One of my favorite scenes in Thor: Ragnarok is Thor's escape from the junk planet. He makes it to the Quinjet and tries several activation codes (his attempt at gaining access): "Thor", "Son of Odin", and "Strongest Avenger" (twice). None of them work. Only when he says "Point Break" does the Quinjet start. "Point Break" was the activation code Tony Stark had assigned him back in the 2012 Avengers movie.
Unauthorized access to sensitive information is one of the most significant threats enterprises face. Whether it comes from an external attacker exploiting a vulnerability or from an insider with malicious intent, the risk of a data breach is constant.
Automated access management involves the use of technology to streamline and enhance the process of granting and revoking access to various enterprise assets, including databases, applications, networks, and sensitive information. This process is especially critical during key events like onboarding new employees, granting elevated rights, or modifying existing roles within the organization.
This Safeguard sits in Implementation Group 1 (IG1), the set of essential cyber hygiene Safeguards that CIS expects every enterprise to implement regardless of size. Its aim is to protect enterprise assets by methodically ensuring that each user is granted only the access appropriate to them.
Why is an Access Granting Process Crucial?
Organizations, irrespective of their domain or size, rely heavily on data. Mismanagement of access to this data can not only derail operations, but also inflict grave financial and reputational damages. A meticulous access granting process acts as the gatekeeper, ensuring data is accessible only to those with a genuine need.
Steps to Implementing an Effective Access Granting Process
- Adopt Role-Based Access Control (RBAC): Define clear roles and assign access permissions to those roles rather than to individuals. For instance, a finance executive may be able to read and edit budget data, while a marketing executive cannot.
- Formalize Access Requests: Every access request should be logged, specifying the rationale, the systems or data in focus, and the access duration.
- Structured Approval Channels: Design a layered approval system, particularly for high-stakes data. Access requisitions should be scrutinized and greenlit by pertinent authorities, like department heads or IT personnel.
- Grant Temporary Access Judiciously: For transient needs, allocate access for a fixed span. After this period, permissions should automatically lapse.
- Routine Access Scrutiny: Review each user's access permissions on a regular schedule, confirming that they still match the user's current role and duties and revoking anything that no longer does.
- Promote Awareness & Capacity Building: Cultivate a well-informed workforce, conscious of data security essentials. Periodic orientations can underline the perils of unwarranted access and the ethos of the access granting protocol.
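The steps above, pulled together into a small automated access-granting workflow, as an added example that is not from the original post or from CIS. The role catalog, the entitlement owners, the user names and the timestamps are all constructed for the illustration; the point is to show role-based grants on onboarding and role change, a logged request with a rationale, owner-based approval, time-bound grants that lapse on their own, and a review pass that flags expired, unapproved, and out-of-role access.

```python
"""Minimal automated access-granting process (added example; constructed data)."""
from __future__ import annotations

from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Constructed role catalog (assumption for this example): role -> entitlements.
ROLE_PERMISSIONS = {
    "finance-analyst": {"budget:read", "budget:write"},
    "marketing-manager": {"campaigns:read", "campaigns:write"},
}
# Constructed ownership map: entitlement prefix -> role that must approve it.
ENTITLEMENT_OWNERS = {"budget": "finance-director", "campaigns": "cmo"}


@dataclass
class Grant:
    user: str
    entitlement: str
    rationale: str                # why the access is needed, logged with the request
    expires_at: datetime | None   # None = derived from the role, revoked on role change
    source: str                   # "role" or "request"
    approved_by: str | None = None


class AccessManager:
    def __init__(self) -> None:
        self.user_roles: dict[str, str] = {}
        self.grants: list[Grant] = []
        self.audit_log: list[str] = []

    # Onboarding and role change: add the new role's entitlements, revoke the rest.
    def assign_role(self, user: str, role: str, actor: str) -> int:
        old_role = self.user_roles.get(user)
        self.user_roles[user] = role
        keep = ROLE_PERMISSIONS[role]
        before = len(self.grants)
        self.grants = [g for g in self.grants
                       if not (g.user == user and g.source == "role" and g.entitlement not in keep)]
        revoked = before - len(self.grants)
        held = {g.entitlement for g in self.grants if g.user == user}
        for ent in sorted(keep - held):
            self.grants.append(Grant(user, ent, f"role {role}", None, "role", approved_by=actor))
        self.audit_log.append(f"role {user}: {old_role} -> {role} by {actor}, revoked {revoked}")
        return revoked

    # Formal request: rationale, target entitlement and duration are all recorded.
    def request_access(self, user: str, entitlement: str, rationale: str,
                       duration: timedelta, now: datetime) -> Grant:
        g = Grant(user, entitlement, rationale, now + duration, "request")
        self.grants.append(g)
        self.audit_log.append(f"request {user} {entitlement} until {g.expires_at}: {rationale}")
        return g

    # Structured approval: only the owning role may approve an entitlement.
    def approve(self, grant: Grant, approver: str, approver_role: str) -> None:
        owner = ENTITLEMENT_OWNERS[grant.entitlement.split(":", 1)[0]]
        if approver_role != owner:
            raise PermissionError(f"{approver_role} cannot approve {grant.entitlement}; needs {owner}")
        grant.approved_by = approver
        self.audit_log.append(f"approve {grant.user} {grant.entitlement} by {approver}")

    # Enforcement: access exists only if approved and not yet expired.
    def has_access(self, user: str, entitlement: str, now: datetime) -> bool:
        return any(g.user == user and g.entitlement == entitlement and bool(g.approved_by)
                   and (g.expires_at is None or now < g.expires_at)
                   for g in self.grants)

    # Routine review: expired grants lapse; unapproved and out-of-role ones are flagged.
    def review(self, now: datetime) -> list[str]:
        findings, live = [], []
        for g in self.grants:
            if g.expires_at is not None and now >= g.expires_at:
                findings.append(f"expired: {g.user} {g.entitlement}")
                continue                       # dropped from the live list
            if g.approved_by is None:
                findings.append(f"unapproved: {g.user} {g.entitlement}")
            role = self.user_roles.get(g.user)
            if g.source == "request" and (role is None or g.entitlement not in ROLE_PERMISSIONS[role]):
                findings.append(f"out-of-role: {g.user} {g.entitlement}")
            live.append(g)
        self.grants = live
        return findings


T0 = datetime(2024, 1, 1, 9, tzinfo=timezone.utc)   # constructed clock for the demo


def run_demo() -> dict:
    """Walk one user through onboarding, a temporary grant, expiry and a role change."""
    am, out = AccessManager(), {}
    am.assign_role("alice", "marketing-manager", "hr-bot")
    out["role_read"] = am.has_access("alice", "campaigns:read", T0)
    out["no_budget_yet"] = am.has_access("alice", "budget:read", T0)
    g = am.request_access("alice", "budget:read", "Q1 planning", timedelta(days=7), T0)
    out["pending_denied"] = am.has_access("alice", "budget:read", T0)
    try:
        am.approve(g, "carol", "cmo")              # wrong owner for budget:*
        out["wrong_approver_rejected"] = False
    except PermissionError:
        out["wrong_approver_rejected"] = True
    am.approve(g, "bob", "finance-director")
    out["approved_allowed"] = am.has_access("alice", "budget:read", T0 + timedelta(days=1))
    out["review_before_expiry"] = am.review(T0 + timedelta(days=1))
    out["after_expiry_denied"] = am.has_access("alice", "budget:read", T0 + timedelta(days=8))
    out["review_after_expiry"] = am.review(T0 + timedelta(days=8))
    out["revoked_on_role_change"] = am.assign_role("alice", "finance-analyst", "hr-bot")
    out["old_role_gone"] = am.has_access("alice", "campaigns:read", T0 + timedelta(days=9))
    out["new_role_present"] = am.has_access("alice", "budget:write", T0 + timedelta(days=9))
    return out


if __name__ == "__main__":
    for k, v in run_demo().items():
        print(f"{k}: {v}")
```

Two design choices carry the weight here: the clock is passed in rather than read from the system, so expiry is testable and the same check can be replayed from an audit log, and approval authority is derived from the entitlement's owner rather than from whoever happens to be an administrator, which keeps a helpdesk account from approving finance access.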
Here’s a link to the Account and Credential Management Policy Template for CIS Controls 5 and 6 provided free of charge from the fine folks at the Center for Internet Security: https://www.cisecurity.org/insights/white-papers/account-and-credential-management-policy-template-for-cis-controls-5-and-6
Here’s some details on this specific Control/Safeguard. If you want more detail, DM me.
CIS Control 6 – Access Control Management
Use processes and tools to create, assign, manage, and revoke access credentials and privileges for users, administrators, and service accounts for enterprise assets and software.
Implementation Group 1
CIS Safeguard 6.1 - Establish an Access Granting Process
Establish and follow a process, preferably automated, for granting access to enterprise assets upon new hire, rights grant, or role change of a user.