Access control policies are integral to an organisation’s security strategy. These policies can be as simple as requiring authentication to access a particular resource or as comprehensive as rules defining exactly which resources each user may access. Whatever their scope, these policies must be based on the principle of least privilege to ensure that sensitive information doesn’t fall into the wrong hands.
The principle of least privilege is relatively simple in theory. Abiding by the principle means that users and programs should only have access to the resources that they need in order to accomplish their tasks. When privileges are restricted to the bare minimum, it limits the amount of damage that can be done by an external attacker or an insider threat. However, in practice, this is far more complex to implement.
There are many different kinds of access control policies that can be applied depending on the structure of the organisation in question. Two of the most common models described in the Trusted Computer System Evaluation Criteria (TCSEC) are discretionary access control (DAC) and mandatory access control (MAC).
Discretionary access control (DAC) is commonly implemented in civilian organisations and smaller government departments. These policies restrict access based on the identity of users or certain groups. Additionally, users in control of a resource can grant or revoke access for other users without the assistance of an administrator.
However, this in itself is a security risk.
Let’s assume that your company has a discretionary access control policy and gives each employee free rein to all systems and data. Not only that, but employees can grant access rights to other users whenever they choose. If a hacker manages to take over an account or an employee goes rogue, they could wreak tremendous havoc against your organisation and leak highly sensitive information.
They could steal all of its data, or delete it. If they infiltrate the system further and obtain elevated privileges, they could lock everyone out and change their passwords. The more extensive these privileges are, the more extreme the destruction could be.
Most Employees Don’t Need Much Access
There’s no guaranteed method of keeping disgruntled employees or hackers from attacking your organisation. However, adopting the principle of least privilege can mitigate these risks.
The principle of least privilege is most effectively adopted by introducing some form of mandatory access control (MAC). With mandatory access control, the security policy is enforced among all users and resources; these are assigned sensitivity labels that form the basis of access control decisions. MAC policies are primarily adopted by military and intelligence departments, where security classifications are assigned to specific resources that determine if a user can access these based on their security clearance.
For example, the Australian government assigns protective markings to denote information sensitivity. Only those with the required security clearances can have ongoing access to specific resources. This is demonstrated in the table below:
| Protective Marking | Impact if Compromised | Security Clearance Required |
|---|---|---|
| UNOFFICIAL | No business impact | No security clearance requirements for access |
| OFFICIAL | Low business impact (level 1) | No security clearance requirements for access |
| OFFICIAL: Sensitive | Low to medium business impact (level 2) | No security clearance requirements for access |
| PROTECTED | High business impact (level 3) | Ongoing access requires a Baseline security clearance or above |
| SECRET | Extreme business impact (level 4) | Ongoing access requires a Negative Vetting 1 security clearance or above |
| TOP SECRET | Catastrophic business impact (level 5) | Ongoing access requires a Negative Vetting 2 security clearance or above |
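The table above can be turned into a mandatory access control check in a few lines. The following is an added example, not code from the original article: the marking names and clearance levels are those in the table, while the numeric ranks, the resource and user records and the function names are assumptions made for the illustration.

```python
# Added example: a minimal MAC decision built from the protective-marking table.
# Marking and clearance names follow the table; ranks and helper names are
# assumptions for this illustration, not part of any government standard.
from dataclasses import dataclass

# Clearance levels in increasing order of trust (rank 0 = no clearance held).
CLEARANCE_RANK = {"NONE": 0, "BASELINE": 1, "NV1": 2, "NV2": 3}

# Minimum clearance required for ongoing access to each marking (from the table).
REQUIRED_CLEARANCE = {
    "UNOFFICIAL": "NONE",
    "OFFICIAL": "NONE",
    "OFFICIAL: Sensitive": "NONE",
    "PROTECTED": "BASELINE",
    "SECRET": "NV1",
    "TOP SECRET": "NV2",
}

@dataclass(frozen=True)
class Resource:
    name: str
    marking: str      # sensitivity label set by the policy, not by the owner

@dataclass(frozen=True)
class User:
    name: str
    clearance: str

def can_access(user: User, resource: Resource) -> bool:
    """True only if the user's clearance meets the marking's requirement.
    Unknown markings or clearances are denied, so the check fails closed."""
    required = REQUIRED_CLEARANCE.get(resource.marking)
    if required is None or user.clearance not in CLEARANCE_RANK:
        return False
    return CLEARANCE_RANK[user.clearance] >= CLEARANCE_RANK[required]

def readable_resources(user: User, resources: list) -> list:
    """Names of every resource this user may access, in the order given."""
    return [r.name for r in resources if can_access(user, r)]

if __name__ == "__main__":
    # Constructed sample data for the demonstration.
    files = [
        Resource("canteen-menu.txt", "UNOFFICIAL"),
        Resource("hr-review.docx", "OFFICIAL: Sensitive"),
        Resource("network-diagram.pdf", "PROTECTED"),
        Resource("ops-plan.pdf", "SECRET"),
    ]
    print(readable_resources(User("alice", "BASELINE"), files))
```

Note that the decision depends only on the labels assigned by the policy; neither the user nor the resource owner can change the outcome, which is the distinction from DAC that the article draws.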
However, while MAC policies are useful for military and intelligence organisations that deal with sensitive information regarding national interests, many civilian organisations have very different needs. In particular, there is a need for information to be protected while avoiding the burden of cumbersome security policies.
This is where role-based access control (RBAC) policies are most effective. RBAC is a popular model that is well suited to structuring access control policies within both small and large organisations. With RBAC, users are allocated roles based on the access rights that they need. Where this differs from DAC is that RBAC does not permit users to grant or revoke access rights for other users at their discretion. Instead, RBAC policies grant access based on organisation-specific protection guidelines and employee roles.
For example, a banking system may have specific roles such as banker, accountant and secretary, so access privileges will be granted based on what each role requires. The benefit of this approach is that access is given to users based on the principle of least privilege, where access is only granted when it is necessary for the user’s job functions. Implementing RBAC as opposed to MAC also reduces administrative burden as it does not require multiple levels of security clearances and classifications.
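The banking scenario above, as an added example that is not part of the original article: the roles banker, accountant and secretary come from the text, while the permission names, the admin role and the class and method names are assumptions made for the illustration.

```python
# Added example: a minimal RBAC policy for the banking roles in the text.
# Permission strings, the "admin" role and the class API are assumptions.
from collections import defaultdict

# Role -> permissions. Each role carries only what its job function needs.
ROLE_PERMISSIONS = {
    "banker":     {"accounts:read", "accounts:transfer"},
    "accountant": {"accounts:read", "ledger:read", "ledger:write"},
    "secretary":  {"calendar:read", "calendar:write"},
    "admin":      {"roles:assign"},   # only admins change role membership
}

class RbacPolicy:
    def __init__(self) -> None:
        self._roles = defaultdict(set)   # user -> assigned roles

    def bootstrap_admin(self, user: str) -> None:
        """Seed the first administrator; done once at system setup."""
        self._roles[user].add("admin")

    def assign_role(self, actor: str, user: str, role: str) -> None:
        """Assign a role. Unlike DAC, this is an administrative action:
        ordinary users cannot hand out access at their own discretion."""
        if not self.is_allowed(actor, "roles:assign"):
            raise PermissionError(f"{actor} may not assign roles")
        if role not in ROLE_PERMISSIONS:
            raise ValueError(f"unknown role {role!r}")
        self._roles[user].add(role)

    def permissions(self, user: str) -> set:
        """Union of the permissions of every role the user holds."""
        return set().union(*(ROLE_PERMISSIONS[r] for r in self._roles[user]))

    def is_allowed(self, user: str, permission: str) -> bool:
        """Deny by default: access exists only through an assigned role."""
        return permission in self.permissions(user)

if __name__ == "__main__":
    policy = RbacPolicy()
    policy.bootstrap_admin("root")
    policy.assign_role("root", "bob", "banker")
    print(policy.is_allowed("bob", "accounts:transfer"))   # True
    print(policy.is_allowed("bob", "ledger:write"))        # False
    try:
        policy.assign_role("bob", "carol", "banker")       # bob is not an admin
    except PermissionError as err:
        print(err)
```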
Following this approach will significantly limit what any single person can access, without causing any major obstructions to the organisation’s workflow. Each person will still be able to access the tools, files and folders that they need.
However, if an attack occurs, the damage will be far more limited. The attacker may only be able to steal a small number of files or obstruct some parts of the system. Following the principle of least privilege can be the difference between a potentially ruinous attack and one that is merely a nuisance.
Keep Your System Flexible & Dynamic
Circumstances change, so your access management system needs to change along with them. If you wish to adhere to the principle of least privilege without causing disruptions, then your organisation needs to be able to adapt to new events quickly. Following these principles can be challenging at first, but the security benefits are immense. Protect your organisation and consult Gridware, to see how we can help you more effectively administer your user access.