<h1>How an ill-designed data access policy can interfere with cybersecurity</h1>
<p>Kaspersky Daily (Business / SMB), published 2014-10-21, last modified 2020-02-26. Tags: cyber-security, data, data security. Source: https://www.kaspersky.co.za/blog/how-an-ill-designed-data-access-policy-can-interfere-with-cybersecurity/2733/</p>
<p>A data access policy becomes an issue for any company as soon as it accumulates a considerable amount of valuable and sensitive data. That doesn’t mean the policy is always in place when it should be, or that it is implemented properly when it is.</p>
<p>How should the policy work so that it does not interfere with security or increase risk? In principle it is simple: every employee should have access only to the data related to his or her own job. In practice it is a bit more complex.</p>
<p>In a <a href="https://securelist.com/blog/research/66846/breaches-in-corporate-network-protection-access-control/" target="_blank" rel="noopener">recent article</a>, Kaspersky Lab expert Kirill Kruglov writes about protecting critical systems from unauthorized changes and reducing the opportunities for attacks on the corporate network. As the proper course of action he lists the following items:</p>
<ul>
<li><em>specify those objects (equipment, systems, business applications, valuable documents, etc.) on the corporate network that require protection;</em></li>
<li><em>describe the company’s business processes and use those to help determine the levels of access to the protected objects;</em></li>
<li><em>ensure that each subject (a user or a corporate application) has a unique account;</em></li>
<li><em>limit subjects’ access to objects, i.e. restrict the rights of the subjects within the business processes;</em></li>
<li><em>ensure that all operations between the subjects and the objects are logged and the logs are stored in a safe place.</em></li>
</ul>
<p>At least three of these items are directly related to data access rules.</p>
<p>Taking seriously the principle that an employee should have access only to the data needed in the course of their work means that, in a restrictive environment, any given user has very limited privileges on the system they work with: no software can be installed on the workstation by the user, web access is limited to the few resources they are supposed to visit during the day, and access to corporate documents and applications is limited to their role.</p>
<p>Employees typically dislike “excessive” restrictions such as limited web access; they would also prefer to be able to install software themselves rather than request a system administrator’s help for such a “mundane” task. Besides, it may take some time between sending the request and getting help, especially if the company is large and IT staff are few.</p>
<p>Kruglov further writes that in practice the proper course is not followed. For instance, all corporate documents are stored centrally in shared folders on one of the company’s servers; access to critical systems is denied to everybody but administrators, yet any administrator can log into a system remotely to repair a failure quickly, and sometimes the administrators use a “shared” account.</p>
<p>All corporate documents in shared folders on a single server? Convenient, but unsafe for a number of reasons.</p>
<p>If there are documents that only a “selected few” are supposed to view and change, nobody else should even see them. If those documents can be viewed and modified from any corporate account, then any account that is compromised reaches them: for example, an employee connects a personal device (an Android smartphone, say) to the corporate network and infects the system with a piece of malware.</p>
<p>Imagine getting CryptoLocker-like ransomware onto your file server. Sorry if you no longer have to imagine it: more than a few fellow IT workers have told us about such experiences, and only in a few cases were the problems resolved without huge losses.</p>
<p>Ransomware of this kind runs with the privileges of the account it infected and encrypts any data within that account’s reach, so if all of the documents are stored together “in one basket” that every account can write to, the damage may be crippling.</p>
<p>System administrators’ shared accounts are also a big “don’t”. For an attacker, getting hold of such an account is like acquiring a master key: all the systems of the targeted company now lie at their feet. And because several people share the one login, the logs cannot say which person’s credentials were used, so backtracking the path the attacker took and preventing a repeat becomes very hard.</p>
<p>An ideal approach is to segment all corporate data so as to limit the possible damage from attacks or malware; to separate access rights for all users according to their roles in the company; and to avoid any “master keys”: no shared accounts, and a minimal number of people with access to critical systems and/or data.</p>
<p>Essentially, these are the ways to diminish the attack surface and so reduce risks that are already very high.</p>
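<p>As an added worked example (this is not code from the article or from Kruglov’s post), the Python model below puts the five items he lists into code: protected objects tied to a business process, roles that grant access only to their own processes, one account per subject, and a log of every subject/object operation. It then compares the “everything in one shared folder” layout with a segmented layout by computing how many documents ransomware running under one compromised account could encrypt, and shows why a shared administrator login defeats attribution from the log. All document names, accounts, roles and policies are constructed for illustration.</p>

```python
"""Added example: a minimal model of Kruglov's five steps (objects, business
processes, unique accounts, limited rights, audit log), used to compare a flat
shared-folder layout with a segmented one. All data below is constructed."""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Document:
    """A protected object and the business process that owns it."""
    name: str
    process: str


@dataclass(frozen=True)
class Subject:
    """An account. `people` are the humans who can log in with it: exactly one
    for a unique account, several for a shared one."""
    account: str
    roles: frozenset
    people: frozenset


@dataclass
class AccessPolicy:
    """Maps each role to the business processes whose documents it may use,
    and records every subject/object operation."""
    grants: dict
    audit_log: list = field(default_factory=list)

    def allowed(self, subject, doc):
        """Least privilege: some role of the subject must cover the document's process."""
        return any(doc.process in self.grants.get(r, set()) for r in subject.roles)

    def access(self, subject, doc, action):
        """Check the operation and log it under the login name the server sees."""
        verdict = "ALLOW" if self.allowed(subject, doc) else "DENY"
        self.audit_log.append((subject.account, doc.name, action, verdict))
        return verdict == "ALLOW"

    def blast_radius(self, subject, docs):
        """Documents that ransomware running under this account could encrypt."""
        return {d.name for d in docs if self.allowed(subject, d)}


def attribute(subjects, entry):
    """People a log entry can be pinned on: one for a unique account,
    everyone who knows the password for a shared one."""
    return subjects[entry[0]].people


# --- constructed sample data (hypothetical names, not from the article) -------
DOCS = [
    Document("payroll_2014.xlsx", "finance"),
    Document("vendor_contracts.docx", "finance"),
    Document("employee_records.db", "hr"),
    Document("product_roadmap.pptx", "engineering"),
    Document("source_tree.zip", "engineering"),
]
ALL_PROCESSES = {d.process for d in DOCS}

SUBJECTS = {
    "a.ivanova": Subject("a.ivanova", frozenset({"employee", "accountant"}),
                         frozenset({"Anna Ivanova"})),
    "p.smirnov": Subject("p.smirnov", frozenset({"employee", "developer"}),
                         frozenset({"Pavel Smirnov"})),
    # One login shared by the whole IT team: the "master key" the article warns about.
    "admin": Subject("admin", frozenset({"administrator"}),
                     frozenset({"Admin One", "Admin Two", "Admin Three"})),
}

# Layout 1: one shared folder; every employee's role reaches every process.
FLAT = AccessPolicy(grants={"employee": ALL_PROCESSES, "administrator": ALL_PROCESSES})
# Layout 2: storage segmented by business process; roles reach only their own data.
SEGMENTED = AccessPolicy(grants={"accountant": {"finance"}, "hr_officer": {"hr"},
                                 "developer": {"engineering"},
                                 "administrator": ALL_PROCESSES})


def ransomware_damage(policy, account):
    """Sorted names of the documents malware running as `account` can encrypt."""
    return sorted(policy.blast_radius(SUBJECTS[account], DOCS))


def suspects_for_last_access(policy, account, doc_name):
    """Log one write as `account` and return the people the log can attribute it to."""
    doc = next(d for d in DOCS if d.name == doc_name)
    policy.access(SUBJECTS[account], doc, "write")
    return attribute(SUBJECTS, policy.audit_log[-1])


if __name__ == "__main__":
    for label, policy in (("flat", FLAT), ("segmented", SEGMENTED)):
        print(label, "a.ivanova compromised ->", ransomware_damage(policy, "a.ivanova"))
    print("unique account suspects:",
          sorted(suspects_for_last_access(SEGMENTED, "a.ivanova", "payroll_2014.xlsx")))
    print("shared account suspects:",
          sorted(suspects_for_last_access(SEGMENTED, "admin", "payroll_2014.xlsx")))
```

<p>Under the flat layout a single compromised employee account exposes every document; under the segmented layout the same account exposes only the documents of its own business process. The audit log deliberately stores nothing but the login name, because that is all a file server actually knows: for a unique account that name identifies one person, while for the shared <code>admin</code> login it yields every administrator as a suspect, which is exactly why the article says such accounts make backtracking an intrusion so hard.</p>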