When designing an architecture for an organization, how do organizations best meet the needs to define reasonable permissions?
As a security practitioner, what measures would you implement to ensure that staff can perform their job duties, but minimize the risk of unauthorized use or disclosure?
Vincent Piacentino says
These are the measures I would employ to ensure that staff can perform their job duties but minimize the risk of unauthorized use or disclosure.
The Zero Trust Model provides explicit verification of entities, least privilege, and limits access. Zero Trust ensures strict controls are in place to manage the level of access granted.
Zero Trust architecture provides:
• Strong authentication – Strong multi-factor authentication and session risk detection as the pillar of access strategy to minimize identity compromise.
• Policy-based adaptive access – Enforces acceptable access policies with a reliable security policy engine providing governance and insight into differences.
• Micro-segmentation – Comprehensive distributed segmentation using software defined micro-perimeters.
• Data classification and protection – Discover, classify, protect, and monitor sensitive data to minimize exposure from malicious or accidental exfiltration.
Also, the use of Role-based Access Control (RBAC) will limit access to sensitive information to only people with permissions for their role, along with regular account reviews to verify permissions and disable/delete accounts. I would also employ DLP to ensure that sensitive information is not exfiltrated. This and other software and hardware solutions comprise a “Defense-in-Depth” security posture.
Mei X Wang says
Hi Vincent, good job on explaining the Zero Trust Model. I completely agree with your takeaways. Zero Trust Model is a model that will ensure least privilege and protect the confidentiality of the organization’s assets by only granting access when needed to perform job duties. Organizations should always have different controls in place to provide defense in depth, in case the first layer of security is exploited.
Vincent Piacentino says
Thanks Mei!
Too often, users retain permissions they no longer need, and this requires regular auditing. Thorough account reviews to disable and/or delete accounts after 60 days should be clearly stated in a security policy.
Vanessa Marin says
Love your post. TRUST NO ONE is the model we need to go by. 🙂
It’s super interesting that my In the News post on President Biden’s order to revamp the US government’s cybersecurity framework includes a bullet point specifically mentioning the implementation of Zero Trust security. Actually, nearly all your points are mentioned in the article. So you’re right on point in your analysis.
Vincent Piacentino says
Thank you, Vanessa!
Zero Trust is the only way to trust. Hell, I don’t trust myself. LOL
I like to think of it as a large bouncer at a club, saying, “Who are you? You want access to where? Nah, buddy, I don’t think so!” Then he picks you up and throws you out into the street.
This country needs to approach cybersecurity in a much more militaristic way and start to treat it as life-or-death national security, because it definitely is!
Jerry Butler says
Hi Vincent,
I like the idea of the Zero Trust Model; today a lot of IT admins work depending on trust, and yet it’s known that employees are the biggest risk to the organization.
So, I agree with you; Zero Trust provides explicit verification of entities, least privilege, and limits access.
Krish Damany says
Most businesses tend to not create an entire Enterprise Architecture from scratch, but to use a template and modify it to best fit the needs of the organization. The Open Group Architectural Framework, or TOGAF, was created for the purpose of helping businesses have a standardized method for EA by giving information on standards and compliance methods, tools and software, and a common vocabulary. According to TOGAF, they are used in 790 different organizations. By adhering to a method such as TOGAF, businesses can make sure they are using amongst the best methods to keep up a large enterprise and have effective communication between the business itself and its IT infrastructure.
As a security practitioner, staff needs to have awareness first and foremost. Security awareness and training is an important part of an organization and is used to make sure its staff understands best practices to stay safe with the information and data they have access to on a daily basis. Along with awareness, we can implement access controls to help make sure that the policies and procedures of the organization are being held up. This includes physical, technical, and administrative controls, and will work with awareness to best mitigate risk that comes from working with potentially confidential information.
Vanessa Marin says
I think it’s more common to come into an established architecture rather than building one from scratch. I wonder how approaches change, if they even need to, in order to mature or revamp an existing infrastructure. I expect revamping could even be more expensive than starting from scratch. The effort also seems bigger because now you have to consider systems in use, existing data and existing policies that will need extensive review. Analysis of the current state is a big part of deciding how to move forward.
Would you agree?
Vanessa
Krish Damany says
Hi Vanessa,
I agree 100% that creating an enterprise architecture should start with an established template rather than starting from scratch. If many organizations under TOGAF have similar policies and procedures, it seems like it would be a waste of time to make something from scratch and hope it works better than the established template.
Jerry Butler says
Hi Krish,
I like the idea of using TOGAF to get a base template, which can be used and customized to build a brand new architecture on a secure template. Not to mention, it also saves time because security architectures are not easy to build from scratch.
Mei X Wang says
For an organization to design an architecture that would best fit, they would first need to communicate with the stakeholders involved based on their concerns for the system, which can include performance, functionality, security, maintainability, quality of service, usability, cost, etc. To find a framework that can work for that specific organization, the framework’s core objectives and the stakeholder’s wants must be adequately addressed.
There are many ways access can be controlled through the organization’s security architecture; one of the first models built that can be used to address confidentiality/access control is the Bell-LaPadula Model. The Bell-LaPadula Model addresses who can and cannot access the data and what operations can be carried out based on three main rules: simple security, star property, and strong star property.
- The simple security rule states that a subject at a given security level cannot read data that resides at a higher security level.
- The *-property rule (star property rule) states that a subject in a given security level cannot write information to a lower security level.
- The strong star property rule states that a subject who has read and write capabilities can only perform both of those functions at the same security level; nothing higher and nothing lower.
Although security architecture frameworks have been expanded and built out to address different gaps in access control, the Bell-LaPadula model can be used as a baseline on how access is defined based on permission levels. “A system that employs the Bell-LaPadula model is called a multilevel security system because users with different clearances use the system, and the system processes data at different classification levels.”
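The three Bell-LaPadula rules listed above, worked through as a small reference monitor. This is an added example, not code from the original post; the level names, subjects and objects are constructed for illustration.

```python
# Added example: a minimal Bell-LaPadula reference monitor implementing the
# simple security rule, the *-property and the strong *-property.
# LEVELS, the subjects and the objects below are constructed, not from the post.
from dataclasses import dataclass

# Ordered classification levels, lowest to highest (constructed lattice).
LEVELS = ("UNCLASSIFIED", "CONFIDENTIAL", "SECRET", "TOP_SECRET")
RANK = {name: i for i, name in enumerate(LEVELS)}


@dataclass(frozen=True)
class Subject:
    name: str
    clearance: str  # one of LEVELS


@dataclass(frozen=True)
class Obj:
    name: str
    classification: str  # one of LEVELS


def can_read(subject, obj):
    """Simple security rule ('no read up'): a subject may read only objects
    classified at or below its clearance."""
    return RANK[obj.classification] <= RANK[subject.clearance]


def can_write(subject, obj, strong=False):
    """*-property ('no write down'): writes go only to objects at or above the
    subject's clearance. With strong=True the strong *-property applies and a
    write is allowed only at exactly the subject's own level."""
    if strong:
        return RANK[obj.classification] == RANK[subject.clearance]
    return RANK[obj.classification] >= RANK[subject.clearance]


def decide(subject, obj, op, strong=False):
    """Return 'ALLOW' or 'DENY' for a 'read' or 'write' request."""
    if op == "read":
        allowed = can_read(subject, obj)
    elif op == "write":
        allowed = can_write(subject, obj, strong)
    else:
        raise ValueError(f"unknown operation {op!r}")
    return "ALLOW" if allowed else "DENY"


if __name__ == "__main__":
    analyst = Subject("analyst", "SECRET")
    for o in (Obj("memo", "CONFIDENTIAL"), Obj("plan", "TOP_SECRET")):
        for op in ("read", "write"):
            print(analyst.name, op, o.name, decide(analyst, o, op),
                  "strong:", decide(analyst, o, op, strong=True))
```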
Vanessa Marin says
Great post Mei!
I have to agree with you that a thorough understanding of the stakeholder needs is really going to drive IT security. It’s critical to have these conversations early on before making decisions on infrastructure, network security and risk management. Prioritizing business needs so they can then align the IT controls is crucial. Even before choosing a framework to go by. Like anything in Cybsec and IT Audit, the most important buy in is that of the board or key stakeholders as they will be the main support in the IT effort to secure the enterprise.
Vanessa
Vanessa Marin says
When designing an architecture for an organization, how do organizations best meet the needs to define reasonable permissions?
The first step is to determine what the needs are according to the business. You need to determine the purpose for the architecture effort. If you have the luck to design a system architecture from scratch, you need to meet with internal and external stakeholders and determine the requirements for each when it comes to data, systems, integrations, programs, etc. This method is known as Content and Development Governance Structure. One can follow the MITRE Systems Engineering guide to reference the collective experience of other engineers in terms of implementation best practices.
As a security practitioner, what measures would you implement to ensure that staff can perform their job duties, but minimize the risk of unauthorized use or disclosure?
There are many frameworks to pull from in order to create a security architecture:
– Department of Defense Architecture V2.02 DoDAF
– The OpenGroup Enterprise Security Architecture (TOGAF)
– Federal Enterprise Architecture Framework (FEAF)
– National Institutes of Standards and Technology – SP800-160 Vol 1
– Sherwood Applied Business Security Architecture (SABSA)
While sticking to any one framework may seem like the direct approach, it is actually recommended to combine frameworks in order to meet the specific and unique needs of the business.
Measures I would implement would be access controls, segregation of duties, multi-factor authentication, single sign-on, data classification as the driver for system criticality, segmentation of networks, role-based access, least privilege practices and other controls that limit access to data.
Eugene Angelo Tartaglione says
From working alongside some of my company’s security team and asking them questions about permissions here and there throughout the different organizations, I have noticed a common practice. Users are normally given the least number of privileges to be able to successfully do their job. What one of my organizations did was set up permissions in AD teams. Users were given access to certain servers, systems, buildings, rooms depending on the group they were a part of. This actually went a layer deeper for some groups, where there were sub-groups assigned depending on the job title they had. For example, Client Services – Support Staff compared to Client Services – Manager on Duty. Or Operations – Network Analyst compared to Operations – Network Engineer. One job to the other within the group gave users access to different applications, rooms, etc. depending on their needs.
On the other hand, I have seen how this can go wrong: a different company had a similar setup, but did not remove users’ access if they changed roles within the organization. They only removed access if users were terminated or left. I know this is the case, for I have switched roles three times and have kept all the access I was granted from previous roles. This is a major concern, for if I do not need the access anymore it should be removed to cut down on the chance of a potential issue arising.
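The group-per-role setup and the role-change failure mode described above, as an added example that is not part of the original post: a review that compares a user's held groups with the groups their current role entitles, so memberships carried over from a previous role are flagged. Role, group and user names are constructed.

```python
# Added example: reconcile AD-style group memberships against role entitlements
# so access retained from a previous role is detected and can be removed.
# ROLE_GROUPS and the sample user are constructed for illustration.

# Entitled groups per job title; the "Group – Subgroup" titles mirror the
# naming pattern in the post (constructed values).
ROLE_GROUPS = {
    "Client Services – Support Staff": {
        "CS-All", "CS-Ticketing", "Room-Helpdesk"},
    "Client Services – Manager on Duty": {
        "CS-All", "CS-Ticketing", "CS-Escalations", "Room-Helpdesk",
        "Room-ServerRoomA"},
    "Operations – Network Analyst": {"Ops-All", "Ops-NetMon"},
    "Operations – Network Engineer": {
        "Ops-All", "Ops-NetMon", "Ops-NetAdmin", "Room-ServerRoomA"},
}


def review_access(current_role, held_groups):
    """Return (excess, missing): groups held beyond the role's entitlement
    (candidates for removal) and entitled groups the user does not hold."""
    entitled = ROLE_GROUPS[current_role]
    held = set(held_groups)
    return sorted(held - entitled), sorted(entitled - held)


def role_change(previous_role, new_role):
    """Return (remove, add): the group changes a transfer should trigger so
    that nothing from the previous role is carried over."""
    old, new = ROLE_GROUPS[previous_role], ROLE_GROUPS[new_role]
    return sorted(old - new), sorted(new - old)


def apply_role_change(previous_role, new_role, held_groups):
    """Apply a transfer to a user's memberships and return the cleaned set."""
    remove, add = role_change(previous_role, new_role)
    return (set(held_groups) - set(remove)) | set(add)


if __name__ == "__main__":
    # Constructed user: moved Support Staff -> Network Analyst, old groups kept.
    held = {"CS-All", "CS-Ticketing", "Room-Helpdesk", "Ops-All", "Ops-NetMon"}
    excess, missing = review_access("Operations – Network Analyst", held)
    print("excess:", excess, "missing:", missing)
```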
Krish Damany says
Hi Eugene,
I think your organization’s approach to the principle of least privilege is a common one and a smart method. Placing users into already established Active Directory groups seems like a much easier process than manually giving each individual user a specific set of permissions. If a user does require more permissions than the Active Directory group, then that can be added later on a case-by-case basis.
Amelia Safirstein says
Many new organizations start with an ad hoc security setup. They’re focused on just surviving the start-up phase and they do the bare minimum to secure their systems, with little to no security built into the enterprise architecture. Retroactively building a formal enterprise architecture that includes security can be disruptive and difficult for the business. When possible, businesses should start early with formal enterprise architecture, following a framework like TOGAF.
As a security practitioner, I would implement least privilege, segregation of duties, mandatory vacation where applicable, multifactor authentication, strong password requirements, mandatory security training, and role-based access. I would regularly discuss the access needs of different roles with managers to ensure that security settings did not impede upon projects or tasks.
Jerry Butler says
I would deploy Role-based Access Control. This helps to restrict network access based on a person’s role within an organization, and it helps determine what levels of access employees have to the network (access can be based on the need to know).
It also makes it fast and easy to give access to new employees, as well as to disable accounts when employees are terminated.
Furthermore, through RBAC it’s easy to manage what users can do on a granular basis; for instance, you can separate admin users from normal access.
Amelia Safirstein says
Role-based access control is a great option. Ease of use with tools like this is so important in ensuring that the admin is able to keep up!