CIS Control 14: Controlled Access Based on the Need to Know

The focus of this control is to ensure users are only allowed access to the information they are authorized to use and need in order to perform their job duties. There are several layers to this complex problem, beginning with network segmentation and growing to data classification and Data Loss Prevention (DLP) products.

The CIS states this Control is critical:

“Encrypting data provides a level of assurance that even if data is compromised, it is impractical to access the plaintext without significant resources; however, controls should also be put in place to mitigate the threat of data exfiltration in the first place. Many attacks occurred across the network, while others involved physical theft of laptops and other equipment holding sensitive information. Yet, in many cases, the victims were not aware that the sensitive data were leaving their systems because they were not monitoring data outflows. The movement of data across network boundaries both electronically and physically must be carefully scrutinized to minimize its exposure to attackers.”

The journey of implementing the CIS Controls continues with controlling access using Access Control Lists (ACL). Organizations are directed to protect all information stored on systems using native ACL methods. These methods include network layer access controls, file level permissions, and other application centric controls. The specific sub-controls that are part of Implementation Group 1 (IG1) are:

Managing ACL or Dynamic ACL (DACL) is a complicated task at all levels of IT operations. The best approach is to have a clearly defined access policy and to conduct repeated internal audits. Some organizations take the approach of denying all access by default and then opening up access as needed. This approach works well for file systems or databases, but is harder to apply to network-based ACL. To automate the audit process, Tenable Security Center can be configured with custom audit files to review configurations and report on their status. This customization is a very advanced process and should be done with the aid of professional services.

The organization should take its time during this process and review all the access requirements at each level. In some cases, several controls come together to create the complete security control. For example, access to a database system starts at the network layer, which restricts access based on IP address and TCP port. User and service accounts are needed next, which may in turn lead to file-level permissions. Finally, data-level ACL must be created. If any one step in the ACL chain is misconfigured, the system could end up with too much access or no access at all. Use the data collected in Controls 1 & 5 to help establish the requirements and begin documenting access requirements.
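The layered evaluation described above, and the deny-by-default audit approach recommended earlier, as an added example that is not part of the original page and is not Tenable's audit-file format: a small Python model in which each ACL layer (network, account, file, data) denies by default and a request is allowed only when every layer permits it. The accounts, addresses, file paths and table names are constructed sample data. The audit compares the effective result with the documented expectation for each requirement (the kind of record the text says should come from the Controls 1 & 5 inventory) and reports both the over-access case and the no-access case, naming the layer that blocked the request.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Request:
    """One access attempt, traced through every layer in the stack."""
    account: str
    src_ip: str
    port: int
    path: str       # file the account must read (e.g. a config holding credentials)
    table: str
    privilege: str


class NetworkAcl:
    """Layer 1: source network + destination TCP port. Anything not listed is denied."""
    def __init__(self, allow):
        self.allow = [(ip_network(net), port) for net, port in allow]

    def permits(self, req):
        src = ip_address(req.src_ip)
        return any(src in net and req.port == port for net, port in self.allow)


class AccountLayer:
    """Layer 2: the user or service account must exist and be enabled."""
    def __init__(self, enabled):
        self.enabled = enabled  # account -> bool

    def permits(self, req):
        return self.enabled.get(req.account, False)


class FileLayer:
    """Layer 3: file-level permission, keyed by (account, path) -> set of modes."""
    def __init__(self, grants):
        self.grants = grants

    def permits(self, req):
        return "read" in self.grants.get((req.account, req.path), set())


class DataAcl:
    """Layer 4: data-level grant, keyed by (account, table) -> set of privileges."""
    def __init__(self, grants):
        self.grants = grants

    def permits(self, req):
        return req.privilege in self.grants.get((req.account, req.table), set())


def effective_access(req, layers):
    """Deny by default: return (True, None) only if every layer permits,
    otherwise (False, name_of_first_blocking_layer)."""
    for name, layer in layers:
        if not layer.permits(req):
            return False, name
    return True, None


def audit(requirements, layers):
    """Compare effective access with the documented expectation for each request.
    Returns a list of (finding, account, blocking_layer) tuples."""
    findings = []
    for req, should_be_allowed in requirements:
        allowed, blocked_by = effective_access(req, layers)
        if allowed and not should_be_allowed:
            findings.append(("over-access", req.account, None))
        elif not allowed and should_be_allowed:
            findings.append(("no-access", req.account, blocked_by))
    return findings


# Constructed sample configuration (hypothetical accounts, addresses, paths, tables).
LAYERS = [
    ("network", NetworkAcl([("10.0.1.0/24", 5432)])),
    ("account", AccountLayer({"app_svc": True, "analyst": True, "contractor": False})),
    ("file", FileLayer({("app_svc", "/etc/app/db.conf"): {"read"},
                        ("analyst", "/etc/app/db.conf"): {"read"}})),
    ("data", DataAcl({("app_svc", "orders"): {"SELECT", "INSERT"},
                      ("analyst", "orders"): {"SELECT"},
                      ("analyst", "customers_pii"): {"SELECT"}})),
]

# Constructed access requirements: (request, allowed according to the documented policy).
REQUIREMENTS = [
    (Request("app_svc", "10.0.1.20", 5432, "/etc/app/db.conf", "orders", "INSERT"), True),
    (Request("analyst", "10.0.2.15", 5432, "/etc/app/db.conf", "orders", "SELECT"), True),
    (Request("analyst", "10.0.1.30", 5432, "/etc/app/db.conf", "customers_pii", "SELECT"), False),
    (Request("contractor", "10.0.1.40", 5432, "/etc/app/db.conf", "orders", "SELECT"), False),
]


def run_audit():
    """Run the audit over the constructed sample and return its findings."""
    return audit(REQUIREMENTS, LAYERS)


if __name__ == "__main__":
    for finding, account, layer in run_audit():
        print(f"{finding:11} {account:11} blocked_by={layer}")
```

On the sample data the audit reports two findings: the analyst's documented read access to `orders` is blocked at the network layer (the analyst subnet is not in the ACL), and the same analyst has an undocumented grant on `customers_pii` that every layer lets through. The disabled contractor account is correctly denied at the account layer, so it produces no finding. Because each layer is evaluated independently, the report tells the reviewer which layer to correct rather than only that the end result is wrong.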