2:45 min read |
The fewer ways there are to reach information, the less risk there is of unauthorized access. This is the point of CIS Control #14, “Controlled Access Based on the Need to Know.” This is closely related to Control #13, “Data Protection,” but focuses on the access allowed. The specific controls have some overlap, especially regarding encryption and logging. What is distinctive to this control is the emphasis on access control and network architecture.

Identify the Data

Data should be identified and automatically labeled or tagged based on the existing data classification requirements for your enterprise. This can be done using one of several active discovery tools that can investigate the network file shares and desktops to flag documents and folders that match the classification criteria. Upon identification, sensitive files can be relocated into the appropriate data file shares, ensuring that access rights and group policy are easier to maintain and govern.

Isolate the Data

Implementing VLANs for critical servers is a straightforward way to reduce the risk of compromise. Along with servers, VLANs should be configured to support other critical business functions. Micro segmentation should also be enabled, which restricts a user’s ability to directly connect between workstations on the network.

Implementing firewalls or ACLs between each VLAN will ensure that only authorized systems and protocols are permitted to communicate with each other and will significantly reduce the risk of unauthorized data exposure and/or the unchecked spread of malware within the enterprise.

Encrypt the Data

Implementing data encryption ensures that data compromise efforts are increased significantly. Encrypting data at rest for laptops, workstations in insecure environments, and servers containing sensitive data will mitigate against the risk of data compromise.

A mobile device management solution should be implemented for all corporate and user-provided mobile devices that will be permitted to access this data.

Encryption for data in transit should also be implemented for all methods: Transport Layer Security (TLS) should be required for all outbound email communications and for all web-based portals and user interfaces. Command Line access to management interfaces should be through SSH as well.

This mitigation strategy can be further strengthened by taking proper care to use a centralized key management system and to ensure that encryption algorithms and key sizes are reviewed and updated annually.

Protect the Data

Access to the systems containing sensitive data on the server VLAN should be restricted to specific groups of workstations within the network; file systems and database servers should also be restricted to specific groups of users.

User accounts should be configured with specific access rights based on their role within the organization. Administrative users should have two accounts, one with restricted access for normal work activities, and a separate admin-level account for any systems maintenance responsibilities.

Along with these controls, Data Loss Prevention should be implemented as a means of identifying and/or preventing the unauthorized exfiltration of data via USB, email, or web-based communications. DLP solutions typically rely on either common keywords or analysis of predefined data to identify, enforce, and report on policy violations.


Any system or account on the network carries some risk of being compromised. Any account or system with access to confidential data should be limited in order to reduce the chance of successful unauthorized access. Restricting access to critical resources and limiting the access rights of authorized systems and accounts will enable IT personnel to focus on detecting and preventing a smaller range of potential attacks.