This blog post is part of the Zero Trust Journey series, where we present simplified ways to implement a Zero Trust architecture. If this is the first you read the subject, we recommend you check out the initial steps.
The third phase of the Zero Trust journey encompasses the identification of maturity, gaps, and potential risks associated with inventories, data flow, and work in the organization. Besides that, in this phase, minimal access privileges will be defined for each user, service, or device that requests access to an asset.
A convenient way to put access control into practice is by using frameworks. For example, by meeting compliance requirements and international security standards or by obtaining certifications, the organization will automatically advance toward implementing Zero Trust. This is where ISO/IEC 27002 comes into play.
Next, we’ll dive a little deeper into ISO/IEC 27002 and explain how it can be applied to constructing access control on a Zero Trust journey.
Applying ISO/IEC 27002 to the Creation of Access Controls
Designed to be a “reference in selection of controls into the implementation process of an information security management system based on ISO/IEC 27001”, the ISO/IEC 27002 addresses practices in common with the Zero Trust principles.
Besides the orientations in the document, ISO/IEC 27002 aims to establish the premise that “everything is prohibited unless expressly permitted”, replacing the idea that “everything is permitted unless expressly prohibited”.
But what do you need to do to implement it in your Zero Trust strategy? First, you need to meet a series of requirements. Then, address the responsibilities of the users and of the access control to the system and applications. Last, you need to choose the right technologies to implement the project.
In the first part of the content, we’ll analyze the requirements for access control specified in ISO/IEC 27002, bringing them into the Zero Trust context.
Requirements for Access Control Based on ISO/IEC 27002
This is one of the most important steps in this moment of the journey because it’s when we define the access control policy, including networks and network services. So let’s take a look at these requirements.
Access Control Policy
According to the ISO/IEC 27002, an access control policy must be established, documented, and critically analyzed, based on the information security and business requirements described below.
Security Requirements for Individual Business Applications
This item includes the classification of information, restriction, and sharing conditions in tune with business needs and procedures that we addressed in previous phases of this journey.
It’s important that all classification results are updated according to the value, sensibility, and criticality along their lifecycle since a business is a living organism that will evolve, bringing changes to the way information must be treated.
Policy for Dissemination and Authorization of Information
This is the establishment of rules for disseminating information. For example, the dissemination of data classified as highly critical, if allowed, is an action that requires authorization and procedures for the authentication and validation of the user and device configured in the Zero Trust architecture.
Consistency Between Access Rights and Classification Policies
The classification of a piece of information is based on its sensibility and operational criticality. Thus, the information classification policies of systems and networks must be coherent with the security levels of the classified asset.
For example, if an asset is essential to the operation of the business, the protection level and access controls for it must be enough to ensure its confidentiality, integrity, and availability.
Compliance and Contractual Obligations Related to Access Protection
Specific controls for conformity with laws and contractual obligations, alongside the individual responsibilities to apply them, must be defined and documented.
Considering our Zero Trust journey, the role of data stewards in this kind of monitoring is fundamental since it ensures data usage following access permissions and its role in the mission context.
Access Rights Management
According to ISO/IEC 27002, its recommended that access rights be managed in a distributed environment and connected to a network capable of recognizing every connection type available.
One of the core tenets of the Zero Trust architecture is visibility. So, the more observability features technology offers, the more will be the team’s efficiency in monitoring connections, analyzing event data, and creating access control rules.
Segregation of Access Control Functions
The segregation of access control functions is, basically, the attribution of tasks and functions like access requests, authorization, and administration not only to one person but to a group.
This distribution of functions is relevant in the Zero Trust context as it’s a measure that helps to prevent lateral movement from a malicious actor since no administrative user has wide permissions and privileges to be exploited.
Requirements for the Formal Authorization of Access Requests
To make the correlation between users and their responsibilities and actions possible, it’s indispensable that each one has a single user ID, which must be granted by a formal enrollment and revocation process that includes documentation and issuance rules.
This practice is also a requirement for a Zero Trust strategy, starting with a formal process for the creation of user IDs with minimal privileges in a way that each user only has access to the functions, resources, and assets needed for the task at hand.
Requirements for the Periodic Critical Analysis of Access Rights
An efficient Zero Trust architecture demands that the owners of the assets carry out, at regular intervals, critical analysis of the user’s access rights. Frequency is crucial to ensure that unauthorized privileges aren’t obtained.
It’s recommended to do this kind of analysis every time an employee is promoted, reassigned, or dismissed or when starts to perform different kinds of work in the organization.
At this point, there’s something we should observe: the higher the criticality or sensibility level of the assets involved, the more frequent the critical analysis should be. System users like “sysadmin”, “administrator”, “root”, “apache” and “nginx”, to name a few, require this level of care.
The reason is that they hold privileges that interact directly with the operating system and even with identity management. The appropriation of accounts like these by a malicious actor is a real risk to the whole business.
In these cases, you should consider monitor or even deactivate the user, besides not allow remote access to those accounts. Remember that access policies should apply not only to persons but also to user accounts used by systems.
We must stress that recurrent critical analysis is needed to both ensure that access remains restricted to the correct users and keep access control updated and aligned with your Zero Trust strategy.
Revocation of Access Rights
To refrain workers who had their activities, contracts, or agreements terminated from corrupting or compromising the integrity, confidentiality, or availability of the company’s assets, access rights must be revoked or adjusted. With gradual privilege revocation, this can be done as soon as termination occurs, or even before.
Archival of Relevant Event Logs
All significant events related to managing user IDs and secret authentication information must be archived following the access control directives established in the Zero Trust strategy.
With those archives, the security team and the data stewards will have the essential observability resources that can be used for auditing and vulnerability analysis related to access control.
Rules for Privileged Access
Privileged access rights should be managed by a formal authorization process based on an established access control policy, and the granting of minimal access privileges should be put into practice.
Access to Networks and Network Services
This second requirement ensures that users only have access to the networks and network services that they are specifically authorized to use. For this, the policies of this phase of the Zero Trust journey must establish:
- Which networks and network services are allowed and the ways in which they can be accessed.
- Procedures for granting access authorization and management controls to protect access to network and service connections.
- User authentication requirements.
At the same time those actions are easy to implement, they are crucial to prevent, among other threats, unauthorized and unsecured connections that can be lethal to the organization—a risk that grew higher with the expansion of remote work.
When we talk about workplace security, we must think about the paradigms that promote access control in modern environments, such as perimeter security, network segmentation, and observability and are adherent to the Zero Trust principles for networks.
Next Steps for the Implementation of Access Control
Now that you know the requirements, we’ll go to the third and last phase of the journey, where we’ll talk about the user’s responsibilities, system, and application access control and indispensable technologies to build an access control that meets the requirements of a Zero Trust security model.
To receive the next content about Zero Trust series, subscribe to our newsletter by filling out the form below.