Enforce Least Privilege & Role-Based Access Control (RBAC)

This standard mandates the enforcement of least privilege and Role-Based Access Control (RBAC) to minimise access rights and reduce the attack surface.

1. Enforce Least Privilege & Role-Based Access Control (RBAC):

Minimise access rights to reduce the attack surface. This approach ensures that only necessary access is granted, reducing the risk of security breaches.

• 1.1 Least-Privilege Access Controls:
  • 1.1.1 Application, Infrastructure, and Data:
    • Implement least-privilege access controls for applications, infrastructure, and data.
    • Automate the configuration of access control policies.
  • 1.1.2 Control Management:
    • Automate the tracking of access control implementations.
    • Implement control tutorials.
• 1.2 Role-Based and Attribute-Based Access Control (RBAC/ABAC):
  • 1.2.1 Sensitive Operation Restriction:
    • Use role-based and attribute-based access control (RBAC/ABAC) to restrict sensitive operations.
    • Automate the configuration of RBAC/ABAC rules.
  • 1.2.2 Rule Implementation:
    • Automate the enforcement of RBAC/ABAC rules.
    • Implement rule feedback collection.
• 1.3 Just-In-Time (JIT) Access Provisioning:
  • 1.3.1 Privileged User Access:
    • Enforce just-in-time (JIT) access provisioning for privileged users.
    • Automate the provisioning of JIT access.
  • 1.3.2 Provisioning Management:
    • Automate the tracking of JIT access requests.
    • Implement provisioning tutorials.

By enforcing least privilege and RBAC, organisations can minimise access rights and reduce the attack surface.

---