Presentation is loading. Please wait.

Presentation is loading. Please wait.

Least and Highest Privilege Access - Need to Know

Published byPolly Morgan Modified over 5 years ago

Similar presentations

Presentation on theme: "Least and Highest Privilege Access - Need to Know"— Presentation transcript:

1 Least and Highest Privilege Access - Need to Know
Jerry Wynne, CISA, CISSP, CIRSC Vice President of Security, CISO

2 Disclaimer This document and any oral presentation accompanying it are not intended/should not be taken as necessarily representing the policies, opinions, and/or views of Noridian Mutual Insurance Company, Blue Cross Blue Shield of North Dakota, Noridian Healthcare Solutions, any of their component services, or any other affiliated companies. This document and any oral presentation accompanying it has been prepared in good faith. However, no express or implied warranty is given as to the accuracy or completeness of the information in this document or the accompanying presentation

3 Who am I? Currently employed by Noridian Mutual Insurance Company
DBA: Blue Cross Blue Shield of North Dakota an independent licensee of the Blue Cross Blue Shield Association DBA: Noridian Healthcare Solutions Assisting: Three other Healthcare plans with Security Vice President of Security, Chief Information Security Officer (CISO) Responsible for both Electronic and Physical Security 3200 employees, 15+ locations coast to coast Staff of 70+, physical and electronic security professionals Certifications include: Certified Information Systems Auditor (CISA) Certified Information System Security Professional (CISSP) Certified in Risk and Information System Control (CRISC) Over twenty years experience in Electronic Security, with over fifteen years of leadership in Electronic Security

4 Agenda Definition and Overview of Least Privilege vs High Privilege

5 Definition Least Privilege is a visitor with no access
High Privilege is a System Administrator

6 Questions?

7 Ok Ok Onto the presentation!

8 Agenda Definitions ID vs User So if my password is not enough…
Lots to level set ID vs User So if my password is not enough… Least Privilege How do we get there?

9 Definition of Privilege
ˈpriv(ə)lij/ noun noun: privilege; plural noun: privileges 1. a special right, advantage, or immunity granted or available only to a particular person or group of people.

10 Definition of Access Rights
Definition of: access rights. access rights. The permissions that are granted to a user, or to an application, to read, write and erase files in the computer. Access rights can be tied to a particular client or server, to folders within that machine or to specific programs and data files.

11 Definition of Privilege
Privilege within an Information Technology (IT) environment refers to what rights and abilities a user has within the environment These rights SHOULD BE based upon based upon what is needed by the individual to perform their job Rights and Abilities refer to many different aspects of their jobs

12 Definition Levels All Information Technology Shops should have clearly defined levels of access defined for different types of users. Users include (but are not limited to): Visitors Vendors Users Power Users Super Users Administrators

13 Definition Visitors Visitors are just that visitors to the building who should not be credentialed nor given access to the building Contract Needed: No Badge / Building access: No Network ID No Advanced access No GSSP Access No Administrator No Multi-factor No

14 Definition Vendors Vendors are people providing a service who do not need network access and who just need physical access to the building Contract Needed: Yes Badge / Building access: Yes Network ID No Advanced access No GSSP Access No Administrator No Multi-factor No

15 Definition Users Users are day to day users who perform no special functions and are involved in day to day operations Contract Needed: Yes – IF contract employee Badge / Building access: Yes Network ID Yes Advanced access No GSSP Access Yes Administrator No Multi-factor Possibly

16 Definition Power Users
Power Users are day to day users who perform SOME special functions and are involved in day to day operations. Special functions could include adding printers or adding users to network shares or performing advanced duties in COTS Contract Needed: Yes – IF contract employee Badge / Building access: Yes Network ID Yes Advanced access Yes GSSP Access Yes Administrator No Multi-factor Possibly

17 Definition Super Users
Power Users are day to day users who perform SOME special functions and are involved in day to day operations. Special functions could include adding printers or adding users to network shares or performing advanced duties in COTS (typically same as Power Users) Contract Needed: Yes – IF contract employee Badge / Building access: Yes Network ID Yes Advanced access Yes GSSP Access Yes Administrator No Multi-factor Possibly

18 Definition Administrator
Administrator IDs are the IDs who run and configure the IT systems that run the enterprise. Contract Needed: Yes – IF contract employee Badge / Building access: No Network ID No Advanced access Yes GSSP Access No Administrator Yes Multi-factor REALLY SHOULD BE

19 There was a BIG Difference on the last slide
Who caught it?

20 ID vs User In the definition of an administrator the word ID was used instead of a user. In the world of privilege, The more advanced server and administrator rights of the person with the ID the less GSSP access they should have So if the ID has administrator access they SHOULD NOT have access to the internet, , or other GSSP systems

21 An ID does not always have an assigned user
ID vs User A user while have an ID BUT An ID does not always have an assigned user

22 ID vs User Discussion

23 How should privilege be secured?
There are several options for securing privilege

24 So if my password is not enough…
Definition: Multi-factor authentication (MFA) is a method of computer access control in which a user is granted access only after successfully presenting several separate pieces of evidence to an authentication mechanism – typically at least two of the following categories: knowledge (something they know), possession (something they have), and inherence (something they are). Two-factor authentication (also known as 2FA) is a method of confirming a user's claimed identity by utilizing a combination of two different components. Two-factor authentication is a type of multi- factor authentication.

