Control 06: Access Control Management
An overview of CIS control 6, its purpose, and how to implement the control.
Published Date: October 21, 2024
Product Line: CIS Controls
Audience: Executives, Security Administrators
Overview
Access control management is the process of monitoring which permissions user accounts are granted. Where control five is about securing the account itself, this control looks at the attributes of the accounts: what each one is allowed to reach. By implementing it, an organization ensures that no user has more access to assets than they should, which in turn protects internal resources from unauthorized access.
Access Schemas and Role-Based Access
Access control schemas are “models” used to grant authorization according to specific rules and standards. Role-based access control is one such schema: it grants authorization to users based on their assigned roles. Think of roles as departments; each role carries a set of permissions that every user in that role inherits. An example of a role is “Finance”, where all users in the role are granted read/write/execute permission on financial documents and access to other financial information and software.
Consider the following when implementing role-based access control:
- Need to Know: employees only have access to information relevant to their work.
- Principle of Least Privilege: users are given the minimum number of permissions needed to do their work, nothing more.
- Privacy Requirements: ensure data and sensitive information is kept secure from unauthorized individuals.
- Separation of Duties: permissions are scoped so that each department can do its work without being interrupted or accidentally disrupted by an employee from a different department.
How to Properly Set Up Account Access/User Permissions
- Creating a User: When creating new user accounts, ensure the user is given only the minimum permissions they need for their role.
- Roles/Access: Users should be assigned roles that correspond to their level of access needed.
- Consistency: users assigned the same role have the same level of access.
Techniques, Tips, and Tricks for Implementing Access Control Management
- Access Revoking Process: create a process, possibly automated, that disables accounts immediately after they are no longer needed and/or revokes roles/permissions from users who change or leave a role.
- Note: disabling accounts can be preferred over deletion if an audit trail needs to be maintained.
- This applies to contractors as well.
- Access Granting Policy: create a policy for assigning role permissions to new users entering a role, to users who change roles, and similar cases, so that access stays consistent. (This can be automated.)
- Multi-factor Authentication (MFA): using multiple separate devices and methods to authenticate a user helps ensure the user is who they say they are and helps to prevent unauthorized access from a single point of entry.
- Note: using MFA with a one-time password (OTP) is recommended for increased security.
- Use MFA for remote network access, admin accounts, and public-facing resources.
- Visit Microsoft.com to learn more about implementing MFA with Outlook.
- Audit for Service Accounts: ensure that no secrets, such as clear-text authentication tokens, are left in code belonging to dormant accounts, and validate that nothing from these accounts is accidentally pushed to public cloud repositories.
- Restrict Use of High-Privileged Accounts: accounts used for high-level access or actions should not be used for day-to-day use like web surfing.
- IT Admin should monitor for email and browsers running on high-privileged accounts or with high-level privileges.
- Remove Default Local Admin Permissions: many new laptops or PCs automatically give administrator privileges to a new user so they can create their account and personalize the system. These privileges should be revoked so as not to provide users with more access than they need.
- Keep Inventory of Authentication/Authorization Systems: keep track of which tools, processes, and techniques (such as MFA) the organization is using, and validate that they work properly.
- Centralize Access Control: utilize a directory service or single-sign-on provider to manage access control to enterprise assets.
- Use Jump Boxes: network segmentation can improve an organization's security and prevent attackers from obtaining access to all systems from a single compromised device. A jump box helps to protect accounts and services by cutting them off from the internet, other network-connected devices, and externally facing resources to further restrict access to assets.
- To learn more, search for “Jump Box DMZ” diagrams to get a clear visual of this topology.
How to Maintain Role-Based Access Control
To ensure proper implementation and upkeep of role-based access control for organization assets, IT Admin should diligently document each role and the specific permissions assigned to it. In addition, periodic access control reviews should be conducted to confirm that accounts and assets have the correct privileges assigned to them.
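The following is an added example, not code from the CIS Controls or this page, showing the role-based model described in the setup section, the revoke-on-role-change and disable-instead-of-delete practices from the techniques list, and an access review of the kind described above. The role names, permission strings and 90-day dormancy threshold are constructed for illustration.

```python
from dataclasses import dataclass, field

# Role catalogue (constructed). Every permission an account holds comes from a
# role, never from a direct grant, so "same role, same access" holds by construction.
ROLES = {
    "finance": {"finance_docs:read", "finance_docs:write", "ledger_app:use"},
    "helpdesk": {"tickets:read", "tickets:write", "directory:read"},
    "admin": {"servers:admin", "directory:write"},
}
DORMANT_DAYS = 90  # assumed review threshold

@dataclass
class Account:
    name: str
    roles: set = field(default_factory=set)
    enabled: bool = True
    last_login_days: int = 0      # days since last login
    audit: list = field(default_factory=list)

    def permissions(self):
        # Effective permissions are the union of the account's roles; a disabled
        # account has none regardless of what it held before.
        if not self.enabled:
            return set()
        return set().union(*(ROLES[r] for r in self.roles))

def grant_role(acct, role, actor):
    if role not in ROLES:
        raise ValueError(f"unknown role {role!r}")
    acct.roles.add(role)
    acct.audit.append(f"{actor}: granted {role}")

def change_role(acct, old, new, actor):
    # Revoking the old role in the same step keeps permissions from accumulating.
    acct.roles.discard(old)
    acct.audit.append(f"{actor}: revoked {old}")
    grant_role(acct, new, actor)

def offboard(acct, actor):
    # Disable rather than delete so the audit trail is preserved.
    acct.roles.clear()
    acct.enabled = False
    acct.audit.append(f"{actor}: disabled, all roles revoked")

def access_review(accounts):
    """Return (account, finding) pairs for access that the roles do not justify."""
    findings = []
    for a in accounts:
        if "admin" in a.roles and len(a.roles) > 1:
            findings.append((a.name, "admin role mixed with a day-to-day role"))
        if a.enabled and not a.roles:
            findings.append((a.name, "enabled account holds no role"))
        if a.enabled and a.last_login_days > DORMANT_DAYS:
            findings.append((a.name, "dormant account still enabled"))
    return findings
```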