
Access Management and Operational Controls

Limiting Access & Damage

Apply the Need-to-Know and Least Privilege principles:

  • Limit access to data and systems; ensure users only access what they require.
  • These controls are not only preventative; they also limit the severity of an incident when one occurs.

Separation of Duties

  • Ensures no single individual controls all critical function elements.
  • One person assigns permissions; a different person exercises them.

Is an employee handling an end-to-end critical process alone? Risky! Covering tracks, like erasing logs, becomes easy.

Job Rotation

  • Rotate employees among different tasks or jobs.

These policies, combined, curb fraud: collusion becomes necessary, because the end-to-end process cannot sit with one person.


Monitoring Privileged Operations

Privileged Entities

  • Trusted entities that can misuse power.
  • Vital to supervise privilege assignment and its usage.

Monitor: WHO has the privilege, WHY, WHEN, and HOW they use it. Catch attacks and prevent power abuse.
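As an added example (not part of the original notes), the following Python sketch ties the Separation of Duties rule above (the person who assigns a permission may not be the one who exercises it) to the WHO/WHY/WHEN/HOW monitoring of privileged operations. The registry, privilege names and sample users are constructed for illustration.

```python
from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import Dict, List


class SeparationOfDutiesError(Exception):
    """Raised when one person would both assign and exercise a privilege."""


@dataclass
class PrivilegeRegistry:
    """Constructed example: who holds a privilege, who granted it, why, and how it is used."""

    # user -> privilege -> grant record (approver, reason, timestamp)
    grants: Dict[str, Dict[str, dict]] = field(default_factory=dict)
    # Append-only record of every assignment, use and denial
    audit_log: List[dict] = field(default_factory=list)

    def assign(self, approver: str, user: str, privilege: str, reason: str) -> None:
        """Grant a privilege; the approver may never be the recipient (separation of duties)."""
        if approver == user:
            raise SeparationOfDutiesError(f"{approver} may not grant '{privilege}' to themselves")
        self.grants.setdefault(user, {})[privilege] = {"approver": approver, "reason": reason, "granted_at": self._now()}
        self._record("assign", who=approver, privilege=privilege, why=reason, how=f"granted to {user}")

    def use(self, user: str, privilege: str, reason: str, action: str) -> bool:
        """Exercise a privilege; denied (and still logged) unless the user actually holds it."""
        allowed = privilege in self.grants.get(user, {})
        self._record("use" if allowed else "denied", who=user, privilege=privilege, why=reason, how=action)
        return allowed

    def holders(self, privilege: str) -> Dict[str, dict]:
        """Answer WHO holds a privilege, WHY and since WHEN (the supervisory questions)."""
        return {u: p[privilege] for u, p in self.grants.items() if privilege in p}

    def _record(self, event: str, **fields) -> None:
        # Every entry carries WHO, WHY, WHEN and HOW so misuse can be reviewed later
        self.audit_log.append({"event": event, "when": self._now(), **fields})

    @staticmethod
    def _now() -> str:
        return datetime.now(timezone.utc).isoformat()


if __name__ == "__main__":
    reg = PrivilegeRegistry()
    reg.assign("alice", "bob", "approve_payment", "ticket #123 month-end close")
    print(reg.use("bob", "approve_payment", "ticket #123", "approve invoice 42"))    # True, logged as "use"
    print(reg.use("carol", "approve_payment", "no ticket", "approve invoice 42"))    # False, logged as "denied"
    print(reg.holders("approve_payment"))
```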


Information Lifecycle

  1. Creation: By users (e.g., a new file) or systems (e.g., system logs).
  2. Classification: Classify data as soon as possible so we know what to do with it.
  3. Storage: Secure data according to its classification.
  4. Usage: Refers to data in use or in transit over a network.
  5. Archive: Retain data as mandated by laws or regulations.
  6. Destruction: Obliterate data so it's unreadable.

Secure Provisioning

  • Ensures resources are securely deployed and maintained throughout their lifecycle.
  • Examples: VM templates and Docker applications; ensure base images and container images are free from malicious content before deployment.

Service Level Agreements (SLAs)

  • Stipulate performance expectations, such as maximum downtimes.
  • Penalties imposed if the vendor fails to meet these expectations.
  • Typically used with vendors.
  • SLAs demand accountability if agreements aren't met.

Internal SLAs and OLAs

  • SLAs can also exist between entities inside an organization.
  • Alternatively, Operational Level Agreements (OLAs) can be used internally.

Virtual Assets & Security

Types of Virtual Assets

  • Virtual Machines (VMs)
  • Virtual Desktop Infrastructure (VDI)
  • Software-Defined Networking (SDN)
  • Storage Area Network (SAN)

Hypervisors

  • Primary component managing virtual assets.
  • They present an additional target for attackers.

Ensure both hypervisors and VMs are regularly patched, as the hypervisor is a high-value attack target: compromising it exposes every VM it hosts.

Security Concerns with Virtual Assets

  • Storing data in the cloud heightens risks.
  • Necessary security steps depend on the data's value.
  • Cloud providers typically offer security recommendations.

Shadow IT, like employees using Dropbox instead of OneDrive, poses a risk. Consider a Cloud Access Security Broker (CASB) to gain visibility into and control over such use.


Cloud-Based Services & Responsibility

  • When using cloud services, be clear on who's responsible for maintenance and security.
  • In the IaaS model, the Cloud Service Provider (CSP) takes on the least maintenance and security responsibility; the customer owns the rest.

For more on the divisions of responsibility, see Shared Responsibility Model.