Frankly Speaking 8/16/22 -- Access is the biggest threat
Disclaimer: Opinions expressed are solely my own and do not express the views or opinions of my employer or any other entities with which I am affiliated.
I read an interesting article on being tired from the front page of Hacker News. It resonated with me as life starts to converge on a new normal, and we adjust accordingly. What helped me during my PhD was taking breaks, but it’s not just about the total number of days off. It’s important to take high-quality breaks, i.e. taking a week off is different than taking 5 individual days off. However, different techniques work for different people, so find what works best for you!
LET’S BE FRANK
Whenever people approach me for cybersecurity advice, they always ask how to start thinking about security. Should they buy a bunch of tools? Should they hire an MSSP? What are the first things to worry about? I try my best to understand their situation and guide them in the right direction because there isn’t a “universal” answer. Unfortunately, security is a complicated profession in this way. You could do all the right things and have an incident, but you could have no security and never have an incident. That’s the reality.
At the end of the day, security is like any other part of a product. It involves business risk. The job of the security team is to ensure they identify and mitigate risks, but it’s up to the executive team to decide how much risk they are willing to take on. So, what is the right amount of risk? That’s a hard question, and it’s hard to quantify and is business-dependent. I don’t want to delve too deep into this because it can be its own post.
With that said, what I tell almost everyone is that access control is the biggest threat surface. It’s important to get it right early and regularly monitor it. In this newsletter, I’m going to discuss the following:
why access control is so important
some tools and techniques to improve access control
I’m specifically going to talk about employee access, but many of the same lessons apply to access for customers and end users.
Why is access control important?
I think everyone knows that access control is important to security, but it’s worth providing context on why. Access control regularly holds a spot in the OWASP Top 10, and as of this writing it is in the top spot (Broken Access Control). In my opinion it technically holds two regular spots, because authentication failures are access control issues for customers and end users. To further emphasize the point, stolen credentials are consistently among the most common causes of incidents and breaches. Almost every other security precaution stops mattering if an attacker can walk through the front door!
What’s the best way to tackle this problem? If you don’t retain anything else from this post, you should remember the following: have a simple access control story.
Below, I’ll describe some specific techniques and tools that I find to be useful.
Useful tools and techniques to improve access control
I’ll describe some ways to manage access control, especially in resource-constrained environments.
Have an access control story. I said above that having a simple access control story is important, but it’s better to have a complex story than no story at all. So, what does that mean? It means defining your major user personas and use cases, and defining what permissions each of those people should have. For example, say you want to follow the principle of least privilege. One way to do this is to give employees the access they need for 90 percent of their job by default. Anything beyond that they request as elevated access. Elevated access should be something a person needs roughly once a month or less; if people are requesting it weekly, the defaults are wrong and the process becomes disruptive. That’s one strategy, but you need to have a story. Then you can work out the story for different classes of employees, e.g. regular developers only have ViewOnly access to production environments, while infrastructure engineers have elevated access.
Keep it simple. Complicated policies are hard for everyone to reason about, and that confusion typically results in over-privileging: employees end up without sensible default privileges, or with conflicting ones, and nobody can say with confidence who can do what. This is a time to take the incremental engineering approach: start simple and slowly layer on. For example, start with a clean and simple story for your most important assets, e.g. customer data, production environments, etc., and extend it from there.
Centralize user management. Problems occur when users aren’t managed centrally. Whenever users change roles or even leave the company, it’s a huge effort to manage their access to applications individually. Investing early on in a tool like Okta can help solve most of this problem. Once you can manage users centrally in a single source of truth, it’s easier to set app-specific policies because you don’t have to worry about specific users.
Use short-lived credentials and have a strategy for elevated access. The industry is moving toward short-lived credentials over persistent ones. It might be slightly annoying for users to log in every day, but the risk of a lost long-lived credential, and the subsequent scramble to find and rotate it, is far more painful. Sometimes users legitimately need elevated access, but make sure there is a strategy to revoke it later: ideally the grant expires on its own. Ad-hoc privilege escalation leads to over-provisioning precisely because, many times, nothing ever takes the access back.
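To make the two points above concrete (a per-persona default story, plus elevated access that expires by design), here is a small worked model. It is an added example for this newsletter, not code from any product or vendor mentioned here; the personas, resources, actions, four-hour cap, and sample access log are all assumptions made for the illustration. Beyond the text, it also adds a review function that flags persona permissions nobody has used in 90 days, which is the “regularly monitor it” half of the argument.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone

# Persona -> resource -> allowed actions. This is the "story": each persona
# gets what it needs day to day and nothing else; everything beyond it is an
# explicit, expiring grant. Personas, resources and actions are assumptions
# made for this example.
PERSONA_POLICY = {
    "developer": {"prod": {"read"}, "staging": {"read", "deploy"}},
    "infra_engineer": {
        "prod": {"read", "deploy", "admin"},
        "staging": {"read", "deploy", "admin"},
    },
}

# Upper bound on any elevated grant, so a grant can never become de facto
# permanent even if nobody remembers to revoke it (assumed value).
MAX_ELEVATION = timedelta(hours=4)


@dataclass(frozen=True)
class Grant:
    user: str
    resource: str
    actions: frozenset
    expires_at: datetime
    reason: str


@dataclass
class AccessStore:
    personas: dict                       # user -> persona name
    grants: list = field(default_factory=list)

    def request_elevation(self, user, resource, actions, ttl, reason, now):
        """Record a time-bounded elevated grant. Expiry *is* the revocation."""
        if not reason:
            raise ValueError("elevation requires a recorded justification")
        grant = Grant(user, resource, frozenset(actions),
                      now + min(ttl, MAX_ELEVATION), reason)
        self.grants.append(grant)
        return grant

    def is_allowed(self, user, resource, action, now):
        """Default persona permissions plus any unexpired grant."""
        persona = self.personas.get(user)
        if action in PERSONA_POLICY.get(persona, {}).get(resource, set()):
            return True
        return any(
            g.user == user and g.resource == resource
            and action in g.actions and now < g.expires_at
            for g in self.grants
        )

    def active_elevations(self, now):
        """What a reviewer should look at: every grant still in force."""
        return [g for g in self.grants if now < g.expires_at]


def unused_persona_privileges(store, access_log, now, window=timedelta(days=90)):
    """Persona permissions that no member of that persona exercised in `window`.

    Tightening the persona policy (rather than carving per-user exceptions)
    keeps the story simple. `access_log` rows are (timestamp, user, resource,
    action) tuples from whatever audit trail you have.
    """
    cutoff = now - window
    used = set()
    for ts, user, resource, action in access_log:
        if ts >= cutoff:
            used.add((store.personas.get(user), resource, action))
    findings = []
    for persona in sorted(set(store.personas.values())):
        for resource, actions in PERSONA_POLICY.get(persona, {}).items():
            for action in actions:
                if (persona, resource, action) not in used:
                    findings.append((persona, resource, action))
    return sorted(findings)


# Constructed sample data for a stand-alone run (not real users or logs).
NOW = datetime(2022, 8, 16, tzinfo=timezone.utc)
STORE = AccessStore(personas={"alice": "developer", "bob": "infra_engineer",
                              "carol": "developer"})
SAMPLE_LOG = [
    (NOW - timedelta(days=1), "alice", "prod", "read"),
    (NOW - timedelta(days=3), "bob", "prod", "deploy"),
    (NOW - timedelta(days=10), "bob", "prod", "read"),
    (NOW - timedelta(days=200), "bob", "prod", "admin"),   # outside the window
    (NOW - timedelta(days=2), "carol", "staging", "read"),
]

if __name__ == "__main__":
    g = STORE.request_elevation("alice", "prod", {"deploy"},
                                timedelta(hours=8), "emergency hotfix", NOW)
    print("grant expires at", g.expires_at)       # capped to NOW + 4h
    print("alice deploy now?", STORE.is_allowed("alice", "prod", "deploy", NOW))
    print("alice deploy +5h?", STORE.is_allowed("alice", "prod", "deploy",
                                                 NOW + timedelta(hours=5)))
    for finding in unused_persona_privileges(STORE, SAMPLE_LOG, NOW):
        print("unused persona permission:", finding)
```

Two design choices are worth noting. The grant carries its own expiry and `is_allowed` checks it on every decision, so revocation does not depend on anyone running a cleanup job. And the review works at the persona level, so the outcome of a finding is a smaller default policy rather than a pile of per-user exceptions, which is exactly the “keep it simple” advice applied to monitoring.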
MFA is your friend. Require multi-factor authentication for every application in your company, either through SSO or in the application itself. This substantially reduces the impact of credential phishing and password reuse, and it is low friction for the security team, who can largely “set it and forget it.” One caveat: SMS codes and push approvals can still be relayed by a real-time phishing page or worn down by repeated prompts, so prefer phishing-resistant factors such as FIDO2/WebAuthn security keys where you can, and at minimum for administrators.
Make policy enforcement easy. You should be pushing development teams to design systems, and buy tools, that make permission policy enforcement easy. Security engineering should do the same on its side by abstracting the enforcement mechanism away from the policy, so a policy change doesn’t require reimplementing the plumbing. This way, the security team can spend its time defining strong policies rather than building the mechanisms that enforce them.
Doing access control properly is hard, and as an organization grows, it becomes increasingly complex. However, it’s important to have a strong foundation because it is a much larger threat surface than many think.