"Stinginess with privileges is kindness in disguise." - Guide to VAX/VMS Security, Sep. 1984

In the annals of computing history, few quotes have encapsulated the ethos of early cybersecurity quite like the aphorism, "Stinginess with privileges is kindness in disguise," which appeared in the September 1984 issue of "Guide to VAX/VMS Security." This pithy phrase, attributed to an unknown author, has stood the test of time, remaining as relevant today as it was in the dawning era of digital networks.

The sentiment behind the quote is a core philosophy of zero-trust security, a principle that has gained traction in recent years, particularly as corporate networks become increasingly complex and decentralized. The "zero-trust" concept, as advanced by Forrester Research analyst John Kindervag, posits that all users, whether inside or outside an organization, should be considered a potential threat. Therefore, access to critical systems and data should be restricted to the bare minimum required to perform a job function. When applied to privilege management, this means stinginess, or parsimony, is not a negative characteristic but a virtue.

Rewinding to 1984, the context for this quote was the modular, multi-user VAX/VMS operating system. Designed by Digital Equipment Corporation (now part of HPE), VAX/VMS was a powerful and flexible system, but its power came with potential risks. Multitasking and shared resources meant a single compromised account could wreak havoc on an entire network. Thus, the advice to be stingy with privileges was not a suggestion but a necessity.

Thirty-seven years later, the threats facing networks have evolved, but the underlying principle remains the same. Today's large-scale breaches often begin with a targeted attack on a single, privileged user account. Recall the 2017 NotPetya attack, which initially exploited a vulnerability in a Ukrainian accounting software company's update system. By gaining administrator-level access to just a few servers, the attackers were able to quickly spread malware across entire corporate networks, causing billions of dollars in damage.

To mitigate these risks, organizations are increasingly adopting privilege management solutions. These tools enforce the principle of least privilege (PoLP), which states that users should only be granted the privileges necessary to complete their job duties. By implementing PoLP, organizations can significantly reduce their attack surface, limiting potential damage in case of a security incident.

However, being stingy with privileges isn't just about defending against external threats. It's also about protecting against insider threats, whether malicious or negligent. According to the 2020 Verizon Data Breach Investigations Report, insider threats account for 30% of data breaches. By tightly controlling privileged access, organizations can deter and detect both accidental and intentional misuse of sensitive data.

The 1984 guide to VAX/VMS security may seem like a relic from a bygone era, but its core message is as relevant today as it was then. Stinginess with privileges, once seen as a paranoid extreme, is now recognized as a fundamental tenet of cybersecurity. As our networks grow larger and more complex, and the stakes become increasingly high, the phrase "Stinginess with privileges is kindness in disguise" serves as a reminder that security is not a set-it-and-forget-it task, but an ongoing commitment to vigilance and parsimony.