Access control best practices take into consideration the following security principles:

**Principle of least privilege**

The principle of least privilege states that users or groups are given only the access they need to do their job (and nothing more). Common methods of controlling access include:

- With implicit deny, users or groups that are not specifically given access to a resource are denied access. Implicit deny is the weakest form of privilege control.
- Explicit allow specifically identifies users or groups who have access. Explicit allow is a moderate form of access control in which privilege has been granted to a subject.
- Explicit deny identifies users or groups who are not allowed access. Explicit deny is the strongest form of access control and overrules all other privileges granted.

When assigning privileges, be aware that it is often easier to give a user more access when they need it than to take away privileges that have already been granted.
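The three forms of privilege control above combine into one evaluation order: an explicit deny on any of a subject's identities wins, otherwise an explicit allow grants access, and anything unmatched falls through to implicit deny. The following is an added example (not code from the original page or from any particular product) that implements that order over a constructed ACL and a constructed user directory; the `Acl` class, `evaluate` and `check` functions, and the group and user names are all assumptions made for the illustration.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Acl:
    """Access control list for one resource (constructed example, not a real product's format).

    explicit_allow: subjects (users or groups) specifically granted access
    explicit_deny:  subjects specifically refused access
    A subject matching neither list falls through to implicit deny.
    """
    resource: str
    explicit_allow: frozenset = frozenset()
    explicit_deny: frozenset = frozenset()


def evaluate(acl: Acl, user: str, groups: frozenset) -> tuple:
    """Return (allowed, rule) for a user together with the groups they belong to.

    Precedence follows the text: explicit deny overrules everything,
    explicit allow comes next, and anything unmatched is implicitly denied.
    """
    subjects = {user} | set(groups)
    denied = subjects & acl.explicit_deny
    if denied:
        return False, "explicit deny (" + ", ".join(sorted(denied)) + ")"
    allowed = subjects & acl.explicit_allow
    if allowed:
        return True, "explicit allow (" + ", ".join(sorted(allowed)) + ")"
    return False, "implicit deny"


# Constructed sample: a payroll database with one allow entry and one deny entry.
PAYROLL_ACL = Acl(
    resource="payroll-db",
    explicit_allow=frozenset({"payroll-clerks"}),
    explicit_deny=frozenset({"contractors"}),
)

# Constructed directory: user -> groups the user is a member of.
DIRECTORY = {
    "alice": frozenset({"payroll-clerks"}),               # allowed via group
    "bob": frozenset({"payroll-clerks", "contractors"}),  # deny wins over allow
    "carol": frozenset({"helpdesk"}),                     # matches nothing
}


def check(user: str, acl: Acl = PAYROLL_ACL) -> tuple:
    """Look the user up in the constructed directory and evaluate the ACL."""
    return evaluate(acl, user, DIRECTORY.get(user, frozenset()))


if __name__ == "__main__":
    for name in list(DIRECTORY) + ["unknown"]:
        ok, rule = check(name)
        print(f"{name:8} -> {'ALLOW' if ok else 'DENY':5} via {rule}")
```

Note that an unknown user, or a user whose groups are missing from the directory, ends in implicit deny rather than an error; that default is what makes the allow list the only thing an administrator has to get right.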
**Need to know**

Need to know describes the restriction of data that is highly sensitive and is usually referenced in government and military contexts. Important facts to know about need to know include:

- Even if an individual is fully cleared, information is still not divulged to persons who simply don't need to know the information to perform their official duties.
- Need to know discourages casual browsing of sensitive materials.
- In a classified environment, a clearance into a Top Secret compartment only allows access to certain information within that compartment. This is a form of MAC.
**Separation of duties**

Separation of duties is the concept of having more than one person required to complete a task. This helps prevent insider attacks because no one person has end-to-end control and no one person is irreplaceable. Important facts to know about separation of duties include:

- System users should have the lowest level of rights and privileges necessary to perform their work and should only have them for the shortest length of time possible.
- To achieve a separation of duties, a business can use the principle of split knowledge. This means that no single person has total control of a system's security mechanisms, so no single person can completely compromise the system.
- In cases of sensitive or high-risk transactions, a business can use two-man controls. This means that two operators must review and approve each other's work.

Job rotation is a technique where users are cross-trained in multiple job positions, and where responsibilities are regularly rotated between personnel. Job rotation:

- Cross-trains staff in different functional areas in order to detect fraud.
- Exchanges positions of two or more employees to allow for an oversight of past transactions.
- Can be used for training purposes.

Defense-in-depth is an access control approach that uses multiple access control methods instead of relying on a single method. Multiple defenses make it harder to bypass the security measures.
Creeping privileges occur when a user's job position changes and they are granted a new set of access privileges while their previous access privileges are not removed or modified. As a result, the user accumulates privileges over time that are not necessary for their current work tasks. The principle of least privilege and separation of duties are countermeasures against creeping privileges.
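Creeping privileges and separation of duties are easiest to see side by side: the same sequence of role changes, processed once by an "add only" provisioning step and once by a step that revokes the old role, produces very different privilege sets, and an audit over the result shows both the excess privileges and the combinations that separation of duties forbids. The following is an added example, not code from the original page; the role names, privilege strings, the `TOXIC_COMBINATIONS` list and the function names are constructed for the illustration.

```python
# Constructed sample: each role and the privileges it requires.
ROLE_PRIVILEGES = {
    "accounts-payable":    {"ap.view", "ap.approve"},
    "accounts-receivable": {"ar.view", "ar.post"},
    "auditor":             {"ap.view", "ar.view", "audit.report"},
}

# Constructed separation-of-duties policy: privilege pairs one person must never hold together.
TOXIC_COMBINATIONS = [
    ("ap.approve", "audit.report"),  # approving payments and auditing those approvals
    ("ar.post", "audit.report"),     # posting receivables and auditing those postings
]


def grant_without_revocation(role_history):
    """Model the flawed process: every role change only adds privileges."""
    held = set()
    for role in role_history:
        held |= ROLE_PRIVILEGES[role]
    return held


def grant_least_privilege(role_history):
    """Correct process: a role change replaces the previous role's privileges."""
    if not role_history:
        return set()
    return set(ROLE_PRIVILEGES[role_history[-1]])


def audit(held, current_role):
    """Report privileges beyond what the current role needs and any toxic combinations."""
    required = ROLE_PRIVILEGES[current_role]
    excess = held - required
    conflicts = [pair for pair in TOXIC_COMBINATIONS if set(pair) <= held]
    return {"excess": sorted(excess), "conflicts": conflicts}


# Constructed career path for one user: payables clerk, then receivables, then auditor.
DAVE_HISTORY = ["accounts-payable", "accounts-receivable", "auditor"]


def compare(role_history):
    """Audit the same history under both provisioning models."""
    current = role_history[-1]
    return {
        "creep": audit(grant_without_revocation(role_history), current),
        "least_privilege": audit(grant_least_privilege(role_history), current),
    }


if __name__ == "__main__":
    for model, report in compare(DAVE_HISTORY).items():
        print(f"{model}: excess={report['excess']} conflicts={report['conflicts']}")
```

The `conflicts` list is the detection a defender would page on: an auditor who can still approve payables is exactly the single-person end-to-end control that separation of duties is meant to rule out, and it only arises because the previous grants were never revoked.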