Access controls are the most basic and critical best practice to get right in cybersecurity, and they are required by just about every cybersecurity regulation for good reason: if a malicious actor gets domain admin privileges, your network is toast. The Digital Identity Guidelines (NIST SP 800-63) were published in June 2017. They break the digital identity process down into three stages, each of which is then rated for security. This is a very detailed and effective guide on how to securely identify, authenticate, and assign privileges to users. Access controls dictate who has access to what information, applications, and resources within a network. There are a handful of different access control models, but in a realistic, modern-day implementation, role-based and attribute-based are the only two you should consider.
Role-Based Access Control (RBAC) is the dominant method of access control used today. Administrators define roles and then specify access rights for those roles. Each user is then assigned a role, effectively bucketing a set of privileges under a single attribute. Role hierarchies can also be defined, meaning that a role automatically receives the privileges of the roles below it in the hierarchy. For example, an “administrator” role would sit above a “general user” role: the “administrator” role would be granted every privilege the “general user” role has, in addition to its own administrator privileges. This reduces redundancy and the number of rules needed. Click here for a technical guide on implementing RBAC.
Attribute-Based Access Control (ABAC) is more advanced than its role-based counterpart, but in return it allows finer-grained control and better scalability. Although currently less widely adopted than RBAC, this method is poised to gain a large share of deployments over the next few years because of its advantages. Key benefits of ABAC include:
- Dynamic. Permissions are evaluated at the time of an actual request.
- Contextual. Environmental conditions are considered.
- Fine-grained. More detailed rules can be formed because decisions use specific attributes.
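The two models described above side by side, as an added example that is not code from the original post: a small Python policy engine in which RBAC resolves a role hierarchy (an administrator inheriting the general user's privileges) and ABAC evaluates department, clearance and request-time context. The role names, permissions and attribute rules are hypothetical values constructed for this illustration.

```python
# Hypothetical role hierarchy and permission sets constructed for this example:
# "administrator" sits above "general_user" and inherits its privileges.
ROLE_PARENTS = {"administrator": ["general_user"], "general_user": []}
ROLE_PERMS = {
    "general_user": {"read:reports"},
    "administrator": {"manage:users"},
}


def effective_permissions(role, parents=ROLE_PARENTS, perms=ROLE_PERMS):
    """RBAC: a role's own permissions plus everything inherited from roles below it."""
    seen, stack, result = set(), [role], set()
    while stack:
        current = stack.pop()
        if current in seen:  # guards against cycles in a misconfigured hierarchy
            continue
        seen.add(current)
        result |= perms.get(current, set())
        stack.extend(parents.get(current, []))
    return result


def rbac_allows(role, permission):
    """RBAC decision: static, based only on the role assigned to the user."""
    return permission in effective_permissions(role)


def abac_allows(subject, action, resource, env):
    """ABAC decision: evaluated per request from subject, resource and environment attributes."""
    # Fine-grained: a subject may only touch resources owned by their own department.
    if subject["department"] != resource["department"]:
        return False
    # Fine-grained: confidential data requires a sufficient clearance level.
    if resource["classification"] == "confidential" and subject["clearance"] < 2:
        return False
    # Contextual and dynamic: writes only from the corporate network during business hours,
    # so the same user can be allowed at 10:00 in the office and denied at 22:00 from home.
    if action == "write":
        return env["network"] == "corporate" and 9 <= env["hour"] < 18
    return True


if __name__ == "__main__":
    analyst = {"department": "finance", "clearance": 1}
    ledger = {"department": "finance", "classification": "internal"}
    print(rbac_allows("administrator", "read:reports"))  # True (inherited from general_user)
    print(abac_allows(analyst, "write", ledger, {"network": "corporate", "hour": 10}))  # True
    print(abac_allows(analyst, "write", ledger, {"network": "home", "hour": 22}))  # False
```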
Passwords are arguably the most obvious and fundamental part of user access and authentication. Password rules should be spelled out within your cybersecurity policies. Strong password requirements:
- 8 to 12 characters, the more the merrier
- Don’t use easily guessed or default passwords such as “password”
- Do not use personally identifiable information such as birthdate, phone number or maiden name
- Don’t use simple adjacent keyboard combinations, for example “qwerty”
- Require a combination of letters, numbers, symbols, upper and lower-case letters.
An understanding of how passwords are cracked will help you truly grasp how to make them secure. Check out this password cracking guide to see how it’s done.
Utilizing multiple forms of authentication is undoubtedly more secure than a single password, no matter how strong that password is. Besides the fact that MFA is vastly more secure than a simple password login, it is also becoming a specific standard in compliance regulations. Section B of the Digital Identity Guidelines mentioned earlier covers authentication in great detail. Best practice tips for access controls and authentication:
- NEVER use the default admin account. When you initially log in to an environment, create new admin accounts and disable the default admin account. If you can’t disable it, change the password immediately.
- Regularly review and clean up your AC rules to reflect any changes to your business process. Eliminate deprecated controls to reduce unnecessary risk.
- Regularly change passwords.
- Regularly clean up Active Directory entries. For example, if an account is no longer going to be used, purge it.
Sources:
- Goodrich, Michael T., and Roberto Tamassia. Introduction to Computer Security. Addison-Wesley Educational, 2011.
- Chandra Sharma, https://www.slideshare.net/chandramsharma/attribute-based-access-control