Pääsyoikeuksien hallinnointi - pääsyoikeuksien rajaaminen

Limiting access rights in accordance with the principle of least rights can reduce both intentional and unintentional actions, as well as the risks caused by, for example, malware.

Security-classified information in information systems is separated according to the principle of least rights by means of user rights and system handling rules or by other similar procedures.

Separation can be carried out:

• separation at the logical level (e.g. servers virtualization and restricted network disk folders)
• with reliable logical separation (e.g. approved encrypted virtual machines on customer-specifically reserved physical disks of the disk system, and approved encryption of data or communication on shared network devices)
• with physical separation (physical disks reserved per data owner devices) (also suitable for higher security categories)

Especially in the main identity management systems (e.g. Microsoft 365, Google), administrator accounts have very significant rights. These accounts are often the target of scammers and attacks because of their value. For this reason, it is useful to dedicate administrator accounts to administrative use only, and to not use these accounts for everyday use or, for example, when registering with other online services.

The need-to-know principle grants access only to information that an individual needs to perform his or her task. Different tasks and roles have different information needs and thus different access profiles.

Separation of tasks means that conflicting tasks and responsibilities must be separated in order to reduce the risk of unauthorized or unintentional modification or misuse of the organisation's protected assets.