Controlling access to organisational data
Control user access
It is estimated that 90% of cyber data breaches are caused by an organisation’s own staff. Most of those are caused by negligence, ignorance or error, however it must be noted that some are caused intentionally. A malicious insider threat can be an existing member of the workforce acting for their own benefit, or an ex-member of the workforce abusing their former access.
With this in mind, it makes sense to limit access to your most sensitive, important and valuable information, also to know who has that access and to monitor and control it.
Identifying users and restricting access is good practice for all organisations. The more access, the more risk, so it is recommended that accounts are configured with in depth permission settings that only allow staff to access information that they need to perform their role but no more. This is known as the rule of least privilege.
It is best practise that all staff should use a standard user account to carry out their normal day-to-day work and a separate administrator (admin) account should be used to install and remove software, and other administrative tasks. Admin accounts typically have the greatest level of access to information, applications and settings and will cause the most damage if accessed by attackers. An attacker will have the same privileges as the account you are logged in as and if that is an admin account, they will be able perform actions such as install malicious software, delete files and access sensitive data. For this reason, administrative accounts must be restricted, kept track of and not used to carry out everyday tasks.
Account separation
No one, not even home users, should use administrator accounts for everyday computer use, such as web surfing, emailing or office work. Instead, those tasks should be carried out by a standard user account. By default, user accounts in Windows and Mac have administrator privileges, meaning they allow you to install, modify or delete software. This level of access carries security risks as unfortunately, you have the ability to do things that you never really intended to do, some of which can cause major problems with the computer. It’s quite easy for an administrator to accidentally delete an important system file or change a setting that renders the PC unstable or un-bootable. If you work for a small business or for yourself, you might not realise that you are permanently logged on with an administrator account.
If you’re a Windows or Mac user who has administrative rights, you should create a separate administrator account, and downgrade your regular account to standard-user account even when you’re the only person who uses the computer. You can still perform administrative tasks by typing in the password to the admin account.
Even if you are a sole trader or work in a single person company you still need at least two accounts on your computer.
PIMS and PAMS
Many organisations use identity and access management (IAM) strategies or tools as part of their security practices. It determines how they manage user identities, authenticate users, and control access to their company resources. Privileged identity management (PIM) and privileged access management (PAM) are well recognised elements of these strategies.
Privileged Identity Management (PIM) is about protecting the passwords and other access credentials of important people within a company who have access to sensitive information and critical systems. PIM helps ensure that these privileged accounts are only accessed by authorised individuals, and not by hackers or other malicious people who might want to use this access to steal sensitive data.
Privileged Access Management (PAM) is a broader term that includes PIM. PAM is all about managing and monitoring access to important systems, applications, and data. This includes controlling who can access these resources, and tracking what they do when they access them. PAM is important because it helps prevent the abuse of privileged accounts and detect and respond to potential threats.
Together, PIM and PAM are important tools for keeping sensitive information and critical systems secure, and for ensuring that only the right people have access to them.
Just enough or just in time
When an employee using a regular user account needs to download or update software or change the configuration of a setting, they will need to enter an administrator password. If they do not have administrator permissions, they will need to ask someone with those permissions to assist them by providing the password in order to complete their proposed task. This is an example of ‘just enough’ or ‘least privilege’ access control.
An alternative way to manage this situation is to use a method called, ‘just in time’ where a single account can be elevated to administrator for a period of time.
Some organisations believe they have a secure PAM solution using ‘just in time’ to manage their user access control. However, privilege access management systems can be configured in many different formats and even if there was one way to configure the platform securely, there would be five other ways that are not compliant with Cyber Essentials.
If an app allows users to elevate their account privileges for their own purposes, to install or update software, download apps or configure changes, how long is an acceptable amount of time? Sometimes those elevated privileges are not revoked until the machine is turned off and in the case of a laptop, that could be several days. Performing day-to-day work on an administrator account for days or even hours is a security risk.
Another example where the ‘just in time’ model may present a security risk is when a user wishes to download some software from a link in an email. With the ‘just enough’ model, that user would need to type in an admin password or ask someone with administrator privileges for a password. The act of doing this may raise the question, ‘what is this?’ and could be the difference between denying the request and falling victim to a phishing attack.
Just enough for Cyber Essentials
‘Just in time’ is not a principle that is compliant for Cyber Essentials. There are many people that argue it is secure with the issue being the acceptable time frame for a user account to have admin privileges. For Cyber Essentials, however, no amount of time is acceptable. Organisations are required to use the ‘just enough’ model which uses the rule of least privilege.
In line with this model, the number of accounts with privileged access should be limited to the absolute minimum and not used for day-to-day use. By following a process for the creation, use and monitoring of user and admin accounts, staff will be prevented from checking emails and browsing the web while logged into an admin account and protected from accidentally installing malware from phishing emails or malicious websites.
To limit any potential issues from former employees, immediately remove or suspend accounts that are no longer being used, it is also good practice to limit or block the use of USB and other portable removable media and devices.
It’s a good idea to have a comprehensive policy that details the processes for creating, and controlling accounts with special access privileges including how and when to revoke access to information in a timely way when a member of staff changes role or leaves the organisation.
Consider:
A user account creation process
It might be that only once someone has signed their paperwork and received clearance (if appropriate) they are issued with a computer user account. Even if you are a sole trader, understanding the reason behind these processes will help secure your organisation if new employees or third parties access your information.
Develop a movers, leavers or joiners process
When someone joins your organisation, their account permissions are recorded and approved. When they leave, their account is disabled (or removed).
Create a set of rules around administrator accounts
Clarify who has the administrator accounts* and ensure that these accounts were not used for emails and web browsing. Regular account activity is risky on an administrator account as any compromise can happen with a higher set of permissions, meaning there is potential for greater harm to your system. Staff should have separate user accounts if they are expected to perform both administrative and routine functions and they should log in with their standard user accounts for day-to-day tasks. Administrator accounts should be used only to install or modify software and to change system settings.
*It is often necessary to use a combination of policy and staff training to achieve this requirement.
More guidance about answering the Cyber Essentials assessment questions for single person organisations is in development.