SANS 20 Critical Controls #9: Controlled Access Based on Need to Know

Companies often don’t enforce strict access controls for their internal users. It is important to grant access to sensitive data based on the need to know. This way, only those users who really need access to sensitive data hold those privileges, instead of a user being granted sweeping privileges over all types of data. By limiting access to sensitive data to a select group of users, you limit your vulnerability, because fewer accounts can reach the sensitive data. Separation of duties is also a key component of compliance mandates such as Sarbanes-Oxley.

The first step you must take is to identify your sensitive data by establishing a data identification scheme. A multi-level classification based on the sensitivity of the data is especially useful. To ensure that access rights are being managed correctly, you must perform detailed and frequent auditing of access to all types of data. You must also set up an alert mechanism so that administrators are quickly notified of any attempt to access a file, or data in a database, without the appropriate privileges.

A fundamental step in controlling access on the need-to-know principle is to separate administrator accounts from non-administrative accounts. You must also clearly define the procedures for when an administrative account, rather than a non-administrative account, should be used.

You can also consider implementing a product such as Oracle Database Vault to control and manage privileged users’ access to application data. System administrators and database administrators are usually strict about not giving administrative access to other users. However, these privileged users themselves often have unlimited access to sensitive application data. Proper separation of duties prevents privileged users from accessing sensitive application data.
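The steps above (classify the data, audit access against need to know, alert on attempts without appropriate privileges, and keep administrative accounts away from application data) can be tied together in a small audit-review routine. The following Python is an added example, not code from the original post or from any product it names; the classification scheme, roles, user names and audit log format are all constructed for illustration.

```python
import re

# Constructed classification scheme: each sensitive object gets a sensitivity level.
CLASSIFICATION = {"hr.payroll": "restricted", "fin.ledger": "confidential",
                  "app.products": "internal"}
LEVEL = {"internal": 1, "confidential": 2, "restricted": 3}

# Constructed need-to-know entitlements: the highest level each role may read.
# The DBA role has administrative duties only, so it has no application-data entitlement.
ROLE_CLEARANCE = {"hr_analyst": "restricted", "accountant": "confidential",
                  "app_user": "internal", "dba": None}
USER_ROLE = {"alice": "hr_analyst", "bob": "accountant", "carol": "app_user", "sys_dba": "dba"}

# Constructed audit log lines in a simple key=value format.
AUDIT_LOG = """\
ts=2024-03-01T09:00:01 user=alice action=SELECT object=hr.payroll result=GRANTED
ts=2024-03-01T09:00:05 user=bob action=SELECT object=hr.payroll result=DENIED
ts=2024-03-01T09:00:09 user=carol action=SELECT object=app.products result=GRANTED
ts=2024-03-01T09:00:12 user=sys_dba action=SELECT object=fin.ledger result=GRANTED
ts=2024-03-01T09:00:15 user=bob action=SELECT object=fin.ledger result=GRANTED
ts=2024-03-01T09:00:20 user=carol action=SELECT object=hr.payroll result=GRANTED
"""

LINE_RE = re.compile(r"ts=(\S+) user=(\S+) action=(\S+) object=(\S+) result=(\S+)")

def parse_audit_log(text):
    """Yield (ts, user, action, object, result) tuples from the constructed log lines."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield m.groups()

def review_access(events):
    """Return alerts: denied attempts, admin reads of app data, and reads above role clearance."""
    alerts = []
    for ts, user, action, obj, result in events:
        level = CLASSIFICATION.get(obj)
        if level is None:
            continue  # object is not in the classification scheme; out of scope here
        clearance = ROLE_CLEARANCE.get(USER_ROLE.get(user))
        if result == "DENIED":
            alerts.append((ts, user, obj, "denied access to %s data" % level))
        elif clearance is None:  # administrative (or unknown) account touched application data
            alerts.append((ts, user, obj, "account without application-data entitlement read data"))
        elif LEVEL[level] > LEVEL[clearance]:  # access was granted but exceeds need to know
            alerts.append((ts, user, obj, "granted access exceeds role clearance (%s > %s)" % (level, clearance)))
    return alerts

if __name__ == "__main__":
    for alert in review_access(parse_audit_log(AUDIT_LOG)):
        print(alert)
```

The third alert type is the one the control is really about: an access that the database permitted but that the data owner never meant the role to have, which only a review against the classification scheme will surface.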
