The Center for Internet Security (CIS) publishes Critical Security Controls that help organization improve cybersecurity. In version 8, Control 6 addresses access control management (in previous versions, this topic was covered by a combination of Control 4 and Control 14).
Control 6 offers best practices on access management and outlines security guidelines for managing user privileges, especially the controlled use of administrative privileges. Best practices require assigning rights to each user in accordance with the principle of least privilege — each user should only have the minimum rights required to do their assigned tasks. This limits the damage the account owner can do, either intentionally or accidentally, and also minimizes the reach of an attacker who gains control of an account.
Unfortunately, organizations tend to grant accounts more privileges than they need because it’s convenient — it’s easier to add an account to the local Administrators group on a computer, for instance, than it is to figure out the precise privileges that the account needs and add the user to the proper groups. In addition, they often fail to revoke privileges that users no longer need as they change roles within the organization, often due to lack of communication and standard procedures. As a result, businesses are at unnecessary risk for data loss, downtime and compliance failures.
To mitigate these risks, CIS Control 6 offers 8 guidelines for establishing strong access control management.
6.1 Establish an access granting process.
Having a defined process for granting access rights to users when they join the organization and when their roles change helps enforce and maintain least privilege. Ideally, the process should be as automated as possible, with standard sets of permissions to different assets and devices in the network associated with different roles and even different levels within a role.
6.2 Establish an access revoking process.
Organizations often fail to revoke access rights that are no longer needed, exposing themselves to attack and exploitation. For instance, if the account of a terminated employee is not disabled or deleted promptly, that individual or anyone who compromises the account’s credentials could exploit its privileges.
Revoking access is also often needed when a user changes role within the organization. This applies not only in cases of demotions, but also for lateral moves and promotions. For instance, a user who shifts from sales to marketing may no longer have a legitimate business need to access data and applications used by the sales team; similarly, an experienced individual who shifts to a management role will likely need to have some of their old rights revoked and some new ones added.
6.3. Require MFA for externally-exposed applications.
Multifactor authentication (MFA) is a best practice because it renders stolen credentials useless to attackers. With MFA, users must supply two or more authentication factors, such as a user ID/password combination plus a security code sent to their email. Without the second factor, a would-be adversary will be denied access to the requested data, systems or services.
Control 6.3 recommends requiring MFA for all externally exposed (internet-facing) software applications, such as tools used by customers, business partners and other contacts.
6.4 Require MFA for remote network access.
This safeguard builds upon the previous one, recommending MFA whenever users try to connect remotely. This practice is particularly important today, since many organizations have many remote and hybrid workers.
6.5. Require MFA for administrative access.
According to Control 6.5 of CIS, the admin accounts an organization has also require the extra security of MFA, because these account grant privileged access to IT assets, often including not just sensitive data but the configuration of core systems like servers and databases.
At a higher level, organizations need to track all their authentication and authorization systems. The inventory should be reviewed and updated at least annually. In addition to being valuable for security, this inventory can also help the organization achieve regulatory compliance.
6.7. Centralize access control.
Centralized access control enables users to access different applications, systems, websites and tools using the same credentials. Single sign-on (SSO) is an example of centralized access control.
A number of providers offer centralized access control and identity management products designed to help businesses simplify user access, improve security and streamline corporate IT operations.
6.8. Define and maintain role-based access control.
Trying to assign each user the right access individually through direct permissions assignment, and keep those rights up to date over time, is simply not a scalable approach to access control. Instead, Control 6.8 recommends implementing role-based access control (RBAC) — assigning access privileges to defined roles in the organization and then making each user a member of the appropriate roles. Roles and their associated rights should be reviewed and updated at least annually.
Summary
Controlling access rights is vital to securing sensitive data, applications and other IT assets. Key access control processes include workflows that enable users to make access requests and data owners to approve or deny them, and processes that enable data owners to regularly review and modify access rights to their data.
Privileged accounts require special attention because they inflict serious damage if they are misused by their owners or compromised by attackers. Netwrix PAM solution simplifies privileged access control by dynamically granting admins exactly the permissions they need to complete a particular task and automatically removing those rights immediately afterward. Therefore, organizations can remove virtually all of their standing privileged accounts, dramatically reducing their attack surface area and avoiding the overhead and liability of traditional vault-centric solutions. Plus, the Netwrix PAM solution is cost effective, intuitive and easy to deploy.