The Principle of Least Privilege states that a user (or service) should be given the absolute bare minimum privileges required in order to fulfil its function.

On the surface, how could this possibly be bad? If I have everything I need in order to do my job then by definition I have everything I need. Likewise, if my app has all the privileges it needs in order to function correctly then, again, by definition it can function correctly. Right?

For the purpose of this post I'm going to focus on application security. The parallels between that and user-level permissions are obvious, so I'll leave you to draw your own conclusions.

Where this all falls down is in defining "least privilege" in a sensible manner. How do we normally decide what privileges an application will require? When we decide on what the application will do, of course. And how do we decide what an application will do? We gather our requirements, of course. And when do we do this? We (of course, of course) gather all our requirements up-front, because that's how we roll.

To rephrase that:

  1. We gather our requirements up-front.
  2. We know these requirements to be inaccurate, incomplete or just plain wrong.
  3. We set our security policies according to these requirements.
  4. We have our policies "signed off" by some governance group or other.
  5. We send our security requirements off to our sysadmins to implement in the form of Active Directory (AD) security groups, etc.

In other words:

We send our known-broken security requirements, based on our known-broken application requirements, off to be set in stone before we ever even ship our application. Now try telling me that it makes sense. Of course, we can change security policies after they've been written - and constitutional reform is theoretically possible, too, but how long did it take for women to get the vote?

If you're going to set strict security policies for your app then your development team should be responsible - and held accountable - for setting sensible policies and updating them quickly according to changing requirements. If you're going to wrap security policies in endless red tape then don't be surprised when 1) people ask for more privileges than they need just to avoid administrative pain; and 2) your project ends up with a sub-optimal result because of a bunch of stupid security work-arounds that decrease your overall security anyway.
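One way to make the development team the owner of the policy, added here as an illustration and not something the post itself proposes in code: keep a least-privilege manifest in the application's repository and run a drift check in CI that compares it against the groups the app was actually granted. The manifest format, the group names, the privilege strings and the sample memberships below are all constructed for this example; real AD groups would be read from the directory rather than a dictionary.

```python
"""Least-privilege manifest plus drift check (added example, not from the post).

The app declares the privileges it needs in a versioned manifest that is
reviewed with the code. The check reports two kinds of drift:
  * excess  - granted but not required (the "more than they need" problem)
  * missing - required but not granted (the "security work-around" trigger)
Because directory groups bundle several privileges, granting a coarse group
for one needed privilege is the usual source of excess.
"""
import json
from dataclasses import dataclass, field

# Constructed manifest, as it might be checked in next to the code.
MANIFEST_JSON = """
{
  "app": "invoicing",
  "version": "1.2",
  "required": ["db:invoices:read", "db:invoices:write", "smtp:send"]
}
"""

# Constructed stand-in for directory groups and the privileges each grants.
GROUPS = {
    "APP_Invoice_Readers": {"db:invoices:read"},
    "APP_Invoice_Admins": {"db:invoices:read", "db:invoices:write",
                           "db:invoices:delete"},
    "APP_Mail_Senders": {"smtp:send"},
}


@dataclass(frozen=True)
class Manifest:
    app: str
    version: str
    required: frozenset


@dataclass
class DriftReport:
    excess: set = field(default_factory=set)   # granted, never required
    missing: set = field(default_factory=set)  # required, never granted

    @property
    def clean(self) -> bool:
        return not self.excess and not self.missing


def load_manifest(text: str) -> Manifest:
    """Parse the checked-in manifest; a malformed one should fail the build."""
    data = json.loads(text)
    return Manifest(data["app"], data["version"], frozenset(data["required"]))


def effective_privileges(memberships: set, groups: dict) -> set:
    """Union of the privileges granted by every group the app belongs to."""
    unknown = set(memberships) - groups.keys()
    if unknown:
        raise ValueError(f"unknown groups: {sorted(unknown)}")
    return set().union(*(groups[g] for g in memberships))


def check_drift(manifest: Manifest, memberships: set, groups: dict) -> DriftReport:
    granted = effective_privileges(memberships, groups)
    return DriftReport(excess=granted - manifest.required,
                       missing=manifest.required - granted)


def describe(report: DriftReport) -> str:
    """Human-readable change request for whoever administers the groups."""
    if report.clean:
        return "grants match manifest"
    lines = []
    if report.excess:
        lines.append("revoke: " + ", ".join(sorted(report.excess)))
    if report.missing:
        lines.append("grant: " + ", ".join(sorted(report.missing)))
    return "; ".join(lines)


if __name__ == "__main__":
    manifest = load_manifest(MANIFEST_JSON)
    # Constructed: the app was dropped into the admin group to get write access.
    current = {"APP_Invoice_Admins", "APP_Mail_Senders"}
    print(describe(check_drift(manifest, current, GROUPS)))
```

The point of the versioned manifest is that a change in requirements becomes a pull request: the developer edits the manifest, the drift check fails until the grants catch up, and the record of why a privilege exists sits next to the code that uses it instead of in a sign-off spreadsheet.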

TL;DR: Hire smart people. Trust them. Get out of their road. Hold them accountable.