How do you manage access controls?

  • 1.  How do you manage access controls?

    Posted Feb 20, 2020 11:50:00 AM
    What is the best way to internally manage who has authorization to certain resources or functions? In Domain four it talks about internal controls based on the entitlement matrix, but I am curious if there are other ways to manage people and the authorization levels they have.

    Kaela K.


  • 2.  RE: How do you manage access controls?

    Posted Feb 26, 2020 08:42:00 PM
    Not sure I can be vendor specific here or not, but you should be able to leverage a governance model. I think you are asking more of an operational question, correct me if I'm wrong.


    Adnan Rafique

  • 3.  RE: How do you manage access controls?

    CSA Instructor
    Posted Feb 27, 2020 06:27:00 AM
    What I tell my CCSK classes is that for SaaS, the entitlement matrices are the interface between operational risk and the application.
    For example, in an invoicing process, a risk analysis has identified the possibility of an employee committing fraud. That is operational risk. To control that, we would implement a 4-eyes principle or something like that. That translates into entitlements for the 2 pairs of eyes involved.

    It would still be a matrix, as that is the general model.

    For IaaS and PaaS you would have a similar approach, i.e. it would be an operational risk if developers could modify something in production without going through the CICD pipeline.

    Peter HJ van Eijk

  • 4.  RE: How do you manage access controls?

    CSA Instructor
    Posted Mar 11, 2020 07:35:00 AM
    Edited by Guillaume Boutisseau Mar 17, 2020 11:14:01 AM

    The entitlement matrix is an essential step in managing access controls. Practically, this is where you record the business decisions on who can access/do what. You want to give your people enough access to perform their job duties, and also limit the damage they could cause accidentally or intentionally with the access given to them (through a "what if" risk-based approach, for example).

    Without a properly maintained entitlement matrix, you would quickly end up with a disconnect between the business governance and the access controls configured in your production environments. That wouldn't be ideal.

    Guillaume Boutisseau
    CCSK Authorized Instructor, CCSP
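As an added illustration of the two points made above (reply 3's invoicing example, where a 4-eyes control becomes entitlements for two pairs of eyes, and reply 4's warning about drift between the matrix and what is configured in production), here is a small Python example. It is not code from the thread or from CSA; the roles, actions, invoice names and the production configuration are all constructed for the example.

```python
from dataclasses import dataclass
from typing import Dict, Optional, Set, Tuple

# Constructed entitlement matrix for a hypothetical invoicing SaaS:
# role -> actions that role is entitled to perform. Every name here is invented.
ENTITLEMENT_MATRIX: Dict[str, Set[str]] = {
    "clerk":    {"invoice:create", "invoice:read"},
    "approver": {"invoice:read", "invoice:approve"},
    "auditor":  {"invoice:read"},
}

# Actions that need a second pair of eyes: the actor must not be the creator.
FOUR_EYES_ACTIONS = {"invoice:approve"}

@dataclass
class Invoice:
    invoice_id: str
    created_by: str
    approved_by: Optional[str] = None

def is_entitled(role: str, action: str) -> bool:
    """Static check against the matrix: is this action granted to this role?"""
    return action in ENTITLEMENT_MATRIX.get(role, set())

def authorize(user: str, role: str, action: str, invoice: Invoice) -> Tuple[bool, str]:
    """Decide whether `user`, acting in `role`, may perform `action` on `invoice`.
    Returns (allowed, reason) so that denials can be logged for audit."""
    if not is_entitled(role, action):
        return False, f"role {role!r} is not entitled to {action}"
    if action in FOUR_EYES_ACTIONS and invoice.created_by == user:
        return False, "four-eyes violation: approver must differ from creator"
    return True, "ok"

def approve(user: str, role: str, invoice: Invoice) -> Tuple[bool, str]:
    """Apply the approval only when the matrix and the 4-eyes rule both allow it."""
    allowed, reason = authorize(user, role, "invoice:approve", invoice)
    if allowed:
        invoice.approved_by = user
    return allowed, reason

def find_drift(configured: Dict[str, Set[str]]) -> Dict[str, Set[str]]:
    """Compare what is actually configured in production against the matrix;
    returns, per role, the actions granted in production but absent from the matrix."""
    return {role: actions - ENTITLEMENT_MATRIX.get(role, set())
            for role, actions in configured.items()
            if actions - ENTITLEMENT_MATRIX.get(role, set())}
```

Running `find_drift` periodically against the grants exported from the production system is one way to catch the disconnect reply 4 describes before it widens.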