Access control is a foundational cybersecurity practice that allows organizations to balance two competing needs: protecting vital company resources and granting necessary access to employees so they can do their work.
It involves verifying credentials, managing access privileges, and monitoring your system regularly.
Why is strong access control essential?
Mitigates 'Access Mining': Hackers develop sophisticated tools to take over computers and use them to search for valuable data. Strong access control is the primary defense against this "access mining," which can be devastating to a company of any size.
Ensures Compliance: In many regulated industries, access control is required to comply with state, local, and federal laws (e.g., HIPAA, PCI DSS).
Builds Trust: By following guidelines and avoiding a data breach, you prove to customers that you are trustworthy and reliable.
How Access Control Works
Large companies can face a staggering number of hacking attempts every day. Utah state computer systems, for example, endure as many as 300 million hacking attempts each and every day. Managing each issue by hand is impossible; a robust access control system is needed to handle that volume.
Your access control system is made up of software, humans to manage it, and rules to dictate its use. Common steps within the system include:
Authentication. A user wants to access your system. Is that person legitimate, or are you dealing with an imposter? User names, passwords, biometric data, and one-time verification codes could all help you confirm identities.
Authorization. What should that person be allowed to do? Authorization involves the rules you set regarding access.
Access. With identities verified and rules set, a person can see, write, save, share, or otherwise work with an asset. Conversely, if the person does not pass your authentication or authorization checks, the system denies entry.
Management. Teams must monitor their rules and the company's use of data. New employees, departing teammates, or organization restructures could all put security at risk.
Audit. As much as you might try to keep tight control over access, details may elude your attention. Regular audits ensure that you always know what's happening and that you can respond accordingly.
What does the user experience look like?
Log in: The user gives a password, followed by another authentication method.
Access: The user can see some servers and files. Others may remain hidden.
Work: The user might attempt an action not allowed by authorization rules, such as writing in a protected file. The system prevents that action.
If you've worked in an office environment within the last decade, all of these steps will seem familiar. Countless employees follow these same steps every day as they work.
Common Authorization Types
Proper access control policies begin with strict authorization rules. Sometimes, people refer to these things as "access control types." But make no mistake. These are rules that dictate what people can and can't do within a server. They are all about authorization.
You might choose to allow access based on:
| Authorization Model | What Dictates Access? | Example |
|---|---|---|
| Attributes | The time of day, a device location, or a person's geographic location could all help you understand if the system should allow a person in or keep them out. | If you run a business in Boise that is only open until 5 p.m., but you have a login attempt from India at 11 p.m., you could set up the system to deny that user. |
| Discretion | The person who owns the data decides how widely people can see, use, and work with it. | Someone on your sales team has a pitch to send to a prospect, and project managers need to check the details for errors, so the sales rep would grant access to the project manager. If someone in accounting wants to see the pitch, the data owner would deny access. |
| Mandatory | A strict set of rules, typically based on information clearance levels, dictates access. This is a common approach in very hierarchical settings, including the military. | Documents are made only for colonels, as they contain very sensitive data about an upcoming initiative. A private tries to access the files, and the system denies them. |
| Roles | People can only see and work with the files that people in their positions commonly need. | Accountants in your company can see a server called "Accounting." Engineers in your company don't know that the accounting server exists. |
| Rules | An administrator gives and rescinds access based on information that might be unique to each person. | One receptionist in your company also works on the marketing team. That person can see the marketing server, while other receptionists can't. |
You may choose just one method and apply it consistently across your company. Or you may create a hybrid mix of a few approaches to wrap your assets in layers of security.
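The hybrid approach in practice, as an added example that is not Okta's code or product: a small authorization check that layers the attribute, mandatory, role, discretionary, and rule-based models from the table above, using the table's own scenarios (the Boise business hours, the colonel-only documents, the Accounting server, the shared sales pitch, the receptionist on the marketing team) and recording every decision for the audit step. All names, roles, clearance levels, and timestamps are constructed for this example.

```python
from dataclasses import dataclass, field
from datetime import datetime

# Constructed clearance ladder for the mandatory (MAC) model.
CLEARANCE = {"private": 1, "captain": 2, "colonel": 3}
BUSINESS_HOURS = datetime(2024, 1, 15, 10, 30)   # constructed timestamps
AFTER_HOURS = datetime(2024, 1, 15, 23, 0)
AUDIT_LOG = []  # every decision is recorded here for the audit step

@dataclass
class Subject:
    name: str
    roles: set = field(default_factory=set)       # RBAC: positions held
    clearance: str = "private"                    # MAC: clearance level
    country: str = "US"                           # ABAC: where the login comes from
    grants: set = field(default_factory=set)      # rule-based: per-person admin grants

@dataclass
class Resource:
    name: str
    owner: str = ""                               # DAC: the data owner
    roles: set = field(default_factory=set)       # RBAC: positions that need this asset
    min_clearance: str = "private"                # MAC: clearance required
    shared_with: set = field(default_factory=set) # DAC: people the owner granted access

def attributes_ok(subject: Subject, when: datetime) -> bool:
    """ABAC: a Boise business open until 5 p.m. that expects US-based logins."""
    return subject.country == "US" and 8 <= when.hour < 17

def authorize(subject: Subject, resource: Resource, when: datetime) -> str:
    """Deny on the first failed model and say which one, so audits can explain it."""
    if not attributes_ok(subject, when):
        verdict = "deny:attributes"
    elif CLEARANCE[subject.clearance] < CLEARANCE[resource.min_clearance]:
        verdict = "deny:mandatory"
    elif not (subject.roles & resource.roles             # RBAC
              or subject.name == resource.owner          # DAC: owner
              or subject.name in resource.shared_with    # DAC: owner-granted
              or resource.name in subject.grants):       # rule-based grant
        verdict = "deny:authorization"
    else:
        verdict = "allow"
    AUDIT_LOG.append((when.isoformat(), subject.name, resource.name, verdict))
    return verdict

def visible_resources(subject: Subject, resources: list, when: datetime) -> list:
    """The 'Access' step: assets the user is denied stay hidden from the listing."""
    return [r.name for r in resources if authorize(subject, r, when) == "allow"]
```

Because the verdict names the model that denied, the audit log can show not just that a login from India at 11 p.m. was refused but which rule refused it.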
Access Control Policies & Regulations
In some regulatory environments, you must prove that you keep data safe and secure. Strong access control policies can help you do just that.
You might be required to strengthen your security policies due to:
PCI DSS. The PCI Data Security Standard applies to anyone who accepts or stores payments from credit and debit cards. You must protect that data, and the standard requires you to prove it too.
HIPAA. The Health Insurance Portability and Accountability Act includes several data security provisions. In essence, you must prove that you protect anything that could be considered personal, private information about patients.
SOC2. Service organizations must prove that they process and protect data properly.
ISO 27001. Any organization, including those that deal with financial data, intellectual property, or employee data, could be required to follow these data protection rules.
The list we've provided isn't exhaustive. You may have far more rules that govern how you collect, save, and share the information you collect in your business.
A strong access control policy, including the use of frequent audits, can help you submit the proper paperwork to prove that you comply.
Avoiding fines is just one reason to abide by the rules. Remember that your customers are watching you, and they rely on you to keep their information safe. If you follow the guidelines and avoid a breach, they will know that you're trustworthy. And conversely, if you get hacked, it will be extremely difficult for you to regain customer trust.
Common Access Control Challenges
It's clear that most companies need to keep control over sensitive information and that access control policies could help. But there are drawbacks.
Cloud Computing Complexity: It's difficult to apply local-geographic access rules consistently when cloud services allow global access, creating discrepancies.
Multiple Devices: Rules must be flexible enough to secure access across the numerous devices (e.g., phones, tablets) a single person uses.
Employee Friction: Administrators must be prepared to stand firm against disgruntled users when new, stricter rules take away prior, overly broad access permissions.
Access Control Software & Solutions
Anyone with valuable data needs strong access control policies. You also need software to help you do the job.
Access control software is designed to manage these challenges efficiently.
These solutions:
Work with multiple environments and devices.
Scale to accommodate more users easily.
Reduce staffing and maintenance requirements.
Automate processes, making hacking significantly more difficult.
If you're searching for an access control solution, we'd love to talk. At Okta, we develop strong products that are easy for anyone to use. Contact us to find out more.