Restricting Access in the Age of Access by Timothy Hill, technology policy adviser, Law Society
Back in 2001, Jeremy Rifkin in The Age of Access predicted an emerging world of hypercapitalism in which ‘all of life is a paid-for experience’. Whether or not you agree with his thesis (corporate monopoly over information and commoditization of experience), it is obvious that obtaining access is not just at the heart of corporate business models; it is a criminal hacker business model too. If hackers can access your systems, they ‘own’ them.
Access all areas
When it comes to managing access, thinking about access as a privilege is a good place to start. Your staff, your suppliers and your customers should feel that they are getting privileged ‘backstage’ access to your systems. Making staff or customers feel that they are only getting grudging access to your systems in order to work for you or buy from you is not a good move! Why might they feel that way? Because you need to apply the principle of ‘least privilege’. This principle is like the military rule of ‘need to know’. Users should only get the least privileges they need on a system in order to carry out the tasks they need to do.
10 Steps and Cyber Essentials
10 Steps to Cybersecurity – government guidance for organisations looking to protect themselves in cyberspace – was originally published in 2012. According to the National Cyber Security Centre, it is now used by a majority of the FTSE350.
Managing user privileges is one of the 10 Steps organisations should take. The rationale for this is that if users have unnecessary privileges or access rights the impact of any failings or breaches will be magnified. For example, if I have high-level administrative privileges and my account is taken over then an attacker will also have those administrative privileges. 10 Steps argues that ‘users should be provided with a reasonable (but minimal) level of system privileges and rights needed for their role’.
User access control is also a feature of the Cyber Essentials scheme. Cyber Essentials is a government-supported cybersecurity certification scheme that claims to be able to prevent 80% of cyber-attacks. It has been mandatory for suppliers of Government contracts which involve handling personal information and providing some ICT products and services since October 2014. It requires organisations to have five technical controls in place: boundary firewalls; secure configuration; user access control; malware protection and patch management.
On user access, as a minimum, Cyber Essentials requires:
- an access provisioning and approvals process
- restriction of special access privileges
- documenting and securing details of special access
- no email or internet access for admin accounts
- regular password change for admin accounts
- unique username and strong passwords for users
- procedures for decommissioning access.
GDPR and access
Under the EU General Data Protection Regulation – which will shortly be translated into a new Data Protection Bill – a ‘personal data breach’ is defined to include a breach of security leading to unauthorised access to personal data. Perhaps less well-known is a best practice recommendation (Recital 63) that where possible ‘the data controller should be able to provide remote access to a secure system which would provide the data subject with direct access to his or her personal data’. This is clearly desirable – from both a data subject’s and a data controller’s perspective. But ensuring that the right individual and only the right individual accesses his or her data is going to be a challenge! It is interesting that, in a sense, the principle of least privilege is lurking in the background. Data subjects will be entitled to access all their own personal data (unless an exemption applies) but data controllers should design their systems to implement the data protection principle of ‘data minimisation’. This means that ‘by default, only personal data which are necessary for each specific purpose of the processing are processed’.
The balance between enabling and restricting is at the heart of business-oriented user access control. Modern cars, for example, have automated controls that enable their drivers whilst simultaneously restricting them in a comfortable environment. A well-designed computer system should implement the principle of least privilege in a similar way. Users do not want the unrestricted administrative privileges that might allow them to trash a system. But they should feel privileged and welcome as well as safe and secure.