Principle: B2 Identity and Access Control
The organisation understands, documents and manages access to networks and information systems and supports the operation of essential functions. Users (or automated functions) that can access data or services are appropriately verified, authenticated and authorised.
This means clearly defining who or what has authorisation to interact with the network and information system as well as what level and type of permission accounts are assigned. Rights granted to both user and service accounts should be carefully controlled, especially where rights provide an ability to affect the operation of the essential function. Departments should follow the principles of ‘least privilege’ to ensure users are provisioned the minimum access required to complete their duties. Privileged user activity should be periodically reviewed and access should be technically removed when no longer required.
Users, devices and systems should be appropriately verified, authenticated and authorised before access to data or services is granted. Verification of a user’s identity is a prerequisite for issuing credentials, authentication and access management.
Unauthorised individuals should be prevented from accessing data or services at all points within the system. This includes system users and service accounts without the appropriate permissions, unauthorised individuals attempting to interact with any online service presentation, and individuals with unauthorised access to user devices. Access controls should be managed in step with an organisation’s joiner, mover and leaver (JML) process, so that access is granted, changed and removed as people join, change role and leave.
Third-party access to systems and data should be carefully controlled and monitored. Proportionate security requirements should be placed on the connecting organisation to mitigate identified risks, with evidence of compliance logged and validated.
Policy
The following requirements are placed on government departments:
- Government organisations shall meet the Cyber Assessment Framework (CAF) requirements of the relevant Government Profile under this principle.
- Multi-factor authentication (MFA) shall be implemented by departments where technically possible across business applications. This should include where administrative consoles provide access to manage cloud-based infrastructure, platforms or services.
This requirement originated in the 2018 Minimum Cyber Security Standard and has been retained due to its criticality in the protection of government systems and data.
Guidance
- The Introduction to identity and access management sets out the fundamental principles that operators should consider in designing and managing identity and access management systems. Identity and access control should be robust enough that essential functions are not adversely affected by unauthorised access.
- The NCSC’s Secure by Design: make compromise difficult principle identifies identity and access control as one of the core means of protecting a system through supporting an identity lifecycle process and utilising a single sign-on approach.
- To support departments in achieving their policy requirements relating to the implementation of multi-factor authentication (MFA), the NCSC’s multi-factor authentication guidance provides insight into when you should consider using an extra factor for your systems and services. It also outlines the different types of MFA, such as devices, apps and physical tokens, and how these should be configured effectively for your organisation.
- Your organisation should make every effort to reduce the burden of identity and access control on staff by implementing effective controls, which in turn reduces your overall security risk. The NCSC’s guidance on passwords and on biometric recognition and authentication systems both provide useful advice on how to implement authorisation and authentication for your networks. Organisations should focus on encouraging complex, unique passwords for all systems protecting government information, while ensuring these can be easily managed by users. This should include avoiding unnecessary password resets, such as forced regular password changes where there is no indication or suspicion of compromise. Other key mitigations include the adoption of password management solutions, advising colleagues on how to securely store written-down passwords and, where possible, using alternative solutions such as single sign-on. The password guidance outlines effective password strategies to be implemented by system administrators, including technical controls to improve authentication practices, monitor for suspicious authentication attempts and mitigate compromise attempts. It also provides socio-technical guidance for training staff on secure password use. Further guidance on implementing an effective enterprise authentication policy will also help you implement effective authentication controls across your devices.
- You should ensure that only corporately owned and managed devices can access your essential function’s networks and information systems, and that any access attempts from unknown devices are detected. See the NCSC’s Device Security Collection, which includes Device security principles on securely managing and configuring corporate devices, as well as platform-specific guidance on deploying specific types of operating system.
- Organisations should protect physical access to networks and information systems supporting the essential function, to prevent unauthorised access, tampering or data deletion. NPSA guidance on physical security provides a comprehensive list of controls for the physical protection of assets and people. In particular, the Technology and Control Rooms section of the guidance provides content on the effective use of automated access control systems, CCTV and physical lock systems.
Enhanced profile guidance
- Your certificates are integral to identifying and authenticating client and gateway connections. Provisioning and securing certificates should form part of your device management regime. This NCSC guidance will assist you in managing your Public Key Infrastructure (PKI) securely through design, configuration and procedural controls. It also details the responsibilities of the PKI provider and outlines multiple security requirements which you could set before using their service.
- Systems administration architectures describes a range of administration models for IT systems and their associated risks, including those which are considered insecure and present an unacceptable level of risk. In line with the enhanced profile, the guidance offers models which use dedicated devices on a segregated network for privileged access.
Further information
Further guidance and information on related industry security standards can be found on the NCSC’s CAF Guidance webpage.