The recent arrest of US Air Force airman Jack Teixeira has brought attention to the importance of access control in protecting classified information. Teixeira was arrested for illegally sharing classified information with his friends, highlighting the need for proper access control measures to be in place and enforced.
In an ideal world, Chief Information Security Officers (CISOs) would have all the necessary resources to protect corporate information. However, the reality is that many organizations face limitations on resources, especially when cost-cutting measures come into play. This often results in security programs being deprioritized if they are not seen as directly contributing to revenue preservation. The arrest of Teixeira serves as a reminder of why access control is crucial in protecting sensitive information.
Implementing access controls to safeguard different categories of data within an organization is paramount. Joseph Carson, Chief Security Scientist and Advisory CISO at Delinea, emphasizes the need for security professionals to focus on “knowing the road and not the content.” This means having the ability to control access to data without necessarily needing to know the specific details of the content.
There are several options available to CISOs for determining who should have access to certain information. One approach is role-based access control (RBAC), where access is granted based on an individual’s role within the organization. For this approach to be effective, three conditions must be met. First, the task or role must absolutely require access to the data. Second, the individual must have sufficient authorization for this level of access. Finally, the level of access must be clearly defined and accompanied by written policies.
Another approach is policy-based access control (PBAC), which involves creating policies that dictate who can access sensitive information. These policies serve as a framework for granting or denying access based on predefined criteria. Individual-based policies consider factors such as geography, job role, project assignment, and vetting, while informational policies focus on the specific data itself. Compliance with these policies should go beyond governmental requirements and prioritize security over mere compliance.
It’s important to note that the ownership of these policies should reside outside of the IT or infosec departments. Company-wide cyber policies should be owned by the functional area responsible for the specific function, such as finance, HR, or legal. The infosec team’s role is to support and implement these policies, as well as provide guidance on compliance, exceptions, and risk mitigation.
Attribute-based access control (ABAC) is another approach that relies on Boolean logic and decision trees to determine access permissions. It allows for granular control over access to protected information. ABAC takes into account an individual’s role and established policies, but also considers specific attributes assigned to that individual, such as clearance classification in the case of national security. This allows for different levels of access to be granted or denied based on established criteria.
The goal, as highlighted by Joseph Carson, is to elevate the application, not the user. This means moving towards a “just in time, operational data access” model, where information is only exposed when and as needed. This approach minimizes the risk of unauthorized access and reduces the overall attack surface.
Regardless of the size or sector of an organization, the principle of least privilege should be embraced. This principle dictates that individuals should be granted the minimum level of access required to fulfill their role or task. By implementing access controls based on an individual’s role, appropriate policies, and the “need to know” principle, CISOs can create an effective data control model.
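To make the three models concrete, here is an added example (not code from the article, from Delinea, or from any real system) of a small access-decision engine that applies a role check, individual-based and informational policies, and Boolean attribute logic in sequence, and that issues only a time-bounded, just-in-time grant when all three agree. The roles, clearance levels, geographies, compartments, subjects and the `brief-2023-04` resource are all constructed for illustration, and the function names (`rbac_check`, `policy_check`, `abac_check`, `decide`, `grant_is_live`) are this example's own.

```python
"""Constructed access-decision engine combining RBAC, PBAC and ABAC with a
just-in-time grant. Every role, policy, subject and resource is illustrative."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import FrozenSet, List, Optional

# Ordinal ranking so a clearance attribute can be compared to a classification.
CLEARANCE_RANK = {"UNCLASSIFIED": 0, "CONFIDENTIAL": 1, "SECRET": 2, "TOP_SECRET": 3}

@dataclass(frozen=True)
class Subject:
    user: str
    role: str
    clearance: str
    geography: str
    projects: FrozenSet[str]       # project assignments (individual-based policy)
    compartments: FrozenSet[str]   # need-to-know compartments held (ABAC attribute)
    vetted: bool

@dataclass(frozen=True)
class Resource:
    name: str
    classification: str
    compartments: FrozenSet[str]   # compartments a reader must hold
    owner_function: str            # business function that owns the policy

# RBAC: the actions each role's tasks actually require (constructed).
ROLE_PERMISSIONS = {
    "intel_analyst": frozenset({"read"}),
    "network_admin": frozenset({"read_logs"}),
    "hr_generalist": frozenset({"read", "write"}),
}

# PBAC, individual-based: where each classification may be handled from (constructed).
ALLOWED_GEOGRAPHY = {
    "UNCLASSIFIED": frozenset({"US", "UK", "remote"}),
    "CONFIDENTIAL": frozenset({"US", "UK"}),
    "SECRET": frozenset({"US"}),
    "TOP_SECRET": frozenset({"US"}),
}

@dataclass
class Decision:
    allowed: bool
    reasons: List[str]
    expires_at: Optional[datetime] = None   # set only on allow: just-in-time grant

def rbac_check(subject: Subject, action: str):
    """Role-based: the role's task must require this action."""
    perms = ROLE_PERMISSIONS.get(subject.role, frozenset())
    return action in perms, f"role {subject.role!r} permits {sorted(perms)}"

def policy_check(subject: Subject, resource: Resource):
    """Policy-based: vetting and geography (individual-based) plus a rule about
    the data itself (informational)."""
    reasons = []
    if not subject.vetted:
        reasons.append("individual policy: subject not vetted")
    if subject.geography not in ALLOWED_GEOGRAPHY[resource.classification]:
        reasons.append(f"individual policy: {resource.classification} not handled from {subject.geography}")
    # Informational policy: SECRET and above is released only to staff assigned to
    # a project of the owning function.
    if (CLEARANCE_RANK[resource.classification] >= CLEARANCE_RANK["SECRET"]
            and resource.owner_function not in subject.projects):
        reasons.append(f"informational policy: no project assignment with {resource.owner_function}")
    return not reasons, reasons

def abac_check(subject: Subject, resource: Resource):
    """Attribute-based: Boolean logic over subject and resource attributes."""
    reasons = []
    if CLEARANCE_RANK[subject.clearance] < CLEARANCE_RANK[resource.classification]:
        reasons.append(f"attribute: clearance {subject.clearance} below {resource.classification}")
    missing = resource.compartments - subject.compartments
    if missing:
        reasons.append(f"attribute: missing compartments {sorted(missing)}")
    return not reasons, reasons

def decide(subject: Subject, resource: Resource, action: str,
           now: datetime, window: timedelta = timedelta(hours=2)) -> Decision:
    """All three models must agree; an allow is a grant that expires after `window`,
    so least privilege holds over time as well as over scope."""
    ok_role, why_role = rbac_check(subject, action)
    ok_policy, why_policy = policy_check(subject, resource)
    ok_attr, why_attr = abac_check(subject, resource)
    allowed = ok_role and ok_policy and ok_attr
    return Decision(allowed, [why_role] + why_policy + why_attr,
                    now + window if allowed else None)

def grant_is_live(decision: Decision, now: datetime) -> bool:
    """Just-in-time: the data is exposed only inside the grant window."""
    return decision.allowed and decision.expires_at is not None and now < decision.expires_at

# Constructed sample subjects and resource.
ANALYST = Subject("a.lee", "intel_analyst", "TOP_SECRET", "US",
                  frozenset({"intel"}), frozenset({"SIGINT"}), True)
REMOTE_ANALYST = Subject("b.kim", "intel_analyst", "TOP_SECRET", "remote",
                         frozenset({"intel"}), frozenset({"SIGINT"}), True)
ADMIN = Subject("j.doe", "network_admin", "TOP_SECRET", "US",
                frozenset({"infra"}), frozenset(), True)
REPORT = Resource("brief-2023-04", "TOP_SECRET", frozenset({"SIGINT"}), "intel")

if __name__ == "__main__":
    now = datetime.now(timezone.utc)
    for s in (ANALYST, REMOTE_ANALYST, ADMIN):
        d = decide(s, REPORT, "read", now)
        print(s.user, "ALLOW until %s" % d.expires_at if d.allowed else "DENY", d.reasons)
```

The point the admin case makes is the one Carson draws: a high clearance on its own decides nothing. The admin holds TOP_SECRET but is denied three times over, because the role never needed `read` on intelligence briefs, the informational policy requires an assignment with the owning function, and the compartment attribute is absent. Logging the full `reasons` list, not just the verdict, is what lets the policy owner in the business function (not only the infosec team) review why a request was refused.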
In conclusion, the arrest of Jack Teixeira highlights the importance of access control in protecting classified information. CISOs must prioritize access controls and implement them effectively, even in resource-constrained environments. By adopting a combination of role-based access control, policy-based access control, and attribute-based access control, organizations can ensure that sensitive information is only accessible by authorized individuals and minimize the risk of unauthorized sharing or abuse.