The recent arrest of US Air Force airman Jack Teixeira following his illegal sharing of classified information just to show off to his buddies shone a spotlight on the conversation surrounding access control. In Teixeira’s case, all the ingredients necessary to protect the classified information were in place, but sadly they appear to have been ignored and abused by Teixeira and his superiors.
In the mythical land of Nirvana, where everything is perfect, CISOs would have all the resources they needed to protect corporate information. The harsh reality, which every CISO experiences daily, is that few entities have unlimited resources. Indeed, in many entities, when the cost-cutting arrives it is not unusual for security programs that have not (so far) positioned themselves as a key ingredient in revenue preservation to fall by the wayside — if you ever needed motivation to exercise access control over information, there you have it.
Having access controls in place to guard the numerous categories of data within an entity is paramount. What those charged with protecting data need (as aptly laid out by Joseph Carson, chief security scientist and advisory CISO at Delinea, with whom I chatted at the recent RSAC 2023) is to “know the road and not the content.”
Let’s look at a few of the options available to CISOs for assessing who gets access to what.
Role-based access control
In a great many cases, it makes complete sense to afford role-based access to an individual employee, contractor, or vendor, provided three conditions are met.
- Does the task or role absolutely require access to be granted to the data in question?
- Does the individual have sufficient authorisation to require this level of access?
- Is the level of access clearly defined, with guard rails (policies) in place?
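The three conditions above can be encoded as explicit gates in a role check, which is the point worth seeing in code: a role that nobody authorised conveys nothing, a data category the role's tasks do not need is never reachable, and any action not written into the role's definition is denied by default. The following is an added example and not code from the article; the role names, data categories, and the two sample principals are constructed for illustration.

```python
# Added example (not from the article): a minimal role-based access check that
# encodes the three conditions as explicit gates. Role names, data categories
# and the sample principals are constructed for illustration.
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set

# Condition 3: the level of access is defined per role and per data category.
# Anything absent from this table is denied (default deny); the table is the guard rail.
ROLE_PERMISSIONS: Dict[str, Dict[str, Set[str]]] = {
    "payroll_clerk":  {"payroll": {"read"}, "hr_records": {"read"}},
    "hr_manager":     {"hr_records": {"read", "write"}},
    "contractor_dev": {"source_code": {"read", "write"}},
}

@dataclass(frozen=True)
class RoleAssignment:
    role: str
    approved_by: Optional[str]   # condition 2: who authorised this assignment (None = nobody)

@dataclass
class Principal:
    user_id: str
    assignments: List[RoleAssignment] = field(default_factory=list)

@dataclass(frozen=True)
class Decision:
    allowed: bool
    reason: str

def check_rbac(principal: Principal, category: str, action: str) -> Decision:
    """Decide whether principal may perform action on a data category.

    Walks the principal's role assignments and grants only when all three
    conditions hold for at least one assignment; otherwise denies with a reason."""
    for assignment in principal.assignments:
        # Condition 2: a role that nobody authorised conveys nothing.
        if assignment.approved_by is None:
            continue
        perms = ROLE_PERMISSIONS.get(assignment.role, {})
        # Condition 1: the role's tasks must actually require this category.
        if category not in perms:
            continue
        # Condition 3: the action must fall within the level defined for the role.
        if action in perms[category]:
            return Decision(True, f"{assignment.role} (approved by {assignment.approved_by}) "
                                  f"permits {action} on {category}")
    return Decision(False, f"no approved role of {principal.user_id} permits {action} on {category}")

def unapproved_assignments(principal: Principal) -> List[str]:
    """Review helper: roles held without an approver, for periodic access review."""
    return [a.role for a in principal.assignments if a.approved_by is None]

# Constructed sample principals (not real people).
ALICE = Principal("alice", [RoleAssignment("payroll_clerk", approved_by="hr_director")])
BOB = Principal("bob", [RoleAssignment("contractor_dev", approved_by=None),   # self-claimed role
                        RoleAssignment("hr_manager", approved_by="hr_director")])

if __name__ == "__main__":
    for who, cat, act in [(ALICE, "payroll", "read"), (ALICE, "payroll", "write"),
                          (BOB, "source_code", "read"), (BOB, "hr_records", "write")]:
        d = check_rbac(who, cat, act)
        print(f"{who.user_id:6} {act:5} {cat:12} -> {'ALLOW' if d.allowed else 'DENY '} ({d.reason})")
    print("needs review:", unapproved_assignments(BOB))
```

Note that the denial reason is returned rather than only logged: an access decision that can say which condition failed is what a reviewer needs when an exception request or an anomaly comes in.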
Policy-based access control
As organisations mature, they create policies that serve to form the corpus of policy-based controls. In other words, if nothing is written down in advance that would justify the individual gaining access to sensitive information or the individual does not meet requirements under a set policy, they’re not getting access until they satisfy the requirements.
Individual: These are often viewed as binary equations identifying the rules by which the identified individual may be allowed access. For example, policies based on geography, job role, project assignment, vetting, etc., set the criteria that must be in place before access is allowed, and they boil down to a waterfall of yes/no decisions.
Informational: Similarly, there are evolving policies that govern the data in question. Some are non-negotiable and serve as minimal governmental requirements that must be complied with. While data policies should exceed compliance requirements, the age-old infosec adage remains valid: “Compliance does not equal security.” Security should be more than filling out the compliance bingo card.
Who owns these policies? The answer isn’t IT or infosec. Company-wide cyber policies may be owned by the entity which is ultimately responsible for the function — finance, HR, legal, etc. The infosec team is there to assist, support, and implement the policies; to advise on compliance, exceptions, and anomalies; and then to work to ensure action is being taken to mitigate any identifiable risk.
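The "waterfall of yes/no decisions" and the distinction between individual and informational policies is easier to reason about as an ordered list of named predicates, evaluated top down, where the first "no" ends the evaluation and names the policy that was not satisfied. The block below is an added example, not code from the article; the policy names, the regulatory "floor" of enhanced vetting for regulated data, the sample data set and the sample requesters are all constructed.

```python
# Added example (not from the article): a policy-based "waterfall" of yes/no checks.
# Policy names, the vetting floor, the sample data set and requesters are constructed.
from dataclasses import dataclass
from typing import Callable, FrozenSet, List, Tuple

@dataclass(frozen=True)
class Requester:
    user_id: str
    country: str
    job_role: str
    projects: FrozenSet[str]
    vetting_level: int          # 0 = none, 1 = basic, 2 = enhanced

@dataclass(frozen=True)
class DataSet:
    name: str
    allowed_countries: FrozenSet[str]
    allowed_roles: FrozenSet[str]
    project: str
    min_vetting: int            # the data owner's own bar
    regulated: bool             # subject to an external (governmental) minimum

@dataclass(frozen=True)
class Decision:
    allowed: bool
    failed_policy: str          # first policy not satisfied, "" when allowed

Rule = Tuple[str, Callable[[Requester, DataSet], bool]]

# "Informational" policies: non-negotiable minimums that travel with the data.
# Constructed floor: regulated data always requires enhanced vetting, even where
# the owner's own min_vetting is lower (compliance is the floor, not the ceiling).
INFORMATIONAL_RULES: List[Rule] = [
    ("regulated_floor", lambda r, d: (not d.regulated) or r.vetting_level >= 2),
]

# "Individual" policies: the waterfall of yes/no questions, asked in this order.
INDIVIDUAL_RULES: List[Rule] = [
    ("geography", lambda r, d: r.country in d.allowed_countries),
    ("job_role",  lambda r, d: r.job_role in d.allowed_roles),
    ("project",   lambda r, d: d.project in r.projects),
    ("vetting",   lambda r, d: r.vetting_level >= d.min_vetting),
]

def evaluate(requester: Requester, data: DataSet) -> Decision:
    """Walk the waterfall: the first 'no' ends evaluation and names the policy."""
    for name, predicate in INFORMATIONAL_RULES + INDIVIDUAL_RULES:
        if not predicate(requester, data):
            return Decision(False, name)
    return Decision(True, "")

def audit_trail(requester: Requester, data: DataSet) -> List[Tuple[str, bool]]:
    """Evaluate every policy regardless of order, for review and exception handling."""
    return [(name, predicate(requester, data))
            for name, predicate in INFORMATIONAL_RULES + INDIVIDUAL_RULES]

# Constructed sample data set and requesters (not real people or systems).
PAYROLL_EU = DataSet("payroll_eu", frozenset({"DE", "FR"}),
                     frozenset({"payroll_clerk", "finance_lead"}),
                     project="payroll-2024", min_vetting=1, regulated=True)
ANNA = Requester("anna", "DE", "payroll_clerk", frozenset({"payroll-2024"}), vetting_level=2)
BEN  = Requester("ben",  "US", "payroll_clerk", frozenset({"payroll-2024"}), vetting_level=2)
CARA = Requester("cara", "FR", "payroll_clerk", frozenset({"payroll-2024"}), vetting_level=1)

if __name__ == "__main__":
    for r in (ANNA, BEN, CARA):
        d = evaluate(r, PAYROLL_EU)
        print(f"{r.user_id}: {'ALLOW' if d.allowed else 'DENY on ' + d.failed_policy}")
        print("   trail:", audit_trail(r, PAYROLL_EU))
```

Cara's case is the one to look at: she satisfies the data owner's own vetting bar but not the regulatory floor, and because informational policies are evaluated before individual ones, the decision names the floor rather than a policy the owner could relax.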
Attribute-based access control
For those who thought they were finished with Boolean logic in secondary school, it’s back — and attribute-based access control (ABAC) is a prime example of the practicality of utilising the logic in decision trees to determine access permission. The adoption of ABAC allows access to protected information to be “hyper-granular.”
An individual’s access may initially be defined by their role and will certainly fall within the established policies. Then, with ABAC, files, documents, and portions of documents may be made accessible or denied based on established criteria, including data tags. The attributes assigned to an individual are the key; the policies and tools that enforce the correct level of access are then applied.
For example, in the national security world, an attribute may be the level of one’s clearance classification. An individual has been vetted to be allowed access to information up to the SECRET level. ABAC would have portions of a given file/document at the TOP SECRET level remain encrypted yet would allow the individual access to the information at the SECRET level or below.
“Elevate the application, not the user,” commented Carson within this context. He continued that the goal should be to evolve to “just in time, operational data access” as compared to persistent and always-on access. In this manner, the information is exposed only when and as needed.
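The clearance example and the “just in time” point fit together in one decision: a section of a document is released only when the subject's attributes dominate the section's tags and an explicit, time-bounded grant for that subject and that document is active; everything else stays as it was stored. The following is an added example, not code from the article or from Delinea; the level ordering, the compartment tag, the sample document, subjects and grant windows are constructed for illustration, and the placeholder string simply stands in for a portion that was never decrypted.

```python
# Added example (not from the article): attribute-based release of document
# sections combined with a just-in-time access window. Levels, tags, the sample
# document, subjects and grants are constructed for illustration.
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import FrozenSet, List, Optional

# Ordered classification levels (constructed ordering; higher index = more sensitive).
LEVELS = ["UNCLASSIFIED", "CONFIDENTIAL", "SECRET", "TOP SECRET"]

def rank(level: str) -> int:
    return LEVELS.index(level)

@dataclass(frozen=True)
class Section:
    level: str                    # data tag: classification of this portion
    compartment: Optional[str]    # data tag: need-to-know compartment, if any
    body: str

@dataclass(frozen=True)
class Subject:
    user_id: str
    clearance: str                # attribute: vetted up to this level
    compartments: FrozenSet[str]  # attribute: compartments the subject needs to know

@dataclass(frozen=True)
class JitGrant:
    subject_id: str
    document_id: str
    not_before: datetime
    not_after: datetime

def grant_active(grant: Optional[JitGrant], subject: Subject, document_id: str, now: datetime) -> bool:
    """Just-in-time check: access exists only inside an explicit, bounded grant."""
    return (grant is not None
            and grant.subject_id == subject.user_id
            and grant.document_id == document_id
            and grant.not_before <= now < grant.not_after)

def can_read(subject: Subject, section: Section) -> bool:
    """Attribute comparison: clearance dominates the level and any compartment matches."""
    if rank(subject.clearance) < rank(section.level):
        return False
    if section.compartment is not None and section.compartment not in subject.compartments:
        return False
    return True

def render(document_id: str, sections: List[Section], subject: Subject,
           grant: Optional[JitGrant], now: datetime) -> List[str]:
    """Return each section in clear if releasable, otherwise a placeholder that
    stands in for the still-encrypted portion."""
    active = grant_active(grant, subject, document_id, now)
    out = []
    for s in sections:
        if active and can_read(subject, s):
            out.append(s.body)
        else:
            tag = s.level + (f"/{s.compartment}" if s.compartment else "")
            out.append(f"[encrypted: {tag}]")
    return out

# Constructed sample document, subjects and grants (not real data).
DOC_ID = "briefing-42"
DOC = [
    Section("UNCLASSIFIED", None, "Exercise schedule"),
    Section("SECRET", None, "Deployment timeline"),
    Section("SECRET", "PROJECT-X", "Supplier list"),
    Section("TOP SECRET", None, "Source identities"),
]
T0 = datetime(2024, 1, 1, 9, 0, tzinfo=timezone.utc)
DANA = Subject("dana", "SECRET", frozenset({"PROJECT-X"}))
EVAN = Subject("evan", "SECRET", frozenset())
GRANT_DANA = JitGrant("dana", DOC_ID, T0, T0 + timedelta(hours=8))
GRANT_EVAN = JitGrant("evan", DOC_ID, T0, T0 + timedelta(hours=8))

if __name__ == "__main__":
    for subj, grant, when in [(DANA, GRANT_DANA, T0 + timedelta(hours=1)),
                              (EVAN, GRANT_EVAN, T0 + timedelta(hours=1)),
                              (DANA, GRANT_DANA, T0 + timedelta(hours=9))]:
        print(subj.user_id, "at", when.isoformat(), "->", render(DOC_ID, DOC, subj, grant, when))
```

Two things the block makes concrete: the TOP SECRET portion never leaves its stored form for a SECRET-cleared subject no matter how the grant is written, and once the grant window closes the whole document reverts to unreleased, which is the "exposed only when and as needed" behaviour described above.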
In sum, for CISOs and for anyone else whose duties include information security, be they resource-starved or working with a full cupboard, the one concept that must be embraced, regardless of the size of their entity or their sector, is the “principle of least privilege.” With this as the guiding principle, one can build an effective data control model based on an individual’s role, the appropriate policies, and the ultimate coda, “need to know.”