In vision and policy documents on information security and plans for improving information security, I regularly come across the winged term “Need-to-know. The term is often taken so much for granted that it is not even explained. Usually it is also mentioned indiscriminately that the ’least privilege principle’ is applied.
But what do these phrases in guiding documents mean for the functioning of the organisation? Need-to-know means that people are given exactly the information they need to perform their tasks. Information you don’t need to know - you don’t need to know - and you shouldn’t have access to it.
Least privileged is another approach to the same principle. It is not based on the information you don’t need to know, but on the access to that same information.
To illustrate: Need-to-know says you are not allowed to look into personnel files, least privileged that you are not allowed to look into the personnel system.
Both principles lead to the need to:
- Know exactly what tasks a person is performing.
- Know exactly what information is needed to perform that task.
- Knowing exactly where that information is and how you have organized access to it.
Looking at these three necessities, it becomes clear that for most organisations, this pinches everywhere. People perform multiple tasks that change regularly in the heat of the battle. It is often not clear in advance what information is needed for a task and most organisations cannot tell you exactly where what information is and in what different ways you can access it.
Implementing a need-to-know system would mean having records that say exactly what the person’s tasks are. On the other hand, there must be an inventory of all the information that is available, including what task this information is used for and in what way. These two records are then linked together through an intelligent system so that the person, through an access control system, is given exactly the access rights to the information needed to perform the task. For this to work, the person changes and the information changes must be implemented in the administration systems in a timely and accurate manner. The result is an ever-changing rights environment in which (almost) all persons have a unique set of access rights.
Of course, this can be set up technically and organisationally, but:
- It is difficult to manage and is very labor intensive to maintain.
- Monitoring the rules and risks is complex. Advanced analysis tools are necessary to maintain an overview.
- Both the required systems and the required organisation will lead to high costs.
Of course, you could approach it the other way around: know-everything. This means that I make all information available to everyone. This has one big advantage, no one will come and complain that they are not allowed something. But the disadvantages are very large:
-
Being able to access everything does not mean that I can find everything. There are so many information trees that I can’t see the forest anymore.
-
Laws and regulations do not allow this in certain situations.
-
Access management becomes easy, but it is counterbalanced by measures to protect the information from misuse and mistakes.
As always, the truth lies in the middle, need-to-know is too expensive, know-everything too risky. Starting from ’need-to-NOT-know’ is possibly a solution. Need-to-not-know implies that individuals get access unless. So, unlike need-to-know, you don’t have to determine what someone is allowed to access, but you have to determine what someone is not allowed to access. This requires a different view of both your information and the people who should have access to it. Risk-aware thinking is at the core here:
- If you are not at risk, don’t restrict access.
- If the risk is small, weigh up whether the measure to restrict access is not more costly than the damage caused by the risk.
- If the risk is significant, ensure that the information is protected.
Again, this will lead to a situation where a determination must be made as to whether a particular risk exists, after which access is restricted or not. But the risks that an organisation faces are generally more manageable and determinable than the number of task-person combinations that occur in the organisation.
©Steven van der Linden, March 2020