difference between need to know, least privilege and confidential

Depending on how you look at it, they are shades of the same thing. The confusion comes in when the same terms are used for other things, too.

The principle of "least privilege" states that one should only have access to what they need and nothing more. Extend this idea to "confidentiality of data" and you end up with "need to know".

To put it another way, to keep data confidential, you need to make sure that only those who need access to that data have access, and no one else. Again, it's a form of "need to know" and "least privilege".

I would not say that the 3 ideas are the same idea, but to achieve "confidentiality", you end up needing to employ "least privilege", and by extension, "need to know".

BTW, the quote you have is dealing with the application of "least privilege" as its own idea apart from "need to know", which is valid. Least privilege can be applied to access and capability as well as to the confidentiality of data.


Let's say James Bond has "secret" clearance. That's his privilege. Should he have "top secret"? No. For a variety of reasons, even though he's James Bond, he has the least privilege he needs: He doesn't need to know "top secret" things, so his (least) privilege level is set to "secret."

Now, suppose Bond is battling evil in Jamaica. He gets to know rather a lot about Jamaica because of his "need to know." Does he also get to know "secret" information about Cuba? No. At present, he doesn't need to know that.

And by the way: His "license to kill"? That's more about a capability, and thus more like, say, getting write access to a file; and, thus, more an aspect of his privilege rather than his "need" to exploit it in a certain place. Indeed, if James shot someone in Cuba while on a mission regarding Jamaica, M would probably be pretty pissed unless James could prove that the Cuba killing was essential to his "needs" regarding his Jamaica work.
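To make the three ideas from both answers concrete, here is an added example (my own illustration, not code from either answer) that models them as three separate checks in one access decision: the subject's clearance level is the "least privilege" ceiling, compartments such as JAMAICA or CUBA carry "need to know", and a capability set (read, write) stands in for the "license to kill". The level names, the `Label`/`Subject`/`Resource` types, the `decide` and `least_privilege_for` functions, and the Bond sample data are all constructed for this example.

```python
"""Clearance (least privilege), compartments (need to know) and capabilities
(what a subject may do) kept as three separate checks in one access decision.
Constructed example; names and sample data are not from any real system."""
from dataclasses import dataclass
from enum import IntEnum
from typing import FrozenSet, Iterable, Tuple


class Level(IntEnum):
    UNCLASSIFIED = 0
    CONFIDENTIAL = 1
    SECRET = 2
    TOP_SECRET = 3


@dataclass(frozen=True)
class Label:
    """A classification: a sensitivity level plus need-to-know compartments."""
    level: Level
    compartments: FrozenSet[str] = frozenset()


@dataclass(frozen=True)
class Subject:
    name: str
    clearance: Label               # least privilege: no higher than the job needs
    capabilities: FrozenSet[str]   # operations granted, e.g. "read", "write"


@dataclass(frozen=True)
class Resource:
    name: str
    classification: Label


def decide(subject: Subject, res: Resource, action: str) -> Tuple[bool, str]:
    """Return (allowed, reason). All three checks must pass; the reason
    names the first one that fails, which is what an audit log wants."""
    # 1. Capability: is the subject allowed to perform this kind of action at all?
    if action not in subject.capabilities:
        return False, f"{subject.name} lacks the '{action}' capability"
    # 2. Least privilege: the clearance level must dominate the classification.
    if subject.clearance.level < res.classification.level:
        return False, (f"clearance {subject.clearance.level.name} is below "
                       f"{res.classification.level.name}")
    # 3. Need to know: every compartment on the resource must be granted.
    missing = res.classification.compartments - subject.clearance.compartments
    if missing:
        return False, f"no need-to-know for {sorted(missing)}"
    return True, "allowed"


def least_privilege_for(resources: Iterable[Resource]) -> Label:
    """The smallest clearance that still dominates everything the job touches:
    the highest level actually needed, and only the compartments actually used."""
    resources = list(resources)
    level = max((r.classification.level for r in resources), default=Level.UNCLASSIFIED)
    comps = frozenset().union(*(r.classification.compartments for r in resources))
    return Label(level, comps)


# Constructed sample data following the Bond scenario in the answer above.
JAMAICA_BRIEF = Resource("jamaica-brief", Label(Level.SECRET, frozenset({"JAMAICA"})))
CUBA_BRIEF = Resource("cuba-brief", Label(Level.SECRET, frozenset({"CUBA"})))
JAMAICA_TS = Resource("jamaica-ts-annex", Label(Level.TOP_SECRET, frozenset({"JAMAICA"})))

# Bond's clearance is derived from his current assignment, not handed out generously:
# SECRET level, JAMAICA compartment only, read capability only.
BOND = Subject("Bond", least_privilege_for([JAMAICA_BRIEF]), frozenset({"read"}))

if __name__ == "__main__":
    for res, action in [(JAMAICA_BRIEF, "read"), (CUBA_BRIEF, "read"),
                        (JAMAICA_TS, "read"), (JAMAICA_BRIEF, "write")]:
        print(f"{res.name:18} {action:5} -> {decide(BOND, res, action)}")
```

Run as-is, the four decisions show the three refusals for three different reasons: Cuba is refused on need to know (same SECRET level, wrong compartment), the top-secret annex is refused on clearance level, and writing the Jamaica brief is refused on capability. Deriving `BOND`'s clearance from `least_privilege_for` is the practical point: compute the clearance from the job's resources rather than assigning a generous default and hoping need-to-know catches the rest.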