A company implements a policy where each employee is granted only the permissions necessary to perform their specific job role. For example, a marketing specialist has read-only access to the customer database and cannot modify financial records. Which security principle is primarily being applied?
Trap 1: Defense in depth
Defense in depth uses multiple layers of security controls (e.g., firewall, antivirus, encryption) to protect assets; it does not specifically limit permissions per role.
Trap 2: Zero Trust
Zero Trust is a security model that assumes no implicit trust and continuously verifies every request; it is broader than limiting permissions alone.
Trap 3: Separation of duties
Separation of duties divides critical tasks among multiple individuals to reduce the risk of fraud or error; it is not about limiting an individual's permissions.
- A
Defense in depth
Why wrong: Defense in depth uses multiple layers of security controls (e.g., firewall, antivirus, encryption) to protect assets; it does not specifically limit permissions per role.
- B
Least privilege
Correct. Least privilege is the security concept of granting users only the permissions they need to do their job, which matches the scenario of restricting access based on job role.
- C
Zero Trust
Why wrong: Zero Trust is a security model that assumes no implicit trust and continuously verifies every request; it is broader than limiting permissions alone.
- D
Separation of duties
Why wrong: Separation of duties divides critical tasks among multiple individuals to reduce the risk of fraud or error; it is not about limiting an individual's permissions.