Security Controls and Their Shortcomings
In my view, the least privilege technique is the most effective, because the principle of least privilege works by allowing only enough access to complete the task at hand. Strict adherence to least privilege in an IT environment reduces the risk that an attacker who compromises a low-level user account, device or application can use it to reach other systems or sensitive information (Lord, 2018). Applied to individuals, least privilege, also called the principle of least privilege, means granting the minimum level of user rights, or the smallest number of permissions, that still lets the user perform their function. The principle can be enforced at every level of a system (Rouse, 2020): end users, systems, processes, networks, databases, applications and any other part of the IT environment. It shrinks the attack surface by restricting the rights of super-users and administrators, so organisation-wide least privilege compliance reduces the cyber-attack surface overall. Enforcing least privilege on endpoints also limits malware: malicious software cannot use elevated privileges to expand its reach, move laterally, download or deploy further malware, or damage the computer (CyberArk, 2019).
Role-based access control (RBAC) is a mechanism for controlling access to a system based mainly on the positions of individual users within the organisation. RBAC lets users obtain only the data they need to do their work and stops them from obtaining information that is not theirs. For hundreds or thousands of employees, security is more easily maintained by restricting excessive access to personal information according to each user's defined position in the company. It safeguards confidential data and ensures that employees can obtain information and take actions only as far as their work requires. An organisation assigns each employee an RBAC role, and the role dictates which privileges the system grants the user. For example, the role may determine whether a user is an operator, a specialist or a consumer, and restrict access to particular resources or tasks accordingly. An organisation can allow some people to create or change files while denying others permission even to access them (DataSec, 2020).
Under mandatory access control (MAC), a central authority regulates permissions according to multiple levels of security. MAC involves assigning classification labels to system resources and to the operating system or security kernel. Only individuals or computers holding the security clearance required for a given classification may access that sensitive information. Institutions with several data classification levels, such as government and military agencies, typically use MAC to classify all users. Role-based access control can be used to implement MAC (DataSec, 2020).
File access control protects sensitive computer files. Permissions may be set to grant or deny access to individual files and folders. The most common privileges are read, write, delete and execute. A single individual, or a group of people, can be granted or refused a permission at any given time (Global Data Sentinel, 2020).
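To make the three mechanisms above concrete, here is an added example (my own illustration, not code from any of the cited sources): a deny-by-default decision function that combines an RBAC role-to-privilege mapping (using the operator, specialist and consumer roles and the read, write, delete and execute privileges named above) with a MAC clearance-versus-classification check. The role mapping, the clearance levels and the sample users and files are all constructed for this illustration.

```python
from dataclasses import dataclass
from enum import IntEnum


class Level(IntEnum):
    """Constructed classification/clearance levels for the MAC check."""
    PUBLIC = 0
    INTERNAL = 1
    CONFIDENTIAL = 2
    SECRET = 3


# RBAC: each role carries only the file privileges its job requires
# (least privilege). Role names follow the text; the mapping is constructed.
ROLE_PERMISSIONS = {
    "consumer": {"read"},
    "operator": {"read", "write"},
    "specialist": {"read", "write", "delete", "execute"},
}


@dataclass(frozen=True)
class User:
    name: str
    roles: frozenset
    clearance: Level


@dataclass(frozen=True)
class File:
    path: str
    classification: Level


def decide(user: User, file: File, action: str) -> str:
    """Return 'allow' or 'deny:<reason>', a string suitable for an audit log.

    Default is deny: the action is allowed only if some role of the user
    grants it (RBAC) and the user's clearance dominates the file's
    classification (MAC: no reading above your clearance).
    """
    granted = set().union(*(ROLE_PERMISSIONS.get(r, set()) for r in user.roles))
    if action not in granted:
        return "deny:rbac"          # unknown roles and unknown actions land here
    if user.clearance < file.classification:
        return "deny:mac"
    return "allow"


def is_allowed(user: User, file: File, action: str) -> bool:
    return decide(user, file, action) == "allow"
```

A real system would log the returned reason string so that reviewers can tell an RBAC misconfiguration apart from a clearance mismatch.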
Security through obscurity (STO) is the assumption that a system of any kind can be secure as long as nobody outside its implementation community is allowed to learn anything about its internal workings. Protection by obscurity is regarded as bad practice when obscurity is relied on as the primary form of security: before the secret is discovered, ignorance works in the defender's favour, but once someone has worked out your particular obscurity, the system is fragile again. It can be layered on top of real protection as an additional way to reduce the likelihood of a successful attack, alongside measures such as camouflage and OPSEC. On its own, this approach is usually considered the least stringent type of security (STO, 2013).
The other types of access control discussed here do not impose the same degree of stringency as least privilege access does.
CyberArk. (2019). What is Least Privilege Access? PoLP Explained. CyberArk. Retrieved from https://www.cyberark.com/what-is/least-privilege/.
DataSec. (2020). What is Role-Based Access Control | RBAC vs ACL & ABAC | Imperva. Learning Center. Retrieved from https://www.imperva.com/learn/data-security/role-based-access-control-rbac/.
Global Data Sentinel. (2020). File Access Control. Globaldatasentinel.com. Retrieved from https://www.globaldatasentinel.com/security-ecosystem/access-control/.
Lord, N. (2018). What is the Principle of Least Privilege (POLP)? A Best Practice for Information Security and Compliance. Digital Guardian. Retrieved from https://digitalguardian.com/blog/what-principle-least-privilege-polp-best-practice-information-security-and-compliance#:~:text=The%20principle%20of%20least%20privilege%20works%20by%20allowing%20only%20enough,account%2C%20device%2C%20or%20application.
Rouse, M. (2020). What is principle of least privilege (POLP)? - Definition from WhatIs.com. SearchSecurity. Retrieved from https://searchsecurity.techtarget.com/definition/principle-of-least-privilege-POLP.
STO. (2013). What is Security Through Obscurity (STO)? - Definition from Techopedia. Techopedia.com. Retrieved from https://www.techopedia.com/definition/21985/security-through-obscurity-sto.