Introducing the Principle of Need to Have Available

Author: Yiannis Pavlosoglou, Ph.D, CISSP
Date Published: 21 June 2022

The principle of need to have available can be summarized as holding only the permissions you need for your next set of tasks. It builds on the principle of need to know: permissions are assigned not only on the basis of role and responsibilities but, more importantly, on what is planned next. The principle draws attention to concepts not often discussed as part of information security, such as tasks that are time-bound, permissions that can be revoked and reallocated quickly, and users and systems whose permissions are reassessed when a task completes. Putting the principle to work can be daunting: it requires the right level of planning and oversight, and the overhead of focusing on concepts that are not always at the center of the information security vocabulary.

The principle of need to have available can substantially limit the impact of ransomware. It is likely that the majority of major cyberattacks from the last year would have had a more limited impact had the principle of need to have available been applied proactively and with the correct level of rigor. For instance, consider a ransomware attack in which the stage 1 payload has landed on an employee's machine and stage 2 begins encrypting the files that employee can reach. Had the employee's access been restricted to only the data required for their next set of tasks, the impact of the ransomware on their files would be smaller. Furthermore, the restricted set of permissions would limit where the payload could search for data to encrypt. The ransomware's impact would be reduced on two fronts: less data would be available to encrypt, and the permissions would restrict where the payload could deploy.
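To make the blast-radius argument concrete, the following is an added example (not code from the article or from ISACA): a minimal model of time-bound, task-scoped permission grants, and a simulated payload that encrypts whatever the compromised account can currently write. The user name, file paths, task names and time windows are all constructed for illustration; the `AccessPolicy` class, its `grant`, `revoke_task` and `can_write` methods, and the helper functions are hypothetical names, not any product's API. It goes slightly beyond the paragraph by also showing the grant window edges and the effect of revoking permissions when a task finishes early.

```python
"""
Need to have available, modelled as time-bound grants (added example).
Compares the files a ransomware payload could encrypt when a user holds
standing access against the same user holding only task-scoped grants.
All principals, paths and windows below are constructed sample data.
"""
from __future__ import annotations

import datetime as dt
from dataclasses import dataclass


@dataclass(frozen=True)
class Grant:
    principal: str
    prefix: str            # path prefix the grant covers
    not_before: dt.datetime
    not_after: dt.datetime  # exclusive upper bound
    task: str               # the planned task this grant exists for


class AccessPolicy:
    """Hypothetical grant store: every permission is tied to a task and a window."""

    def __init__(self) -> None:
        self._grants: list[Grant] = []

    def grant(self, principal: str, prefix: str, start: dt.datetime,
              duration: dt.timedelta, task: str) -> Grant:
        g = Grant(principal, prefix, start, start + duration, task)
        self._grants.append(g)
        return g

    def revoke_task(self, task: str) -> None:
        # Reassess on task completion: every grant issued for the task goes away.
        self._grants = [g for g in self._grants if g.task != task]

    def can_write(self, principal: str, path: str, now: dt.datetime) -> bool:
        return any(
            g.principal == principal
            and path.startswith(g.prefix)
            and g.not_before <= now < g.not_after
            for g in self._grants
        )


# Constructed sample filesystem.
FILESYSTEM = [
    "/shares/finance/q2-report.xlsx",
    "/shares/finance/payroll.csv",
    "/shares/hr/contracts.docx",
    "/shares/eng/design.pdf",
    "/home/alice/notes.txt",
]


def simulate_ransomware(policy: AccessPolicy, principal: str,
                        filesystem: list[str], now: dt.datetime) -> list[str]:
    """Files a payload running as `principal` at `now` could encrypt."""
    return [p for p in filesystem if policy.can_write(principal, p, now)]


def standing_access_policy() -> AccessPolicy:
    """Conventional role-based access: broad, and never expires."""
    p = AccessPolicy()
    epoch, forever = dt.datetime(2000, 1, 1), dt.timedelta(days=365 * 100)
    p.grant("alice", "/shares/", epoch, forever, task="standing")
    p.grant("alice", "/home/alice/", epoch, forever, task="standing")
    return p


def need_to_have_available_policy() -> AccessPolicy:
    """Only what the next planned task needs, for the window it is planned in."""
    p = AccessPolicy()
    p.grant("alice", "/home/alice/", dt.datetime(2022, 6, 21, 8, 0),
            dt.timedelta(hours=10), task="workday")
    p.grant("alice", "/shares/finance/", dt.datetime(2022, 6, 21, 9, 0),
            dt.timedelta(hours=3), task="q2-close")
    return p


def blast_radius() -> tuple[int, int, int]:
    """(standing access, task-scoped during the task, task-scoped after revocation)."""
    at_10 = dt.datetime(2022, 6, 21, 10, 0)
    standing = simulate_ransomware(standing_access_policy(), "alice", FILESYSTEM, at_10)
    scoped = need_to_have_available_policy()
    during = simulate_ransomware(scoped, "alice", FILESYSTEM, at_10)
    scoped.revoke_task("q2-close")          # task finished early; permissions reassessed
    after = simulate_ransomware(scoped, "alice", FILESYSTEM, dt.datetime(2022, 6, 21, 11, 0))
    return len(standing), len(during), len(after)


def window_edges() -> list[bool]:
    """Finance share writable at 08:59, 09:00, 11:59, 12:00 under the scoped policy."""
    p = need_to_have_available_policy()
    f = "/shares/finance/payroll.csv"
    return [p.can_write("alice", f, dt.datetime(2022, 6, 21, h, m))
            for h, m in ((8, 59), (9, 0), (11, 59), (12, 0))]


if __name__ == "__main__":
    print("files encryptable (standing, during task, after revoke):", blast_radius())
    print("finance grant at window edges:", window_edges())
```

The payload never has to bypass anything; it simply inherits the account's permissions, so the only lever that changes the outcome is how many paths are writable at the moment of detonation. The revocation step matters as much as the window: a task that finishes early should release its grants immediately rather than waiting for the clock to expire them.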

Organizations should treat the rollout of this principle as they would a new product or service. It is important to avoid any default inclusions, such as in the information security policy, without a prior impact assessment. Start small in your implementation plan by examining teams, roles and systems that have a certain level of maturity in their operations. If discussions on planned tasks being performed within specific time windows alienate the audience, they are probably not ready to undertake the rollout of the principle in their operations. As much as we would like to believe the opposite, this is normal given that not all work-related activities can be broken down into planned tasks. The most likely outcome with the rollout of this principle is knowing which roles and ranks within your organization have the operational maturity to implement it.

Based on your organization’s risk landscape, you should investigate which areas of the organization would benefit the most from applying the principle of need to have available. There is no reason to roll out a time-bound activity of revoking and reassigning permissions if there is not a clear added benefit to your organization. An example of added benefit is risk reduction involving your most important data or processes. It is also likely that parts of the organization are not ready to adopt the principle now but will be able to in the future; the maturity roadmap should allow for this. Working with existing programs within your organization will be key to capturing changes in the risk landscape and identifying areas that are not ready now but are good candidates for applying the principle of need to have available later.

The principle of need to have available offers a method to limit the impact of major cyberattacks. For the principle to be effective, you must decide in advance which roles or permissions are required, based on the data needed to complete a set of tasks. This introduces a risk of its own: revoking a role an employee still holds and discovering only afterward that it was required. Despite the overhead of thinking about which roles should be kept while tasks are performed, the principle offers a way to limit the impact of incidents as they happen. As with any principle in information security, applying it requires education and awareness. Explaining the benefits to areas of your organization that are not currently implementing, or not yet in a position to implement, the principle of need to have available will set the foundation for future collaboration.

Editor’s note: For further insights on this topic, read Yiannis Pavlosoglou’s recent Journal article, “The Crucial Principle of Need to Have Available,” ISACA Journal, volume 2, 2022.
