What is the difference between "Separation of Duties" and "Least Privilege"
By: Omer Kaan Aslim
October 06, 2020
Separating the duties of employees and implementing the principle of least privilege are both vital to any cybersecurity program, but what is the difference between the two?
What is “Separation of Duties” in Information Security?
Separation of duties is when important duties are divided among different individuals so that no single individual is able to commit fraud or cause damage on their own. An example is distributing different tasks among members of an IT team. Here is a scenario: you have one IT team member who is responsible for administering systems and another who is responsible for reviewing audit logs. If you didn't separate these tasks, the system administrator could carry out malicious activities and then cover their own tracks. This is why separation of duties is important if you want to have a functioning cybersecurity program.
What is “Least Privilege” in Information Security?
Least privilege is the principle that system users and applications should only have the necessary privileges to complete their required tasks. A simple example is not providing every user with administrative rights on their PC or limiting access to a shared drive on your network. The goal is to align the privileges a user has with their assigned job duties.
Least Privilege vs Separation of Duties
Separation of duties has to do with splitting tasks among employees to reduce the chance of one employee committing fraud. Least privilege is when you only provide employees with the account privileges they need to complete their work. The principle of least privilege can support the separation of duties.
Cybersecurity Maturity Model Certification (CMMC) Separation of Duties Requirements
CMMC Practice AC.3.017 - Separate the duties of individuals to reduce the risk of malevolent activity without collusion.
What you need to do: Do not allow one person to be in charge of an entire critical task. Assign parts of the critical task to different persons.
Scenario - Alice handles the creation of user accounts and the assignment of account privileges. Your company periodically audits user accounts and their privileges. Instead of letting Alice do this, you separate duties by assigning the auditing task to another employee.
Cybersecurity Maturity Model Certification (CMMC) Least Privilege Requirements
CMMC Practice AC.2.007 - Employ the principle of least privilege, including for specific security functions and privileged accounts.
What you need to do: Only provide system users the privileges necessary to complete their work. Create user security groups representing the different job roles in your company. Assign each group the fewest privileges that still allow its members to complete their work. Reserve administrative privileges for a limited number of employees; this generally means IT staff. Revoke administrative rights from as many users as possible. Document any exceptions along with the business need that justifies them.
Scenario - Alice, a system administrator, has decided to revoke local admin rights from the majority of her company's employees, because they do not need admin rights to complete their assigned work. Their work generally consists of responding to emails and creating Word documents. Because admin rights were revoked, they can no longer change important settings on their workstations, and they cannot install software without Alice's permission either.
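As an added example (not code from the original article), here is a small Python model of the two controls in the scenarios above: a least-privilege check that flags permissions a security group holds beyond what its job tasks need, and a separation-of-duties rule that no one person may both administer accounts and audit them. The role, task and permission names are constructed for illustration and do not correspond to any real product.

```python
from dataclasses import dataclass
# Permissions each job task genuinely requires (constructed sample data).
TASK_PERMISSIONS = {
    "create_accounts": {"account:create"},
    "assign_privileges": {"account:set_privileges"},
    "audit_accounts": {"audit_log:read", "account:list"},
    "office_work": {"email:send", "document:edit"},
}

# Role pairs no single person may hold: whoever creates accounts and assigns
# privileges must not also be the one who audits them (the AC.3.017 scenario).
CONFLICTING_ROLES = {frozenset({"account_admin", "account_auditor"})}

@dataclass(frozen=True)
class Role:
    name: str
    tasks: frozenset        # job duties the role exists to perform
    permissions: frozenset  # what the security group is actually granted

def excess_permissions(role):
    """Least privilege: permissions granted beyond what the role's tasks need."""
    needed = set().union(*(TASK_PERMISSIONS[t] for t in role.tasks))
    return role.permissions - needed

def sod_violations(assignments):
    """Separation of duties: users who hold both roles of a conflicting pair."""
    return sorted((user, *sorted(pair)) for user, roles in assignments.items()
                  for pair in CONFLICTING_ROLES if pair <= roles)

def review(roles, assignments):
    """Return ({role: over-granted permissions}, [SoD violations]) for a state."""
    excess = {r.name: excess_permissions(r) for r in roles if excess_permissions(r)}
    return excess, sod_violations(assignments)
# Constructed 'before' state: Alice both administers and audits accounts, and
# the general staff group still carries local admin rights its work never needs.
ROLES = [
    Role("account_admin", frozenset({"create_accounts", "assign_privileges"}),
         frozenset({"account:create", "account:set_privileges"})),
    Role("account_auditor", frozenset({"audit_accounts"}),
         frozenset({"audit_log:read", "account:list"})),
    Role("staff", frozenset({"office_work"}),
         frozenset({"email:send", "document:edit", "workstation:local_admin"})),
]
BEFORE = {"alice": {"account_admin", "account_auditor"}, "bob": {"staff"}}
# After the article's fixes: auditing is reassigned to Bob, and the staff
# group is rebuilt without local admin rights.
AFTER = {"alice": {"account_admin"}, "bob": {"staff", "account_auditor"}}
STAFF_FIXED = Role("staff", frozenset({"office_work"}),
                   frozenset({"email:send", "document:edit"}))
```

Running `review(ROLES, BEFORE)` reports the staff group's unneeded local admin right and Alice's conflicting role pair; `review([ROLES[0], ROLES[1], STAFF_FIXED], AFTER)` reports nothing.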