25 So if my password is not enough…
Some options for multifactor authentication include but are not limited to: Hard Tokens Soft Tokens Biometrics PINs Passwords User IDs Smart Cards

26 So if my password is not enough…
How many factors should you use? The number of factors should be appropriate to risk Three factors is now a default minimum Factors should be from different categories Remote Access: User ID, Password, PIN, and Token generated security number

27 Least Privilege Least privilege is giving the User the most basic rights they possibly need to accomplish their job BUT never

28 Least Privilege Users should be given access to what they use 99% of the time, there is always an exception and proper Identity and Access Management (IAM) policies and philosophy state that the exception SHOULD NOT dictate the access

29 Least Privilege If the policy is to give the users 100% of what they MAY need then this falls apart. Scenario: A user needs to perform their day to day function but once every two years they have to add a printer which can only be done via administrator rights on the PC. To save time the IT department gives the user full admin rights

30 Least Privilege If the policy is to give the users 100% of what they MAY need then this falls apart. Scenario: An administrator wants to check their without logging in and out as administrator so they give themselves access to the internet and systems

31 How do we get there? At some point the IT or security team should have created a User access chart In the left column it should list job functions (NEVER NAMES) Across the top row it should list access rights

32 How do we get there? Email A/P System A/R System Internet File System
Admin rights General User X Payables Receivables Auditor Administrator Finance Clerk Manager

33 How do we get there? Utilizing this chart the IAM function should have created an access list for each job function Each job function access must be periodically reviewed to look for access “creep”

34 This is also known as RBAC
RBAC is Role Based Access Controls This is an ideal that every IAM should aim for

35 Questions?

36 References Slide 9 - https://www.dictionary.com

Download ppt "Least and Highest Privilege Access - Need to Know"

Similar presentations

Service Manager for MSPs

Service Manager for MSPs
Module 6: Configuring Windows XP Professional to Operate in a Microsoft Network.

Module 6: Configuring Windows XP Professional to Operate in a Microsoft Network.
By Rashid Khan Lesson 8-Crowd Control: Controlling Access to Resources Using Groups.

By Rashid Khan Lesson 8-Crowd Control: Controlling Access to Resources Using Groups.
7-Access Control Fundamentals Dr. John P. Abraham Professor UTPA.

7-Access Control Fundamentals Dr. John P. Abraham Professor UTPA.
Chapter 7 WORKING WITH GROUPS.

Chapter 7 WORKING WITH GROUPS.
May 30 th – 31 st, 2006 Sheraton Ottawa. Microsoft Certificate Lifecycle Manager Saleem Kanji Technology Solutions Professional - Windows Server Microsoft.

May 30 th – 31 st, 2006 Sheraton Ottawa. Microsoft Certificate Lifecycle Manager Saleem Kanji Technology Solutions Professional - Windows Server Microsoft.
Chapter 10: Authentication Guide to Computer Network Security.

Chapter 10: Authentication Guide to Computer Network Security.
SMART Agency Tipsheet Staff List This document focuses on setting up and maintaining program staff. Total Pages: 14 Staff Profile Staff Address Staff Assignment.

SMART Agency Tipsheet Staff List This document focuses on setting up and maintaining program staff. Total Pages: 14 Staff Profile Staff Address Staff Assignment.
1 Group Account Administration Introduction to Groups Planning a Group Strategy Creating Groups Understanding Default Groups Groups for Administrators.

1 Group Account Administration Introduction to Groups Planning a Group Strategy Creating Groups Understanding Default Groups Groups for Administrators.
Module 4: Add Client Computers and Devices to the Network.

Module 4: Add Client Computers and Devices to the Network.
Component 4: Introduction to Information and Computer Science Unit 8: Security Lecture 2 This material was developed by Oregon Health & Science University,

Component 4: Introduction to Information and Computer Science Unit 8: Security Lecture 2 This material was developed by Oregon Health & Science University,
IOS110 Introduction to Operating Systems using Windows Session 8 1.

IOS110 Introduction to Operating Systems using Windows Session 8 1.
11 MANAGING AND DISTRIBUTING SOFTWARE BY USING GROUP POLICY Chapter 5.

11 MANAGING AND DISTRIBUTING SOFTWARE BY USING GROUP POLICY Chapter 5.
Security Planning and Administrative Delegation Lesson 6.

Security Planning and Administrative Delegation Lesson 6.
DIT314 ~ Client Operating System & Administration CHAPTER 5 MANAGING USER ACCOUNTS AND GROUPS Prepared By : Suraya Alias.

DIT314 ~ Client Operating System & Administration CHAPTER 5 MANAGING USER ACCOUNTS AND GROUPS Prepared By : Suraya Alias.
Project Server 2003: DC340: Security (Part 1 of 2): How to securely deploy Project Server in an enterprise environment Pradeep GanapathyRaj (PM), Karthik.

Project Server 2003: DC340: Security (Part 1 of 2): How to securely deploy Project Server in an enterprise environment Pradeep GanapathyRaj (PM), Karthik.
Active Directory Administration Lesson 5. Skills Matrix Technology SkillObjective DomainObjective # Creating Users, Computers, and Groups Automate creation.

Active Directory Administration Lesson 5. Skills Matrix Technology SkillObjective DomainObjective # Creating Users, Computers, and Groups Automate creation.
© Wiley Inc. 2006. All Rights Reserved. MCSE: Windows Server 2003 Active Directory Planning, Implementation, and Maintenance Study Guide, Second Edition.

© Wiley Inc All Rights Reserved. MCSE: Windows Server 2003 Active Directory Planning, Implementation, and Maintenance Study Guide, Second Edition.
Module 7: Managing the User Environment by Using Group Policy.

Module 7: Managing the User Environment by Using Group Policy.
User Management: Understanding Roles and Permissions for Schoolnet Schoolnet II Training – September 2014.

User Management: Understanding Roles and Permissions for Schoolnet Schoolnet II Training – September 2014.

Similar presentations

Ads by Google