Description: Grant a user only the rights and access needed to perform their duties, following a least privilege model. Considerations beyond standard rights that should be granted and monitored for applications, devices and systems:
- Governance and segregation of duties
- Policy-based access and entitlements
- Administrative access and entitlements
For access and actions beyond their normal duties, monitoring and traceability should be enforced for applications, devices and systems.
Benefit: Prevents users from holding privileges beyond their job role and responsibilities. Reduces the attack surface by limiting over-privileged access and the use of invalid or obsolete accounts to gain entry. Detects and automatically remediates policy-violating account access to maintain continuous compliance.
Implementation Approaches
Security Frameworks
NIST Cybersecurity Framework 1.1
- PR.AC-4: Access permissions and authorizations are managed, incorporating the principles of least privilege and separation of duties
NIST SP 800-207: Zero Trust Architecture
- 2.1.3: Access should also be granted with the least privileges needed to complete the task.
- 2.1.4: Least privilege principles are applied to restrict both visibility and accessibility.
Title | Define Policies and Controls to Enforce Appropriate Access |
Technology Components | Access Management (AM); Identity Management (IM); Identity Governance and Administration (IGA) |
Description | Implement application-based access controls using Role Based Access Control (RBAC), Policy Based Access Control (PBAC) and/or Attribute Based Access Control (ABAC), or hybrid models, supported by policies and enforced through governance and compliance. |
Pre-requisites | Business requirements for applications and access are defined; target systems have integration and connectivity; a role and entitlement catalog has been built and populated; an approval process is defined for each role and entitlement; attributes and policies are defined that provide the conditions and constraints for access |
Member Companies | ForgeRock, Okta, Omada, Ping Identity, Remediant, SailPoint, Saviynt, SecZetta, Thales |
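To make the hybrid model above concrete, here is an added example (not from this page or from any of the member companies' products) of a minimal policy decision point that layers attribute-based conditions on top of a role-to-entitlement catalog, denies requests that would exercise a segregation-of-duties conflict, and records every decision so that access granted through a time-boxed elevation beyond a user's normal role is flagged for monitoring. All roles, entitlements, attributes, policies and users are illustrative assumptions constructed for the example.

```python
"""Added example: hybrid RBAC + ABAC decision point with SoD checks and an audit
trail. Every role, entitlement, attribute and policy is an illustrative assumption."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone

# Role -> entitlement catalog (assumed; in practice populated from IGA).
ROLE_ENTITLEMENTS = {
    "ap_clerk":   {"invoice:create", "invoice:read"},
    "ap_manager": {"invoice:read", "invoice:approve"},
    "sysadmin":   {"server:login", "server:admin"},
}

# Segregation-of-duties rules: entitlement pairs one identity must never hold together.
SOD_CONFLICTS = [("invoice:create", "invoice:approve")]

# ABAC layer: predicates over user attributes and the request context.
def is_active(user, ctx):   return user.attributes.get("status") == "active"
def has_mfa(user, ctx):     return bool(ctx.get("mfa"))
def on_corp_net(user, ctx): return ctx.get("network") == "corporate"

# "*" applies to every entitlement; the others add constraints for sensitive actions.
POLICIES = {
    "*":               [("account is active", is_active)],
    "invoice:approve": [("MFA satisfied", has_mfa)],
    "server:admin":    [("MFA satisfied", has_mfa), ("from corporate network", on_corp_net)],
}

@dataclass
class User:
    name: str
    roles: set
    attributes: dict = field(default_factory=dict)
    # Time-boxed grants beyond normal roles (break-glass / just-in-time): entitlement -> expiry
    elevations: dict = field(default_factory=dict)

@dataclass
class Decision:
    allow: bool
    reason: str
    flagged: bool = False  # True when access came from an elevation rather than a role

AUDIT_LOG = []  # every decision, allow or deny, for traceability
NOW = datetime(2024, 6, 1, 12, 0, tzinfo=timezone.utc)  # fixed clock for the demo

def effective_entitlements(user):
    """Entitlements granted by the user's roles (the 'normal duties' set)."""
    return set().union(*(ROLE_ENTITLEMENTS.get(r, set()) for r in user.roles))

def sod_violations(user):
    """Conflicting entitlement pairs the user holds via roles or elevations."""
    held = effective_entitlements(user) | set(user.elevations)
    return [p for p in SOD_CONFLICTS if p[0] in held and p[1] in held]

def _record(user, entitlement, decision, now):
    AUDIT_LOG.append({"ts": now.isoformat(), "user": user.name, "entitlement": entitlement,
                      "allow": decision.allow, "flagged": decision.flagged,
                      "reason": decision.reason})
    return decision

def authorize(user, entitlement, ctx, now=None):
    """Allow only if a role or unexpired elevation grants the entitlement, no SoD
    rule is violated, and every applicable attribute policy holds."""
    now = now or datetime.now(timezone.utc)
    flagged = False
    if entitlement in effective_entitlements(user):
        pass
    elif entitlement in user.elevations and user.elevations[entitlement] > now:
        flagged = True  # beyond normal duties: permitted, but must be traceable
    else:
        return _record(user, entitlement,
                       Decision(False, "not granted by any role or active elevation"), now)
    for a, b in sod_violations(user):
        if entitlement in (a, b):
            return _record(user, entitlement,
                           Decision(False, f"segregation of duties: {a} conflicts with {b}"), now)
    for key in ("*", entitlement):
        for desc, pred in POLICIES.get(key, []):
            if not pred(user, ctx):
                return _record(user, entitlement, Decision(False, f"policy failed: {desc}"), now)
    return _record(user, entitlement, Decision(True, "granted", flagged), now)

def flagged_events():
    """Audit entries where access was exercised outside normal role entitlements."""
    return [e for e in AUDIT_LOG if e["flagged"]]

def demo():
    """Constructed scenarios (assumed users); returns {scenario: Decision}."""
    active = {"status": "active"}
    alice = User("alice", {"ap_clerk"}, active,
                 elevations={"server:login": NOW + timedelta(hours=1)})
    bob   = User("bob", {"ap_clerk", "ap_manager"}, active)          # toxic role combination
    carol = User("carol", {"sysadmin"}, active)
    dave  = User("dave", {"sysadmin"}, {"status": "terminated"})     # obsolete account
    corp  = {"mfa": True, "network": "corporate"}
    return {
        "clerk_creates_invoice":  authorize(alice, "invoice:create", {}, NOW),
        "clerk_approves_invoice": authorize(alice, "invoice:approve", corp, NOW),
        "sod_conflict":           authorize(bob, "invoice:approve", corp, NOW),
        "admin_without_mfa":      authorize(carol, "server:admin", {"network": "corporate"}, NOW),
        "admin_from_corp_mfa":    authorize(carol, "server:admin", corp, NOW),
        "terminated_user":        authorize(dave, "server:login", corp, NOW),
        "elevated_login":         authorize(alice, "server:login", corp, NOW),
        "expired_elevation":      authorize(alice, "server:login", corp, NOW + timedelta(hours=2)),
    }

if __name__ == "__main__":
    for name, d in demo().items():
        print(f"{name:24} allow={d.allow!s:5} flagged={d.flagged!s:5} {d.reason}")
```

The role catalog answers "what may this job function do", the attribute policies answer "under what conditions", and the SoD list encodes the governance rule that no single identity may both create and approve an invoice. Elevations are deliberately separate from roles so that a flagged audit entry, not a permanent role change, is the record of access beyond normal duties; a governance process can then review or revoke them.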