Given the perilous threat climate that continues to expose the sensitive data of many of the world’s best-known organizations (and their customers), the amount of attention given to who can access what data is often shockingly low. Highly sensitive financial information may be strictly controlled, but other types of data are often left “wide open.” In other words, anyone who uses legitimate credentials to access the network can access most data.
The issue isn’t just that employees might do something nefarious, although insider threats are a serious problem that shouldn’t be overlooked. You also have to think about what would happen if a hacker stole legitimate user credentials and accessed your network. Think about the systems they could access and how much data they could alter, delete, steal or hold for ransom. Think about how difficult it would be to detect such a breach.
That’s why access to all data, and not just the most sensitive information, must be selectively restricted. It gives you a better handle on your data and limits the scope of damage should a breach occur.
Access control is a security mechanism that regulates a user’s ability to connect with a network, view resources and/or make a transaction. The process involves identifying resources that users are permitted to access, using credentials to authenticate users, and authorizing access to the permitted resources. IT pros often use the acronym “AAA” — access, authentication and authorization.
There are four basic access control principles that reduce risk. The first is least privilege. Privileges are the rights and permissions granted to authorized user groups, from system administrators and senior executives to regular employees. By implementing least privilege, you ensure that users can access only the resources they need to do their job, and no more.
Similar to least privilege is the “need to know” principle, which means users should only access the data they need to know to do their job. The third principle involves user-based privileges, which grants rights and permissions at the user level instead of the group level. The fourth is separation of duties, which prevents a single person from performing every function in the access control process.
Organizations must choose the right access control model based on the types of data they process, how sensitive that data is, and operational requirements. The most common model is role-based access control, which applies the previously mentioned principles based on the user’s role.
Attribute-based access control is a newer, more dynamic model in which a series of attributes are assigned to each resource and user. Attributes such as role, time of day and geographic location are used to determine if a user is allowed to access a resource. An accounts payable clerk might have nearly unfettered access from her assigned workstation during business hours, but be locked out if she (or someone using her credentials) tries to login from a mobile device in China.
In the past, access control methods rarely changed. Either the data owner assigned rights and permissions, or users were granted information clearance based on business, legal and regulatory requirements. Today, flexible access control policies are critical. They must be able to be deployed across every application and onsite or cloud environment. Access controls must also be able to adapt to constantly changing risk factors and new threats.
IT environments have become complex collections of onsite and cloud environments, devices, applications and data. Let us help you choose the right access control model for your organization and deploy a dynamic solution that protects your assets and reduces risk.