While it may sound somewhat oppressive, the “rule of least privilege” (more commonly called the principle of least privilege) is designed to limit the damage a mistake or a compromise can do, and with it the risk to your privacy. It’s certainly a good starting point. For an eSignature service, however, it’s fundamentally a set of rules for managing an access problem that should not exist in the first place.
The rule aims to limit each person’s and each program’s access to data to the minimum their job requires. The access itself remains, though, and that is not enough to protect your privacy: a provider that is able to read your documents at all is a far weaker choice than one that holds only ciphertext it cannot decrypt and keeps no encryption backdoor.
There certainly are instances where the rule of least privilege offers an adequate measure of protection, for example for the customer support team of a software application. To understand why it’s likely enough for a generic application but certainly insufficient for your personal documents, we need to understand what the rule really means.
Here’s What the “Rule of Least Privilege” Means
First formulated by Jerome Saltzer in a 1974 paper in Communications of the ACM, the rule of least privilege has only increased in importance since. Its definition is as follows:
Every program and every privileged user of the system should operate using the least amount of privilege necessary to complete the job.
For computer programs, that means limiting the resources each program can reach, enforced by the operating system or by the program’s own design. A web browser, for example, should not be able to change system settings such as power management, because that is not required for the task the browser is designed for.
For humans in computer-related roles, the meaning is much the same: a software developer working on frontend design should not have access to customers’ financial information, as it’s simply not required to fulfill their role and only adds privacy and security risk.
Fundamentally, the rule aims to ensure that there is no unnecessary risk of interference, whether deliberate or accidental, between different areas of work.
Here’s How the “Rule of Least Privilege” Conflicts With Your Data Privacy
As good as the rule sounds, there are real issues that can affect your privacy quite significantly.
| Problem with the “rule of least privilege” | Resulting issue for the user |
|---|---|
| It means there is a way to access your data | Your privacy can be breached by whoever holds that access, or by whoever compromises their account |
| It’s not clearly defined | Inconsistent privacy depending on the choice of provider |
| It’s prone to human error | Real chance of unwanted access by someone on the provider’s side |
| Companies define their own roles and privileges | Dependence on a well-meant definition of roles and privileges on the provider’s side |
| Being too restrictive slows work down | Providers err on the generous side, so you’re likely more exposed than strictly necessary |
| Following the rule creates more work and is therefore costly for the employer | High likelihood of minimal privacy with low-cost providers |
Let’s have a closer look at these issues with privileges and how they can affect the privacy of your documents.
“Least privilege” by definition means there’s a way to access your documents
The mere fact that there’s a “least privilege” means that there is someone with that privilege: someone technically able and, within the provider, authorized to access your data. As good as limiting privileges sounds, the fact that the option to access your documents exists at all is concerning, to say the least.
Whoever obtains that “least privilege” obtains access to your sensitive information. Whether that’s an admin officially “required” to have access, an attacker who has taken over that admin’s account, or a foreign government requesting access: if there’s a way to grant the “privilege” of accessing your data, there’s a risk of that privilege being (ab)used.
“Least privilege” is not universally defined
Even though it’s a well-established principle, there is no 100% clear-cut definition of “least privilege”. Yes, it’s meant to be the minimum amount of privilege necessary to perform the task at hand, but the definition says nothing about which tasks a given role legitimately includes. That is decided by people, not machines, and varies from provider to provider.
Your sensitive documents could be completely private with one provider while openly visible to the same role at another. You’ll likely never have complete insight into the roles and access privileges of any eSignature provider you work with, and are therefore depending on a strict interpretation of the “rule of least privilege” on the provider’s side.
It’s prone to human error
Privileges are tied to roles and to points in time, and both need a person to grant access correctly and, just as importantly, to revoke it once it’s no longer needed. If a support staff member moves into development, they might not require the same access anymore. Once a systems admin is finished with an audit, their elevated access has to be removed promptly. There are endless scenarios where keeping privileges correct is prone to human error, making the setup only as reliable as the people maintaining it.
Unless your eSignature provider consists of only very diligent staff members, you’re at risk of having your documents exposed. Automation such as periodic access reviews and automatic expiry of temporary grants helps keep privileges correct, but it lowers the error rate rather than removing the access itself, so the chance of your most sensitive documents being visible to more people than the definition requires remains real.
Companies define their roles, and therefore privileges
If every IT employee is an admin, privileges are a free-for-all. If your eSignature provider fails to properly define roles, or simply defines that all IT employees require maximum privileges to do their job, the rule of least privilege quickly becomes a farce.
As a user, you have to trust your provider to define roles and privileges in a way that benefits your privacy. They are under no obligation to follow what’s considered high standards or what you would ideally expect from them to protect your privacy.
It’s easier for companies to grant more privileges than strictly necessary
If an employee is held up in their task because of a lack of privileges, it quickly becomes a significant issue for the business. Spread that friction across 1,000 employees and it’s clear why it’s easier to be generous with privileges than to risk lower productivity.
As a user, you want your eSignature provider to work efficiently in order to provide you with the lowest possible price for their service. This quickly leads to a difficult question: How much potential invasion of privacy is a really low monthly price worth to you?
It creates more work (and therefore cost)
Especially in large providers with hundreds or even thousands of employees, properly defining and managing privileges quickly becomes a huge, complex task. Every role needs to have a clear definition of “least privilege” required to work properly, and any change in role or sometimes even task requires someone to adjust the privileges accordingly.
Are you willing to pay (via your subscription price) for however many access administrators it takes to ensure your privacy is adequately protected? If the answer is no, then by opting for an eSignature provider that works on the basis of the “rule of least privilege”, the price you pay can quickly become the ultimate price: the exposure of all your sensitive documents.
Here’s Why You Should Only Trust Providers With the “Rule of No Privilege”
As we’ve seen above, there are many scenarios where the rules about privileges are not quite clear-cut for any kind of provider. Even assuming your eSignature provider does have your best interest in mind, they could still opt for overly generous privileges in order to save on staffing cost, which results in a lower price for you. And while you’d enjoy a lower price, is it worth paying for it with your privacy?
With ever-growing technological complexity and increasingly complex business structures, it’s impossible to know what any eSignature provider deems a required privilege for any given role.
The only way to go, therefore, is to remove that choice altogether. And that is where full end-to-end encryption comes in.
There is no scenario where your eSignature provider “needs” access to the contents of your documents; they should be following the “rule of no privilege”. Whether they are of a sensitive nature or not, your documents are for your eyes (and the eyes of the recipient) only. By encrypting a document on your local device and only decrypting it once it has reached your recipient, you remove not just the temptation but the ability of the provider to glance at it. The provider still sees the metadata it needs to route the document (who sent it, to whom, and when), but never what it says. Oh, and you prevent a whole host of other potential privacy issues as well.
One important thing to keep in mind is that not all encryption is created equal. Encryption in transit (TLS) and encryption at rest with keys the provider holds protect your documents from outsiders, not from the provider, and are often marketed in a way that makes users feel safer than they are. If you’re serious about protecting your privacy, end-to-end encryption is the only way to go: the document is encrypted on your device under a key that only the recipient can recover (in practice an asymmetric key pair protecting a per-document symmetric key). The test is simple: if the provider holds, or can reconstruct, any key that decrypts your documents, it is not end-to-end, whatever the marketing says.
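To make the difference concrete, here is an added example in Go of the encrypt-on-device, decrypt-at-recipient flow described above. It is not code from the original page or from any eSignature product; the hybrid design it uses is an assumption of this example, not a description of any provider: a fresh AES-256-GCM key per document, wrapped with RSA-OAEP to the recipient’s public key, with the document identifier bound in as additional authenticated data. The names Envelope, Seal, Open, ProviderCanRead and PlaintextLeaks, the OAEP label, and the sample contract are all constructed for illustration.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
	"io"
)

// Envelope is the only thing the eSignature service ever stores or relays.
// It carries no key the service can use: the per-document key is wrapped to
// the recipient's public key, and the document itself is AES-256-GCM ciphertext.
type Envelope struct {
	WrappedKey []byte // RSA-OAEP(recipientPub, documentKey)
	Nonce      []byte // GCM nonce, fresh for every document key
	Ciphertext []byte // AES-256-GCM ciphertext with the authentication tag appended
}

// oaepLabel ties the wrapped key to this one use; the value is an assumption of this example.
var oaepLabel = []byte("esign-document-key")

// Seal runs on the sender's device: draw a random key for this document,
// encrypt the document under it, and wrap the key so that only the holder
// of the matching private key can recover it.
func Seal(recipientPub *rsa.PublicKey, docID string, document []byte) (*Envelope, error) {
	docKey := make([]byte, 32) // AES-256
	if _, err := io.ReadFull(rand.Reader, docKey); err != nil {
		return nil, err
	}
	gcm, err := newGCM(docKey)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	// docID as additional authenticated data: the provider cannot re-label this
	// envelope as a different document without breaking the authentication tag.
	ct := gcm.Seal(nil, nonce, document, []byte(docID))
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, recipientPub, docKey, oaepLabel)
	if err != nil {
		return nil, err
	}
	return &Envelope{WrappedKey: wrapped, Nonce: nonce, Ciphertext: ct}, nil
}

// Open runs on the recipient's device. It needs the recipient's private key,
// which never leaves that device, so no role at the provider can perform this step.
func Open(recipientPriv *rsa.PrivateKey, docID string, env *Envelope) ([]byte, error) {
	docKey, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, recipientPriv, env.WrappedKey, oaepLabel)
	if err != nil {
		return nil, fmt.Errorf("unwrap document key: %w", err)
	}
	gcm, err := newGCM(docKey)
	if err != nil {
		return nil, err
	}
	pt, err := gcm.Open(nil, env.Nonce, env.Ciphertext, []byte(docID))
	if err != nil {
		return nil, fmt.Errorf("decrypt document: %w", err)
	}
	return pt, nil
}

// ProviderCanRead models the most privileged insider at the service: they hold
// the envelope and any key the service itself owns, but not the recipient's
// private key. Unwrapping with a key of their own must fail.
func ProviderCanRead(env *Envelope, docID string) bool {
	providerKey, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return false
	}
	_, err = Open(providerKey, docID, env)
	return err == nil
}

// PlaintextLeaks reports whether the stored ciphertext contains the document verbatim.
func PlaintextLeaks(env *Envelope, document []byte) bool {
	return bytes.Contains(env.Ciphertext, document)
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

func main() {
	// Constructed sample: the recipient's key pair and a short contract.
	recipient, _ := rsa.GenerateKey(rand.Reader, 2048)
	contract := []byte("Service agreement between Alice and Bob, 2 pages")

	env, _ := Seal(&recipient.PublicKey, "contract-0001", contract)
	fmt.Println("plaintext visible in stored envelope:", PlaintextLeaks(env, contract))
	fmt.Println("provider can read:", ProviderCanRead(env, "contract-0001"))
	got, err := Open(recipient, "contract-0001", env)
	fmt.Println("recipient decrypts:", err == nil && bytes.Equal(got, contract))

	env.Ciphertext[0] ^= 0x01 // a modified envelope is rejected, not decrypted to garbage
	_, err = Open(recipient, "contract-0001", env)
	fmt.Println("tampered envelope rejected:", err != nil)
}
```

The points to take from it: the envelope the provider stores contains no plaintext, a key the provider generates itself cannot unwrap it, and an envelope that has been modified or re-labelled for a different document is rejected rather than silently decrypted. What the provider does still see is the envelope’s existence and the routing around it (sender, recipient, time); end-to-end encryption protects the content, not the fact of the exchange.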
The Bottom Line
There are too many unknowns when it comes to how your eSignature provider handles the well-established “principle of least privilege”: Even with the best of intentions, someone working there will have insight into your documents. And as more and more of our lives (and therefore sensitive information) is going digital, the risk of exposure grows by the day.
Think of the ramifications when (and it’s only a matter of time) some of your documents are compromised, whether through a hack or a request from a foreign government – what would the consequences be for you and your business?
Don’t risk your privacy: Opt for full end-to-end encryption and rest assured that, no matter the scenario, your sensitive data will not be exposed to anyone. In a world of ever-increasing digital risk, it’s the only valid choice not only for your business but also for your peace of mind.