CHAPTER 16: IDENTITY AND ACCESS CONTROL

Identity and access controls help organisations authenticate and authorise users, and ensure staff, contractors and systems can access only the information they are permitted to. Such controls should cover IAAA: identification, authentication, authorisation and accountability.

When implementing identity and access controls, it is essential you follow two key security principles:

1. The ‘need to know’ principle – granting users access to only the information required to perform their role effectively; most users do not need access to HR or financial data, for instance.

2. The principle of least privilege – granting users only the privileges necessary to perform their role effectively; for example, normal users do not need to install software, but may have to run backups.

Bear in mind that the controls – and these principles – must be applied to both logical and physical access. Even if your focus is cyber security, scenarios such as an intruder gaining physical access to your server room most certainly constitute a cyber security breach. (Physical security is discussed further in Chapter 21.)

Even with these principles in place, you will always have individuals who require administrator privileges to carry out their role. Make sure these users also have a standard user account to perform day-to-day tasks with, and only use their administrative account when they need their administrator privileges. This minimises the risk of an administrative account being breached.

Authentication factors

For both physical and logical controls, there are three possible factors for authentication:

1. ‘Something you know’ – for example, a password, passcode or PIN.

2. ‘Something you have’ – for example, a mobile phone (to send a one-time password to).

3. ‘Something you are’ – for example, a fingerprint (for biometric access control).

For improved security, it is best to deploy multifactor authentication (MFA), which uses at least two of these factors. It is good to deploy MFA where it is available, but not to ask all users to input the second authentication factor every time they access a service. Usability must always be balanced against security, so only ask for the second factor where the risks are higher, for example:

When accessing sensitive data;

When performing administrative tasks;

When making changes to an account, including password changes;

When accessing the organisation’s networks remotely; or

When attempting to make a large payment.

Also check whether you have any legal or contractual requirements for MFA.

Password best practices

Without question, the most common authentication factor is passwords. Unfortunately, when left to their own devices, people tend to choose weak ones, which practically defeats the point of having the access control at all. This links to the discussion in Chapter 5 about how security can be both a feeling and a reality, and how the two often do not overlap: having a password might make you feel secure, but if it is ‘123456’ – one of the most commonly hacked passwords – the reality is a very different matter.

A good password policy, enforced through technical controls, goes a long way towards ensuring more secure passwords. It should:

Require a minimum length of at least eight characters;

Stipulate that a mix of upper- and lower-case letters, numbers and special characters is used;

Prevent common passwords from being used (online data sets with the top 100,000 most common passwords can easily be downloaded for free, so you can blacklist them);

Prevent users from reusing old passwords;

Regularly require users to change their password (for example, every three months); and

Lock accounts out after ten unsuccessful login attempts or fewer.

Note that this is not the only way of setting up a good password policy, and some of these points are more debatable than others. For instance, some experts argue that it is better to stipulate a higher minimum length – say 12 characters – but not require any password complexity, feeling that this combination makes for more secure passwords. Their reasoning is that such passwords are difficult to crack through brute force – each additional character increases the number of possible combinations exponentially – yet are easier to remember, particularly when people come up with passphrases by putting together three or four random words (‘chestprinterhorsemattress’, for example). This further helps security in that people are less likely to write their passwords down.
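The policy rules above, and the length-versus-complexity comparison, as an added worked example (not from the book): a validator that enforces minimum length, character-class mix, a common-password blacklist and a reuse check, plus a search-space calculation for the two policy styles. The blacklist and the 7,776-word passphrase list size are assumptions made for illustration.

```python
import hashlib
import math
import re

# Constructed stand-in for a downloaded "top 100,000 most common passwords" list.
COMMON_PASSWORDS = {"123456", "password", "qwerty", "letmein", "welcome1"}

COMPLEXITY_CLASSES = {
    "lower": re.compile(r"[a-z]"),
    "upper": re.compile(r"[A-Z]"),
    "digit": re.compile(r"[0-9]"),
    "special": re.compile(r"[^A-Za-z0-9]"),
}

def hash_password(password):
    """Digest used only to compare against the stored history of old passwords.
    Illustrative: a real system keeps a salted, slow hash (e.g. bcrypt or Argon2)."""
    return hashlib.sha256(password.encode()).hexdigest()

def check_password(candidate, previous_hashes=(), min_length=8, require_complexity=True):
    """Return the policy rules the candidate breaks; an empty list means it is acceptable.
    Defaults encode the chapter's policy (8+ characters, mixed classes, no common or reused
    passwords); min_length=12 with require_complexity=False gives the passphrase variant."""
    violations = []
    if len(candidate) < min_length:
        violations.append(f"shorter than {min_length} characters")
    if require_complexity:
        missing = [n for n, rx in COMPLEXITY_CLASSES.items() if not rx.search(candidate)]
        if missing:
            violations.append("missing character classes: " + ", ".join(missing))
    if candidate.lower() in COMMON_PASSWORDS:
        violations.append("appears in the common-password blacklist")
    if hash_password(candidate) in set(previous_hashes):
        violations.append("reuses a previous password")
    return violations

def search_space_bits(length, alphabet_size):
    """Entropy in bits of a password chosen uniformly at random: each extra position
    multiplies the number of combinations by alphabet_size, i.e. adds log2(alphabet_size) bits."""
    return length * math.log2(alphabet_size)

# Compare the two policy styles the chapter contrasts (and a four-word passphrase
# drawn from a 7,776-word list, assumed here to stand in for "random words").
POLICY_COMPARISON = {
    "8 chars, all 95 printable ASCII": search_space_bits(8, 95),
    "12 lower-case letters only": search_space_bits(12, 26),
    "4 random words from a 7,776-word list": search_space_bits(4, 7776),
}
```

The comparison shows why the 12-character, no-complexity camp has a point: twelve lower-case letters already give a larger search space than eight characters drawn from the full printable set.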

Other access controls

Of course, passwords and other authentication factors are not the only access controls available. Many network security controls also contribute to logical access control, including network segmentation and firewalls. Encryption also plays a role in access control.

More specific to access control alone, it is important that you automatically generate access logs and regularly review them for abnormal behaviour. This might be, for example, login attempts at unexpected times or from unexpected geographical areas, a large number of failed login attempts, or login attempts where only the first step of MFA was successful.
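The four abnormal patterns listed above, run over a constructed access log, as an added example (not from the book): the log format, the expected countries and the working-hours window are assumptions chosen for illustration.

```python
from collections import Counter
from datetime import datetime
# Constructed sample access log (illustrative, not from the book): one event per line.
SAMPLE_LOG = """\
2024-03-04T09:02:11Z user=alice src_country=GB event=password_ok
2024-03-04T09:02:19Z user=alice src_country=GB event=mfa_ok
2024-03-04T03:41:07Z user=bob src_country=GB event=password_ok
2024-03-04T03:41:15Z user=bob src_country=GB event=mfa_ok
2024-03-04T10:15:00Z user=carol src_country=RU event=password_ok
2024-03-04T10:15:30Z user=carol src_country=RU event=mfa_fail
2024-03-04T11:00:01Z user=dave src_country=GB event=password_fail
2024-03-04T11:00:04Z user=dave src_country=GB event=password_fail
2024-03-04T11:00:07Z user=dave src_country=GB event=password_fail
2024-03-04T11:00:10Z user=dave src_country=GB event=password_fail
2024-03-04T11:00:13Z user=dave src_country=GB event=password_fail
"""
EXPECTED_COUNTRIES = {"GB"}   # assumption: where this organisation's staff normally log in from
WORK_HOURS = range(7, 20)     # assumption: 07:00-19:59 UTC is an expected login time

def parse_log(text):
    # Each line is "<timestamp> key=value key=value ..."; keep a datetime under 'time'.
    events = []
    for line in text.splitlines():
        ts, *fields = line.split()
        rec = dict(f.split("=", 1) for f in fields)
        rec["time"] = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
        events.append(rec)
    return events

def review_access_log(text, fail_threshold=5):
    """Return sorted (user, reason) findings for the abnormal patterns the chapter lists."""
    findings, failures, awaiting_mfa = set(), Counter(), {}
    for e in sorted(parse_log(text), key=lambda r: r["time"]):
        user, ev = e["user"], e["event"]
        if ev == "password_fail":
            failures[user] += 1
        elif ev == "password_ok":
            awaiting_mfa[user] = e["time"]   # first factor passed; expect an mfa_ok to follow
            if e["time"].hour not in WORK_HOURS:
                findings.add((user, f"login at unexpected time {e['time']:%H:%M} UTC"))
            if e["src_country"] not in EXPECTED_COUNTRIES:
                findings.add((user, f"login from unexpected country {e['src_country']}"))
        elif ev == "mfa_ok":
            awaiting_mfa.pop(user, None)     # second factor completed
    for user, n in failures.items():
        if n >= fail_threshold:
            findings.add((user, f"{n} failed login attempts"))
    for user in awaiting_mfa:                # password accepted, MFA never completed (or failed)
        findings.add((user, "password accepted but MFA step never completed"))
    return sorted(findings)
```

Running it over the sample flags bob (3:41 am login), carol (unexpected country and an incomplete MFA step) and dave (repeated failures), while alice's normal login produces nothing.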

Finally, make sure you implement adequate physical access controls. These might include primitive locks, PIN pads, card readers, and even security guards and/or CCTV.
