The Center for Internet Security Controls, or CIS Controls, have become an industry standard that helps businesses and organizations of all sizes maintain a baseline set of cybersecurity controls.

Safeguard 3.3 covers configuring data access control lists based on a user's need to know. That applies to local and remote file systems, databases, and applications, and it is the foundation of Zero Trust.

What does a user need, and what do they need access to? If they don't need access, why do they have it?

Sure, 15 years ago we lived in the world of the Company Drive, where everyone had access to everything in case they needed it. Today the world is completely different: every user's access, applications, and needs have to be reviewed and audited. If they don't need it, it's time to deny access to that resource.

When you hear Access Control Lists you likely think networking, since ACLs are used heavily there. But here we go back to our inventory of all of our assets (1.1), users, and data (3.2) and map out which lists of users should have access to what.

I accomplished this with AD groups and Group Policy: each segment of data was categorized into shared folders, each shared folder had an AD group assigned for permissions, and Group Policy mapped the drive based on the same group. I maintained an inventory of every shared drive and who had access to it. I also used Liongard, whose Windows Server inspector gave me a breakdown of every shared drive and who had access, for automatic auditing. Tools like Netwrix Corporation can do similar.
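One way to build that pattern on the file server, as an added example and not the author's own script: each subfolder under a share root is put behind exactly one AD security group (inherited and catch-all grants such as Everyone and Authenticated Users are removed), the matching SMB share is created, and then every share is walked to produce the inventory of who can reach what, with groups expanded to their members. The share root, the OU, the `FS-<Share>-RW` naming convention and the report path are assumptions; drive mapping stays in Group Policy Preferences, which this script does not touch.

```powershell
#Requires -Modules ActiveDirectory, SmbShare
# Added example, not the author's script. Assumptions (all hypothetical):
#   - runs as a domain admin on the Windows file server, with RSAT installed
#   - every subfolder of $ShareRoot is one data segment and becomes one share
#   - one AD security group per share, named "FS-<ShareName>-RW", created in $GroupOU
param(
    [string]$ShareRoot  = 'D:\Shares',
    [string]$GroupOU    = 'OU=File Share Groups,DC=corp,DC=example',
    [string]$ReportPath = "$env:USERPROFILE\share-access-inventory.csv"
)

Import-Module ActiveDirectory
Import-Module SmbShare

# Principals that mean "everyone can see everything"; none belong on a need-to-know share.
$CatchAll = @('Everyone', 'NT AUTHORITY\Authenticated Users', 'BUILTIN\Users', 'NT AUTHORITY\INTERACTIVE')

function Set-NeedToKnowAcl {
    param([string]$Folder, [string]$GroupName)

    if (-not (Get-ADGroup -Filter "Name -eq '$GroupName'")) {
        New-ADGroup -Name $GroupName -GroupScope DomainLocal -GroupCategory Security -Path $GroupOU | Out-Null
    }

    # Break inheritance without copying the parent's ACEs, so nothing granted
    # at the share root leaks into this segment.
    $acl = Get-Acl -Path $Folder
    $acl.SetAccessRuleProtection($true, $false)
    Set-Acl -Path $Folder -AclObject $acl

    # Re-read: every remaining ACE is now explicit and can be removed.
    $acl = Get-Acl -Path $Folder
    foreach ($rule in @($acl.Access)) {
        if ($rule.IdentityReference.Value -in $CatchAll) { $acl.RemoveAccessRule($rule) | Out-Null }
    }

    $inherit = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
    $none    = [System.Security.AccessControl.PropagationFlags]::None
    $allow   = [System.Security.AccessControl.AccessControlType]::Allow
    # Operators keep Full Control; the data group gets Modify and nothing else.
    foreach ($entry in @(
        @{ Id = 'NT AUTHORITY\SYSTEM';        Rights = 'FullControl' },
        @{ Id = 'BUILTIN\Administrators';     Rights = 'FullControl' },
        @{ Id = "$env:USERDOMAIN\$GroupName"; Rights = 'Modify' }
    )) {
        $rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
            $entry.Id, $entry.Rights, $inherit, $none, $allow)
        $acl.AddAccessRule($rule)
    }
    Set-Acl -Path $Folder -AclObject $acl
}

function Get-ShareAccessInventory {
    # One row per (share, principal), with domain groups expanded to people, so the
    # list answers "who can reach this data?" rather than "which group is listed?".
    Get-SmbShare | Where-Object { -not $_.Special } | ForEach-Object {
        $share = $_
        foreach ($rule in (Get-Acl -Path $share.Path).Access) {
            $id = $rule.IdentityReference.Value
            $members = $id
            if ($id -like "$env:USERDOMAIN\*") {
                $sam = $id.Split('\')[1]
                if (Get-ADGroup -Filter "sAMAccountName -eq '$sam'") {
                    $members = (Get-ADGroupMember -Identity $sam -Recursive |
                        Where-Object objectClass -eq 'user' |
                        Select-Object -ExpandProperty SamAccountName | Sort-Object) -join ';'
                }
            }
            [pscustomobject]@{
                Share     = $share.Name
                Path      = $share.Path
                Principal = $id
                Rights    = $rule.FileSystemRights
                Type      = $rule.AccessControlType
                Inherited = $rule.IsInherited
                CatchAll  = ($id -in $CatchAll)   # audit finding: broad access survived
                Members   = $members
            }
        }
    }
}

# Apply the pattern to every segment, then produce the inventory.
Get-ChildItem -Path $ShareRoot -Directory | ForEach-Object {
    $group = "FS-$($_.Name)-RW"
    Set-NeedToKnowAcl -Folder $_.FullName -GroupName $group
    if (-not (Get-SmbShare -Name $_.Name -ErrorAction SilentlyContinue)) {
        # Share permission mirrors NTFS: only the group and Administrators.
        New-SmbShare -Name $_.Name -Path $_.FullName -FullAccess 'Administrators', "$env:USERDOMAIN\$group" | Out-Null
    }
}
$inventory = Get-ShareAccessInventory
$inventory | Export-Csv -Path $ReportPath -NoTypeInformation
$inventory | Where-Object CatchAll | Format-Table Share, Principal, Rights -AutoSize
```

The CSV is the inventory: run the script on a schedule, keep each export, and diff the `Principal` and `Members` columns between runs to catch access that was added outside the group. Any row with `CatchAll` set to True is a share that has drifted back to the "everyone in case they need it" model and should be fixed before the next review.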

Your ACL is just that, a list. It doesn't matter how or where you store it, but it needs to cover all of your data: local, server, and cloud. Yes, include your SaaS apps, databases, applications, and anything else that takes your data and stores it.

Join the conversation - https://www.linkedin.com/posts/scottintech_ciscontrols-cybersecurity-zerotrust-activity-7074233841535569920-12Yq?utm_source=share&utm_medium=member_desktop

Contact Info

717.884.9030

Scott@ScottRDavis.com