Authorisation and Access Control
This section outlines how to secure application access through role definitions, Access Management, and authorisation models.
Access Controls
- Assign permissions based on business roles.
- Enforce the principle of least privilege to minimise exposure.
- Monitor and limit privileged access to reduce risk.
Refer to Section 3 of the Information Security Policy Controls Standard for detailed access control requirements.
Role Definitions
- Define roles based on job responsibilities.
- Review and adjust roles regularly to maintain relevance and security.
- Always use the principle of least-privilege in line with Zero-Trust framework.
Access Management Principles
-
✅ Least Privilege Principle: Limit access rights to only what's necessary.
-
✅ Multi-Factor Authentication (MFA): Enforce MFA for privileged accounts, both internal and external.
-
✅ Session Management: Log and monitor all privileged access sessions.
-
✅ Access Approval Workflow: Require documented and auditable approvals for access requests.
- ✅ Password Management:
- Use secure password vaults.
- Enforce strong password policies.
- Schedule regular password rotations.
- ✅ Audit Trails:
- Maintain immutable logs of privileged access.
- Conduct regular audits to ensure compliance.
Non-Human Identities
Non-Human Identities
Digital entities that operate without direct human interaction. These include service accounts, bots, certificates, API keys, and other credentials used by applications, systems, or infrastructure components to perform automated tasks or access resources.
Account Types:
- Test/Generic Accounts: Used in development or testing environments. These should be tightly scoped and disabled when not in use.
- Bot Accounts: Assigned to automation scripts or robotic process automation (RPA) tools. They must follow the same security controls as human accounts, including MFA and password rotation.
- Managed Service Accounts (MSA): Designed for services running on a single server. They simplify password management and reduce administrative overhead.
- Group Managed Service Accounts (gMSA): Ideal for services running across multiple servers. They support automatic password management and are recommended for scalable enterprise environments.
Refer to the Non-personal System Accounts standards for detailed additional details.
User Authorization (Models? ABAC, RBAC, etc.)
Role-Based Access Control (RBAC)
Define roles based on job functionality and assign access based on these predetermined roles rather than individually. This ensures consistency and simplifies user provisioning and de-provisioning.
Recommendations
- Review permissions and roles every 90 days.
- Enforce MFA and monitor privileged access continuously.
- Follow documented workflows for approvals and audits.