When designing an architecture for an organization, how do organizations best meet the needs to define reasonable permissions?
As a security practitioner, what measures would you implement to ensure that staff can perform their job duties, but minimize the risk of unauthorized use or disclosure?
Scott Radaszkiewicz says
When designing an architecture for an organization, how do organizations best meet the needs to define reasonable permissions?
In designing the architecture for an organization I believe one of the key elements to keep in place is a role based system. Roles allow users to be granted access to system resources based on a role they are assigned. This allows for quick and easy assigning of access to users, as well as removal. For instance, let’s say each organization has a managerial role. A user could be placed into the managerial role and they would have all needed access and permissions to do their job. Should that person leave the organization, the user is removed from that role, and all access granted to that role is removed. Assigning explicit permissions to a user makes this task cumbersome.
Audits of resources are much simpler to conduct when you’re looking only at role based access. An audit of any role would show the users who are in that role and would then convey the access.
Scott Radaszkiewicz says
As a security practitioner, what measures would you implement to ensure that staff can perform their job duties, but minimize the risk of unauthorized use or disclosure?
As a security practitioner, the most important thing to keep in mind when implementing access to resources is the principle of least privilege. The principle of least privilege basically says that you should only give access to resources that are needed for a person to do their job. For instance, the accounts payable person should have access to only the information in the system relating to accounts payable tasks. And that information should also be limited by the function of their job. If they are not responsible for maintaining certain data fields, then they should not even have write access to that data.
Coupled with this is the fact that permissions tend to spread. A person could work in one department and move within the company to another position. It’s key to ensure any access to prior job resources are removed, as long as they are no longer needed. Periodic audits of users and resource access is crucial to maintaining this structure.
Jonathan Duani says
Scott,
Totally agree with your statement that the most important privilege is least privilege. When you are looking into this stuff it is important to make sure that person only has the right amount of privileges. I think a lot of places have to do a better job of this. I see it all the time, especially where I work, where people move to different departments and they still have accesses they do not need anymore.
Dima Dabbas says
I think organizations can best meet their needs in defining reasonable permissions through assigning users to groups that contain role based permissions. Every user within the organization should have the appropriate permissions to enable them to perform their daily tasks. They should not have more permissions than that but rather apply the principle of least privilege where users have just the right permissions that they need for their job. However, I think assigning roles should be based on the group instead of assigning roles to users individually. When a new employee starts working in the organization, they are added to the group that best fits their job and title. The group contains the role that the user will inherit. This makes it a lot more convenient when new employees come onboard or when employees leave the organization. In the case of an employee termination, the only thing that will need to be performed is removing the user from the group that contains the role. There might be situations where a user might not fall under any group based on their job duties, if that is the case then the user will be assigned their individual role without being added to any group.
As for the measures that can help ensure that staff can perform their job duties and minimize the risk of unauthorized disclosure, I think that it is very important to apply the principle of least privilege that was just mentioned as well as separation of duties, and security awareness training. Separation of duties can help ensure that not one person is performing tasks that may be handling sensitive data but rather gives other individuals the chance to work with this data as well. Separation of duties helps in performing audits on the individuals, which helps in confirming that the individuals are handling the data correctly. Security awareness training is another important element that many organizations lack. If your organization deals with sensitive data, then employees should be provided with security awareness programs that make them more knowledgeable of security and know that they are an important resource to the organization. These awareness programs can help employees be more careful in their daily jobs.
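As an added example, not part of Dima’s post or any other post in this thread, here is the group-based RBAC design described above in runnable form: users are placed in groups, groups carry roles, roles carry permissions, onboarding and termination are group-membership changes, a user who fits no group gets a direct role, and a separation-of-duties rule refuses a change that would give one person conflicting roles. Every group, role, permission and user name below is constructed for the example.

```python
"""Added example (not from the discussion): group-based RBAC with a
separation-of-duties check. All roles, groups, permissions and users are
constructed for illustration."""

from typing import Dict, FrozenSet, Set, Tuple

Permission = Tuple[str, str]  # (action, resource)

# Role -> permissions the role carries (constructed).
ROLE_PERMISSIONS: Dict[str, Set[Permission]] = {
    "ap_clerk":    {("read", "invoices"), ("write", "invoices")},
    "ap_approver": {("read", "invoices"), ("approve", "payments")},
    "hr_analyst":  {("read", "employee_records")},
}

# Group -> roles its members inherit. Users are added to groups, not to roles.
GROUP_ROLES: Dict[str, Set[str]] = {
    "Accounts Payable": {"ap_clerk"},
    "AP Management":    {"ap_approver"},
    "Human Resources":  {"hr_analyst"},
}

# Role pairs one person must never hold together (separation of duties):
# whoever enters invoices must not also approve the payments for them.
SOD_CONFLICTS: Set[FrozenSet[str]] = {frozenset({"ap_clerk", "ap_approver"})}


class SoDViolation(Exception):
    """Raised when a change would give one user conflicting roles."""


class Directory:
    def __init__(self) -> None:
        self._groups: Dict[str, Set[str]] = {}        # user -> groups
        self._direct_roles: Dict[str, Set[str]] = {}  # user -> roles held outside any group

    def roles(self, user: str) -> Set[str]:
        """Effective roles: inherited through groups plus any direct roles."""
        inherited: Set[str] = set()
        for group in self._groups.get(user, set()):
            inherited |= GROUP_ROLES[group]
        return inherited | self._direct_roles.get(user, set())

    def permissions(self, user: str) -> Set[Permission]:
        perms: Set[Permission] = set()
        for role in self.roles(user):
            perms |= ROLE_PERMISSIONS[role]
        return perms

    def is_allowed(self, user: str, action: str, resource: str) -> bool:
        return (action, resource) in self.permissions(user)

    def _check_sod(self, user: str, new_roles: Set[str]) -> None:
        combined = self.roles(user) | new_roles
        for pair in SOD_CONFLICTS:
            if pair <= combined:
                raise SoDViolation(f"{user} would hold conflicting roles {sorted(pair)}")

    def add_to_group(self, user: str, group: str) -> None:
        """Onboarding or transfer: membership is the only thing that changes."""
        self._check_sod(user, GROUP_ROLES[group])
        self._groups.setdefault(user, set()).add(group)

    def remove_from_group(self, user: str, group: str) -> None:
        self._groups.get(user, set()).discard(group)

    def assign_direct_role(self, user: str, role: str) -> None:
        """For the rare user whose duties fit no group; still SoD-checked."""
        self._check_sod(user, {role})
        self._direct_roles.setdefault(user, set()).add(role)

    def offboard(self, user: str) -> None:
        """Termination: dropping the memberships drops every inherited permission."""
        self._groups.pop(user, None)
        self._direct_roles.pop(user, None)


def demo() -> Dict[str, bool]:
    """Walk through onboarding, a blocked SoD conflict and termination."""
    d = Directory()
    d.add_to_group("alice", "Accounts Payable")    # onboarding = group membership
    d.assign_direct_role("carol", "hr_analyst")    # no fitting group: direct role
    result = {
        "alice_writes_invoices": d.is_allowed("alice", "write", "invoices"),
        "alice_approves_payments": d.is_allowed("alice", "approve", "payments"),
        "carol_reads_records": d.is_allowed("carol", "read", "employee_records"),
    }
    try:
        d.add_to_group("alice", "AP Management")   # would combine clerk + approver
        result["sod_blocked"] = False
    except SoDViolation:
        result["sod_blocked"] = True
    d.offboard("alice")                            # termination
    result["alice_after_offboard"] = d.is_allowed("alice", "read", "invoices")
    return result


if __name__ == "__main__":
    for check, value in demo().items():
        print(f"{check}: {value}")
```

The SoD check runs on every membership or direct-role change rather than only at audit time, so a transfer into a second group cannot silently create a conflicting combination; the periodic audit that Scott describes then only has to list group membership.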
Frederic D Rohrer says
“I think that it is very important to apply the principle of least privilege that was just mentioned as well as separation of duties, and security awareness training.”
I agree that the measures mentioned are an essential tool in decreasing the frequency of security incidents, especially security training and awareness. This is usually an aspect that is overlooked, in my experience, because security teams think that training equals disclosure of security mechanisms. However, most, if not all, people do not have any malicious intent and are keen on reporting bad behavior even within their own ranks – that is, if they like their place of employment.
Duy Nguyen says
When designing an architecture for an organization, how do organizations best meet the needs to define reasonable permissions?
With outputs of the asset inventory process, an organization can have a whole organizational view of which information is most critical and who, what, and how it’s accessed. Once this is completed, an organization can better determine the policy type that would best suit their needs. Based on the principle of least privilege, the organization would need to define the minimum permissions users would need to perform their work. Under this access strategy users are granted read, write, and execute privileges to data, applications, systems, processes and devices that are only necessary for them to complete their job. Additional dependencies can also be added to further the risk reduction goal, such as role-based, location, and time of day.
As a security practitioner, what measures would you implement to ensure that staff can perform their job duties, but minimize the risk of unauthorized use or disclosure?
In addition to the above strategy for least privilege, an organization could also deploy other governance techniques to further its risk management, such as separation of duties and forced time off. The purpose of this strategy is to disseminate a critical task or process to multiple people. Separation of duties helps to mitigate risks by not having one person have the privilege or access to do everything. Controls such as least privilege and separation of duties, in addition to mitigating malicious intent, also reduce risk by reducing an organization’s threat surface. Restricting access to information, applications and processes reduces entrance into the enterprise network in the event of an incident such as compromised credentials.
Folake Stella Alabede says
When designing an architecture for an organization, how do organizations best meet the needs to define reasonable permissions?
To start with, I think what might be classified as Top secret and proprietary/confidential might be a defining factor in assigning permissions.
Irrespective of classification, the Role Based Access Control model is one of the most ideal industry standard approaches to granting permissions. RBAC is often implemented using groups, so a new employee is assigned to the group where his job function belongs, and a user can belong to multiple groups or roles.
If Government agencies/organizations will tend to focus more on data confidentiality, they should define permissions that will be strict with regards to confidentiality. From reading Chapter 8 of the CISSP study guide, I think such an agency might lean towards the Bell-LaPadula Model, which employs the Mandatory access control concept and blocks lower classified subjects from accessing higher classified objects; but while this model ensures the confidentiality of documents, it does not address integrity and availability of objects. (This made me pause and think of why the US DOD, who developed the Bell-LaPadula model, would develop a model that addresses confidentiality but not integrity and availability at the same time?)
Also, if a business will tend to focus on integrity/availability of data, they should define permissions that will address data integrity/availability. The Biba Model, Clark-Wilson model and some others are designed to protect integrity.
I’m trying to think of a business that would focus majorly on availability and what might impact this with regards to defining permissions. What comes to mind is Amazon online services, YouTube, Facebook, Instagram etc. YouTube was down yesterday and while I’m not sure how much that cost Google, research shows that the 2018 Amazon Prime Day DDoS that lasted about an hour? cost Amazon about $75 million in lost sales. How can permissions be defined that would protect Availability?
Also, is there any model that would protect the CIA triad all at the same time, instead of protecting just one or two of the triad?
Folake Stella Alabede says
As a security practitioner, what measures would you implement to ensure that staff can perform their job duties, but minimize the risk of unauthorized use or disclosure?
Most often, I’ve seen that when users are transferred, their previous roles are not removed/reviewed. Again, some organizations (and I think size is a major factor here) have people wearing multiple hats, so one employee has multiple roles; they have to ensure that these roles don’t have conflicting duties and there is still a compensating control in place to check this.
Another situation is where supervisors actually are asked to review the roles of the people who report to them, and the supervisor comes back that some of the users on the list should not have access to that resource/application. On digging further, we find that employee A (e.g. a Cost Analyst who is a manager) has been at the organization for many years and has had to move around and had some privileges (not necessarily conflicting) assigned to him over the course of the years. Employee B (a new hire for a Cost Analyst manager position) needs access, and the IAM was told to clone Employee A.
The supervisor is asked to review roles, and while Employee A still needs all the privileges he currently has, Employee B does not need to have all the privileges.
I think organizations are doing well with terminated employees who are removed from the network in a timely manner, but they need to pay more attention to new user access and transferred employees, and the issue of creeping privileges/privilege creep (a user account accumulating privileges over time as job roles and assigned tasks change). Creeping privileges result in excessive privilege.
I think administrative controls that occasionally remind employees of NDAs and also address confidentiality might help as well. I can think of some situations where some employees have access to information they don’t need but for some reason they do; employee training could help address this.
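As an added example, not taken from Folake’s post or from anyone else in the thread, the following code models the access review she describes: each account’s actual entitlements are compared with the baseline for its current role, permissions granted under an earlier role are surfaced for re-justification, and the “clone Employee A” shortcut is contrasted with provisioning from the role. Role names, permissions, employee names and dates are all constructed for the example.

```python
"""Added example (not from the discussion): a periodic access review that
detects privilege creep, and a comparison of clone-from-template provisioning
with role-based provisioning. Roles, permissions, names and dates are
constructed for illustration."""

from dataclasses import dataclass, field
from typing import Dict, List, Set

# Baseline: the permissions each role is supposed to carry (constructed).
ROLE_BASELINE: Dict[str, Set[str]] = {
    "cost_analyst":         {"read:cost_reports", "write:cost_models"},
    "cost_analyst_manager": {"read:cost_reports", "write:cost_models", "approve:budgets"},
    "procurement_clerk":    {"read:purchase_orders", "write:purchase_orders"},
}


@dataclass(frozen=True)
class Grant:
    permission: str
    for_role: str      # the role the user held when the permission was granted
    granted_on: str    # ISO date (constructed)


@dataclass
class Account:
    name: str
    current_role: str
    grants: Set[Grant] = field(default_factory=set)


@dataclass
class ReviewFinding:
    excess: Set[str]            # held, but not in the baseline for the current role
    missing: Set[str]           # in the baseline, but not held
    carried_over: List[Grant]   # still in the baseline, but granted under a previous role


def review(account: Account) -> ReviewFinding:
    """What a supervisor's periodic access review should surface."""
    baseline = ROLE_BASELINE[account.current_role]
    held = {g.permission for g in account.grants}
    return ReviewFinding(
        excess=held - baseline,
        missing=baseline - held,
        carried_over=sorted(
            (g for g in account.grants
             if g.permission in baseline and g.for_role != account.current_role),
            key=lambda g: (g.granted_on, g.permission),
        ),
    )


def clone_account(template: Account, name: str, role: str, today: str) -> Account:
    """The shortcut from the post: copy everything the template holds. Every
    permission the template accumulated over the years comes along, and the
    history of why each one was granted is lost."""
    return Account(name, role, {Grant(g.permission, role, today) for g in template.grants})


def provision_from_role(name: str, role: str, today: str) -> Account:
    """Role-based provisioning: grant exactly the baseline for the role."""
    return Account(name, role, {Grant(p, role, today) for p in ROLE_BASELINE[role]})


def build_employee_a() -> Account:
    """Constructed history: started in procurement, moved to cost analysis,
    then promoted to manager; one procurement permission was never removed."""
    return Account("employee_a", "cost_analyst_manager", {
        Grant("read:purchase_orders", "procurement_clerk", "2011-03-01"),   # creep
        Grant("read:cost_reports", "cost_analyst", "2014-06-15"),
        Grant("write:cost_models", "cost_analyst", "2014-06-15"),
        Grant("approve:budgets", "cost_analyst_manager", "2018-01-10"),
    })


if __name__ == "__main__":
    a = build_employee_a()
    b_cloned = clone_account(a, "employee_b", "cost_analyst_manager", "2019-10-01")
    b_from_role = provision_from_role("employee_b", "cost_analyst_manager", "2019-10-01")
    for acct in (a, b_cloned, b_from_role):
        finding = review(acct)
        print(acct.name, "excess:", sorted(finding.excess),
              "carried over:", [g.permission for g in finding.carried_over])
```

Running the review on the cloned account reports the same excess permission as the template, while the account provisioned from the role baseline reports none; the carried-over list is what lets the reviewer see that an entitlement predates the current role even when it is still needed.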
Elizabeth V Calise says
Like some of my classmates, I think a role-based system would help organizations meet the needs to define reasonable permissions. The permissions assigned to employees will be based on their job title and responsibilities. When comparing to an individual system, you have the ability to really tailor the permissions and there is a lot more flexibility when giving permissions. However, it is harder to maintain permissions this way and becomes more prone to errors. This is because when you have to track each individual’s permissions and check they have the right permissions assigned to them, the possibility of error increases and the task becomes tedious. Also, this system is more labor intensive. Looking back at the role-based system, it is less prone to error, and it is easier and quicker when assigning permissions. However, a role-based system does not have the granularity of permissions. To go back to the pros of a role-based system, employees can only access the information that is necessary to effectively perform their job duties. The access can be based on several factors, such as authority, responsibility, and job competency. Access to computer resources can also be limited to specific tasks such as the ability to view, create, or modify. With hundreds or thousands of employees, security is more easily maintained by limiting unnecessary access to sensitive information based on each user’s established role within the company. Other pros are: reducing administrative work and IT support, maximizing operational efficiency and improving compliance.
Some measures I think an organization should implement to ensure that staff can perform their job duties but minimize the risk of unauthorized use or disclosure are least privilege, segregation of duties, awareness training, and reviewing audit logs or having the tools to look at events. The principle of least privilege creates better security because it revokes high-level powers from employees whose roles do not require them. It also minimizes the attack surface, limits malware propagation, creates better stability by limiting the effects of changes, and improves audit readiness. Then segregation of duties means that an individual or small group of individuals should not be in the position to control all components of a process. This allows oversight and review to catch errors. It helps prevent errors/mistakes or even fraud/theft.
Scott Radaszkiewicz says
Elizabeth, agreed on the error avoidance concern with role based access. Without role based access, things can get out of hand. Even if you have to create a role that only one person is in, it’s easier than managing user access individually. It is so cumbersome not using role based access. The only time I’ve seen it not used is in small places, where there are less than 20 people. Then, the creation of roles sometimes outweighs the use of them.
Jonathan Duani says
When I am designing an architecture for an organization, I would first meet with the company and have them explain to me the different tasks, roles, and groups in the organization. Then from there I would work in conjunction with the organization to properly create groups, and design permissions tailor-made to the organization. I would not work with default groups and permissions in the server, to make sure security is in mind the whole time.
I would make sure that proper access controls are in place within the organization to make sure that everyone can access what they need to access in accordance with their role, but not more than they need to have access to. This will allow every employee to do their job without them gaining unnecessary access.
Frederic D Rohrer says
When designing an architecture for an organization, how do organizations best meet the needs to define reasonable permissions?
Reasonable permissions are defined by applicable legislation, HR recommendations and security standards. Finding reasonable permissions requires consideration of the organization itself, based on number of employees, silos, risk assessments and available resources. The permissions should be designed to provide maximum security while not strangling productivity and morale.
An example of basic permissions would be the following:
* Restricting employees’ access to data and only allowing it on a need-to-know basis
* Requiring strong passwords
* Using multi-factor authentication
However, when dealing with a larger organization, need-to-know can often vary quickly. In that case access should be hierarchical and role based. Role-based access control (RBAC) uses three rules to ensure that access is only granted to authorized users and only for permitted actions.
1. A user can only use permissions which are granted per their access role
2. A user’s role must be authorized by another party
3. A user can only use the permissions which they are authorized for, based on role and authorized permissions that are part of that role and are applicable to that system or data (lattice-based).
These three rules, together with lattice-based access control (object oriented), ensure that users can only perform actions for which they are authorized on the systems for which they are authorized.
As a security practitioner, what measures would you implement to ensure that staff can perform their job duties, but minimize the risk of unauthorized use or disclosure?
One major risk is internal compromise, whether accidental or deliberate. In many cases someone with a lot of access will compromise from top to bottom. In order to prevent top-to-bottom compromise, access control should be restrictive from both bottom to top and top to bottom. For example, a system administrator should not have access to user accounts on their system. User account data and application data should not be stored on the system drive but should be separate.
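As an added example, not part of Frederic’s post or any other post here, the code below applies the three RBAC rules listed above to a concrete access check: a role assignment only counts once someone other than the user has authorized it (rule 2), a user can exercise only the permissions carried by a role they actually hold (rules 1 and 3), and each role’s permissions are scoped to a named system, so a role on one system grants nothing on another. The sysadmin role is deliberately given platform actions on the HR server but no access to the account data on it, matching the point that an administrator should not have access to user accounts on their system. All users, roles, systems and approvers are constructed.

```python
"""Added example (not from the discussion): an access check built on the three
RBAC rules from the post above, with per-system scoping of role permissions.
Users, roles, systems and approvers are constructed for illustration."""

from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple

# Role -> {(system, action)}. Constructed. The sysadmin role carries platform
# actions on the HR server but no access to the account data kept on it.
ROLE_SCOPE: Dict[str, Set[Tuple[str, str]]] = {
    "sysadmin":   {("hr-server", "patch"), ("hr-server", "restart"), ("hr-server", "backup")},
    "hr_analyst": {("hr-server", "read-accounts"), ("hr-server", "update-accounts")},
    "payroll":    {("payroll-app", "run-payroll")},
}


@dataclass(frozen=True)
class Assignment:
    user: str
    role: str
    authorized_by: Optional[str]   # None: requested, but never authorized


class AccessControl:
    def __init__(self) -> None:
        self._assignments: List[Assignment] = []

    def assign(self, user: str, role: str, authorized_by: Optional[str] = None) -> None:
        """Record a role assignment; without an approver it stays pending."""
        self._assignments.append(Assignment(user, role, authorized_by))

    def authorize(self, user: str, role: str, approver: str) -> None:
        """Second-party authorization of a pending assignment (rule 2)."""
        updated: List[Assignment] = []
        for a in self._assignments:
            if (a.user, a.role) == (user, role) and a.authorized_by is None:
                a = Assignment(a.user, a.role, approver)
            updated.append(a)
        self._assignments = updated

    def active_roles(self, user: str) -> Set[str]:
        """Rule 2: a role counts only if someone other than the user authorized it."""
        return {a.role for a in self._assignments
                if a.user == user and a.authorized_by not in (None, user)}

    def can(self, user: str, system: str, action: str) -> bool:
        """Rules 1 and 3: the action must be carried by an active role of the
        user, and carried for this particular system."""
        return any((system, action) in ROLE_SCOPE[role]
                   for role in self.active_roles(user))


def demo() -> Dict[str, bool]:
    """Exercise each rule once with constructed users."""
    ac = AccessControl()
    ac.assign("dave", "sysadmin", authorized_by="it-manager")
    ac.assign("erin", "hr_analyst")                        # pending: no approver yet
    ac.assign("frank", "payroll", authorized_by="frank")   # self-authorized: does not count
    out = {
        "admin_can_patch": ac.can("dave", "hr-server", "patch"),
        "admin_reads_accounts": ac.can("dave", "hr-server", "read-accounts"),
        "pending_role_works": ac.can("erin", "hr-server", "read-accounts"),
        "self_authorized_works": ac.can("frank", "payroll-app", "run-payroll"),
    }
    ac.authorize("erin", "hr_analyst", approver="hr-lead")
    out["authorized_role_works"] = ac.can("erin", "hr-server", "read-accounts")
    out["role_crosses_systems"] = ac.can("erin", "payroll-app", "run-payroll")
    return out


if __name__ == "__main__":
    for check, allowed in demo().items():
        print(f"{check}: {allowed}")
```

Keeping the approver on each assignment record is what makes the second rule auditable afterwards: a review can list every active role together with who authorized it, and a self-approved or never-approved assignment is simply inert rather than something that has to be hunted down later.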
Scott Radaszkiewicz says
Frederic, I’m glad you highlight that reasonable permissions should not strangle productivity or morale. Each organization must understand their needs and the impact their policies and procedures have on the business. If a policy is very restrictive and cumbersome, and it’s impeding the work of the business, then it has to be looked at. Maybe there are legitimate reasons for this, but understanding all business processes and doing a total audit will help the company understand what needs to be protected, and how they can protect it.
Jonathan Duani says
Frederic,
I like how you brought up the fact that even specific permissions that seem correct could actually impede the productivity of the company. I actually see this a lot at work. In our current department, a lot of the stuff we do we need to go to other teams to get done when we could very well do it ourselves. It sometimes kills days of productivity where we could complete the same task in minutes if we just had the correct access.
Dima Dabbas says
Frederic,
I like how you included that there is always the risk of internal compromises. There is no way to prevent internal compromises from happening completely, but there are ways to mitigate them and reduce the impact that they may have on the organization. As most of us mentioned, access control and applying the least privilege principle will definitely help mitigate internal compromises by making it more difficult, since not all employees will have the same privileges.
Ahmed A. Alkaysi says
Access can be managed in multiple ways in order to meet the needs of defining reasonable permissions. Discretionary Access Control (DAC) can be used, which allows a business owner to enable and restrict access; Mandatory Access Control (MAC), which provides access based on the objects’ and users’ classification levels; and Role Based Access Control (RBAC), which manages access through the use of groups and users in the groups. Generally RBAC is better used in a standard organization as it is much easier to restrict access by group and add the users to the relevant group based on their role.
As a security practitioner, measures such as security training and awareness, the principle of least privilege, and segregation of duties are common concepts that can be implemented in order to reduce the risk of unauthorized access and/or disclosure. Least privilege refers to providing only the privileges necessary to the role. Segregation of duties means splitting up the responsibility of a job or process into roles that more than one person must complete.
Brock Donnelly says
Designing the architecture for an organization seems daunting. An exhausting amount of reviews, discoveries, and interviews would need to be conducted to ensure the organization’s best needs are reached with reasonable permissions. Through the organizational reviews and discoveries a classification for their data set would be revealed. Whether there is one or multiple classifications, a large organization would likely adopt a role-based access system. Managing an access control list in a large organization would quickly get overwhelming and would not likely provide the proper flexibility. A role-based system would provide flexible controls to a large organization. It would allow for external contractor collaborations and automated employee turnover, as well as ease of use for an ever-changing environment.
The best way to ensure users remain within these roles while still being able to perform their respective duties is the principle of least privilege. Least privilege is best defined as an action that restricts a user or process’s ability to operate with bare minimum privileges necessary to perform its function within their defined parameters. The least privilege approach would mitigate the risk of attackers gaining access to critical systems while also restricting lower level access. Compromising a low-level user account would hold no value to an attacker. Least privilege will shrink your attack surface.
Rommel R. Miro says
When designing an architecture for an organization, how do organizations best meet the needs to define reasonable permissions?
The professional designing the architecture for the organization will need to have a very clear understanding of the organization itself, its goals, roles, expected functions and intended application or use of resources or data. The permissions that need to be set must be customized accordingly to their respective groups within the organization. Care must be taken to ensure that permissions for external entities or objects are not left with default or catch-all settings.
As a security practitioner, what measures would you implement to ensure that staff can perform their job duties, but minimize the risk of unauthorized use or disclosure?
By using the least privilege principle, an employee is able to perform their tasks with the least amount of rights needed, nothing more, nothing less. By doing this, the employee is given exactly just what is needed to perform their tasks. The organization must constantly monitor and review these permissions for needed adjustments. There must be an established protocol for removal, modification and addition of access. This is also because the data itself can change as much as the roles and duties themselves. This, together with separation of duties, should be able to serve as a starting point to minimize the risks mentioned above regarding unauthorized use or disclosure. The separation of duties will act like a check and balance so power or authority is not concentrated within a single entity.
Sheena L. Thomas says
Mel, I totally agree separation of duties is a starting point to minimize the risk of unauthorized use and disclosure. Next I would move on to encryption at rest and in transit to prevent unauthorized disclosure of data. Provisions put in place for employee role changes make sure that users only have access to what they need to perform their job.
Ahmed A. Alkaysi says
Thanks for sharing, Mel. It is extremely important for organizations to identify their business objectives, processes, and what the roles will accomplish. These will become a blueprint in determining how to structure the roles in terms of privileges, access to the objects, and what methodology (DAC, RBAC, MAC) will be used to control access.
Steve Pote says
If you have something that works…write it down so you can do it that way all the time. If you monitor it and it doesn’t work, make a change and record that. An oversimplification maybe, but ~having process~ is the basis for whatever else you build. This works if your design is to adopt a primary software vendor’s best practice or a roll-your-own based on business specifics.
Least privilege…until folks squawk, review, make changes, record…the above paragraph. I have trouble getting specific without a business vertical. Almost non-existent measures are good for a doughnut shop but a city (like, say Baltimore…) should lock down more and tolerate more balking….
Scott Radaszkiewicz says
Steve, I think you make a great point. One major piece to process is reviewing it for effectiveness. I see all too often policies and procedures put into place that don’t work. When you ask about them, staff do it because “they were directed to”. Policies and procedures should be reviewed periodically to ensure they are working, and working the way they were designed, and more importantly, still a benefit. If a policy is in place, but it no longer needs to be, get rid of it!
Jonathan Duani says
I totally agree, guys. I see this all the time at work. Policies and procedures are enforced and it makes things actually more complicated and ineffective. I think managers who are enforcing policies need to make sure that they are actually helping the company and not just killing workflow and morale.
Elizabeth V Calise says
Steve,
I really like the comment, “If you have something that works…write it down so you can do it that way all the time. If you monitor it and it doesn’t work make a change and record that.” Going a bit off topic, I think you make a good point about people needing to write things down. Too often, people tend to keep things in their head vs documenting, and that tends to lead to issues down the road (especially when employees with the knowledge retire).
Also, I agree with your oversimplification comment. I think it is quite hard to have a process you use for various things. I agree with you that there could be a basis for vendors’ best practices. I think one can have a basic process, but a process that can adapt to individual project/design/implementation needs. There needs to be flexibility because if you enforce a process, it could easily be ineffective and can lead to consequences down the road. People need to think more and ask themselves, “Does this process make sense?”
Oby Okereke says
When designing an architecture for an organization, how do organizations best meet the needs to define reasonable permissions?
An organization is best positioned to meet the needs of reasonable user permissions by applying two components – identity and access management. In essence, identity management deals with the classification of users and assets that will interact with the designed architecture. This will also allow security policies to be applied and enforced in a more granular manner, as well as drive the implementation of more simplified permission access points (logical or physical) to the organization’s architecture.
With identity management in place, one can apply the access policy to the identified users and assets. Access management will assign the applicable access right based on job roles and responsibilities. A good example that readily comes to mind is granting access to an organization’s payroll application to only users in the accounting department. It would be hard to simplify this permission process if the users have not been identified earlier on in the process. This makes it possible to apply the role-based access control (RBAC) and the likes of least privilege.
Sheena L. Thomas says
When designing an architecture for an organization, how do organizations best meet the needs to define reasonable permissions?
When designing an architecture, I think the organization should first define permissions based on security policies and compliance. I also think permissions should be defined based on data classification, access to the data (who and how the data should be accessed), and your role within the company. If you don’t need access to a system or data, then rights/permissions should reflect your role.
As a security practitioner, what measures would you implement to ensure that staff can perform their job duties, but minimize the risk of unauthorized use or disclosure?
I would implement role based access. Access to data and systems will be based on their role within the company.
Protecting the confidentiality of the data through encryption is paramount to minimizing the risk of unauthorized use or disclosure of data. Encrypting data in transit and at rest, access controls, authentication, policies and procedures will also minimize the risk of unauthorized access and/or disclosure.
I was also thinking, developing a provisioning and deprovisioning policy and data destruction policy and procedures are other factors that can assist in minimizing the risk of unauthorized access and disclosure.
Another important factor that should be considered is role changes. What policies are in place to ensure that if a user switches positions, their access reflects their current role?
Ahmed A. Alkaysi says
Hi Sheena, totally agree regarding defining the permissions based on data classification. Before even talking about providing access to any resources within the organization, the organization must classify all their data. Based on the data classification, business processes, and roles/responsibilities, then the organization can restrict access in an appropriate manner. Without classifying the data, the organization is at risk of divulging confidential and PII information to those that do not need it.
Dima Dabbas says
Sheena,
Great points. As you mentioned, encryption is important to implement to reduce the risks of sensitive data being disclosed to unauthorized users; encryption makes it more difficult for unauthorized users to break and read the actual data itself. It is very important for decision makers within the organization to encrypt all data regardless of where the data is. All data needs to be protected whether it is at rest, in transit or in use.
Oby Okereke says
As a security practitioner, what measures would you implement to ensure that staff can perform their job duties, but minimize the risk of unauthorized use or disclosure?
Due to the security risks associated with the day-to-day use of information systems and assets, it is inherent that adequate measures be put in place not only to minimize the risk of unauthorized use or exposure/disclosure of information but also to ensure that staff can perform their assigned job duties.
Several measures that readily come to mind are security awareness training and the implementation of a DLP tool. One can never overemphasize the importance of security awareness training. It is a well-known fact that most data leaks and losses emanate largely from within the security perimeters of an organization; thus users who pose the highest threats must be made to understand the role of security awareness training. Security training expands users’ knowledge of security risks and the forms these risks take, as well as forming the baseline of any implementation of a security program with its concomitant controls. This training of course should be offered annually, because even the most knowledgeable of users fall prey to the bad actors as they soon forget or may not be aware of new threats, which are ubiquitous.
A DLP tool will help protect sensitive data from being accidentally handled or misused. It takes the guesswork away from staff because even if they falter and misuse data, a DLP tool can act as a safety net. Also it is important that users are cleared and assigned to roles in which they should have access based on the data classification.
Jonathan Duani says
Oby
I like the different perspective you took on the question. You didn’t just list different controls and why, like most of us did; you actually gave a real-world example of a tool that could be useful in this scenario. I think looking into a DLP is a great idea.
Jonathan Reid Kerr says
As a security practitioner, what measures would you implement to ensure that staff can perform their job duties, but minimize the risk of unauthorized use or disclosure?
With security being a growing concern for many, the need to prevent the unauthorized use of systems or disclosure of privileged information is crucial. I’ve already seen what poor balancing can do: prevent employees from doing their job.
One of the first things that come to mind is education and training. I’ve always been an advocate for training and education and I believe it is the key to limiting unauthorized disclosure or access. There are many times where employees are not sure what is allowed and what isn’t, leaving them to make their own decisions. However, education and training are not enough on their own. Being able to properly identify the type of information and the systems an employee needs to access is key. Proper identification of information and systems, along with an assessment of employees’ roles and levels of access, goes a long way in preventing unauthorized use or access to systems.
A combination of proper roles and education can help to limit risks while allowing employees to perform their jobs with as few restrictions as possible.
Oby Okereke says
Hi Jonathan:
Your post resonates so much with me. We really can never overemphasize nor de-emphasize the importance of education and training with regard to unauthorized data disclosure and access. My major concern with training is how relevant the training is to the particular environment. Is it constantly being updated to be on par with the rate at which the bad actors are coming up with new trickery? It may sound like overkill, but the standard practice of an annual security training that we find existing in most organizations does not cut it for me.
Ahmed A. Alkaysi says
Hi Jon, I really like how you brought up that poor balancing can prevent people from doing their job. The purpose of controlling access isn’t to just restrict at a maximum level, it is to identify who needs it, and who doesn’t. Having users that do not have sufficient access to perform their jobs is a business risk all in itself.
I will take it a step further regarding education and training. This material shouldn’t just be coming from the InfoSec team. Each department should be required to provide education on what access is required to perform their roles. It shouldn’t be a word-of-mouth thing. There needs to be a document that is reviewed and updated frequently describing the roles, functions, and access required to perform duties within the department.
Jonathan Reid Kerr says
When designing an architecture for an organization, how do organizations best meet the needs to define reasonable permissions?
From my own experience, employees should first need to be classified based on their roles within the organization. This includes classifying information and access if such a thing is not already done. Since different employees may need different levels of access, proper classification of what information employees need and which systems they need to access helps to define what their reasonable permissions are. After their roles are defined, the level of information required should be limited by the role that each employee has. Through role-based access, an organization could more precisely assign reasonable permissions to their employees. Without identifying levels of information and system access, there is no way to adequately assign the proper permissions for any role in an organization.