that makes the allocation and control of access rights to shared data practicable. An appropriate separation according to department and the responsibilities of team members must be ensured.
  • Regularly check whether access rights to shared data repositories are still correct.
  • Immediate blocking of access in the event of a member leaving the team or the company.
  • Write access to critical configuration files and critical areas of the file system must be prevented for normal users.

Ensure that minimal access rights are granted to sensitive areas of the building.

  • Access to servers and the IT security area must be severely restricted. It would not be the first time that the cleaning company "ventilates" the server room on Friday afternoon.

Minimum assignment of rights for accounts.

  • Inventory the entire IT environment for privileged accounts: on-premises, in the cloud, in DevOps environments, on IoT devices and on other endpoints.
  • Eliminate unnecessary local administrative privileges for users.
  • Restrict access via maintenance interfaces.
  • Reduce the privileges of technical users to what is absolutely necessary.
  • Separate administrative accounts from normal user accounts.
  • Isolate privileged accounts (via a jump server, and also via AD configuration).
  • If privileged rights are needed in the short term, for example to install software, they must be usable only for a short time and only for exactly that one purpose.

In addition, sufficiently strong authentication and authorisation concepts should be implemented.
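The measures in sections 1 and 5 (a rights-and-roles concept, time-boxed privileged grants, blocking leavers, and regular reviews of whether access rights are still correct) can be expressed as a small policy model. The following is an added example, not code from the original article; the roles, resources, user names and grants are constructed sample data, and the `sysadmin` role standing in for "administrators" is an assumption of this example.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

# Role -> the (resource, permission) pairs that role justifies (the RBAC concept).
# Constructed example roles and resources, not taken from the article.
ROLE_PERMISSIONS = {
    "hr_clerk": {("hr_share", "read"), ("hr_share", "write")},
    "sales": {("crm", "read")},
    "sysadmin": {("etc_config", "write"), ("server_room", "enter")},
}

# Resources where write/enter must stay with administrators (critical config, server room).
CRITICAL = {"etc_config", "server_room"}

# Fixed "clock" for the constructed scenario, and a point 31 minutes later.
NOW = datetime(2024, 1, 15, 9, 0)
LATER = NOW + timedelta(minutes=31)


@dataclass
class User:
    name: str
    roles: set
    active: bool = True  # False once the person has left the team or company


@dataclass
class Grant:
    """A direct, time-boxed entitlement outside the role model (e.g. short-term admin rights)."""
    user: str
    resource: str
    permission: str
    purpose: str
    expires: datetime


def role_permissions(user: User) -> set:
    """Permissions the user's roles justify; unknown roles contribute nothing."""
    perms = set()
    for role in user.roles:
        perms |= ROLE_PERMISSIONS.get(role, set())
    return perms


def is_allowed(user: User, resource: str, permission: str, grants: list, now: datetime) -> bool:
    """Need-to-know check: departed users get nothing; otherwise a role or an unexpired grant is required."""
    if not user.active:
        return False
    if (resource, permission) in role_permissions(user):
        return True
    return any(
        g.user == user.name and g.resource == resource and g.permission == permission and now < g.expires
        for g in grants
    )


def grant_temporary(user: User, resource: str, permission: str, purpose: str, minutes: int, now: datetime) -> Grant:
    """Short-lived, single-purpose elevation (e.g. a software install) that expires on its own."""
    return Grant(user.name, resource, permission, purpose, now + timedelta(minutes=minutes))


def review_access(users: list, grants: list, now: datetime) -> list:
    """Periodic access review: returns (user, finding) pairs for rights that no longer match need-to-know."""
    findings = []
    by_name = {u.name: u for u in users}
    for u in users:
        if not u.active and u.roles:
            findings.append((u.name, "departed user still holds roles " + ", ".join(sorted(u.roles))))
    for g in grants:
        u = by_name.get(g.user)
        if u is None or not u.active:
            findings.append((g.user, f"grant on {g.resource} belongs to an unknown or departed user"))
        elif now >= g.expires:
            findings.append((g.user, f"expired grant on {g.resource} ({g.purpose}) has not been revoked"))
        elif (g.resource, g.permission) in role_permissions(u):
            findings.append((g.user, f"direct grant on {g.resource} duplicates a role permission"))
        elif g.resource in CRITICAL and "sysadmin" not in u.roles:
            findings.append((g.user, f"non-admin holds {g.permission} on critical resource {g.resource}"))
    return findings


def sample_scenario(now: datetime = NOW):
    """Constructed sample data: an HR clerk, a sales user with a temporary install grant, and a leaver."""
    users = [
        User("alice", {"hr_clerk"}),
        User("bob", {"sales"}),
        User("carol", {"sysadmin"}, active=False),  # left the company, roles never removed
    ]
    grants = [
        grant_temporary(users[1], "workstation", "install", "install VPN client", 30, now),
        Grant("carol", "etc_config", "write", "legacy grant", now + timedelta(days=365)),
        Grant("bob", "etc_config", "write", "emergency fix", now + timedelta(hours=2)),
    ]
    return users, grants


if __name__ == "__main__":
    users, grants = sample_scenario()
    for user, finding in review_access(users, grants, LATER):
        print(f"{user}: {finding}")
```

Run as a script, the review lists the departed sysadmin who still holds a role and a direct grant, a non-admin with write access to critical configuration, and the install grant that has expired but was never cleaned up. The design choice worth noting is that `is_allowed` refuses everything for a departed user before consulting roles or grants, so the "immediate blocking" step does not depend on every individual entitlement being removed first.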
