A company's security team configures network firewall rules so that only a dedicated jump server's IP address can initiate RDP connections to production servers. This is an example of which security principle?
By restricting RDP access to only the jump server, the company is following the principle of least privilege, giving only the minimum access needed.
Why this answer
Restricting RDP access to only a dedicated jump server's IP address ensures that no other hosts or users can directly initiate remote desktop connections to production servers. This enforces the principle of least privilege by granting only the minimum necessary network access (the jump server) required for administrative tasks, reducing the attack surface and limiting lateral movement.
Exam trap
The trap here is that candidates confuse 'least privilege' (limiting access to what is necessary) with 'defense in depth' (multiple layers), because both involve restricting access, but least privilege focuses on the minimal permissions while defense in depth focuses on layered controls.
How to eliminate wrong answers
Option B (Defense in depth) is wrong because defense in depth involves multiple layers of security controls (e.g., firewalls, IDS, encryption) working together, not a single access restriction. Option C (Zero Trust) is wrong because Zero Trust assumes no implicit trust and requires continuous verification of every request, whereas this rule is a static IP-based allowlist that does not verify identity or session context. Option D (Separation of duties) is wrong because separation of duties divides critical tasks among different people to prevent fraud or error, not restrict network access to a specific source IP.