What Is Access Control & How Crucial Is It to Cybersecurity?

Digital security professionals face tough choices every day. On the one hand, you must protect your company's vital resources. On the other, you must give people access to the tools they need to do their work. 

Strong access control policies allow you to do both. 

Access control involves verifying credentials, managing access, and monitoring your system regularly. In many industries, you must handle access control to comply with state, local, and federal laws. 

But even if you're not in a highly regulated market, it's smart to worry about access control. Reporters say some hackers have developed sophisticated tools to take over computers and encourage these zombies to search for valuable data.

Access mining like this can be devastating to a company, no matter the size. Access control could stop it. 

How Access Control Works 

Large companies can face a staggering number of hacking attempts every day. Utah state computer systems, for example, endure as many as 300 million hacking trials each and every day. Managing each issue without help is impossible. A robust system could help. 

Your access control system is made up of software, humans to manage it, and rules to dictate its use. Common steps within the system include:

• Authentication. A user wants to access your system. Is that person legitimate, or are you dealing with an imposter? User names, passwords, biometric data, and one-time verification codes could all help you confirm identities.
   
• Authorisation. What should that person be allowed to do? Authorisation involves the rules you set regarding access.
   
• Access. With identities verified and rules set, a person can see, write, save, share, or otherwise work with an asset. Conversely, if the person does not pass your authentication or authorisation checks, the system denies entry.
   
• Management. Teams must monitor their rules and the company's use of data. New employees, departing teammates, or organisation restructures could all put security at risk.
   
• Audit. As much as you might try to keep tight control over access, details may elude your attention. Regular audits ensure that you always know what's happening and that you can respond accordingly. 

To someone attempting to access a resource, access control might look like this:

1. Log in: The user gives a password, followed by another authentication method.
    
2. Access: The user can see some servers and files. Others may remain hidden.
    
3. Work: The user might attempt an action not allowed by authorisation rules, such as writing in a protected file. The system prevents that action. 

If you've worked in an office environment within the last decade, all of these steps seem familiar. Countless employees have followed these same steps every day as they work.

Common Authorisation Types

Proper access control policies begin with strict authorisation rules. Sometimes, people refer to these things as "access control types." But make no mistake. These are rules that dictate what people can and can't do within a server. They are all about authorisation. 

You might choose to allow access based on:

• Attributes. The time of day, a device location, or a person's geographic location could all help you understand if the system should allow a person in or keep them out.

  For example, if you run a business in Boise that is only open until 5 p.m., but you have a login attempt from India at 11 p.m., you could set up the system to deny that user.
   

• Discretion. The person who owns the data decides how widely people can see, use, and work with it.

  For example, someone on your sales team has a pitch to send to a prospect, and project managers need to check the details for errors, so the sales rep would grant access to the project manager. If someone in accounting wants to see the pitch, the data owner would deny access.
   

• Mandatory. A strict set of rules, typically based on information clearance levels, dictates access. This is a common approach in very hierarchical settings, including the military.

  For example, documents are made only for colonels, as they contain very sensitive data about an upcoming initiative. A private tries to access the files, and the system denies them.
   

• Roles. People can only see and work with the files that people in their positions commonly need.

  For example, accountants in your company can see a server called “Accounting.” Engineers in your company don't know that the accounting server exists.
   

• Rules. An administrator gives and rescinds access based on information that might be unique to each person.

  For example, one receptionist in your company also works on the marketing team. That person can see the marketing server, while other receptionists can't. 

You may choose just one method and apply it consistently across your company. Or you may create a hybrid mix of a few approaches to wrap your assets in layers of security.

Access Control Policies & Regulations

In some regulatory environments, you must prove that you keep data safe and secure. Strong access control policies can help you do just that. 

You might be required to strengthen your security policies due to:

• PCI DSS. The PCI Data Security Standard applies to anyone who accepts or stores payments from credit and debit cards. You must protect that data, and the standard requires you to prove it too.
   
• HIPAA. The Health Insurance Portability and Accountability Act includes several data security provisions. In essence, you must prove that you protect anything that could be considered personal, private information about patients.
   
• SOC2. Service organisations must prove that they process and protect data properly.
   
• ISO 27001. Any organisation, including those that deal with financial data, intellectual property, or employee data, could be required to follow these data protection rules. 

The list we've provided isn't exhaustive. You may have far more rules that govern how you collect, save, and share the information you collect in your business. 

A strong access control policy, including the use of frequent audits, can help you submit the proper paperwork to prove that you comply. 

Avoiding fines is just one reason to abide by the rules. Remember that your customers are watching you, and they rely on you to keep their information safe. If you follow the guidelines and avoid a breach, they will know that you're trustworthy. And conversely, if you get hacked, it will be extremely difficult for you to regain customer trust.

Common Access Control Challenges 

It's clear that most companies need to keep control over sensitive information and that access control policies could help. But there are drawbacks. 

For example, many companies use cloud computing services, and experts say that trend will continue. Creating rules that work in your physical location and in the cloud isn't easy. For example, if you use geographic rules to permit or deny access, and your cloud allows access around the globe, spotting discrepancies isn't easy. 

Similarly, the average person has multiple devices to access your resources. In fact, researchers say one-third of American households have three or more smartphones. The rules you specify must bend and flex per device, and that's not easy. 

Frontline administrators may also face disgruntled people when the rules are new. Someone who always saw everything (and enjoyed a good snoop) could be upset to see that freedom snatched away. And staff must be strong in the face of pressure and stick with the rules. Otherwise, vital protections become watered down and less effective.

Access Control Software & Solutions 

Anyone with valuable data needs strong access control policies. You also need software to help you do the job.

Access control software is designed to work with multiple environments and devices, and it can scale to allow more users as needed. A product like this reduces staffing and maintenance requirements, and automation makes hacking much more difficult.

If you're searching for an access control solution, we'd love to talk. At Okta, we develop strong products that are easy for anyone to use. Contact us to find out more. 

References

Smominru Hijacks Half a Million PCs to Mine Cryptocurrency, Steals Access Data for Dark Web Sale. (August 2019). ZD Net. 

NSA Data Center Experiencing 300 Million Hacking Attempts Per Day. The Council of Insurance Agents and Brokers. 

Merchants. PCI Security Standards Council. 

Summary of the HIPAA Security Rule. (July 2013). U.S. Department of Health and Human Services. 

SOC2. Auditing Standards Board of the American Institute of Certified Public Accountants. 

ISO/IEC 27001. International Organization for Standardization. 

Gartner Forecasts Worldwide Public Cloud End-User Spending to Grow 18 Percent in 2021. (November 2020). Gartner.

A Third of Americans Live in a Household With Three or More Smartphones. (May 2017). Pew Research Center.