Let’s start today’s blog with a hearty pat on the back and a big ol’ KUDOS! You get it! You can’t protect what you can’t see. You don’t need to write it on the chalkboard 100 times…unless you’re a huge Bart Simpson fan, then go ahead. Of course, we’re not done with gaining visibility into your environment as you’ll see in future posts. So sorry, not sorry.
Now that you have your data inventory, it’s important to know who can access your data and what level of access they have. Establishing and maintaining data access control lists, i.e., access permissions, is a significant step in reducing your attack surface. The less access users have, the less risk you have when one of their accounts gets compromised. And yes, I wrote “when” not “if.” It will happen, it has already happened, or worse, it’s happening now!
Keeping a least-privilege model is secure by design. If you’re old enough to remember network firewalls, they came out of the box with a Deny All policy: no traffic was allowed in or out. You then opened specific ports/protocols to allow ONLY the type of traffic that was necessary for the business.
Data should be protected in the same manner. No one should have access to data unless there is a business need for it and that need is being exercised. Time and time again, folders upon folders of data are provided to departments of people with full read/write access and most people don’t ever touch that data. And we haven’t even gotten into sensitive data yet!
Understanding who HAS access to your data, who IS accessing your data, and HOW they are accessing it will help you build, maintain, and review data access control lists and keep your data safe from those bad peeps out there trying to get it.
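Here is an added example (not from the original post) of the review described above: it expands group grants into per-user permissions, then compares them with access events to flag access that is unused or broader than what is exercised. The group, folder, users, log entries, and the 90-day window are constructed assumptions.

```python
from datetime import date, timedelta

# Constructed sample data (not from the original post): group membership,
# ACL grants per folder, and file-access audit events.
GROUPS = {"finance": ["alice", "bob", "carol"]}
GRANTS = [  # (principal, resource, permissions granted)
    ("finance", "/shares/payroll", {"read", "write"}),
    ("dave", "/shares/payroll", {"read"}),
]
ACCESS_LOG = [  # (day, user, resource, action)
    (date(2024, 5, 2), "alice", "/shares/payroll", "write"),
    (date(2024, 5, 9), "alice", "/shares/payroll", "read"),
    (date(2024, 5, 20), "bob", "/shares/payroll", "read"),
    (date(2023, 11, 1), "dave", "/shares/payroll", "read"),  # outside window
    (date(2024, 5, 21), "erin", "/shares/payroll", "read"),  # no grant on record
]

def effective_access(grants, groups):
    """Expand group grants to per-user permissions: who HAS access."""
    has = {}
    for principal, resource, perms in grants:
        for user in groups.get(principal, [principal]):
            has.setdefault((user, resource), set()).update(perms)
    return has

def review_acl(grants, groups, log, today, window_days=90):
    """Compare who HAS access with who IS accessing and HOW."""
    cutoff = today - timedelta(days=window_days)
    used = {}
    for day, user, resource, action in log:
        if day >= cutoff:
            used.setdefault((user, resource), set()).add(action)
    has = effective_access(grants, groups)
    findings = {}
    for key, granted in has.items():
        exercised = used.get(key, set())
        if not exercised:
            findings[key] = "revoke: access not exercised"
        elif granted - exercised:
            findings[key] = "reduce to: " + ",".join(sorted(exercised))
        else:
            findings[key] = "keep"
    for key in used.keys() - has.keys():
        findings[key] = "investigate: access without a recorded grant"
    return findings

if __name__ == "__main__":
    for (user, res), verdict in sorted(review_acl(
            GRANTS, GROUPS, ACCESS_LOG, today=date(2024, 6, 1)).items()):
        print(f"{user:6} {res:16} {verdict}")
```

In practice the grants would come from an export of your file system, database, or application permissions, and the events from the matching audit log.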
Here’s the CIS definition of this Control/Safeguard. If you want more detail, DM me.
CIS Control 3 – Data Protection
Develop processes and technical controls to identify, classify, securely handle, retain, and dispose of data.
Implementation Group 1
CIS Safeguard 3.3 – Configure Data Access Control Lists
Configure data access control lists based on a user’s need to know. Apply data access control lists, also known as access permissions, to local and remote file systems, databases, and applications.