Profile Applicability:
Level 1

Description:
Access to production environments must be strictly limited to authorized personnel. This includes restricting login credentials, network access, and administrative privileges to reduce the risk of accidental or malicious changes that could impact system availability, integrity, or confidentiality.

Rationale:
Production environments often contain critical systems and sensitive data. Limiting access reduces the attack surface, prevents unauthorized modifications, and helps maintain system stability and compliance with security policies and regulations.

Impact:
Pros:

  • Enhances security by minimizing exposure to unauthorized users.

  • Helps maintain system integrity and availability.

  • Supports compliance with regulatory and organizational security requirements.

Cons:

  • May increase the administrative overhead of managing access controls.

  • Could slow down urgent operational tasks if access processes are not well designed.

Default value:
By default, some systems may grant broad or unmanaged access to production environments.

Audit:
Review access control lists, user permissions, and audit logs to verify that only authorized personnel have production access. Validate the use of role-based access control (RBAC) or similar mechanisms.

Remediation:
Implement strict access controls using the principle of least privilege. Use role-based access, multi-factor authentication (MFA), and regular access reviews. Document and enforce access approval processes.

References:

  1. NIST SP 800-53 - Access Control: https://csrc.nist.gov/publications/detail/sp/800-53/rev-5/final

  2. CIS Controls v8, Control 14 - Controlled Access Based on the Need to Know: https://www.cisecurity.org/controls/controlled-access-based-on-need-to-know/

  3. OWASP Secure Deployment Guide: https://owasp.org/www-project-secure-deployment-guide/