At its most basic, access control is a means of ensuring that users who are logged in to your system are who they say they are, and that they have been granted appropriate access to your organization’s data.
At a highly technical level, Daniel Crowley, head of research for IBM’s X-Force Red, describes access control as “a selective restriction of access to data” consisting of two main components—authentication and authorization.
Authentication is concerned with identity and involves validating the identity of a registered user attempting to gain access to data resources such as an application, an API, or microservices.
Authorization is concerned with action and involves determining the specific actions that a registered user is allowed to perform on a given data resource.
Questions to keep in mind regarding access control
What type of data are you working with?
What happens if your data falls into the wrong hands?
Who should access your company’s data?
How do you ensure that users who attempt to access particular data have actually been granted access to it?
When do you deny access to a user with access privileges?
Practically all organizations with an online presence need some form of identity access control, particularly if their employees require access to organizational data resources and services.
Protection for sensitive data
Some organizations need access control more than others. For example, Ted Wagner, CISO at SAP National Security Services, advises organizations that process personally identifiable information (PII) as well as other sensitive information types—e.g., data relevant to the Health Insurance Portability and Accountability Act (HIPAA) or Controlled Unclassified Information (CUI)—to put access control at the core of their security architecture.
Defense against access mining
Organizations need to get ahead of the growing threat posed by the collection and selling of access descriptors on the dark web. Sensitive information such as usernames and passwords, domain information, and internal IP addresses are targets for access mining, to be sold on the “access marketplace” to entities who could then launch remote access attacks. Cybercriminals will likely resort to access marketplaces and access mining more and more for their potential to be very lucrative.
The importance of Identity access policies
Modern organizations operate in hybrid environments that rely on seamless data mobility: from on-premises servers to the cloud, and on to offices, homes, and coffee shops and cafes with open Wi-Fi hotspots. This means that access control needs to be backed up by robustly implemented policies that are not restrained by conventional parameters.
The challenge of enforcing access control is further compounded by the growing range of devices from which anyone can reach organizational data.
The answer is to develop advanced access control policies that ensure a dynamic, rather than static, response to constantly evolving risk factors.
Identity Access models
Organizations have 4 access control models to choose from based on the type and sensitivity of their data and their operational requirements:
1. Discretionary access control (DAC)
Access is decided by the data owner. Access rights are assigned based on rules that users specify.
2. Mandatory access control (MAC)
Access is granted based on an information clearance. MAC is a policy that uses regulations from a central authority as the basis for assigning access rights.
3. Role-based access control (RBAC)
Access is granted based on a user’s role, and key security principles like least privilege and separation of privilege are implemented. This means that users can access only data that’s determined to be necessary to their function in their organization.
4. Attribute-based access control (ABAC)
Access to a resource is determined by a comparative assessment of attributes such as the user's position and location and the time of day. ABAC is a dynamic model in which resources and users are each assigned a series of attributes.
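To make the four models concrete, here is an added example (not TraitWare's code) with one toy decision function per model; every user, resource, role and label below is constructed, and the ABAC rule (office location, business hours) is an assumed policy.

```python
"""Toy decision functions for DAC, MAC, RBAC and ABAC.
Added example; all users, resources and labels are constructed."""

# --- DAC: the data owner keeps an ACL saying who may do what --------------
DAC_ACL = {"payroll.xlsx": {"owner": "alice", "acl": {"bob": {"read"}}}}

def dac_allowed(user, resource, action):
    entry = DAC_ACL.get(resource)
    if entry is None:
        return False                       # unknown resource: deny
    if user == entry["owner"]:
        return True                        # owner retains full control
    return action in entry["acl"].get(user, set())

# --- MAC: a central authority labels data; clearance must dominate ---------
LEVELS = {"public": 0, "confidential": 1, "secret": 2}
CLEARANCE = {"alice": "secret", "bob": "confidential"}
CLASSIFICATION = {"hr-report": "secret", "newsletter": "public"}

def mac_allowed(user, resource):
    # "no read up": clearance level must be >= the data's classification
    user_level = LEVELS[CLEARANCE.get(user, "public")]
    return user_level >= LEVELS[CLASSIFICATION.get(resource, "secret")]

# --- RBAC: permissions attach to roles, users to roles (least privilege) ---
ROLE_PERMS = {"hr_analyst": {("hr-report", "read")},
              "hr_admin": {("hr-report", "read"), ("hr-report", "write")}}
USER_ROLES = {"alice": {"hr_admin"}, "bob": {"hr_analyst"}}

def rbac_allowed(user, resource, action):
    return any((resource, action) in ROLE_PERMS[r]
               for r in USER_ROLES.get(user, ()))

# --- ABAC: a rule over user, resource and environment attributes ----------
USER_ATTRS = {"alice": {"position": "manager", "location": "office"},
              "bob": {"position": "contractor", "location": "cafe-wifi"}}

def abac_allowed(user, resource, hour):
    """Assumed rule: non-public data only for staff positions, from the
    office, during business hours (08:00-17:59); hour is 0-23."""
    attrs = USER_ATTRS.get(user, {})
    if CLASSIFICATION.get(resource) == "public":
        return True
    return (attrs.get("position") in {"manager", "employee"}
            and attrs.get("location") == "office"
            and 8 <= hour < 18)
```

The same request (bob reading the HR report) is denied by MAC, allowed by RBAC, and denied by ABAC, which shows why the model choice depends on the data and on the operational context.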
Addressing Identity access problems
Ensure that your organizational data is properly secured by access control, first by determining whether you have adopted the best model, and then by leveraging technology so that the model is properly supported. Depending on the sensitivity of your data, you may have to employ multiple technologies that work jointly to maximize your access control.
Consider these options:
Privileged access and identity management solutions
These can be integrated with a traditional Microsoft Active Directory environment.
Multifactor authentication (MFA)
This is your long-overdue answer to the ever-growing vulnerability of basic username-and-password authentication.
MFA + SSO (single sign-on)
Get layered protection with this combination of convenience and enhanced security.
Talk to TraitWare today to explore our enterprise-level solutions for your cybersecurity requirements.