Serious credit to the New York Department of Financial Services (NYDFS) for pushing forward the principle of least privilege (PoLP) access control in their latest revision to 23 NYCRR 500. In this blog post, we’ll explore section 500.7 specifically, which was updated with the 500 amendment passed on November 1, 2023. This amendment embraces least privilege access control as an essential ingredient to preventing cyber attacks and protecting consumer data.
What’s in the 500 amendment?
An amendment was made to 23 NYCRR 500 to help improve the overall cybersecurity posture for in-scope companies. The NYDFS promulgated these changes in response to a significant growth in cybersecurity threats, which have had a negative impact on consumer data privacy and confidence. The new regulations cover a gamut of cybersecurity concerns including passwords, access controls, governance, and application security. As with most compliance regulations, these regulations provide a framework for controls without being overly prescriptive on implementation.
What’s this have to do with least privilege?
Section 500.7 deals specifically with several controls around access management and access control that lean heavily on the principle of least privilege access. These include:
Periodic user access reviews
Companies that have SOC 2, SOX, or other cybersecurity compliance requirements likely have significant experience with user access reviews (also known as UARs or user access certifications). In a UAR, the organization periodically reviews a user’s accounts, permissions, roles, and sensitive access rights to confirm they are still appropriate. These reviews may be done by managers, department heads, or permission or application owners. The 500.7 regulation prescribes that all in-scope organizations perform user access certification at least annually and that users have only the access they need to perform their job responsibilities.
Best practice recommendations:
- Quarterly user access reviews: Full quarterly user access reviews should be executed on all sensitive apps, resources, and permissions. Although it’s only “required” to run access reviews annually, performing incremental access reviews on a quarterly basis is a best practice.
- “Mover” access reviews: Access reviews should be performed on users upon department, role, or job changes to ensure that the access a user has is still appropriate given the change in their department, role, or job.
Limiting access based on need
500.7 prescribes that employees should only have access to non-public and sensitive data on an as-needed basis—meaning, only the access required to perform their job. Furthermore, if and wherever possible, the access should only be provided when the access is required to perform a function of the user’s job.
Best practice recommendations:
- Just-in-time access for sensitive access and resources: Sensitive data and accounts should be limited to time- and justification-bound access. That is, users must request access and it should be removed once it is no longer needed. Appropriate human-in-the-loop approvals should be captured and an audit trail maintained.
- “Use it or lose it” access: Unused access and permissions should be automatically reviewed and/or automatically removed. This prevents unused access sprawl.
Ensure timely offboarding
The 500.7 regulation requires that a covered entity shall “promptly terminate access following departures.” This means that organizations must discover all access and permissions held by a user and ensure that those accounts and permissions are removed, revoked, and/or downgraded in a timely fashion following the user’s departure. Offboarding can be complicated for companies with multiple identity stores, non-IdP-connected applications, and/or applications with local accounts. It is further confounded by contractor access, which is not always well tracked.
Best practice recommendations:
- Offboarding automation: When an employee has been terminated or a contractor is no longer engaged, their access needs to be promptly terminated and revoked. This requires using the catalog of system access the user has, automating removal where possible, and creating tickets for systems that require manual intervention. Tickets for non-connected systems should have an enforced SLA to ensure timely offboarding.
Visibility of access and permissions
Although not explicitly required by the 500 amendment, having visibility of users, accounts, and permissions is likely going to be a prerequisite for any company seeking to meet these requirements in an efficient manner.
Best practice recommendation:
- Automated account and access discovery: Be able to properly discover all accounts, permissions, and access for an employee or contractor on a near real-time basis. This will facilitate timely offboarding, just-in-time access, removing unused access, and other aspects of least privilege access control.
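To make the discovery, “use it or lose it”, just-in-time, and offboarding practices above concrete, here is a small Python model of an access catalog written for this post (example code, not from NYDFS or any product). The system names, sample grants, 90-day idle threshold, and 24-hour ticket SLA are constructed assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

@dataclass
class Grant:
    """One discovered permission held by a user on one system."""
    user: str
    system: str
    permission: str
    last_used: datetime            # last time the permission was exercised
    idp_connected: bool            # True if the IdP can revoke it automatically
    expires_at: Optional[datetime] = None  # set only for just-in-time grants

# Constructed sample catalog for the example (assumed values, not real data).
NOW = datetime(2024, 6, 1)
CATALOG = [
    Grant("alice", "okta", "employee", NOW - timedelta(days=1), True),
    Grant("alice", "payroll-db", "read", NOW - timedelta(days=120), False),
    Grant("alice", "aws-prod", "AdministratorAccess", NOW - timedelta(hours=2), True,
          expires_at=NOW - timedelta(hours=1)),
    Grant("bob", "github", "admin", NOW - timedelta(days=400), True),
    Grant("bob", "legacy-crm", "sales", NOW - timedelta(days=3), False),
]

def stale_grants(catalog, now=NOW, max_idle_days=90):
    """'Use it or lose it': grants not exercised within max_idle_days."""
    cutoff = now - timedelta(days=max_idle_days)
    return [g for g in catalog if g.last_used < cutoff]

def expired_jit_grants(catalog, now=NOW):
    """Just-in-time grants whose approved, time-bound window has elapsed."""
    return [g for g in catalog if g.expires_at is not None and g.expires_at <= now]

def offboarding_plan(catalog, user, now=NOW, sla_hours=24):
    """Revocation plan for a departing user: auto-revoke IdP-controlled grants,
    open an SLA-bound ticket for local or non-connected accounts."""
    plan = []
    for g in catalog:
        if g.user != user:
            continue
        if g.idp_connected:
            plan.append({"action": "auto_revoke", "system": g.system,
                         "permission": g.permission})
        else:
            plan.append({"action": "ticket", "system": g.system,
                         "permission": g.permission,
                         "due": now + timedelta(hours=sla_hours)})
    return plan
```

Running the three functions over the catalog on a schedule (and the offboarding plan on every departure event) gives the audit trail a quarterly or annual certification can be built from.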
When do you have to comply?
Companies have until May 1, 2025 to comply with the new 500.7 update of 23 NYCRR.
Conclusion
It’s exciting to see regulatory bodies like the NYDFS adopting and pushing forward security best practices such as least privilege access control. They’ve taken a practical approach to access management best practice and are encouraging companies to implement controls that will achieve practical improvements in cybersecurity.