When you walk into a bank, can you walk right into the vault? Of course not. Most of the employees cannot walk into the vault either. Why? Because those individuals are not authorized and have no business being in the vault, so the bank does not grant them access to it.
This is a simple explanation, but an accurate one, for the next of the Critical Security Controls. Control fourteen is Controlled Access Based On The Need To Know. We have all heard this phrase through TV, movies, books and work to the point of it being cliché, but it’s accurate: “This mission is classified on a need to know basis only.”
This concept applies directly to Information Security and Access Management. Like most security concepts it’s very easy to say but hard to be disciplined about in actual practice: don’t give a user more access than his or her role needs.
Here’s what the control says –
The processes and tools used to track/control/prevent/correct secure access to critical assets (e.g., information, resources, and systems) according to the formal determination of which persons, computers, and applications have a need and right to access these critical assets based on an approved classification.
The prior thirteen security controls I have written about lead up to this one. In order to know how to grant access you first must know your environment and your users. The inventories you have created should be far more detailed than just a list; they should contain business rules and definitions. Working with HR, your employees’ roles should be well defined. Your CIO should have the technical access levels laid out. Each department should have its business rules for accessing applications and resources.
Bring all of those together to build an access and authorization business map and you can start to understand who and what gets the access needed to do their jobs. Naturally, where you have rules for granting access you also have rules against granting it, or as the business world calls it, segregation of duties.
- Accounts Payable cannot have Accounts Receivable access.
- Development cannot access production.
- Users cannot approve their own service tickets.
- Only the sales team can access Salesforce.
The access management world gets as complex as the business rules that run it. The bulk of this control is knowing. What do you know? How do you control that knowledge? Who defines all the rules? Who decides who has the need and who doesn’t?
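To make the rules above concrete, here is an added example (not code from the original post): a small role-based access check that defaults to deny, plus a review pass that flags segregation-of-duties conflicts and wildcard “full admin” accounts. All roles, permissions, users and rule labels are constructed sample data modelled on the four example rules; the function names are my own.

```python
"""Need-to-know access check with a segregation-of-duties (SoD) review.

Added illustration, not code from the post. Every role, permission, user
and rule below is constructed sample data.
"""
from dataclasses import dataclass, field
from fnmatch import fnmatch

# Role -> permissions written as "resource:action". "*" is an explicit
# wildcard. A full-admin role is kept here only so the review can spot it.
ROLE_PERMISSIONS = {
    "accounts_payable":    {"ap_ledger:read", "ap_ledger:write", "vendor_payments:approve"},
    "accounts_receivable": {"ar_ledger:read", "ar_ledger:write", "customer_invoices:issue"},
    "developer":           {"dev_env:deploy", "source_repo:write"},
    "operations":          {"prod_env:deploy", "prod_env:read"},
    "sales":               {"salesforce:read", "salesforce:write"},
    "helpdesk":            {"service_ticket:approve", "service_ticket:read"},
    "employee":            {"service_ticket:create", "service_ticket:read"},
    "admin":               {"*:*"},  # every resource, every action
}

# SoD rules: (label, roles on one side, roles on the other side).
# One person must never hold roles from both sides of a rule.
SOD_RULES = [
    ("AP and AR must be separated", {"accounts_payable"}, {"accounts_receivable"}),
    ("Development cannot access production", {"developer"}, {"operations", "admin"}),
]


@dataclass
class User:
    name: str
    roles: set = field(default_factory=set)

    def permissions(self):
        """Effective permissions are the union of every held role."""
        perms = set()
        for role in self.roles:
            perms |= ROLE_PERMISSIONS.get(role, set())
        return perms


def authorize(user, resource, action):
    """Default deny: grant only if a held role carries a matching permission."""
    for perm in user.permissions():
        res_pat, act_pat = perm.split(":", 1)
        if fnmatch(resource, res_pat) and fnmatch(action, act_pat):
            return True
    return False


def can_approve_ticket(user, ticket_owner):
    """'Users cannot approve their own service tickets' depends on the object,
    not just the role, so it is checked before the role lookup."""
    if user.name == ticket_owner:
        return False
    return authorize(user, "service_ticket", "approve")


def sod_violations(users):
    """Return (user, rule label) pairs where one person sits on both sides."""
    found = []
    for user in users:
        for label, left, right in SOD_RULES:
            if user.roles & left and user.roles & right:
                found.append((user.name, label))
    return found


def overprivileged(users):
    """Accounts whose effective permissions contain a wildcard."""
    return sorted(u.name for u in users if any("*" in p for p in u.permissions()))


# Constructed sample inventory; "bob" and "dave" are the cases worth catching.
SAMPLE_USERS = {
    "alice": User("alice", {"accounts_payable", "employee"}),
    "bob":   User("bob", {"accounts_payable", "accounts_receivable"}),
    "carol": User("carol", {"developer", "employee"}),
    "dave":  User("dave", {"admin"}),
    "erin":  User("erin", {"sales", "employee"}),
    "frank": User("frank", {"helpdesk", "employee"}),
}

if __name__ == "__main__":
    for name, label in sod_violations(SAMPLE_USERS.values()):
        print(f"SoD violation: {name}: {label}")
    for name in overprivileged(SAMPLE_USERS.values()):
        print(f"Wildcard access: {name}")
```

The two review functions are the part worth running regularly: a one-off access map goes stale, and a scheduled pass over the real role inventory is what keeps “who has the need” from silently drifting into “who has everything”.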
How It Could Be Exploited
Hackers prey on the overwhelmed, the undereducated, the naive and the lazy. This control is about discipline, with the security program as the assertive leader rather than a check-box add-on.
Two of the largest breaches ever, at a retailer and a health care organization, did not have proper controls and discipline around need-based access. They did what many do and reverted to giving full admin rights rather than scaled-down, custom-crafted access accounts, probably because it was easier. What happened? When those accounts were compromised the hackers hit the jackpot. Those accounts could go anywhere and do everything, with no layer of protection to slow them down.
You give the bank custodian keys to the offices, not to the vault or safe rooms.
End of line.
Binary Blogger has spent 20 years in the Information Security space, currently providing security solutions and evangelism to clients. From early web application programming, system administration and senior management to enterprise consulting, I provide practical security analysis and solutions to help companies and individuals figure out HOW to be secure every day.