Through the lens of a small business operations team.
It is common for one person to take on many roles in a small business environment. So how does a small business mitigate the risk that comes with the challenge of separating duties and managing access to key data and systems? In this blog post, we answer common questions about access management, the concept and strategy of Zero Trust, and allowlisting in the small business space.
How can a small business effectively manage separation of duties?
Limited resources mean that a small number of people may cover multiple roles that larger organizations deliberately split between individuals. Separation of duties exists so that no single person can complete a sensitive process unchecked: fraud or a damaging mistake would then require collusion or escape the checks and balances that a second person provides.
Here are some recommendations to consider when defining Separation of Duties:
- Identify the Critical Processes and Assets: What needs protection? What are the key functions and tasks related to those processes? Are Development and Production Environments segregated?
- Define Roles and Responsibilities: Clearly define roles and responsibilities for each employee involved. Specify their access rights and tasks. Is there an individual with a lot of control over a critical process? How can you (meaningfully) incorporate someone else into the process? Is there an opportunity for the main person to be audited periodically? What is the risk to the business if there is not a second person to assist with the task? It may make sense to bring on a Managed Service Provider to outsource certain cybersecurity functions.
- Cross-Train Employees: Cross-train employees and ensure that people are familiar with and capable of handling critical functions. This may mean testing or assigning that back-up person to handle the task at a regular interval, so that they are comfortable enough to complete the task properly in the event of an emergency.
- Use Technology to Implement Role-Based Access Control (RBAC): Use RBAC to assign permissions based on job roles rather than to individuals. It can be tempting to give everyone administrative rights so that a single user is not bothered every time someone needs a software upgrade installed, but over-authorizing administrative access is dangerous in any business, regardless of size: a phished or malware-infected account then carries admin rights with it. Additionally, there are tools that help, such as Microsoft's Just-In-Time (JIT) access features (for example, Entra ID Privileged Identity Management for time-bound activation of admin roles, or Defender for Cloud's JIT VM access for management ports), which grant elevated access only after auditable request and approval steps and revoke it automatically when the window ends.
- Regularly Review and Update Permissions: When was the last time you audited your list of users? It is important to remove unnecessary access when employee roles change, or when someone leaves the company. If the business has a checklist or procedure for offboarding an employee, add the step of removing access permissions (accounts, group memberships, shared passwords, and API keys) to that list.
- Use Multi-Factor Authentication (MFA): It may sound like the industry is beating a dead horse, but the importance of MFA cannot be overstated. MFA adds an extra layer of security so that a stolen or guessed password alone is not enough for an attacker to log in. Where the application supports it, prefer phishing-resistant methods such as FIDO2 security keys or passkeys over SMS codes.
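The points above about RBAC, JIT elevation, separation of duties and periodic access review are easier to see in working code. The following Python is an added example for this post, not code from Sentinel Blue or from any Microsoft product: it models a small finance team in which one person holds two roles, refuses to let the creator of an invoice also approve it, grants temporary admin rights only with a second person's approval and an expiry, writes every decision to an audit log, and flags accounts with no sign-in in 90 days. The role names, users, permission strings, the sample invoice and the 90-day window are assumptions chosen for the illustration.

```python
"""RBAC with separation-of-duties checks, time-boxed just-in-time (JIT)
elevation and an audit trail.

Added illustration for this post; not code from Sentinel Blue or from any
Microsoft product. Roles, users, permission names, the sample invoice and the
90-day review window are assumptions chosen for the example.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone

# Standing permissions per role. No everyday role carries admin rights;
# "admin" is only ever held temporarily through an approved JIT grant.
ROLE_PERMISSIONS = {
    "bookkeeper": {"invoice:create", "invoice:read"},
    "approver":   {"invoice:approve", "invoice:read"},
    "owner":      {"invoice:approve", "invoice:read", "jit:approve"},
    "admin":      {"software:install", "user:manage"},
}

@dataclass
class JitGrant:
    role: str
    approved_by: str
    expires_at: datetime

@dataclass
class AccessControl:
    user_roles: dict                                 # user -> set of standing roles
    jit_grants: dict = field(default_factory=dict)   # user -> list of JitGrant
    audit_log: list = field(default_factory=list)    # (time, event, user, detail)

    def _log(self, now, event, user, detail):
        self.audit_log.append((now.isoformat(), event, user, detail))

    def effective_permissions(self, user, now):
        """Standing role permissions plus any JIT grant that has not expired."""
        perms = set()
        for role in self.user_roles.get(user, set()):
            perms |= ROLE_PERMISSIONS.get(role, set())
        active = [g for g in self.jit_grants.get(user, []) if g.expires_at > now]
        self.jit_grants[user] = active            # expired grants drop away by themselves
        for grant in active:
            perms |= ROLE_PERMISSIONS.get(grant.role, set())
        return perms

    def check(self, user, permission, now):
        """Every decision, allow or deny, is written to the audit log."""
        allowed = permission in self.effective_permissions(user, now)
        self._log(now, "ALLOW" if allowed else "DENY", user, permission)
        return allowed

    def request_elevation(self, user, role, approver, minutes, now):
        """JIT elevation: a different person holding jit:approve must sign off,
        and the grant expires on its own. Self-approval is refused."""
        if approver == user or "jit:approve" not in self.effective_permissions(approver, now):
            self._log(now, "JIT_DENIED", user, f"{role} approver={approver}")
            return False
        self.jit_grants.setdefault(user, []).append(
            JitGrant(role, approver, now + timedelta(minutes=minutes)))
        self._log(now, "JIT_GRANTED", user, f"{role} approver={approver} minutes={minutes}")
        return True

    def approve_invoice(self, user, invoice, now):
        """Separation of duties: whoever created an invoice may not approve it,
        even when their role carries invoice:approve."""
        if not self.check(user, "invoice:approve", now):
            return False
        if invoice["created_by"] == user:
            self._log(now, "SOD_VIOLATION", user, invoice["id"])
            return False
        return True

def stale_accounts(last_login, now, max_idle_days=90):
    """Access-review helper: users with no sign-in inside the window are
    candidates for removal (left the company, changed role, forgotten vendor)."""
    cutoff = now - timedelta(days=max_idle_days)
    return sorted(user for user, seen in last_login.items() if seen < cutoff)

def demo():
    """Walk the scenario; returns the outcomes and the audit log for checking."""
    now = datetime(2024, 3, 1, 9, 0, tzinfo=timezone.utc)
    # alice covers two roles at once, as often happens in a small business
    ac = AccessControl({"alice": {"bookkeeper", "approver"},
                        "bob": {"owner"},
                        "carol": {"bookkeeper"}})
    invoice = {"id": "INV-1001", "created_by": "alice"}      # constructed record
    results = {
        "alice_approves_own": ac.approve_invoice("alice", invoice, now),
        "bob_approves": ac.approve_invoice("bob", invoice, now),
        "carol_self_elevates": ac.request_elevation("carol", "admin", "carol", 60, now),
        "carol_elevated_by_bob": ac.request_elevation("carol", "admin", "bob", 60, now),
        "install_during_grant": ac.check("carol", "software:install", now + timedelta(minutes=59)),
        "install_after_expiry": ac.check("carol", "software:install", now + timedelta(minutes=61)),
        "stale": stale_accounts({"alice": now - timedelta(days=1),
                                 "dave": now - timedelta(days=120)}, now),
    }
    return results, ac.audit_log

if __name__ == "__main__":
    print(demo()[0])
```

The design choice worth noting is that the separation-of-duties rule is enforced on the record (who created this invoice), not only on the role: alice legitimately holds both roles, so a pure RBAC check would let her approve her own work. The audit log entries (`SOD_VIOLATION`, `JIT_GRANTED`, `DENY`) are exactly what a periodic review or an MSP's SOC would look for.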
How can a small business effectively implement Zero Trust with minimal interruption to proven business processes?
Zero Trust is a cybersecurity model that operates under the assumption that organizations should not automatically trust anything – inside or outside of their network. Traditionally, a perimeter-based approach assumes that anything inside the corporate network has been vetted and is trustworthy, and everything outside of the network is untrusted (unless granted access in). The Zero Trust model challenges all of this, requiring steps to verify identity each time access is requested.
While the concept can seem daunting, small businesses can implement some of the principles of Zero Trust:
- Verify the identity of users, devices, and systems before granting access. There are applications to assist with this – even when the users and devices are within the network.
- Grant the minimum level of access necessary for users and devices to perform their role, following the principle of least privilege.
- Segment the network into smaller, isolated zones to limit lateral movement. Control the traffic between the segments using policies to prevent unauthorized access.
- Continuously monitor network traffic, user activities, and devices to detect and respond to anomalous behavior in real time. There are Managed Service Providers with Security Operations Centers to help manage this.
- Encrypt sensitive data in transit and at rest to protect it from unauthorized access.
There are plenty of challenges in implementing Zero Trust principles, particularly in a small business. Some of the pain points a small business may experience include:
- Legacy systems and applications may not easily integrate with modern Zero Trust security solutions. Replacing the “old” applications may be expensive or a non-starter in a small business.
- Users may resist disruption as new workflows are established. Balancing security and user experience is a continual challenge.
- Developing Zero Trust architectures can be complex and resource-intensive. Small businesses may find themselves short on skilled personnel, time, and financial resources. An experienced Managed Service Provider (MSP) may help solve this challenge.
- Regulatory compliance as it relates to Zero Trust principles can be challenging. Understanding the security requirements and translating them into governance, risk, and compliance (GRC) controls and responsibilities can be tough. An MSP can also assist in this area if they are aligned with the specific frameworks and compliance requirements that apply to the business.
- As a small business grows, its ability to scale Zero Trust models in terms of users and devices can be a significant challenge. Solutions must be scalable without sacrificing security.
How does the approach to security change in a small business environment when managing allowlisting as opposed to blocklisting?
The terms “blocklist” and “allowlist” are used in the context of access control and security to manage and control access to resources.
A blocklist is a list of items (such as IP addresses, banned websites, or email addresses) that are explicitly prohibited or denied; anything not on the list is allowed by default. Many businesses will expand on that a bit and ban things like social media platforms, or websites related to adult content, alcohol, or firearms.
Allowlisting, also known as “whitelisting,” is a list of items, entities, or actions that are explicitly permitted or allowed. This method of access management grants access to specific things while denying access to everything else.
The use of allowlists is generally considered the more secure approach because it explicitly defines what is permitted and denies everything else by default, which reduces the risk of unintended access from something nobody thought to block. However, this method can be exhausting for a small business to maintain: coming up with the initial list is time consuming, and keeping it current in a dynamic environment, where every new customer, vendor, or tool needs an entry, is the harder part.
In a small business, here are the steps to determine what resources should be allowed in your environment:
Identify Resources: What network access, email communication, or specific applications are used every day? What about those used periodically or on occasion?
Identify Entities: What entities need access to the resources? What IP addresses should be allowed? For email communication, what are the trusted email addresses or domains allowed?
In a small business continuously developing relationships with new customers, the management of this portion of the allowlist can be challenging!
Some examples of what an allowlist may govern include:
- Network IP Addresses
- Network MAC Addresses
- Sender Email Addresses
- Email and Website Domains
- Executable Files
- Libraries
- Website URLs
- Network Access Control Lists (ACLs)
- File System Access Control Lists (ACLs)
- User Authentication
- Device Authentication
- API Endpoints
- API Keys
- Database IP Addresses and User Accounts
- Cloud Resources
- VPNs
- Remote Desktops
Document the Allowlist: Creating a comprehensive list of the approved entities can be daunting, but an undocumented allowlist cannot be reviewed or handed to the next person.
Configure Security Tools: If the small business uses security tools or firewalls, configure them to enforce the allowlist with a default-deny rule at the end.
Update Access Controls, then Regularly Review and Update: Ensure that only entities on the allowlist have the necessary permissions to access or interact with the resources, and revisit the list on a schedule so that entries for departed customers, vendors, and staff are removed.
If allowlisting sounds close to Zero Trust principles, you are right. Allowlisting is default-deny for a fixed set of entities; Zero Trust goes one step further and still verifies the legitimacy of each request, even from an entity that was allowed before. Both approaches attempt to stay one step ahead of the bad guys.
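To make the difference between the two approaches concrete, here is an added Python example for this post (not Sentinel Blue code, and not any product's configuration). It builds one allowlist policy and one blocklist policy over sender email domains and source IP ranges, then runs the same constructed events through both. The domains (`.example` and `.test` names), the documentation IP ranges and the sample events are all assumptions made up for the illustration. The example also covers the maintenance point above: a brand-new customer is denied by the allowlist until someone adds an entry.

```python
"""Default-deny allowlisting versus default-allow blocklisting for sender
domains and source IP ranges.

Added illustration for this post; not Sentinel Blue code or any product's
configuration. The domains, address ranges and sample events are constructed
(documentation ranges and .example/.test names) and are assumptions.
"""
import ipaddress
from dataclasses import dataclass, field

@dataclass
class Policy:
    mode: str                                     # "allowlist" or "blocklist"
    domains: set = field(default_factory=set)     # lower-cased domain names
    networks: list = field(default_factory=list)  # ipaddress network objects

    @classmethod
    def build(cls, mode, domains, cidrs):
        if mode not in ("allowlist", "blocklist"):
            raise ValueError(f"unknown mode {mode!r}")
        return cls(mode, {d.lower() for d in domains},
                   [ipaddress.ip_network(c, strict=False) for c in cidrs])

    def _domain_listed(self, sender):
        # Match the domain or a subdomain of it on a label boundary, so that
        # "trusted.example.attacker.test" does not match "trusted.example".
        domain = sender.rsplit("@", 1)[-1].lower()
        return any(domain == d or domain.endswith("." + d) for d in self.domains)

    def _ip_listed(self, source_ip):
        addr = ipaddress.ip_address(source_ip)
        return any(addr in net for net in self.networks)   # False across IP versions

    def decide(self, sender, source_ip):
        """Return (allowed, reason).
        blocklist: default allow, one listed attribute is enough to deny.
        allowlist: default deny, every attribute must be explicitly permitted."""
        domain_hit = self._domain_listed(sender)
        ip_hit = self._ip_listed(source_ip)
        if self.mode == "blocklist":
            if domain_hit or ip_hit:
                return False, "listed on blocklist"
            return True, "not listed (default allow)"
        if domain_hit and ip_hit:
            return True, "sender domain and source range both on allowlist"
        return False, "not fully listed (default deny)"

def onboard_customer(policy, domain, cidr):
    """The maintenance cost of an allowlist: every new relationship needs an entry."""
    policy.domains.add(domain.lower())
    policy.networks.append(ipaddress.ip_network(cidr, strict=False))

ALLOW = Policy.build("allowlist", ["trusted-customer.example", "supplier.example"],
                     ["203.0.113.0/24"])
BLOCK = Policy.build("blocklist", ["known-bad.example"], ["192.0.2.0/24"])

# Constructed sample events: (sender address, source IP)
SAMPLE_EVENTS = [
    ("ap@trusted-customer.example", "203.0.113.10"),                # known customer, known range
    ("ap@trusted-customer.example", "198.51.100.7"),                # known customer, unknown range
    ("ap@trusted-customer.example.attacker.test", "203.0.113.10"),  # lookalike domain
    ("hello@new-customer.example", "198.51.100.20"),                # brand-new relationship
    ("promo@known-bad.example", "203.0.113.10"),                    # explicitly bad sender
]

def compare(events=SAMPLE_EVENTS):
    """Run each event through both policies; returns [(allowlist_ok, blocklist_ok), ...]."""
    return [(ALLOW.decide(s, ip)[0], BLOCK.decide(s, ip)[0]) for s, ip in events]

if __name__ == "__main__":
    for (sender, ip), (a, b) in zip(SAMPLE_EVENTS, compare()):
        print(f"{sender:45} {ip:15} allowlist={a!s:5} blocklist={b!s:5}")
```

Running it shows the trade-off in one table: the lookalike domain and the unknown source range sail through the blocklist because nobody listed them, while the allowlist denies both; the price is that the new customer is also denied until `onboard_customer` adds their domain and range. The label-boundary check in `_domain_listed` is the detail that most often goes wrong in hand-written allowlists, where a plain substring match would accept `trusted-customer.example.attacker.test`.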
Sentinel Blue is a managed security service provider (MSSP) that works daily with the Defense Industrial Base (DIB), tackling operational and security challenges to streamline effective agency/prime/sub collaboration, secure architectures and IT environments, mitigate threats, and implement incident response best practices.