Critical Control 9 - Controlled Access Based on the Need to Know
Last Updated: 2011-10-14 02:03:33 UTC
by Johannes Ullrich (Version: 1)
For the full description, please see: http://www.sans.org/critical-security-controls/control.php?id=9
Whenever we talk about security and assign access control lists, the principle of least privilege comes up. Our firewalls should block all ports except the ones we need to do business. The same is true for file access control lists (ACLs): we should only allow read or write access to files as needed.
The principle of least privilege is fundamental to information security, and closely related to the idea of "the need to know". This term tends to be used more in government and military contexts, but it is just as valid in commercial networks.
For example, in order to obtain certain information, a user needs a certain "clearance" (usually a position in the company) AND a need to know the information. In a hospital setting, for example, all nurses are likely considered trusted enough to read any patient's information. However, they should still only access information for patients they deal with.
Fine-grained access controls like this are critically linked to the correct labeling of data. In most cases I have seen, the labeling of data is actually the main problem. Consider a spreadsheet with patient data in a hospital. In order to provide proper access control, the access control system needs to take into account which patients are listed in the spreadsheet, and later compare that list to the list of patients a nurse is associated with before providing access. Realistically, this is not going to happen. Data needs to be properly segmented, and once data of various classifications ends up in the same spot (like an Excel spreadsheet), it is usually too late.
As a start, one should probably first define the different roles in the organization, and figure out what each role needs to know to get its work done. Later, the roles may be refined and access control may be further restricted. The same is true for data labels. Initially, you may break data down into rough categories, and as your system is refined, you may want to come up with finer categories.
But don't rush this. Nothing is more frustrating than security getting in the way of normal business processes, and this is probably the fastest way to lose steam for your initiative. This control should be considered a control for a more mature organization that has already covered most other controls. Start this one slowly, and consider implementing detective controls first before implementing enforcement.
For example, to go back to our hospital case: if you come into the emergency room bleeding, your priority is that the nurse has fast and proper access to your medical record. Getting proper help fast is more important (at least at that time) than the confidentiality of your patient record. Instead of focusing on enforcing access controls, a hospital may deploy log analysis to monitor nurses who accessed more files than others, or, for example, to review who accessed the records of a celebrity visiting the hospital.
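A sketch of the detective control described above, added here as an illustration and not part of the original diary: it reviews a record-access log for users who opened far more distinct patient records than their peers, and for any access to a watchlisted record. The log format, user and patient IDs, the watchlist and the "more than twice the peer median" threshold are all assumptions; the sample log is constructed.

```python
import csv
import io
from collections import defaultdict
from statistics import median

# Constructed sample audit log (timestamp,user,patient_id); not real data.
SAMPLE_LOG = """\
2011-10-13T08:02:11,nurse_a,P100
2011-10-13T08:05:40,nurse_a,P101
2011-10-13T08:30:02,nurse_a,P102
2011-10-13T08:31:15,nurse_b,P103
2011-10-13T08:45:00,nurse_b,P104
2011-10-13T09:10:27,nurse_b,P103
2011-10-13T09:12:00,nurse_b,P900
2011-10-13T09:15:33,nurse_d,P105
2011-10-13T09:20:00,nurse_d,P106
2011-10-13T09:21:00,nurse_d
2011-10-13T10:00:01,nurse_c,P100
2011-10-13T10:00:09,nurse_c,P101
2011-10-13T10:00:15,nurse_c,P103
2011-10-13T10:00:22,nurse_c,P104
2011-10-13T10:00:30,nurse_c,P105
2011-10-13T10:00:41,nurse_c,P106
2011-10-13T10:00:55,nurse_c,P900
"""

WATCHLIST = {"P900"}  # hypothetical ID for a high-profile patient's record

def parse_log(text):
    """Yield (timestamp, user, patient_id); malformed rows are skipped."""
    for row in csv.reader(io.StringIO(text)):
        if len(row) == 3 and all(f.strip() for f in row):
            yield tuple(f.strip() for f in row)

def review(text, watchlist=WATCHLIST, factor=2.0):
    """Return (heavy_users, watchlist_hits) for human review; blocks nothing."""
    patients_by_user = defaultdict(set)
    watchlist_hits = []
    for ts, user, patient in parse_log(text):
        patients_by_user[user].add(patient)  # repeat views of one patient count once
        if patient in watchlist:
            watchlist_hits.append((ts, user, patient))
    counts = {u: len(p) for u, p in patients_by_user.items()}
    baseline = median(counts.values()) if counts else 0
    heavy = {u: n for u, n in counts.items() if n > factor * baseline}  # assumed threshold
    return heavy, watchlist_hits

if __name__ == "__main__":
    print(review(SAMPLE_LOG))
```

Both outputs are leads for a reviewer rather than verdicts: a nurse covering several wards will legitimately exceed the median, which is why this runs as monitoring and not as enforcement.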
Johannes B. Ullrich, Ph.D.
SANS Technology Institute