Best Practices: Access Control – Use it or Lose It

By Rick Norman, Director, Coalfire

Several times throughout the year we hear about data breaches in industries such as healthcare, retail, banking, critical infrastructure, and manufacturing. Typically a breach occurs because malicious software (malware) or a person gained access to information the data custodian never intended them to have. This may come from malware downloaded into a trusted environment by a business or IT user with elevated privileges, or from deliberate actions by an attacker exploiting web application or network vulnerabilities exposed to the Internet. There are many approaches to tackling this problem, and defense-in-depth is certainly the best way to go, but in general, if attackers do not have access to the data, they cannot get it out of the organization.

Your organization may be subject to state, federal or industry regulations, such as California’s SB 1386, the Health Insurance Portability and Accountability Act of 1996 (HIPAA) or the Payment Card Industry Data Security Standard (PCI DSS), that make your IT group long for the days of 2400-baud modems, standalone terminals without cut-and-paste functionality, and USB access for “ease” of data portability. Well, those days are over for most companies, so we have to face the reality of securing customer data with the right amount of security—not too much—not too little, but just right for the business. Let’s look at practical options for controlling access to assets that can make a difference in the bottom line of an organization.

Implement Consistent Policies, Processes and Procedures for Account Provisioning
An organization’s security administration or provisioning team is the first line of defense for ensuring management’s intent is properly executed. Develop consistent, repeatable processes and procedures based on the principle of least privilege, and assign unique accounts to all personnel who must have access to data to perform their job duties. This applies to end users as well as system administrators. System administrators will require greater access rights than the typical end user, but knowing “who” has “what” access to “which” assets, regardless of their role, is vital to properly securing information. Also, do not limit the scope of account provisioning to systems, applications and databases (including virtual environments). Ensure the provisioning process covers all critical infrastructure components, such as firewalls, routers and switches, to name a few. Even if another group is responsible for the technical account administration of the infrastructure devices, make sure that access requests follow the same provisioning process.

Perform Periodic Access Reviews
Perform these reviews on at least an annual basis. Some regulations require quarterly access reviews to ensure that accounts inactive for over 90 days are disabled or deleted. Review access control lists to ensure that account access is appropriate and management-approved. The term “recertification” is usually applied to this type of review: it confirms that management’s intent for access, once approved, remains valid. There are solutions in the market that can assist with automated account recertification, especially if you use a third-party identity management solution that contains records of all user accounts.

Record (Log) Access to Assets and Regularly Review
After going through the work of setting up consistent processes and procedures for granting access and periodically reviewing access to those assets, the next item on the agenda is to record who accesses the assets. This is a frequently overlooked step in the defense-in-depth approach because we sometimes forget that mistakes are made and access is granted incorrectly. Also, when the control was designed, it is possible that not all attack vectors were taken into account, or the environment has since changed such that access is available to those who were not previously allowed. Logging access and periodically reviewing access logs validates that the controls put in place are operating as management intends, not merely as designed.

Take Corrective Action
Now that management’s intent has been implemented, user account reviews are conducted, and access to assets is consistently logged and regularly reviewed by security or appropriately trained personnel, the next step is to take corrective action and remove or restrict access not approved by management. Plugging control gaps not identified at the time of control creation, or gaps created by environmental changes not identified during the design process, is crucial to ensuring that access to assets is appropriate.
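The two checks the review steps above call for, the 90-day inactive-account test from the periodic access review and the reconciliation of access logs against management-approved entitlements that feeds corrective action, as one added Python example. This is not the article's or Coalfire's code; the entitlement table, last-logon dates, the four-field log format and the review date are constructed assumptions.

```python
from datetime import date, timedelta

INACTIVITY_LIMIT_DAYS = 90          # the 90-day threshold cited in the review step
REVIEW_DATE = date(2024, 6, 10)     # assumed date of this quarterly review

# Constructed sample data (hypothetical): management-approved entitlements
# (account -> assets), the provisioning system's last-logon record, and
# access-log lines in an assumed "date,user,asset,result" format.
APPROVED = {
    "alice": {"payroll-db", "hr-share"},
    "bob": {"payroll-db"},
    "carol": {"fw-core"},
}
LAST_LOGON = {"alice": date(2024, 6, 1), "bob": date(2024, 1, 15), "carol": date(2024, 5, 20)}
ACCESS_LOG = """\
2024-06-01,alice,payroll-db,success
2024-06-02,bob,hr-share,success
2024-06-03,dave,fw-core,success
2024-06-03,carol,fw-core,success
2024-06-04,erin,payroll-db,denied
"""

def inactive_accounts(last_logon, today=REVIEW_DATE, limit_days=INACTIVITY_LIMIT_DAYS):
    """Accounts with no logon inside the limit: candidates to disable or delete."""
    cutoff = today - timedelta(days=limit_days)
    return sorted(user for user, seen in last_logon.items() if seen < cutoff)

def unapproved_access(log_text, approved):
    """Reconcile successful access events against approved entitlements.
    A denied event shows the control working; a success outside the approved
    grant (unknown account, or approved account on an unapproved asset) is a gap."""
    findings = []
    for line in log_text.splitlines():
        _day, user, asset, result = line.split(",")
        if result != "success":
            continue
        if asset not in approved.get(user, set()):
            findings.append((user, asset))
    return findings

def corrective_actions(today=REVIEW_DATE):
    """Merge both reviews into the action list the corrective-action step needs."""
    actions = [f"disable {u}: no logon in {INACTIVITY_LIMIT_DAYS} days"
               for u in inactive_accounts(LAST_LOGON, today)]
    actions += [f"remove or investigate {u} on {a}: access not approved by management"
                for u, a in unapproved_access(ACCESS_LOG, APPROVED)]
    return actions

if __name__ == "__main__":
    for action in corrective_actions():
        print(action)
```

In a real review the three inputs would come from the identity management system, the directory's last-logon attribute and the asset's own access logs respectively; the reconciliation logic is the same.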

Those charged with the responsibility to oversee, design, develop, implement, or test access controls and mechanisms play a vital role in the protection of an organization’s assets.  Preventing data loss begins with controlling access to vital resources and assets through the effective implementation and operation of well-designed controls, whether automated or manual – control access or risk losing the assets.