Cyber Essentials - control access to your data and services
This blog is the third in a series that will each address one of the five Control Themes
underpinning the UK NCSC Cyber Essentials accreditation program.
In my previous blog in this series, I looked into what is required to ‘secure your devices and software’. In this blog I will go through the steps needed to address the third Control Theme: Control access to your data and services.
This control theme is all about making sure that everyone in your organisation (i.e. staff, customers and partners) has the access they need and no more than is required. This means that:
Every user accesses your organisation's data and services using a unique user account and password.
User accounts are not shared between users or within a team.
No unauthenticated or unauthorised user has access.
It is probably worth briefly talking about the difference between authentication and authorisation; ‘authentication’ is the process of confirming the identity of an individual. This is usually done with a user name and password, but there are other methods. For example, if you use a smartphone that has a fingerprint scanner that allows you to quickly ‘unlock’ the phone, that is also a form of authentication. ‘Authorisation’ follows authentication and is the process of deciding what rights an authenticated individual has, i.e. what they are ‘allowed to see and do’.
This theme is sometimes referred to as ‘User access control’, but it is important to note that a distinction is made between ‘ordinary’ users who are accessing your organisation's services and data in order to carry out their role, and ‘administrative’ users who have the ‘authorisation’ necessary to access and control the setup and configuration of the IT systems and equipment that support and deliver those services and data.
This is different again to the case where different users have different levels of access to sensitive data. For example if your organisation has a sales tracking and forecasting system, senior sales staff will have the additional authorisation privileges required to see (and probably change) all data within that system, but this does not make them an ‘administrative’ user by the Cyber Essentials definition.
If an ‘administrative’ account is compromised by a hacker, then because of the privileged level of access and control that an ‘administrative’ user has, the hacker will be able to do far more damage to your organisation than an ‘ordinary’ user. For that reason, the controls required for ‘administrative’ accounts by the Cyber Essentials standard are stronger than those required for ‘ordinary’ user accounts.
The Cyber Essentials standard requires that all access to sensitive business information must only be allowed after the user has been authenticated and authorised. Access must require a user account where a password or other means of authentication is necessary to ‘log-in’. It also must require that the user has appropriate authorisation. This applies to both ‘ordinary’ and ‘administrative’ users.
Before a user can have an account it must be set up for them, and the standard states that before an account is set up there must be a formal, documented process of approval. This is often a part of what is referred to as the ‘Joiners’ process. The process must ensure that the creation of a new account is formally approved by an individual within the organisation who is in a leadership role.
As part of that process, for administrative users, you must formally document and track which users have administrative levels of access and to which systems they have that access.
Where a user within your organisation changes role, their new role may need new levels of access authorisation, and may not need some or all of the levels of authorisation that were required in their previous role. For this reason, you should have a documented process to review and (as required) change the authorisation granted to a user that has changed role. This is often part of what is referred to as the ‘Movers’ process.
For administrative accounts, the Cyber Essentials standard requires that this process be extended to include regular reviews to confirm that any ‘administrative’ level of access granted to a user is still required. This is to address the scenario where a user changes role within your organisation and the new role does not require all of the ‘administrative’ access that was required by the old role. This extension to the process is sometimes referred to as ‘User Re-certification’ or ‘User Re-authorisation’.
It is not necessary, but I would recommend that you also carry out the same process for all ‘ordinary’ user accounts, to ensure that the ‘Movers’ process has in fact been carried out in all cases.
When a user leaves your organisation you must make certain that they are unable to access any of your systems. Therefore the standard requires that you delete or disable their user accounts. This means not just their primary Windows user account (Active Directory), but also any secondary systems that maintain their own user databases (whether or not those systems also use Active Directory for authentication). This is often part of what is referred to as the ‘Leavers’ process.
Note also that just changing the password is not good enough, because a password reset mechanism may still be available to the leaver.
I recommend that, where possible, you should have a policy to disable accounts rather than delete them. There are a number of reasons for this, but from a security perspective a deleted account can be recreated and potentially masquerade as the original, sometimes also inheriting authorisation privileges that have not been completely removed from secondary systems.
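The Movers re-certification and Leavers checks described above can be run as a periodic reconciliation of an admin-access register against the account state of every system, including secondary systems with their own user databases. This is an added example, not code from the post; the organisation, people, role names, system names and account register are all constructed sample data.

```python
# Constructed sample data for a hypothetical organisation (not from the post).
# Whether a person's current role still justifies administrative access.
ROLE_NEEDS_ADMIN = {"IT Engineer": True, "Sales Lead": False, "Left": False}

# Current role and employment status per person (primary account name as key).
PEOPLE = {
    "johnsmith": {"role": "IT Engineer", "status": "active"},
    "janedoe":   {"role": "Sales Lead",  "status": "active"},  # moved out of IT
    "bobjones":  {"role": "Left",        "status": "leaver"},  # left last month
}

# Admin-access register: (admin account, owning person, system it is admin on).
# Naming follows the 'johnsmith' / 'johnsmith-admin' convention from the post.
ADMIN_REGISTER = [
    ("johnsmith-admin", "johnsmith", "AD"),
    ("janedoe-admin",   "janedoe",   "AD"),
    ("janedoe-admin",   "janedoe",   "finance-app"),
]

# Enabled/disabled state of every account in every system. The secondary
# systems keep their own user databases, so a leaver disabled in AD can
# still be enabled there.
ACCOUNTS = {
    "AD": {"johnsmith": True, "johnsmith-admin": True, "janedoe": True,
           "janedoe-admin": True, "bobjones": False},
    "finance-app": {"janedoe-admin": True, "bobjones": True},  # leaver still live
    "crm":         {"janedoe": True, "bobjones": True},        # leaver still live
}


def recertify_admin_access(register, people, role_needs_admin):
    """Movers check: admin grants whose holder's current role no longer needs them."""
    return sorted(
        (account, system)
        for account, owner, system in register
        if not role_needs_admin.get(people[owner]["role"], False)
    )


def leaver_accounts_still_enabled(accounts, people):
    """Leavers check: any still-enabled account, in any system, owned by a leaver.
    Disabled accounts are fine, which is why disabling (not deleting) passes."""
    leavers = {name for name, p in people.items() if p["status"] == "leaver"}
    findings = []
    for system, state in accounts.items():
        for account, enabled in state.items():
            owner = account[:-len("-admin")] if account.endswith("-admin") else account
            if enabled and owner in leavers:
                findings.append((account, system))
    return sorted(findings)
```

Running both checks over the sample data flags janedoe's two admin grants for re-authorisation and bobjones's live accounts in the two secondary systems.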
The Cyber Essentials standard requires that ‘administrative’ accounts should only be used for administrative activities. More specifically the standard requires that you ensure that administrative accounts are not used for web browsing or for downloading email. It is not necessary for these requirements to be technically enforced, but they must otherwise be addressed by good policy, process and regular staff training. In practice this means that staff who have roles that require them to have administrative access will most likely need to have two accounts set up, the first for ‘normal’ use (i.e. web browsing and downloading/reading email) and the second for administrative use only.
It is common (but not necessary to meet the standard) for organisations to use a naming convention to remove any confusion; for example the administrative user ‘John Smith’ might have the normal account ‘johnsmith’ and the administrative account ‘johnsmith-admin’. This makes the purpose of each account clear.
It is also common (but again not necessary) for organisations to use policy enforcement mechanisms to force the admin-specific account to look different, e.g. by setting the desktop background to a specific image. This makes it harder for a user to accidentally forget that they are still logged in using their administrative account.
Finally, the standard requires that, where possible, two-factor authentication (2FA) is used to secure administrative accounts. It is not necessary to purchase additional equipment or software to meet this requirement, but where equipment and/or software does allow for it, you must use it.