What are User Access Controls?
User access controls are the most basic and most critical of cybersecurity best practices, and every cybersecurity regulation requires them. If a malicious actor obtains domain admin privileges, your whole network is in danger. The Digital Identity Guidelines (NIST SP 800-63) break the digital identity process down into three stages.
The guidelines are a detailed guide to securely identifying, authenticating, and assigning privileges to users. Access controls dictate who may access which information, applications, and resources within a network. There are a handful of access control models, but to get started you only need to consider role-based and attribute-based access control.
Role-Based Access Controls
Role-Based Access Control (RBAC) is the most widely used access control model today. Administrators define roles and specify the access rights granted to each role. Each user is then assigned a role, which effectively bundles a whole set of privileges under a single attribute. Roles can also be arranged in a hierarchy, so that a role inherits the privileges of the roles below it. For example, an “administrator” role would sit above a “general user” role: the “administrator” role is granted everything the “general user” role has, plus its own administrator privileges. This reduces redundancy and keeps the number of rules down.
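An added example (not code from the original post) of the role hierarchy just described, in Python: permissions are attached to roles, a role inherits from its parents, and a user is checked against the permissions their role resolves to. The role, permission and user names are constructed for the illustration, and an unknown user or role is denied by default.

```python
# Constructed example: permissions granted directly to each role.
ROLE_PERMISSIONS = {
    "general_user": {"read:reports", "edit:own_profile"},
    "administrator": {"manage:users", "read:audit_log"},
}

# Role hierarchy: a role inherits everything its parent roles have.
# "administrator" sits above "general_user" as in the text.
ROLE_PARENTS = {
    "administrator": ["general_user"],
    "general_user": [],
}

# Constructed user-to-role assignment (one role per user keeps it simple).
USER_ROLES = {"alice": "administrator", "bob": "general_user"}


def effective_permissions(role, roles=ROLE_PERMISSIONS, parents=ROLE_PARENTS):
    """Resolve a role's own permissions plus those inherited through the
    hierarchy. Walks the parent graph once per role so cycles cannot loop."""
    seen, stack, perms = set(), [role], set()
    while stack:
        current = stack.pop()
        if current in seen:
            continue
        seen.add(current)
        perms |= roles.get(current, set())
        stack.extend(parents.get(current, []))
    return perms


def is_allowed(user, permission):
    """Default-deny check: unknown users and unknown roles get nothing."""
    role = USER_ROLES.get(user)
    if role is None:
        return False
    return permission in effective_permissions(role)


if __name__ == "__main__":
    for user, perm in [("alice", "manage:users"), ("bob", "manage:users"),
                       ("alice", "read:reports"), ("mallory", "read:reports")]:
        print(f"{user:8} {perm:18} -> {'allow' if is_allowed(user, perm) else 'deny'}")
```

Because the hierarchy is resolved at check time, adding a privilege to “general_user” automatically reaches every role above it, which is exactly the redundancy reduction the text describes.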
Attribute-Based Access Controls
Attribute-Based Access Control (ABAC) is more advanced than its role-based counterpart, and in return it allows finer-grained control and better scalability. Although ABAC is currently adopted less widely than RBAC, it has grown in popularity because of these advantages.
Key Benefits of ABAC
- Permissions are evaluated at the time of each actual request
- Environmental conditions are taken into account
- More detailed rules can be written because they use specific attributes
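The following is an added example, not code from the original post, showing the three ABAC benefits listed above in Python: each rule is a predicate over subject, resource, action and environment attributes, the policy is evaluated when the request arrives, and the environment (clock and source address) is part of the decision. The attribute names, the corporate network range and the rule set are all constructed for the illustration.

```python
from dataclasses import dataclass
from datetime import datetime
import ipaddress


@dataclass
class Request:
    """One access request. All attribute names are assumptions for this example."""
    subject: dict    # e.g. {"id": "alice", "department": "finance", "clearance": 3}
    resource: dict   # e.g. {"owner_dept": "finance", "sensitivity": 2}
    action: str      # e.g. "read" or "write"
    env: dict        # e.g. {"time": datetime(...), "src_ip": "10.0.5.7"}


# Constructed corporate address range used by the network rule.
CORP_NET = ipaddress.ip_network("10.0.0.0/8")


# Each rule is a named predicate. Missing attributes fail closed through the
# .get() defaults, so an incomplete request can never be granted by accident.
def same_department(req):
    return req.subject.get("department") == req.resource.get("owner_dept")


def sufficient_clearance(req):
    return req.subject.get("clearance", 0) >= req.resource.get("sensitivity", 99)


def business_hours(req):
    t = req.env.get("time")
    return t is not None and t.weekday() < 5 and 8 <= t.hour < 18


def from_corporate_network(req):
    ip = req.env.get("src_ip")
    try:
        return ip is not None and ipaddress.ip_address(ip) in CORP_NET
    except ValueError:
        return False


# Rules applied to every action, plus stricter environmental rules for writes.
POLICY = {
    "*": [same_department, sufficient_clearance],
    "write": [business_hours, from_corporate_network],
}


def evaluate(req):
    """Evaluate the policy for this request now. Returns (allowed, failed_rules)
    so an audit log can record exactly which attribute condition denied access."""
    rules = POLICY["*"] + POLICY.get(req.action, [])
    failed = [rule.__name__ for rule in rules if not rule(req)]
    return (len(failed) == 0, failed)


if __name__ == "__main__":
    alice = {"id": "alice", "department": "finance", "clearance": 3}
    ledger = {"owner_dept": "finance", "sensitivity": 2}
    office_hours = {"time": datetime(2024, 6, 12, 10, 30), "src_ip": "10.0.5.7"}
    late_night = {"time": datetime(2024, 6, 12, 22, 0), "src_ip": "10.0.5.7"}
    print(evaluate(Request(alice, ledger, "write", office_hours)))   # allowed
    print(evaluate(Request(alice, ledger, "write", late_night)))     # denied: business_hours
```

The same subject, resource and action produce different answers depending on when and from where the request is made, which is what distinguishes ABAC from a static role lookup; returning the failed rule names gives the security operations team something concrete to alert on.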
Passwords are the most fundamental part of user access and authentication. Password rules should be spelled out in your cybersecurity policies.
Strong Password Requirements
- 8 to 12 characters at minimum; the longer the better
- Don’t use easily guessed or default passwords such as “password”
- Don’t use personally identifiable information such as a birthdate, phone number, or maiden name
- Don’t use simple adjacent keyboard combinations, for example “qwerty”
- Require a mix of upper-case letters, lower-case letters, numbers, and symbols
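As an added example (not from the original post), here is a Python password-policy checker that enforces each rule in the list above: minimum length, a blocklist of common and default passwords, a check against the user's own personal details, detection of adjacent keyboard runs, and the character-class mix. The blocklist, keyboard rows and sample inputs are constructed for the illustration; a production deployment would use a much larger breached-password list.

```python
import re

# Constructed blocklist of common and default passwords (compare lower-cased).
COMMON_PASSWORDS = {"password", "admin", "123456", "welcome", "letmein", "changeme"}

# Keyboard rows used to detect adjacent-key runs such as "qwerty" or "asdf".
KEYBOARD_ROWS = ["qwertyuiop", "asdfghjkl", "zxcvbnm", "1234567890"]

MIN_LENGTH = 8
RUN_LENGTH = 4  # four adjacent keys in a row (forwards or backwards) is rejected


def has_keyboard_run(password, run=RUN_LENGTH):
    """True if any `run` consecutive keys from one keyboard row appear in the
    password, in either direction."""
    lowered = password.lower()
    for row in KEYBOARD_ROWS:
        for i in range(len(row) - run + 1):
            segment = row[i:i + run]
            if segment in lowered or segment[::-1] in lowered:
                return True
    return False


def check_password(password, personal_info=()):
    """Return a list of policy violations; an empty list means the password
    passes. `personal_info` holds strings the user must not reuse, such as a
    birth year or phone number."""
    problems = []
    lowered = password.lower()
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if lowered in COMMON_PASSWORDS:
        problems.append("common or default password")
    for item in personal_info:
        if item and item.lower() in lowered:
            problems.append(f"contains personal info: {item}")
    if has_keyboard_run(password):
        problems.append("adjacent keyboard sequence")
    classes = [re.search(r"[a-z]", password), re.search(r"[A-Z]", password),
               re.search(r"\d", password), re.search(r"[^A-Za-z0-9]", password)]
    if not all(classes):
        problems.append("needs lower-case, upper-case, digit and symbol")
    return problems


if __name__ == "__main__":
    # Constructed sample inputs: the user's birth year is 1985.
    for candidate in ["password", "Qwerty1!", "Summer1985!", "Tr0ub4dor&3x"]:
        verdict = check_password(candidate, personal_info=("1985",))
        print(f"{candidate!r}: {verdict or 'OK'}")
```

Returning every violation at once, rather than stopping at the first, lets the enrollment form tell the user exactly what to fix and gives the policy owner a count of which rules are tripped most often.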
An understanding of how passwords are cracked will help you truly grasp what makes them secure.
Using multiple forms of authentication is undoubtedly more secure than a single password, no matter how strong that password is. Multi-factor authentication (MFA) is increasingly an explicit requirement in compliance standards. Part B of the Digital Identity Guidelines mentioned earlier (SP 800-63B) covers authentication in great detail.
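To make the second factor concrete, the block below is an added example (not from the original post) of server-side verification of a time-based one-time password, the code an authenticator app generates, written in Python from the algorithm in RFC 4226 (HOTP) and RFC 6238 (TOTP) using only the standard library. The secret key and timestamps come from the RFC 6238 test vectors; the drift window and step size are the common defaults and are assumptions of this example.

```python
import hashlib
import hmac
import struct
import time


def hotp(key: bytes, counter: int, digits: int = 6, algo=hashlib.sha1) -> str:
    """HMAC-based one-time password (RFC 4226): HMAC the 8-byte big-endian
    counter, dynamically truncate to 31 bits, and keep the low `digits` digits."""
    mac = hmac.new(key, struct.pack(">Q", counter), algo).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(key: bytes, at: int, step: int = 30, digits: int = 6) -> str:
    """Time-based OTP (RFC 6238): HOTP over the current time step."""
    return hotp(key, at // step, digits)


def verify_totp(key: bytes, submitted: str, at=None,
                step: int = 30, digits: int = 6, window: int = 1) -> bool:
    """Server-side check. Accepts the current step plus `window` steps either
    side to tolerate clock drift, and compares in constant time so a timing
    side channel cannot leak how many digits matched."""
    at = int(time.time()) if at is None else at
    counter = at // step
    for candidate in range(counter - window, counter + window + 1):
        if hmac.compare_digest(hotp(key, candidate, digits), submitted):
            return True
    return False


if __name__ == "__main__":
    # RFC 6238 Appendix B test secret (ASCII "12345678901234567890"), 8 digits.
    secret = b"12345678901234567890"
    print(totp(secret, 59, digits=8))                        # 94287082
    print(verify_totp(secret, "94287082", at=89, digits=8))  # True: one step of drift
    print(verify_totp(secret, "94287082", at=150, digits=8)) # False: too old
```

A real deployment also records the last accepted counter per user and refuses to accept it twice, so that a code captured in transit cannot be replayed inside the drift window; the secret must be generated randomly per user and stored with the same care as a password hash.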
Best Practice Tips for Access Controls and Authentication
- NEVER use the default admin account. When you first log in to an environment, create new admin accounts and disable the default admin account. If it cannot be disabled, change its password immediately.
- Regularly review and clean up your access control rules to reflect changes in your business processes. Remove deprecated controls to reduce unnecessary risk.
- Regularly change passwords.
- Regularly clean up Active Directory entries. If an account will no longer be used, delete it.
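The tips above are review tasks, so as an added example (not from the original post) here is a small Python audit that runs over a directory export and flags three of them: a built-in admin account that is still enabled, accounts idle for longer than a threshold, and access rules that still name a principal who no longer exists. The account records, rule records, 90-day threshold and default admin names are constructed for the illustration; in practice the input would come from your directory and access-management exports.

```python
from datetime import datetime

# Constructed directory export: ISO dates, None = never logged on.
ACCOUNTS = [
    {"name": "Administrator", "enabled": True, "last_logon": "2024-06-10"},
    {"name": "alice", "enabled": True, "last_logon": "2024-06-01"},
    {"name": "contractor_old", "enabled": True, "last_logon": "2023-09-15"},
    {"name": "svc_backup", "enabled": True, "last_logon": None},
]

# Constructed access control rules: each grants a principal some right.
RULES = [
    {"id": "r1", "principal": "alice", "right": "read:reports"},
    {"id": "r2", "principal": "ghost_user", "right": "manage:users"},
    {"id": "r3", "principal": "contractor_old", "right": "read:reports"},
]

# Assumed names of built-in admin accounts that should be disabled.
DEFAULT_ADMIN_NAMES = ("Administrator", "admin", "root")


def audit_directory(accounts, rules, now, max_idle_days=90,
                    default_admins=DEFAULT_ADMIN_NAMES):
    """Return (finding_type, identifier) pairs for review. Findings are
    advisory: a service account that never logs on interactively will show up
    as stale and needs a human decision, not automatic deletion."""
    findings = []
    known = {a["name"] for a in accounts}
    for account in accounts:
        if account["name"] in default_admins and account["enabled"]:
            findings.append(("default_admin_enabled", account["name"]))
        last = account.get("last_logon")
        idle_days = None if last is None else (now - datetime.fromisoformat(last)).days
        if idle_days is None or idle_days > max_idle_days:
            findings.append(("stale_account", account["name"]))
    # A rule whose principal no longer exists is a deprecated control to remove.
    for rule in rules:
        if rule["principal"] not in known:
            findings.append(("orphaned_rule", rule["id"]))
    return findings


if __name__ == "__main__":
    for kind, ident in audit_directory(ACCOUNTS, RULES, now=datetime(2024, 6, 15)):
        print(f"{kind:22} {ident}")
```

Running this on a schedule and diffing the output against the previous run turns the “regularly review” advice into a measurable control: findings that persist across runs are the ones nobody has acted on.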
How Sedara Can Help You
Sedara has an experienced team that can take your cybersecurity and compliance to the next level with 24/7/365 monitoring, detection, and response. If you are looking for expert help for your organization, discover how Sedara can help you.