Who should access the company’s data? How do you ensure that those who attempt access have actually been granted it? Under which circumstances should a user’s access privileges be revoked?
To strongly protect the data, the organization’s access control policy must address these and many other questions.
What is access control?
Access control is the process of ensuring that users have only the appropriate access to company data; in simple words, it is the selective restriction of access to data.
Authentication is a method used to verify that someone is who they claim to be. Authentication isn’t sufficient by itself to protect data. What is needed is an additional layer, authorization, which verifies whether a user should be allowed to access the data or make the transaction they’re attempting.
After a data breach, access controls are usually among the first policies investigated.
If the data would be of value to anyone without proper authorization to access it, the organization needs strong access control. This is especially true for businesses with employees who work remotely and require access to company data resources and services.
Access control policy: Key considerations
Many of us work in hybrid environments where data moves between on-premises servers, the cloud, offices and homes, which can make enforcing access control difficult.
A mature access control policy can be adapted dynamically to respond to evolving risk factors.
Access control rules must be updated as the risk changes, which means that organizations must establish security analytics layers that sit on top of the existing network and security configuration, identify threats in real time, and adjust the access control rules accordingly.
4 Types of access control
Organizations must determine which access control model to adopt based on the type and sensitivity of the data they process. The legacy models are discretionary access control (DAC) and mandatory access control (MAC); role-based access control (RBAC) is the most common model today; and the most recent model is attribute-based access control (ABAC).
- Discretionary access control (DAC)
DAC assigns access rights based on rules that the users themselves specify: the data owner decides who gets access.
- Mandatory access control (MAC)
MAC grants people access based on an information clearance; access rights are assigned according to rules set by a central authority.
- Role-Based Access Control (RBAC)
RBAC grants access based on a user’s role and implements key security principles such as least privilege and separation of privilege. Thus someone attempting to access information can only reach the data deemed necessary for their role.
- Attribute-Based Access Control (ABAC)
In ABAC, each resource and user is assigned a set of attributes. A comparative assessment of the user’s attributes, including the time of day, position, and location, is used to decide on access to a resource.
It is up to each organization to decide which model suits it best, based on data sensitivity and the operational requirements for data access.
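As an added illustration that is not part of the original article, the following Python sketch layers ABAC attribute conditions (location and time of day) on top of an RBAC role table in one default-deny decision function; the roles, resources, sensitivity labels and business hours are constructed sample values.

```python
from dataclasses import dataclass
from datetime import time

# Constructed sample: a tiny policy decision point that combines
# RBAC (role -> permitted actions) with ABAC (attribute conditions).
@dataclass(frozen=True)
class Subject:
    user: str
    roles: frozenset
    location: str          # assumed attribute: "office", "home" or "other"

@dataclass(frozen=True)
class Resource:
    name: str
    sensitivity: str       # assumed labels: "internal" or "confidential"

# RBAC layer: least privilege means nothing is permitted unless a rule grants it.
ROLE_PERMISSIONS = {
    "analyst": {"internal": {"read"}},
    "finance": {"internal": {"read", "write"}, "confidential": {"read"}},
    "admin":   {"internal": {"read", "write"}, "confidential": {"read", "write"}},
}

# ABAC layer: confidential data is only reachable from the office during
# business hours (constructed hours).
BUSINESS_START, BUSINESS_END = time(8, 0), time(18, 0)

def rbac_allows(subject, resource, action):
    """True if at least one of the subject's roles grants the action."""
    return any(action in ROLE_PERMISSIONS.get(role, {}).get(resource.sensitivity, set())
               for role in subject.roles)

def abac_allows(subject, resource, now):
    """Attribute check: only confidential data carries extra conditions."""
    if resource.sensitivity != "confidential":
        return True
    in_hours = BUSINESS_START <= now <= BUSINESS_END
    return subject.location == "office" and in_hours

def decide(subject, resource, action, now):
    """Return (allowed, reason). Both layers must agree; the default is deny."""
    if not rbac_allows(subject, resource, action):
        return False, "deny: no role of %s grants %s on %s" % (subject.user, action, resource.name)
    if not abac_allows(subject, resource, now):
        return False, "deny: attribute conditions not met for %s" % resource.name
    return True, "allow"
```

The reason string is what an access log entry would record, so policy violations can be monitored rather than silently dropped.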
Access control solutions
A number of technologies can support various access control models. In a few cases, multiple technologies may need to work together to achieve the desired level of access control.
Data spread across multiple cloud service providers dictates the need to orchestrate a secure solution. Various vendors provide privileged access and identity management solutions that can be integrated with a traditional Active Directory. Two-factor or multi-factor authentication can be an additional component to further enhance security.
Why authorization remains a challenge
Authorization remains challenging because, for a start, the organization must determine and continually monitor who gets access to which data resources, how they should be able to access them, and under which conditions that access is granted.
Access control must be continuously monitored, in terms of compliance with the corporate security policy as well as operationally, to identify any potential security gaps. Organizations need recurring vulnerability scans against any application running access control functions and should collect and monitor logs on each access for violations of the policy.
Access control must be treated as a technology infrastructure that uses the most advanced tools, reflects changes in the work environment such as increased mobility, identifies the devices we use and their inherent risks, and takes into account the rapidly increasing movement towards the cloud.