Locking Down the Network With Access Controls

Once your network is configured, you and your employees will start using it in a way which results in sensitive information residing on servers and workstations. One of the best ways to protect this information is enforcement of the principles of least privilege and need-to-know.

Least privilege dictates users should have only the rights and permissions necessary to do their jobs. For example, a network administrator will probably need full access to servers and network devices using an administrator-level account. However, business users are granted access to servers only at a level necessary to access shares or applications.

Need-to-know supports least privilege by ensuring that once users gain access to an application, for example, they only see information related to their jobs. ePHI security is a good example of this. The HIPAA requires that users may only see information on patients they directly work with. So a nurse working in a hospital, for instance, shouldn’t see records for patients not under her care.

In another example, there is no reason for someone working in building services to have access to employee payroll information.

Both least privilege and need-to-know are implemented and managed via administrative, technical, and physical access controls. Each of these is further divided into preventive, detective, and corrective.

Administrative controls are management policies and procedures designed to protect against unwanted employee behavior, including:

• Separation of duties (preventive)
• Business continuity and disaster recovery planning/testing (preventive, detective, corrective)
• Proper hiring practices (preventive)
• Proper processing of terminations (preventive)
• Security reviews and audits (detective)
• Mandatory vacations (detective)
• Background investigations of current employees (detective)
• Rotation of duties (detective)

Corrective controls across all three categories (administrative, technical, and physical) are covered in the series on Incident Management.

More detailed information about each of these administrative controls, see the Security Administrative Controls series.

Logical controls, also called technical controls, are used to provide access to your organization's data in a manner that conforms to management policies. This includes enforcement of separation of duties. Controls in this category include:

• Access control software
• Malware solutions
• Passwords
• Security tokens
• Biometrics
• Encryption

For a detailed discussion of logical access controls, see Logical/Technical Security Controls – Part 1 and Part 2.

Physical controls rely on the proper application of physical barriers and deterrents to control behavior. It's through the use of physical controls that an organization controls physical access to facilities and systems. They also assist in maintaining the operating environments necessary to continue information processing and delivery activities. Physical security controls include:

• Alternate power sources (preventive)
• Flood management (preventive)
• Data backup (preventive)
• Fences (preventive)
• Human guards (preventive)
• Locks (preventive)
• Fire suppression systems (preventive)
• Biometrics (preventive)
• Location (preventive)
• Light sensors (detective)
• Vibration/sound sensors (detective)
• Motion sensors (detective)
• Video surveillance (detective)

For a detailed discussion of these controls, see Physical Security Controls – Part 1 and Part 2.