The ability to determine who should and shouldn’t have access to what data is an integral part of any data security strategy, or at least it should be. Unfortunately, many organizations still don’t have the control that they need to keep their data secure.
Many don’t have a complete inventory of what data they store, let alone a clear understanding of how that data is being accessed. According to a recent study, almost 20% of organizations have over 1,000 sensitive folders open to everyone, and about the same amount have over 1,000 folders with inconsistent permissions.
Organizations are storing increasingly more sensitive data in the cloud, which is hardly surprising given that cloud solutions are affordable, scalable and convenient. However, if not configured properly, they can leave your sensitive files exposed to the internet. For example, in recent times we’ve seen a large number of data breaches caused by poorly configured, or “leaky”, Amazon S3 buckets. According to recent statistics, 7% of all S3 buckets have unrestricted public access.
With statistics like these, it’s really not surprising why data breaches continue to make the headlines. Sensitive data is what most cyber-criminals are looking for, and without the appropriate access controls in place, we’re just handing it to them on a plate.
What Are Access Permissions?
Access permissions are described by an access-control list (ACL), where each list item specifies how a given subject can interact with a given object. Or in less abstract terms, what operations can a given user, program or process, perform on a given file or folder.
What Are the Different Types of Access Control?
There are various techniques for controlling access to sensitive data, although Role-Based Access Control (RBAC) and Attribute-Based Access Control (ABAC) are the most common. RBAC is where access is granted based on a subject’s role, which may include their user type, job title, department, physical location, or time spent with the company. ABAC, on the other hand, uses “IF, THEN” statements to enable fine-grained access control.
For example, IF user_type = admin AND department = IT, THEN grant read/write access to the “backups” folder. ABAC will provide the most precise level of control, however, the additional layer of complexity could result in blind spots. As such, RBAC is probably the most suitable approach, although a combination of RBAC and ABAC can be used if necessary.
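To make the RBAC and ABAC distinction concrete, here is an added example (not code from the original article) that evaluates the article’s own rule, IF user_type = admin AND department = IT THEN read/write on “backups”, beside a role-based grant table. The subject attributes, role names and the “combined” mode (RBAC grants a candidate set, ABAC must also allow it) are assumptions made for illustration.

```python
from dataclasses import dataclass, field

# Constructed subject model: the attributes are the ones used in the article's rule.
@dataclass(frozen=True)
class Subject:
    name: str
    user_type: str
    department: str
    roles: frozenset = field(default_factory=frozenset)

# RBAC: a (role, object) pair maps directly to the operations it permits.
RBAC_GRANTS = {
    ("backup_operator", "backups"): {"read", "write"},
    ("auditor", "backups"): {"read"},
}

# ABAC: each rule is an IF predicate over subject attributes and the THEN grant.
# The first rule is the article's example; the second is an assumed narrower one.
ABAC_RULES = [
    (lambda s, obj: obj == "backups" and s.user_type == "admin" and s.department == "IT",
     {"read", "write"}),
    (lambda s, obj: obj == "backups" and s.department == "IT", {"read"}),
]

def rbac_allowed(subject, obj):
    """Union of the operations granted by every role the subject holds."""
    ops = set()
    for role in subject.roles:
        ops |= RBAC_GRANTS.get((role, obj), set())
    return ops

def abac_allowed(subject, obj):
    """Union of the grants of every ABAC rule whose predicate holds."""
    ops = set()
    for predicate, grant in ABAC_RULES:
        if predicate(subject, obj):
            ops |= grant
    return ops

def is_allowed(subject, obj, op, mode="rbac"):
    """Default deny: permitted only if some grant names the operation."""
    if mode == "rbac":
        return op in rbac_allowed(subject, obj)
    if mode == "abac":
        return op in abac_allowed(subject, obj)
    # combined (assumed semantics): the role proposes, the attributes confirm.
    return op in (rbac_allowed(subject, obj) & abac_allowed(subject, obj))
```

The combined mode shows the blind spot the article mentions from the other side: a user who keeps the backup_operator role after moving out of IT is still allowed by RBAC alone, but denied once the attribute rule is also consulted.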
Most Dangerous Incorrectly Set Permissions
Often, individual permissions do not present massive problems; the biggest and most dangerous incorrectly set permissions usually arise through inheritance issues and group membership. Generally, there are two main types of permissions that may be damaging to an organization:
- Everyone has the right to access and modify files and folders, creating numerous users with excessive permissions and increasing the potential attack surface for an insider threat or data breach.
- Incorrectly set database permissions could also lead to data leakage.
Often, we find that misconfigurations are one of the biggest causes of dangerous permissions. Sunshine Behavioral Health LLC, for example, recently reported the data leak of over 93,000 patient files due to misconfigured Amazon S3 buckets.
Why You Should Review Access Control Permissions Regularly
As businesses grow and evolve, access control permissions can quickly spiral out of control. Users change roles all the time, or leave the business, and their access control needs to be changed to reflect this. Without regular reviews of your access control permissions you would not be able to spot these use cases and your potential attack surface could grow exponentially. Your access control permissions should be reviewed regularly as part of a bigger risk assessment process. Some of the things to look for include:
- Which of your users have access to your most sensitive data?
- Of these users, how many of them require this access as part of their role requirements?
- How many permission changes are occurring and are these changes creating excessive permissions?
- Which of your users are creating and modifying sensitive data?
Ideally, you should be restricting permissions as far as you possibly can to reduce the risk of data breaches.
How to Manage Access Control Permissions
Managing your access control permissions on an ongoing and proactive basis can help you prevent excessive permissions and permissions sprawl and help you protect data. There are a number of things you can do to ensure that access control permissions are managed correctly.
1. Classify Your Data and Determine Who Has Access
Whichever approach you use, it is important to spend some time thinking about how your data should be organized in order to reduce the complexity of the controls you set up. Once you have decided on a classification schema, you will need to go through your existing repositories with a fine-tooth comb and make a note of what data you have, and how it should be classified.
This might seem like a daunting task, as many organizations will have huge archives of unstructured data which they have accumulated over a number of years. Fortunately, there are tools available which will help to make the process less painful. A data classification tool will automatically scan through your repositories, discover and classify a wide range of data types including social security numbers, biometric data, medical records, payment card details, and any other types of data that are covered by GDPR, HIPAA, PCI, and so on. These solutions will also provide a detailed summary of files containing sensitive data that have excessive permissions, thus giving you the visibility you need to set up access controls in a fast and efficient manner.
OK, so let’s dive a bit deeper into what categories we should set up, and the types of data that belong in each category.
2. Categorize Access Control
While administrators have the freedom to set up any categories they want, the most common categories will include Public, Private and Restricted. It’s unlikely that they will need more than three categories, although there are some grey areas, as I will illustrate below:
Public data can include any data that is available to the general public. However, that doesn’t mean that the general public will have write access to the data, just that they can view the documents without restriction. If the public are allowed write access to a given piece of data, there’s no point in assigning access controls to it. Public data may include job postings, product listings, sales information, and so on.
Private data is data that is not available to the general public by default, although public access can be granted under certain conditions. This could include information that is behind a paywall, or data that can be presented to clients upon request. However, private data may also include business-specific information, which cannot be disclosed to the public, such as product designs, intellectual property, company profits, or any information that could damage the company’s reputation or lead to a loss of revenue, were it to be disclosed to the public.
Restricted data is data that, were it to be disclosed to the public, could result in fines, lawsuits or a serious loss of business. Data protection regulations, such as GDPR, HIPAA, and PCI-DSS, require that safeguards are put in place to ensure that confidential data is not exposed to the public, and a failure to comply with these regulations can be costly. For example, under the GDPR, fines can amount to as much as €20 million, or 4% of global annual turnover (whichever is higher).
As you can see, different types of data have different levels of sensitivity, and it can be tempting to set up lots of different categories to cater for the many different types of data. However, it is important to find a balance, as too much granularity will add complexity, which could in turn make it harder to determine whether a user should or shouldn’t have access to a given piece of data.
3. Implement the Principle of Least Privilege (PoLP)
The “principle of least privilege” is a very important principle in data security. Regardless of whether we are talking about a user, a program, or a process, they must only be granted access to the data they need to perform their role. In addition to preventing regular employees from snooping on data that is not relevant to their job function, implementing least privilege security will help to prevent malware attacks spreading laterally across the network.
Monitoring Access Permissions
Setting up access controls is one thing, but you will still need a way to monitor them and ensure that the controls you have set up are not being manipulated in some way. While it is theoretically possible to manually scrutinize the native server logs to look for unauthorized permission changes, this would not be the recommended approach, as the process will be complicated and inefficient. Instead, you would be better off installing a third-party change auditing solution like LepideAuditor which will automatically aggregate event logs from multiple sources and present the relevant information via an intuitive console.
A specialized auditing solution will also help to detect and manage inactive user accounts, which hackers will try to exploit in order to navigate their way around your system undetected. It will also provide you with real-time alerts and pre-defined reports to give you the visibility you need to adequately protect your sensitive data.
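The two checks described here, permission changes that open sensitive folders to broad groups (the “Everyone” problem from earlier) and accounts that have gone quiet, can be expressed as simple detection logic over aggregated audit events. This is an added example, not LepideAuditor code or output; the event records, the share path, the group names and the 90-day idle threshold are constructed for illustration.

```python
from datetime import datetime, timedelta

# Constructed audit records (not real log output), one dict per event.
EVENTS = [
    {"time": "2024-03-01T09:00:00", "type": "acl_change", "path": r"\\fs01\finance\payroll",
     "principal": "Everyone", "rights": {"read", "write"}, "actor": "jsmith"},
    {"time": "2024-03-01T09:05:00", "type": "acl_change", "path": r"\\fs01\finance\payroll",
     "principal": "FIN-Payroll", "rights": {"read"}, "actor": "jsmith"},
    {"time": "2024-03-01T10:00:00", "type": "logon", "principal": "jsmith"},
    {"time": "2023-10-15T08:00:00", "type": "logon", "principal": "contractor01"},
]

# Assumed inputs: paths classified as Restricted, and groups that amount to "everyone".
SENSITIVE_PREFIXES = (r"\\fs01\finance",)
BROAD_PRINCIPALS = {"Everyone", "Authenticated Users", "Domain Users"}

def excessive_acl_changes(events):
    """Flag ACL changes that grant a broad group rights on a sensitive path."""
    findings = []
    for e in events:
        if e["type"] != "acl_change":
            continue
        if e["principal"] in BROAD_PRINCIPALS and e["path"].startswith(SENSITIVE_PREFIXES):
            findings.append((e["path"], e["principal"], sorted(e["rights"]), e["actor"]))
    return findings

def inactive_accounts(events, accounts, now, max_idle_days=90):
    """Return accounts whose most recent logon is older than max_idle_days, or absent."""
    last_seen = {}
    for e in events:
        if e["type"] == "logon":
            t = datetime.fromisoformat(e["time"])
            last_seen[e["principal"]] = max(t, last_seen.get(e["principal"], t))
    cutoff = now - timedelta(days=max_idle_days)
    return sorted(a for a in accounts if last_seen.get(a, datetime.min) < cutoff)
```

Feeding the account list from your directory and the events from your file servers into these two functions gives the raw material for the “who has access, and did they need it” questions in the review checklist above.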
You might have the best security technologies that money can buy, but when it comes to securing your sensitive data, access controls are everything. In summary, you need to know where your sensitive data resides, as well as who currently has, and who should have, access to it. You will also need to know when access permissions are changed, and by whom.