Which security practice minimizes user access to only what is necessary?

Prepare for the SANS Security Test with quizzes designed to boost your confidence. Study with detailed explanations and hints to ensure you are exam-ready!

The concept of least privilege is a fundamental principle in security that is designed to minimize the potential for harm and reduce the attack surface in an organization. Under this principle, users are granted only the minimal level of access necessary for them to perform their job functions. This means that if a user does not need access to a particular resource or level of data to complete their tasks, they do not receive that access.

Implementing the least privilege approach helps in mitigating risks associated with unauthorized access and potential exploitation. For instance, if an account that has access to sensitive information is compromised, the attacker will only be able to access the information that the legitimate user had access to, limiting the potential damage.

The other practices mentioned, such as mandatory access control and role-based access control, have their own uses in security architectures but are not focused solely on minimizing access. Mandatory disclosure, on the other hand, is not typically relevant to user access management; it generally refers to legal or regulatory requirements to disclose certain information rather than to controlling how much access users have. Thus, least privilege stands out as the most directly applicable practice for minimizing user access to what is strictly necessary.
