NIST SP 800-171 Framework Series: Access Control

Article NIST Framework
Access Control


This article is the first of a multi-part series covering the core requirements from NIST SP 800-171 rev.1.

Who has access, or rather who should have access, to your organizational systems and data? Organizations that handle personally identifiable information (PII) or other sensitive information types, including payment card data (covered by the PCI DSS), health records (HIPAA), or student records (FERPA), must take extra steps to ensure access to that information is closely controlled and monitored.

To effectively protect sensitive information, and meet numerous compliance requirements, your organization’s access control policy must formally address a robust list of questions. Who has access to your core IT systems and enterprise applications, and is that access 100% necessary? How do you ensure those users attempting to access sensitive information have accurately been granted that access? Can users access the data remotely? Do third-party service providers or vendors have remote access as well?

At a high level, access control is identifying an individual who has a specific job or role, verifying their identity, and then giving them the “key” to the system or file they need but no access beyond that. It is the process of ensuring that users can see what they are supposed to in order to perform their job responsibilities, and blocking them from being able to view data that is not a legitimate part of their business need-to-know.

Access control consists of two main components, authentication and authorization. Authentication verifies that someone is who they claim to be. Authorization determines whether that user should be allowed to access the requested data. In order to get access to a network, file, computer, or other hardware or software system, individuals need a unique username and password associated with specific role-based permissions. With that proper user authentication and authorization, the organization is able to accurately pinpoint who has access to network resources and what they are accessing.

Today’s dynamic business environments can complicate your access control. Many organizations operate hybrid environments where data moves between servers located on-premises and the cloud. Employees may work from office locations across the country, or are working remotely from homes, hotels, and coffee shops. Add in the fact that employees are also accessing information on multiple devices and you begin to see the complexities your networking team faces when defining secure, but flexible, access controls.

Most organizations that process or store any type of sensitive information will operate under key security controls like “least privilege”. This framework dictates that employees can only access information that’s deemed necessary for their role. However, there may be times when someone needs access to documents or information but finds they don’t have the appropriate permissions. This can definitely lead to frustration by the employee trying to get work their done, as well as the IT Support person they call to complain to. However, as painful and frustrating as these experiences may be for your staff, it is best to have defined access policies and procedures for assigning permissions. Strict adherence to those policies is a critical piece of your overall cyber security and data breach prevention program.

Inconsistent or incomplete authorization processes can create security holes. Without proper access controls, users may inadvertently install malicious software and allow intruders to gain access to the organization’s network and sensitive data. In the majority of data breach investigations, access control policies are typically one of the first items reviewed. The Anthem breach in 2015, which exposed the personal data of almost 80 million customers and employees, was traced back to improperly controlled access to a database. Anthem did not have any controls in place to monitor or evaluate database queries, or to monitor when and where users were accessing information online.

So, how should you organize your access control policies in order to efficiently grant the right level of permissions to individuals across the organization? There are several different access control models and each has its own benefits and drawbacks. Role Based Access Control (RBAC) is the most common method used for large organizations, and access is granted based on a user’s role. Clearly understanding, documenting, and creating the complete list of all roles would be a big component of the work for this method.

Other access control models include Mandatory Access Control (MAC) where the control is managed by the operating system, and Discretionary Access Control (DAC) which allows users to grant permissions. Many organizations have their access controls integrated into their Active Directory groups, to allow only particular groups of people to access specific types of data. This method can help automate user provisioning across internal and external systems.

However your organization chooses to implement access control, it must be constantly monitored, both in terms of compliance to your security policies, as well as operationally to identify any potential gaps. Make sure to periodically assess your program and review / re-evaluate user access policies. Perform recurring vulnerability scans against any applications running your access control functions. Collect system logs and monitor for violations of the policy. It is important to remind employees that access control violations are being monitored. This notification not only makes them aware of the internal practice but keeps that heightened sense of awareness around information security top of mind.

Here are a few other access control-related processes to deploy:

  • Periodically verify that terminated staff accounts have been removed
  • Review staff roles and associated users to ensure data access aligns with users and current job responsibilities
  • Run tests to see whether or not user passwords meet policy requirements
  • Verify that default credentials have not been changed
  • Limit the number of unsuccessful logon attempts
  • Define an appropriate lockout period to prevent access by unauthorized individuals.

The NIST SP 800-171 rev.1 requirements are not very prescriptive, so organizations will often follow the requirements from the DSS as a guideline. Requirement 7 of the PCI DSS covers restricting access to cardholder data by business need-to-know. For payment card environments, privileges should be assigned based on role and defaulted to “Deny All” unless explicitly allowed. Rights should be limited to the least amount of data and the highest security privileges needed to perform a task. Limit access to specific authorized devices and reduce the scope of systems that are able to connect to critical technologies or applications that host sensitive data.

Remember to regularly review and update your access control policy. Properly implemented access controls only grant employees access to the information they need to do their jobs. By limiting information in this way, you are narrowing the window for malicious individuals to gain access as well.

Some additional guidance from the Security Advisor team below:

[Ko]: Having proper access control is one of the most critical aspects of information security. Using access control methodologies is not only important for limiting access to information, but ensuring availability to all who need access is just as important, too. Be sure to use access control methods that are easy to implement and manage. Failing to keep access-controls up-to- date is almost as bad as not using any control methodology at all!

As you’ve already read in the related articles, controlling access is not only a logical control, but also physical one, too. Using simple, straightforward methodologies that are able to be applied and reproduced consistently are the keys to a successful access control strategy.


About the Author
Katie Johnson

Katie Johnson


Manager, Operations Support

As the manager of Operations Support, Katie leads the team responsible for supporting and delivering CampusGuard services including online training, vulnerability scanning, and the CampusGuard Central® portal. With over 15 years of experience in information security awareness training, Katie is also the Product Lead for CampusGuard’s online training services. As a Senior Customer Relationship Manager for a limited number of customers, Katie assists organizations with their information security and compliance programs and is responsible for coordinating the various teams involved.