Least Privilege

The principle of least privilege states that users, processes, and systems should be granted only the minimum access rights needed to perform their function, and no more. Over-privileged accounts are a major source of breach impact: if an account with excessive permissions is compromised, the attacker can do far more damage. Implementing least privilege requires regular access reviews, just-in-time access provisioning, and role-based access control (RBAC).

Why it matters for your website

• 1Foundational principle in modern security — harder to retrofit than to build in from the start
• 2Reduces breach impact by limiting what attackers can access if they get in
• 3Required control in ISO 27001, NIST CSF, and most compliance frameworks