When designing an architecture for an organization, how do organizations best meet the needs to define reasonable permissions?
As a security practitioner, what measures would you implement to ensure that staff can perform their job duties, but minimize the risk of unauthorized use or disclosure?
Mohammed Syed says
When designing the architecture for an organization, leadership defines the business objectives that must be understood as requirements and priorities. Conduct work supports the achievement of business outcomes. Organizations need to do the primary job and make sure that others are doing what they have been assigned to accomplish the organization’s mission and goals.
For IT employees to properly perform their regular duties and minimize risk, the organization needs to implement a security policy based on the result of the risk assessment, which provides an accurate picture of the security needs in the organization. The design policy should identify the sensitive information and critical systems that are at greater risk, define institutional security goals and objectives, and ensure the necessary mechanisms for accomplishing those goals and objectives. Legal and regulatory concerns, organizational characteristics, contractual stipulations, and environmental issues, together with user input, can be incorporated into policy development and design to set up adequate security policies. First, set up the goals and objectives that direct staff to perform their required duties. To minimize risk, implement various security policies and equipment, such as duty swapping, separation of responsibilities, use of the latest biometric devices, and other security policies to restrict unauthorized use and disclosure. More than any other aspect of system security, network security to protect information requires specific procedural and behavioral activities. Information security needs data files to be correctly created, labeled, and stored securely. Given the number of files that each employee uses, these tasks constitute a significant policy, so that only appropriate staff can access information; security procedures at all levels of the organizational hierarchy are the final consideration in making the best policy to restrict unauthorized access and disclosure.
Shubham Patil says
Mohammed,
Great points. I agree that in an organizational security policy, management establishes how a security program will be set up, lays out the program’s goals, assigns responsibilities, shows the strategic and tactical value of security, and outlines how enforcement should be carried out. This policy must address relevant laws, regulations, and liability issues and how they are to be satisfied. The organizational security policy provides scope and direction for all future security activities within the organization.
Oluwaseun Soyomokun says
Mohammed, the first point that I found fascinating in your writing is that it specifies the scope of responsibility to develop the goals and objectives that will guide employees in carrying out their obligations. Furthermore, the importance for an organization of implementing various security rules and equipment to limit unauthorized use and disclosure, such as role switching, separation of responsibilities, adopting a cryptographic system that combines all cryptographic protections, and other security measures, and of ensuring the network has security controls, necessitates precise procedural and behavioral activities to secure information, more than any other area of system security. To guarantee information security, data files must be appropriately prepared, tagged, and stored.
Kelly Sharadin says
In order for organizations to define reasonable permissions when designing enterprise architecture, they must first perform a business impact analysis (BIA). A BIA will enable the organization to identify crown jewels and other critical assets as well as assign appropriate data classification labels to assets. Once the BIA informs the organization of business-critical assets, a risk assessment will prioritize security controls required to safeguard the business. Access control and identity management are key elements of an enterprise security architecture.
Today’s businesses need to be agile and adopt technology at a rate that presents security teams with challenges in keeping pace with modern business needs. To that end, I believe a data-informed policy-based access control (PBAC) model driven by the BIA and risk assessment would allow users to have the necessary privileges to securely perform business objectives. An enterprise security architecture using PBAC could be achieved by deploying golden images based on departmental needs with approved software or by device access control lists to permit or deny users from accessing sensitive subnets.
Anthony Wong says
Kelly,
Great post. I think we share very similar ideas when it comes to designing and implementing security architecture. I would add that there are popular architecture models like TOGAF that can be considered throughout this process as well. Overall, it will be a collective effort with management to ensure the requirements are met and the architecture is built out properly.
Kelly Sharadin says
Hi Anthony,
Valid point about architecture frameworks! A lot of documentation builds and feeds into one another. Personally, although it can be a resource drain, I like to document as much as possible. Robust documentation helps identify configuration drift and fast-track repeatable processes.
Kelly
Kyuande Johnson says
When designing an architecture for an organization, ensure that senior management is involved and supports the changes being made. Miscommunication can create many issues within an organization. Having clear expectations and plans in the beginning ensures that personnel are working together and improves the overall efficiency of the project. To ensure proper permissions are in place, the organization must identify all of the company assets. Asset identification plays an important role in an organization’s ability to quickly correlate different sets of information about assets. It’s more effective when an organization has an idea of everything in its environment. How does an organization implement permissions when it has no idea of what to place permissions on? The next step is to classify the organization’s data. Classifying data assists security professionals in determining what protections to place on data. Data classifications can range from public to private to restricted. Each one of these classifications has different protection mechanisms, and certain users have access to certain data. When onboarding employees, the HR department should communicate with the IT department to determine exactly what the user needs access to in order to perform their job duties. Platforms such as Active Directory can be utilized to centralize users’ rights.
Anthony Wong says
Kyuande,
I definitely agree that senior management’s involvement and support is critical to successfully implementing a well-designed security architecture. I also agree that understanding what assets the organization has is important, since it will determine the security controls that will need to be implemented. For more sensitive information, the organization may decide to implement a logging / SIEM solution to track the changes made.
Shubham Patil says
Kyuande,
I agree that data classification helps ensure that data is protected in the most cost-effective manner. Protecting and maintaining data costs money, but spending money on the information that actually requires protection is important.
Vraj Patel says
Hello Kyuande,
That was a great post. I agree that businesses must first identify their assets before implementing proper permission. Knowing how many assets a company has allows them to identify adequate controls to secure those assets and to properly monitor those devices for any unusual activities.
Mitchell Dulaney says
Kyuande, you’re right that enterprise architecture planning, as with most organizational initiatives, needs to be approved and actively supported by senior management. They set the tone and communicate the objectives of the architecture planning process to the rest of the company, and setting uniform goals and expectations for the project for all stakeholders is critical to its success.
Anthony Wong says
For designing an enterprise architecture, the organization must identify all of its assets and the importance / value of each one. Additionally, the organization needs to understand the function of the system to determine which employees need access, and what kind of access, to perform their daily job functions. It is important to discuss this with the system owners and other stakeholders to fully understand the requirements. Once this exercise is complete, the organization should follow a zero trust model and the principle of least privilege.
Based on the assessment above, security policies and security groups can be implemented to manage the access to the systems. Furthermore, the organization can leverage their data classification policy to determine different types of access requirements needed to read/write/edit certain types of data. A type of model that is commonly used is role-based access control to help restrict access.
Shubham Patil says
Anthony,
A role-based structure is easier on the administrator because it allows the administrator to create one role, assign all of the necessary rights and permissions to that role, and plug a user into that role when needed. Otherwise, one would need to assign and extract permissions and rights on all systems as each individual came and left the company.
Vraj Patel says
Hello Anthony,
I do agree that implementing security policies and security groups does help in providing least privilege to the users. Furthermore, having a data owner evaluate the access provided to users on a regular basis would be beneficial in detecting any users who have permissions for roles that they are not authorized to have.
Tal Eidenzon says
Hi Anthony,
I think you are correct about the importance of implementing security policies and security groups, but with today’s rapid expansion of remote work, it gets really tricky when endpoints go offline.
Thanks,
Tal
Mitchell Dulaney says
Anthony – you are right that system owners need to be interviewed as a part of any enterprise architecture planning. They should know what data is a part of their systems, what business function and processes are carried out by their systems, and therefore, who needs access to their systems and what level of access those individuals need.
Vraj Patel says
Enterprise architecture is the process of analyzing, planning, designing, and implementing enterprise analysis to ensure that business plans are implemented successfully. A person with the responsibility of maintaining the enterprise architecture ensures the software and hardware used within the organization are the latest and capable of supporting the business requirements. By defining the enterprise scope, determining the future strategic directions for the business, identifying the enterprise architecture needed in the future, and doing a gap analysis, companies may meet the requirements of enterprise architecture. The Data Owner may ensure that the staff has enough resources to fulfill their jobs with minimal information by identifying the business processes, which could prevent the unauthorized use or disclosure of business information.
Oluwaseun Soyomokun says
Great point, Vraj. Organizations can satisfy the requirements of enterprise architecture by defining the enterprise scope, selecting the future strategic directions for the firm, identifying the enterprise architecture and technology needed in the future, and conducting a gap analysis. Also, as a policy to prevent the unlawful use or exposure of business information, the Data Owner can ensure that the workforce has adequate resources to complete their responsibilities with little information.
Shubham Patil says
Vraj,
The data owner (information owner) is usually a member of management who is in charge of a specific business unit, and who is ultimately responsible for the protection and use of a specific subset of information. The data owner has due care responsibilities and thus will be held responsible for any negligent act that results in the corruption or disclosure of the data.
Antonio Cozza says
Good callout on the due care responsibility that data owners are liable to, Shubham. Due care is associated with actions after events occur. They are also responsible for due diligence, which is preemptively ensuring that processes and tasks are carried out properly and according to plan while adhering to policies, procedures, and best practices. This duo holds upper management responsible for the end result.
Antonio Cozza says
Good points Vraj. In addition, enforcing a strict need-to-know basis and carrying out the architecture design with least privilege in mind will aid in preventing unauthorized usage and/or business information disclosure, which can in part be promoted and delegated by data owners to data custodians.
Shubham Patil says
An enterprise architecture encompasses the essential and unifying components of an organization. It expresses the enterprise structure (form) and behavior (function). It embodies the enterprise’s components, their relationships to each other, and their relationships to the environment. When developing an architecture, first the stakeholders need to be identified, the people who will be looking at and using the architecture. Next, the views need to be developed, which is how the information that is most important to the different stakeholders will be illustrated in the most useful manner. To set a reasonable level of permissions, organizations use a security effectiveness approach that deals with metrics, meeting service level agreement (SLA) requirements, achieving return on investment (ROI), meeting set baselines, and providing management with a dashboard or balanced scorecard system. These are ways to determine how well the current security solutions and architecture are performing.
Many organizations are just getting to the security effectiveness point of their architecture, because there is a need to ensure that the controls in place are providing the necessary level of protection and that finite funds are being used properly. Once baselines are set, then metrics can be developed to verify baseline compliance. These metrics are then rolled up to management in a format they can understand that shows them the health of the organization’s security posture and compliance levels. This also allows management to make informed business decisions. Security affects almost everything today in business, so this information should be readily available to senior management in a form they can use.
As a security practitioner, I would follow the role-based access control (RBAC) model to minimize the risk of unauthorized use or disclosure. This model uses a centrally administered set of controls to determine how subjects and objects interact. The access control levels can be based upon the necessary operations and tasks a user needs to carry out to fulfill her responsibilities within an organization. This type of model lets access to resources be based on the role the user holds within the company. The RBAC approach simplifies access control administration by allowing permissions to be managed in terms of user job roles. An administrator wants to give a user the least number of privileges they can, but just enough for that user to be productive when carrying out tasks. Management will decide what a user needs to know, or what access rights are necessary, and the administrator will configure the access control mechanisms to allow this user to have that level of access and no more, and thus the least privilege.
Oluwaseun Soyomokun says
Excellent points, Shubham. To reduce the risk of unauthorized use or disclosure, organizations use a security effectiveness approach that deals with metrics, meeting service level agreement (SLA) requirements, achieving return on investment (ROI), meeting set baselines, and providing management with a dashboard or balanced scorecard system, as well as implementing a role-based access control (RBAC) model.
Vraj Patel says
Hello Shubham,
That’s a great post. I agree that using a role-based access approach reduces the risk of unauthorized access or disclosure. The role-based access approach gives an administrator additional visibility into their network, allowing them to identify the roles that are used throughout the company and any roles that may cause segregation of duties conflicts if they were allocated to other roles.
Mitchell Dulaney says
Hi Shubham, I would also choose to implement role-based access control. RBAC has become the de facto industry standard access control model for a mature information security program. It reduces the overhead of managing access controls for every individual, and allows auditors and security analysts to more easily review the access required for each job title within the organization.
Mohammed Syed says
Yes, role-based access control is based on a user’s role, and if the user moves from the IT department to another department, they lose access to employee performance reports. However, again, they have access to current department data only.
Oluwaseun Soyomokun says
Enterprise Architecture (EA) is a formal description and plays an important role in an organization’s business process, overseeing the planning and governance approach in managing complexity and constant change, and aligning the organization toward a common business goal. Today, as organizations constantly adjust their activities to meet ever-changing circumstances, continuous business transformation is taking place with newer technology growth and security controls. Planning and steering this transformation can be a daunting task, but the EA processes provide direction and support for its operation, and the access control and security metrics are used to carry out specific tasks while implementing the policy and regulations for the business models. Enforcing security policy and models expresses exactly what the security level should be by setting the goals of what security mechanisms are supposed to accomplish for the organization.
Shubham Patil says
Oluwaseun,
I agree with the points you made. Security starts at a policy level, with high-level directives that provide the foundational goals for a system overall and the components that make it up from a security perspective. A security policy is a strategic tool that dictates how sensitive information and resources are to be managed and protected.
Oluwaseun Soyomokun says
Shubham, the appropriate security control should begin with policy and high-level directives that establish the system’s general goals and the components which are instruments to manage and secure sensitive data and resources.
Antonio Cozza says
Nice points, Oluwaseun. I like that you specifically mentioned an enforced security policy; a policy alone is a somewhat meaningless document if it is not alive within the procedures throughout an organization and being driven from the top down consistently and regularly so that it is integrated into normal operations.
Vraj Patel says
Hello Oluwaseun,
Enterprise Architecture (EA) gives information technology a roadmap for fulfilling future business requirements. It monitors business processes and conducts gap analyses between existing and future technology statuses, supporting companies in improving information technology as needed to meet future business requirements.
Antonio Cozza says
When designing an architecture for an organization, how do organizations best meet the needs to define reasonable permissions?
As a security practitioner, what measures would you implement to ensure that staff can perform their job duties, but minimize the risk of unauthorized use or disclosure?
When designing an architecture for an organization, one should first understand all of the relevant processes related to it, including the roles of personnel required to both implement and ensure the consistency in efficacy and compliance for the architecture. Once the architecture strategy has been properly planned, documented, will be in compliance, will promote optimizing over time and improving processes, then implementing it must be done by ensuring that only the people who need to be in control of certain aspects of the architecture are the only ones who in fact are. These different roles can then delegate down tasks in an efficient manner and mitigate unnecessary risks presented by not structuring safely. As a security practitioner, I would implement a couple different security principles and technical controls to combat risks of information disclosure and unauthorized use. First, I would implement an access control mechanism to safeguard and protect the integrity of files, tools, and network locations to which only certain individuals should retain access. Next, depending on the funds, scale, and structure of the business, I would implement DLP solutions to protect against information disclosure, with network DLP throughout, host-based DLP on more sensitive endpoints, and also use email DLP. Access would be granted to individuals on a need-to-know basis, with regularly scheduled privileged access review to ensure the principle of least privilege is being maintained.
Mitchell Dulaney says
Hi Antonio, I agree that access control mechanisms are critical to maintaining the confidentiality and integrity of data owned by the organization. I think that as part of security architecture planning, managers should meet and decide upon an access control model that works best for their data and processes. They might decide to build their access control model around the Bell-LaPadula model if confidentiality is the priority, or Biba if integrity is most important.
Mohammed Syed says
Nice. Also, we know enterprise architectures create several governance systems, and the architecture board serves as a form of governance, ensuring IT initiatives align with the EA. When we make an EA, identify and profile the extended team’s participants. Assign proper roles to core team leads, define the schedule, timescale, and duration, and deal with critical issues such as facilities and equipment.
Mitchell Dulaney says
To define the reasonable permissions required for different roles in an organization, all of the business functions, the processes that contribute to those functions, and the roles that perform those processes must be identified and clearly defined. This effort can only be successful with the support and involvement of senior management, and would also include middle management’s evaluation of their business units and the processes they are responsible for, as well as interviews with staff members who actually perform those processes. Once this evaluation has been completed, then it is possible to identify which permissions to which resources are required for each role in order for them to do their job effectively. For the information security program to be successful, the resources being used by those roles should be classified based on criticality and sensitivity, and access levels that can be assigned to roles need to be defined.
I would follow a number of principles as a security practitioner to ensure that the reasonable permissions assigned to each role are maintained without unauthorized access or changes to data. First is the principle of zero trust – I would design our security architecture such that whenever an end user attempts to access a resource, they must be authenticated, their authorization must be checked, and their authentication and authorization statuses must be continuously monitored for any changes. Second is the principle of least privilege. That is to say, any role should only have access to data it needs to perform its job effectively. To accomplish this, regular reviews need to take place of the roles in the organization, the processes they are responsible for, and the access levels they are granted. Any changes since the last review would be documented, and if there are resources employees in those roles no longer need access to, they would be promptly removed. Finally, I would implement strict separation of duties requirements, so that no one person is capable of completing all major steps in critical business processes. This would limit the potential damage to the organization if those processes were performed incorrectly, and would mitigate the risk of one person granting themselves access to resources they do not need.
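The RBAC model Shubham describes above, together with the least-privilege review and separation-of-duties requirements in the post just above, can be made concrete in a small policy engine. This is an added illustration, not code from any poster or any organization's real access policy; every role, user, department and resource name in it is constructed, and the "department owns the role" rule used by the review step is an assumption chosen to match the department-move scenario discussed in the thread.

```python
"""Toy RBAC policy engine: least-privilege checks, separation-of-duties (SoD)
constraints and a periodic access review.  Added illustration; all names are
constructed and the department-owns-role rule is an assumption."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Permission:
    resource: str
    action: str


@dataclass(frozen=True)
class Role:
    name: str
    department: str          # business unit that owns (and should hold) the role
    permissions: frozenset   # set of Permission granted by the role


class SodViolation(Exception):
    """An assignment would give one person two mutually exclusive roles."""


class RbacPolicy:
    def __init__(self) -> None:
        self.roles: dict[str, Role] = {}
        self.assignments: dict[str, set[str]] = {}   # user -> held role names
        self.sod_pairs: set[frozenset] = set()       # mutually exclusive role pairs

    def add_role(self, role: Role) -> None:
        self.roles[role.name] = role

    def add_sod_constraint(self, role_a: str, role_b: str) -> None:
        """Declare that no single user may hold both roles (separation of duties)."""
        self.sod_pairs.add(frozenset((role_a, role_b)))

    def assign(self, user: str, role_name: str) -> None:
        """Grant a role; refuse if it would breach an SoD constraint."""
        if role_name not in self.roles:
            raise KeyError(f"unknown role {role_name}")
        held = self.assignments.setdefault(user, set())
        for other in held:
            if frozenset((other, role_name)) in self.sod_pairs:
                raise SodViolation(f"{user}: {role_name} conflicts with {other}")
        held.add(role_name)

    def revoke(self, user: str, role_name: str) -> None:
        self.assignments.get(user, set()).discard(role_name)

    def is_permitted(self, user: str, resource: str, action: str) -> bool:
        """Least privilege: allowed only if some held role grants exactly this action."""
        wanted = Permission(resource, action)
        return any(wanted in self.roles[r].permissions
                   for r in self.assignments.get(user, ()))

    def review(self, user: str, current_department: str) -> list[str]:
        """Access review: held roles owned by a department the user no longer belongs to."""
        return sorted(r for r in self.assignments.get(user, ())
                      if self.roles[r].department != current_department)


def build_sample_policy() -> RbacPolicy:
    """Constructed sample: finance invoice roles under an SoD rule, plus an HR role."""
    p = RbacPolicy()
    p.add_role(Role("ap_clerk", "finance", frozenset({Permission("invoice", "create")})))
    p.add_role(Role("ap_approver", "finance", frozenset({Permission("invoice", "approve")})))
    p.add_role(Role("hr_analyst", "hr", frozenset({Permission("performance_report", "read")})))
    p.add_sod_constraint("ap_clerk", "ap_approver")   # creator may not approve own invoices
    p.assign("alice", "ap_clerk")
    p.assign("bob", "hr_analyst")
    return p


if __name__ == "__main__":
    policy = build_sample_policy()
    print("alice create invoice:", policy.is_permitted("alice", "invoice", "create"))
    try:
        policy.assign("alice", "ap_approver")
    except SodViolation as err:
        print("blocked:", err)
    # bob transfers from HR to IT; the review flags the HR role for revocation
    print("bob roles to revoke after move to IT:", policy.review("bob", "it"))
```

Running the script shows the SoD assignment being refused and the review step flagging the transferred user's stale HR role, which an administrator would then revoke.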
Mohammed Syed says
Yes, Mitchell. we should understand zero trust architecture and what equipment, services, and infrastructure we have. Verify the control plane and data plane with policy enforcement. Also, verify policy decisions, inspection logging, monitoring, and visibility.
Tal Eidenzon says
I would reference NIST Special Publication 800-207, find the use cases that are closest to the business line of the organization, and then work with leadership across the organization to guide them in establishing the levels of access that each team/role will need. With this information, we would build out the AD groups, following the least privilege principle. With the expanded remote employee policies that COVID sprung upon the workforce, the network topography expanded very quickly. As a result, managing endpoints from a central node becomes a challenge because at any moment, the endpoint can be disconnected from the network.
The answer to this problem is endpoint agents; these are services that are running in the background and are maintaining a strong security posture even when the endpoint is disconnected from the network. Zero Trust principle combines these concepts and verifies the identity and the defined permissions for each user/endpoint/action.
Thanks,
Tal