SANS 20 Critical Controls #9: Controlled Access Based on Need to Know

Companies often don’t enforce strict access controls for their internal users. It is important to grant access to sensitive data based on the need to know. This way, only those users who really need to have access to sensitive data will have those privileges, instead of granting sweeping privileges to a user over all types of data. By limiting access to sensitive data to only a select group of users, you will limit your vulnerability, due to the reduced exposure of sensitive data. Separation of duties is a key component of compliances mandates such as Sarbanes-Oxley.

The first step you must take is to identify your sensitive data, by establishing a data identification scheme. A multi level data sensitivity classification based on the sensitive level of the data is especially useful. To ensure that access rights are being currently managed, you must perform detailed and frequent auditing of the access to all types of data. You must also set up an alert mechanism so administrators are quickly alerted to an attempt to access a file or data in a database without appropriate privileges.

The first step in controlling access based on the need to know principle is to separate administrator accounts from non-administrative accounts. You must also clearly define the procedures when an administrative account should be used instead of a non-administrative account.

You can also consider implementing a product such as Oracle Database Vault, to control and manage privileged user’s access to application data. System administrators and database administrators are pretty strict about not giving administrative access to other users. However, these privileges users often have unlimited access to sensitive application data. Proper separation of duties will prevent the privileges user’s access to sensitive data.

Leave a Reply

Your email address will not be published. Required fields are marked *

*