Implicit Deny
- Indicates that unless something is explicitly allowed, it is denied.
- Implemented with Access Control Lists (ACLs).
Example:
- All internet traffic to a company’s web server is blocked, unless it is directed to port 443 for HTTPS.
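The port 443 example above, written as a first-match ACL evaluator. This is an added example, not code from the original page. The rule format, the `evaluate` function and the addresses (documentation ranges) are constructed for illustration; rule 1 is an assumed explicit deny, included to show how its result differs from the implicit one.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Rule:
    action: str           # "allow" or "deny"
    protocol: str         # "tcp", "udp" or "any"
    source: str           # CIDR block the packet must come from
    port: Optional[int]   # destination port; None matches any port


# Constructed ACL for the web server (illustrative, not from the page).
WEB_SERVER_ACL = [
    Rule("deny", "any", "203.0.113.0/24", None),  # assumed explicit deny
    Rule("allow", "tcp", "0.0.0.0/0", 443),       # HTTPS from anywhere
]


def evaluate(acl, protocol, source_ip, dest_port):
    """Return (decision, reason). Rules are checked in order; first match wins."""
    src = ipaddress.ip_address(source_ip)
    for index, rule in enumerate(acl, start=1):
        if rule.protocol not in ("any", protocol):
            continue
        if src not in ipaddress.ip_network(rule.source):
            continue
        if rule.port is not None and rule.port != dest_port:
            continue
        return rule.action, f"matched rule {index}"
    # Nothing matched: the implicit deny. No rule has to be written for it,
    # and an empty ACL therefore denies everything.
    return "deny", "implicit deny (no matching rule)"


if __name__ == "__main__":
    # Constructed sample packets: (protocol, source IP, destination port).
    samples = [
        ("tcp", "198.51.100.7", 443),  # HTTPS, allowed by rule 2
        ("tcp", "198.51.100.7", 22),   # SSH, never listed
        ("udp", "198.51.100.7", 443),  # wrong protocol for rule 2
        ("tcp", "203.0.113.9", 443),   # explicitly denied source range
    ]
    for proto, ip, port in samples:
        decision, reason = evaluate(WEB_SERVER_ACL, proto, ip, port)
        print(f"{proto:>3} {ip:<14} -> {port:<4} {decision:<5} {reason}")
```

Recording the reason alongside the decision lets a log reviewer tell traffic that hit a deliberate block from traffic that simply was never permitted.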
Example 2: Implicit Deny in a Tech Company
Scenario:
At Contoso.com, the company follows the principle of Implicit Deny within its cloud infrastructure and access management system. This approach means that by default, no access is granted unless explicitly allowed.
Implementation of Implicit Deny:
- AWS Cloud Infrastructure:
  - AWS IAM Roles: For all services in AWS, no access is granted to any users by default. Only specific actions (like launching instances or accessing S3 buckets) are permitted to users or groups via IAM policies.
  - Why: If a new user is added to the system, they start with zero access rights. Unless they are explicitly granted permissions through IAM roles and policies, they cannot interact with the cloud infrastructure, ensuring a strict Implicit Deny policy.
- Microsoft 365 Admin Access:
  - Least Privilege with Implicit Deny: All employees start with no permissions to modify shared documents or access certain applications. Each employee must be assigned specific rights based on their role, such as access to SharePoint, Teams, or Outlook.
  - Why: Employees only gain access to resources when it is clearly defined in their role. If a user is not assigned a role, they default to having no access, ensuring that no unauthorized access occurs through Implicit Deny.
- Network Firewall Configuration:
  - Firewall Rule Setup: In the company’s AWS environment, network firewalls are configured to block all incoming and outgoing traffic by default. Only specific ports and protocols (like SSH or HTTP) are opened when there is a justified need.
  - Why: By blocking all traffic unless explicitly permitted, the company minimizes the chance of unauthorized data flow or external access to their network, embodying the Implicit Deny principle.
Key Benefits of Implicit Deny:
- Tighter Security: Users are only granted the minimal permissions required for their role, reducing the attack surface and chance of internal misuse.
- Control Over Resources: It ensures that only explicitly defined actions are permitted, preventing unauthorized access to critical resources like production environments or sensitive data.
- Compliance: Helps meet regulatory requirements by ensuring that sensitive data or systems are not unintentionally exposed to unauthorized individuals.