Learn Important Things You Need to Know About Access Control
If you want to protect your company’s valuable data and other resources, you need strong visibility and control over who can access what information. These controls act as first-line defenses against cybersecurity attacks, so they should be central to your information security policy. This article describes everything you need to know about access control, including important terms, control models, and best practices.
Access Control Overview –
Access control uses policy-based rules and tools to regulate who can access data and applications on a network. There are two crucial components of access control:
- Authentication: verifying that users are who they claim to be, for example by requiring a username and password before signing in to an application.
- Authorization: determining whether an authenticated user should be granted the permission they request, based on their current level of privileges.
Authentication and authorization are the two core concepts in access control, but there are several other terms worth understanding. This access control glossary provides more information.
4 Access Control Models –
There are different access control models that organizations can choose from based on their unique security posture and the sensitivity of the data they need to control access to. These models regulate access to resources for users after they have already been authenticated.
1. Discretionary Access Control (DAC) – in this model, users directly grant and revoke access to objects under their control. DAC is somewhat outdated and not commonly used for data security purposes.
2. Mandatory Access Control (MAC) – using system-level controls to restrict access to data, files, or other resources. A system admin configures the settings using subject clearances and object labels (confidential, secret).
3. Role-Based Access Control (RBAC) – assigning access permissions based on a user’s role within your company. For example, a financial analyst receives all the access defined for the financial analyst role.
4. Attribute-Based Access Control (ABAC) – controlling access using characteristics about an access event rather than the role of the person requesting access. These characteristics include the subject requesting access, the resource requested, the action (read, write, copy), and the environment (time, location, device).
If DAC is outdated and MAC is frequently only used in government and military contexts, the choice is between role-based or attribute-based control for most organizations. Most organizations ultimately use a hybrid of these two models.
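The hybrid RBAC/ABAC decision described above, as an added example that is not part of the original article: the role table, the rules and the request fields (subject, resource, action, and the environment attributes hour, country and managed device) are all constructed for illustration.

```python
from dataclasses import dataclass

# Constructed sample policy: the RBAC layer maps each role to the
# (resource, action) pairs it grants. Not from the article.
ROLE_PERMISSIONS = {
    "financial_analyst": {("ledger", "read"), ("ledger", "write"), ("ledger", "copy")},
    "helpdesk": {("tickets", "read"), ("tickets", "write")},
}

@dataclass
class AccessRequest:
    subject: str          # who is asking
    roles: frozenset      # roles assigned to the subject
    resource: str         # what is requested
    action: str           # read, write or copy
    hour: int             # environment: local hour (0-23) of the request
    country: str          # environment: where the request originates
    managed_device: bool  # environment: corporate-managed device or not

def rbac_check(req):
    """RBAC layer: some role held by the subject must grant (resource, action)."""
    return any((req.resource, req.action) in ROLE_PERMISSIONS.get(r, set())
               for r in req.roles)

def abac_check(req):
    """ABAC layer: rules over the action and environment attributes.
    Returns None when every rule passes, otherwise the rule that failed."""
    if req.country != "US":
        return "request from outside the approved country"
    if req.action == "copy" and not req.managed_device:
        return "copy is only allowed from a managed device"
    if req.action == "write" and not 8 <= req.hour < 19:
        return "write is only allowed during business hours"
    return None

def decide(req):
    """Hybrid decision: a role must grant the permission AND the context must allow it."""
    if not rbac_check(req):
        return "deny: no role grants %s on %s" % (req.action, req.resource)
    reason = abac_check(req)
    if reason is not None:
        return "deny: " + reason
    return "allow"

if __name__ == "__main__":
    r = AccessRequest("alice", frozenset({"financial_analyst"}), "ledger", "read", 10, "US", True)
    print(decide(r))
```

The RBAC layer answers "does this role ever get this permission", and the ABAC layer then narrows that grant by the circumstances of the individual request.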
A Changed Data Security Landscape –
Data security was already a significant business challenge before the global pandemic abruptly came along and made things even harder. Businesses frantically tried to provide employees with sufficient remote access to corporate resources using remote desktop protocols, VPNs, and more cloud-based applications. Gaping security gaps likely emerged for businesses relying too much on legacy access controls that require too much manual input.
Statistics from the 2021 Thales Data Threat report highlight the current data security landscape:
- Only 17% of businesses indicated that they have protected more than 50% of their sensitive data in the cloud with encryption.
- Just 55% of businesses have implemented MFA.
- Only 20% of respondents said that their infrastructure was very prepared for the operational shifts brought about by the pandemic.
It’s clear that the pandemic strained existing infrastructure and resources. But the lack of MFA and encryption highlights problems with access control that existed before Covid.
Even before Covid, most people worked within a dynamic hybrid IT environment. Data regularly moved between on-premises systems and the cloud, and employees needed access to business applications hosted in the cloud. Cloud environments, however, lack the perimeters that safeguarded data in the past.
Opportunistic cybercriminals frequently try to exploit weaknesses in access controls. For example, an employee clicks a link on a phishing email that looks legitimate. The employee unknowingly discloses their password for a network resource.
Due to shoddy access controls, such as a lack of strong authentication, the hacker can access the network masquerading as one of your employees using only this password. Moving laterally through the network, a hacker can eventually steal valuable corporate data.
Access Control Best Practices –
Strong access control can make a huge difference in improving data security at any organization. Here are some best practices for implementing access control in the context of a sophisticated threat landscape and complex modern IT infrastructures.
Apply the Least Privilege Principle –
The least privilege principle only gives users the minimum level of access needed to perform their jobs. For example, a chief accountant should have the highest level of access to accounting systems, but that same person likely doesn’t need any access to information security data.
Use Multi-factor Authentication Where Reasonable –
Multi-factor authentication (MFA) strengthens user verification by requiring two or more pieces of evidence from different categories as proof of identity. Good access control should require MFA for access requests to sensitive data. Another useful scenario for requiring MFA is when the context of an access request, such as the location or time, differs from a user’s normal usage behavior.
Consider Automated Provisioning Tools –
Joiners, movers, and leavers at your business regularly request access and need access revoked. IT helpdesks easily become overburdened by dealing with manual provisioning requests. Good access control should leverage tools and solutions with automated provisioning capabilities for low-risk high-confidence access.
Get Visibility into Orphaned Accounts –
Orphaned accounts are accounts that exist on a network resource without a valid business owner. These orphaned accounts arise due to a lack of visibility from current access controls.
Cybercriminals can use social engineering to find out who recently left an organization and attempt to get their passwords using phishing emails or other methods. When those accounts aren’t disabled, you dramatically increase the attack surface for potential data breaches. Any access control strategy should include the procurement of solutions that provide visibility into orphaned accounts.
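A simple orphaned-account review of the kind the section calls for, as an added example that is not from the original article: it cross-checks an account export against an HR roster of active employees and flags enabled accounts whose owner has left or that have been dormant beyond a threshold. The roster, the accounts and the 90-day threshold are constructed sample values.

```python
from datetime import date

# Constructed sample data (not from the article): who HR says is still employed,
# and an export of enabled/disabled accounts with their owner and last login.
ACTIVE_EMPLOYEES = {"alice", "bob", "carol"}
ACCOUNTS = [
    {"name": "alice",      "owner": "alice", "last_login": date(2021, 6, 1),   "enabled": True},
    {"name": "svc-backup", "owner": "dave",  "last_login": date(2021, 3, 1),   "enabled": True},
    {"name": "erin",       "owner": "erin",  "last_login": date(2020, 11, 15), "enabled": True},
    {"name": "bob",        "owner": "bob",   "last_login": date(2020, 12, 1),  "enabled": True},
    {"name": "frank",      "owner": "frank", "last_login": date(2021, 1, 5),   "enabled": False},
]

def find_orphaned_accounts(accounts, active_employees, today, dormant_days=90):
    """Return [(account_name, [reasons])] for enabled accounts that either have
    no active owner or have not been used within dormant_days."""
    findings = []
    for acct in accounts:
        if not acct["enabled"]:
            continue  # already disabled: not part of the live attack surface
        reasons = []
        if acct["owner"] not in active_employees:
            reasons.append("owner is not an active employee")
        if (today - acct["last_login"]).days > dormant_days:
            reasons.append("no login for more than %d days" % dormant_days)
        if reasons:
            findings.append((acct["name"], reasons))
    return findings

if __name__ == "__main__":
    for name, reasons in find_orphaned_accounts(ACCOUNTS, ACTIVE_EMPLOYEES, date(2021, 6, 15)):
        print(name, "->", "; ".join(reasons))
```

Service accounts such as the constructed "svc-backup" are the usual blind spot: they keep working after their human owner leaves, so the owner check matters as much as the dormancy check.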
Minimize User Friction –
Businesses need to strike a balance between access control that protects data and enforcing so many controls that employees become frustrated. One way to minimize user friction while maintaining security is single sign-on (SSO).
Using one set of username-password credentials, users can sign in once per day and get access to all the applications and data they need to do their job. With SSO and MFA in place, you can minimize user friction while still identifying rogue behavior and blocking potential breaches.
The need for robust access control that fits with the complexity of modern IT environments will only increase with time. Improve your data security strategy today and implement these practices.