São Paulo/SP - June 22, 2023 - Application of Access Management in Information Security processes

* Leandro Zilli

Overview

Information Security plays a key role in several work fronts, including Access Management. This process can sometimes be performed in conjunction with the Information Technology area, but a well-trained and qualified Information Security professional can effectively assist in the management and mitigation of risks related to the topic.

In this article we will address two fronts regarding access management for Information Security: Physical Access and Logical Access.

Physical Access

In physical access, the approach must work from the inside out: first understand which areas and assets must be protected, then implement the security barriers and processes so that access is carried out in a controlled manner and only by those who actually have the right to it.

Taking this approach into account, offices may have restricted work areas (Telecom rooms, sensitive information processing areas) where controls such as biometrics or badges and access profiles must be applied, and these controls must coexist with the business strategy. Badges must distinguish employees from others, such as visitors and service providers; for the latter, it is necessary to apply more restrictive access, terms of responsibility and, where applicable, escorting at all times while they are in the environment.

Other important points are the periodic review of these accesses to confirm they are still appropriate, and the assignment of a person responsible for each area to work together with Information Security on risk management. An effective process is also needed when the office is located in a shared building (condominium): access management must be well executed in the office environment and reflected in the access management of the building entrance, which is under the responsibility of the condominium, since people and visitors from other companies can transit through the floors.

The location of these more sensitive areas must be strategic, so that access is possible only through a single entry point, mitigating the risk of improper access (sometimes even from the external environment).

As a complementary control, it is important to have a CCTV (Closed Circuit Television) monitoring all the premises, especially the restricted work areas.

In Data Centers there are more robust controls and well-designed processes, as it is a place where several companies keep important information and assets (physical or logical), and the expectation is a place with restricted access and a high level of security. In addition to access controls and camera monitoring (CCTV), access to the environment is granted only through several steps. It starts with the provision of visitor data (registration form, documents) by eligible persons previously informed by the customers to the Data Center management; once authorized, further steps are applied in person, from identification at the guardhouse to passing through inspection and metal detectors, and the visitor may be accompanied by a Data Center employee throughout the period of stay on site.

Logical Access

In logical access, controls must be established and implemented to protect and provide access to information and other associated assets in order to meet security and business requirements, ensuring access to whom it is due and mitigating the risks of unauthorized access.

The entire access cycle must be executed in such a way as to provide traceability, whether in granting, maintaining/adapting and revoking, starting with the creation of credentials.

Credentials must be created in a way that makes it possible to associate them with the person responsible for them. Where there is a need to create generic credentials, their criticality, formalization/documentation and access control for their use must be defined, for example with the option of using a credential vault, allowing traceability of their use. For third parties (service providers), it is necessary to have a person in charge within the company as well as terms of responsibility and non-disclosure (NDA - Non-Disclosure Agreement).

The granting of access must be done through a tool that makes it possible to formalize the request and promote approval stages (Manager, HR, IS). The execution stage must be carried out by dedicated and trained professionals, to avoid deviations or errors in this stage.

Using an IAM (Identity and Access Management) tool may assist in provisioning accesses in an automated way, but it requires a prior process for mapping accesses according to the business strategy.

Regarding approval flows and access to system functionality, the SoD matrix (Segregation of Duties) can promote controls to avoid conflicting access/permissions, such as one person being able to request, approve and implement the same functionality, preventing a single credential from having exclusive and complete control over transactions and business processes. Together with the SoD matrix, the implementation of access profiles makes it possible to meet security and business requirements by identifying profiles, assessing risks and carrying out periodic reviews.

In situations where access is granted with elevated privileges (administrative profiles), these credentials must use additional controls in their use, such as the use of MFA (Multi-Factor Authentication), even more so if the credential is from third parties (service providers), generic or native to the system.

The blocking and deletion of credentials belonging to departed employees and third parties is necessary, and it must be a documented and traceable process. In cases of dismissal or the end of a temporary contract, there must be synergy between the manager/person in charge, HR and Information Security, so that the blocking is carried out and formalized as soon as possible, mitigating the risks to the organization's environment.

For purposes of revalidation and evaluation of the effectiveness of credential access management, the periodic access review process should assess whether access still reflects current needs and whether credentials of terminated employees or third parties who no longer work in the organization should be blocked.
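As an added illustration of the SoD matrix and the periodic access review described above (example code, not part of the original article): a small review helper that flags credentials holding conflicting permissions and credentials whose holder or responsible third party is no longer active. The conflict pairs, role names and sample records are constructed assumptions.

```python
from dataclasses import dataclass
from itertools import combinations

# Assumed SoD matrix: permission pairs one credential must never hold together.
# Based on the request/approve/implement and develop/test/deploy separations.
SOD_CONFLICTS = {
    frozenset({"request", "approve"}),
    frozenset({"approve", "implement"}),
    frozenset({"request", "implement"}),
    frozenset({"develop", "test"}),
    frozenset({"test", "deploy_prod"}),
}


@dataclass
class Credential:
    user: str
    owner: str            # accountable person (matters for generic/third-party ids)
    permissions: set
    active: bool          # holder/owner still employed or under contract
    kind: str             # "employee", "third_party" or "generic"


def sod_violations(cred):
    """Return the conflicting permission pairs held by a single credential."""
    return sorted(
        tuple(sorted(pair))
        for pair in combinations(sorted(cred.permissions), 2)
        if frozenset(pair) in SOD_CONFLICTS
    )


def review_access(credentials):
    """Periodic review: emit (user, finding, detail) tuples for SoD conflicts
    and for credentials that should be blocked because the person is gone."""
    findings = []
    for c in credentials:
        for pair in sod_violations(c):
            findings.append((c.user, "sod_conflict", "+".join(pair)))
        if not c.active:
            findings.append((c.user, "block_credential", f"{c.kind} no longer active"))
    return findings


# Constructed sample records for the review run
SAMPLE = [
    Credential("alice", "alice", {"request"}, True, "employee"),
    Credential("bob", "bob", {"request", "approve", "implement"}, True, "employee"),
    Credential("svc-vendor01", "carol", {"develop", "test"}, False, "third_party"),
]

if __name__ == "__main__":
    for finding in review_access(SAMPLE):
        print(*finding)
```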

To support more proactive actions, DLP (Data Loss Prevention) and SIEM (Security Information and Event Management) tools can be used, which provide rules to mitigate data leaks and misconduct, managed by a team such as the SOC (Security Operations Center), and help to comply with laws and regulations such as the LGPD (General Data Protection Law).

According to the 2022 Global Threat Scenario Report by Fortinet, approximately 44% of initial access methods involve the use of valid credentials. This is based on incident investigations carried out by the FortiGuard Incident Response team in 2022, which identified access through legitimate credentials that may be linked to an intrusion; the likely explanations for this type of access are the collection of the credential in activities prior to the intrusion or the acquisition (purchase) of credentials leaked in other incidents.

The application of access management can be reflected on several fronts. A good example is access to, and interaction with, the source code, which can be managed and monitored through developer tools according to the activities to be performed, mainly where more than one person has access. Another point concerns the development processes: the segregation of the production, test/approval and development environments must be replicated in the accesses, so that those who develop do not test, and those who test do not implement in production.

FINAL CONSIDERATIONS

As can be seen, the subject is of great relevance and extensive, requiring efforts from all.

There are three fundamental factors for good information security management: People, Processes and Technologies. Processes must be well planned and executed, where technologies act as important tools to support these processes.

About people, there is a maxim that they are the weakest link. However, if they go through two essential and periodic stages, information security awareness and training, they come to understand risks and threats and learn which safe procedures and practices to follow, such as protection against phishing and handling information correctly. The result is an employee less likely to fall for scams and more likely to follow information security policies, which makes people one of the fundamental lines of defense against incidents, risks and threats.

We at SAFEWAY have the expertise and can meet your needs, through qualified professionals and services, working on several fronts in terms of Access Management.

*Leandro Zilli is a GRC Consultant at Safeway

HOW CAN WE HELP?

SAFEWAY is an Information Security consulting company recognized by its clients for offering high value-added solutions through projects that fully meet the needs of the business. In 15 years of experience, we have accumulated several successful projects that have earned us credibility and prominence among our clients, which largely comprise the 100 largest companies in Brazil.

Today, through 25 strategic partnerships with global manufacturers and our SOC, SAFEWAY is considered a one-stop shop with the best technology, process and people solutions. We have both the technical skills and the necessary experience to assist your company in structuring processes, controls and technologies related to physical and logical access management, respecting the context, particularities and regulations of your industry. If you want more information, contact one of our specialists!

Let's make the world a safer place!