Limiting Access Is the First Step to Securing Networks

February 1, 2016

As part of our continuing series on the NIST Framework, we completed our review of the “Identify” category last month. Now, let’s consider NIST’s advice for how best to “Protect” networks, starting with access control.

At the heart of this important topic is establishing everything that needs to be locked down, as to whom, and against what. Everything that requires protection commonly includes data, computers and applications; from whom includes insiders and outsiders, and extends all the way from honest employees to malicious hackers; what is being controlled, despite the category’s name, extends well beyond access and equally includes restricting the ability to modify resources.

Let’s break this down a bit. While data access restrictions are meant to lock down the ability to view sensitive information (such as trade secrets and customer data), controlling data modification assumes authorized access to the information, but limits or prohibits the ability to alter it (think of a website that anybody can view, or documents with “read only” permissions of “look, but don’t touch”).

Turning to the devices themselves, computer access restrictions include physical protections against human tampering (starting with your server room), as well as restricting which computers can talk to each other (air-gapped networks offer a great example). Then there’s the separate ability to modify computer hardware, whether by unscrewing the back and swapping out parts or, more simply, by adding or disabling a peripheral device like a printer.

Finally, there are considerations relating to applications, which range from a company’s ability to track and abide by the number of software licenses it purchased, to a hacker’s ability to modify firmware and security settings.

To accomplish the essential goal of access control, NIST focuses on five objectives:

Establishing verifiable identities, issuing trusted credentials, and de-provisioning access when required.
Controlling physical access. For more on this topic, see the July 2015 Cyber Tactics column, “Securing the Physical Side of Cybersecurity.”
Managing remote access, while taking into account teleworkers, mobile devices, Web platforms, as well as trusted vendors and business affiliates.
Restricting permissions, by providing users only with those abilities they require (this is the concept of least privilege) and dividing roles and responsibilities so more than one person is needed to perform certain critical functions (this is the concept of separation of duties, and it’s not limited to nuclear launch codes).
Protecting network integrity which, for larger systems, likely will include some form of network segmentation (partitioning) and network segregation (restricting the devices that can communicate with one another) to prevent lateral movement should part of the network become compromised.

As you can gather, there is a lot underlying each of these points. To gain a more in-depth understanding of access control, consider supplementing the Framework by reading NIST’s Security Controls and Assessment Procedures for Federal Information Systems and Organizations. But please, if you access it online, don’t try to modify it. Doing otherwise might lead to an understanding of how the FBI enforces access control!

Steven Chabinsky is global chair of the Data, Privacy, and Cyber Security practice at White & Case LLP, an international law firm. He previously served as a member of the President’s Commission on Enhancing National Cybersecurity, the General Counsel and Chief Risk Officer of CrowdStrike, and Deputy Assistant Director of the FBI Cyber Division. He can be reached at chabinsky@whitecase.com.

You must login or register in order to post a comment.

ON DEMAND: DevSecOps creates an environment of shared responsibility for security, where AppSec and development teams become more collaborative. With the right training and tools, developers can become more hands-on with security and, with that upskilling, stand out among their peers... however, they need the security specialists on-side, factoring them into securing code from the start and championing this mindset across the company.

ON DEMAND: The insider threat—consisting of scores of different types of crimes and incidents—is a scourge even during the best of times. But the chaos, instability and desperation that characterize crises also catalyze both intentional and unwitting insider attacks. Learn how your workers, contractors, volunteers and partners are exploiting the dislocation caused by today's climate of Coronavirus, unemployment, disinformation and social unrest.

Security Magazine

2020 December

This month, Security magazine brings you the 2020 Guarding Report - a look at the ebbs and flows security officers and guarding companies have weathered in 2020, including protests, riots, the election, a pandemic and much more. Industry experts discuss access management and security challenges during COVID-19, GSOC complacency, the cybersecurity gap, end-of-year security career reflections and more!

View More Create Account

Limiting Access Is the First Step to Securing Networks

Recent Articles by Steven Chabinsky

Who's Responsible for Cloud Security?

Clear, Purge & Destroy: When Data Must be Eliminated, Part 2

Clear, Purge & Destroy: When Data Must be Eliminated

Bug Bounty Programs: An Emerging Best Practice

Managing Supply Chain Risk

Security Magazine

2020 December

Limiting Access Is the First Step to Securing Networks

Recent Articles by Steven Chabinsky

Related Articles

Report Abusive Comment