Wed. Jan 25th, 2023

Principle of minimum access

This is the security paradigm which states that users and applications should have only the bare minimum of privileges needed to support their intended roles.

For example, an administrator would be able to install software on a system. A data entry operator should not be installing software, and in fact should only be running the program required to complete their job. Granting a user access rights beyond those they need risks instability in your system, as users can perform unintended actions.

With regard to software, you should ensure that applications access only those resources on your system that you consent to. For example, an anti-virus package needs to run with privileges that allow it to view the entire contents of the computer's storage device. However, you would question whether a contact management system or web server should have those rights: you would remove any unneeded permissions from these applications so that they run with the bare minimum of access that they require. In the event of a malware attack on the application in question, it is now far less likely that sensitive data can be accessed by the rogue application.
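One way to check whether a service account holds more file access than its role needs, as an added example that is not part of the original page. The uid/gid 33 web server account, the paths and the inventory are constructed; the check covers classic POSIX mode bits only and assumes no ACLs, capabilities or directory traversal restrictions.

```python
import stat
from pathlib import PurePosixPath

# Constructed sample inventory: (path, owner uid, group gid, mode bits).
# On a real host these values would come from os.stat() on each file.
INVENTORY = [
    ("/var/www/site/index.html", 33, 33, 0o640),
    ("/var/www/site/uploads/a.png", 33, 33, 0o660),
    ("/etc/contacts/db.conf", 0, 33, 0o640),          # group bit grants read
    ("/home/alice/payroll.xlsx", 1000, 1000, 0o644),  # world-readable
    ("/home/alice/notes.txt", 1000, 1000, 0o600),     # private to its owner
    ("/srv/backup/full.tar", 0, 0, 0o666),            # world-writable
]

def perms_for(uid, gids, owner, group, mode):
    """Return 'r', 'w', 'rw' or '' for an account, using POSIX class selection."""
    if uid == 0:
        return "rw"  # root bypasses mode bits entirely
    # Exactly one class applies: owner first, then group, then other.
    # An owner whose own bits are cleared is denied even if 'other' is open.
    if uid == owner:
        r, w = stat.S_IRUSR, stat.S_IWUSR
    elif group in gids:
        r, w = stat.S_IRGRP, stat.S_IWGRP
    else:
        r, w = stat.S_IROTH, stat.S_IWOTH
    return ("r" if mode & r else "") + ("w" if mode & w else "")

def excess_access(uid, gids, needed, inventory=INVENTORY):
    """List (path, perms) the account holds outside the directories it needs."""
    findings = []
    for path, owner, group, mode in inventory:
        parents = PurePosixPath(path).parents
        if any(PurePosixPath(n) in parents for n in needed):
            continue  # inside the role's working set, so access is expected
        perms = perms_for(uid, gids, owner, group, mode)
        if perms:
            findings.append((path, perms))
    return findings

if __name__ == "__main__":
    # Web server account (uid 33) that only needs its document root.
    for path, perms in excess_access(33, {33}, ["/var/www/site"]):
        print(f"excess {perms:>2}  {path}")
```

Each finding is a permission to remove, for example by clearing the "other" bits on the file or dropping the account from the group that grants access.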