Running a business is no easy task. With multiple challenges demanding your constant attention, even a small slip can spell disaster. In the midst of this chaos, one essential element that regularly goes overlooked is your company’s information security policy. Unfortunately, it often takes a major system intrusion for a business to begin taking its cybersecurity seriously. And by then, the damage has already been done.
If you want to protect your company’s data, and with it your financial and reputational well-being, it’s essential that you formulate a rigorous set of information security access controls. These buffers and limits serve as the invaluable first line of defense against cyber threats.
Below, we’ll cover the ins and outs of security access control so that you’re prepared for future threats.
What is Access Control?
Any access control policy will specify access rights and decide whether requests made by principals should be allowed or rejected. In the world of access control, principals are any one of the following:
- User – A human worker
- Object – Resource or data
- Subject – A process a user employs
When creating your Enterprise Information Security Policy (EISP) and your cybersecurity controls checklist, you’ll have to determine your company’s philosophy on such matters by answering questions like:
- Who in your company has access to your business data?
- How do you ensure that those who attempt to enter have the approval to do so?
- How do you determine who you grant or deny access to?
Access control plays directly into such questions. At its essence, this security feature regulates the flow of information and dictates how a user and a system can connect or interact with other systems or resources. It’s your means of safeguarding your business by confirming that any user who attempts to reach your company’s data is who they claim to be and has been approved for that level of information.
This is all complicated by the following:
- Different types of users – Whether internal users, outside users, partners, or contractors, each will require different levels of access.
- User identity data – There is data that must be stored regarding the various users, including their personal data, passwords, and contact info.
- Resources with different classification levels – Certain resources may have more or fewer restrictions upon them. They could be confidential, private, public, or internal use only.
- An ever-changing business makeup – A business is rarely static. Employees come and go, roles shift, and the business’s needs fluctuate. As such, your access needs will vary accordingly.
- Range of devices that people use – Today, employees will use PCs, laptops, tablets, and mobile devices to accomplish their tasks. The sheer range of devices that employees utilize makes it incredibly challenging to formulate a secure and consistent set of access policies.
Any business is hierarchical. Employees on the lower tiers are restricted to information that concerns only their specific realm, whereas executives and other higher-ups will require a wider breadth of access to both project and system files.
This selective restriction of information security access controls typically consists of three primary components: identification, authentication, and authorization.
Identification is the business’s first means of corroborating that a user is who they claim to be. Typically, it consists of a universal naming system that each employee adheres to and is based upon a username or account number. Each name or number should be:
- Unique, to ensure accountability
- Undisclosed to other users
- Free of any reference to the user’s role or title
Authentication is the cybersecurity technique used to verify or prove a user’s identity. There are three main authentication factors you can employ.
- Passwords and PINs – These are private bits of information that only the specific user should know. This is the cheapest and most common means of authentication, and the least secure as a result.
- Access cards and keys – Cryptographic keys and smart cards supply a digital signature or a second authentication factor, giving a high level of security.
- Biometrics – The most expensive and most secure authentication method; biometrics confirm a person’s identity by reading a unique genetic attribute, behavior, or physical characteristic. Typical biometric scans include:
  - Retina scan
  - Iris scan
  - Palm scan
  - Facial scan
  - Hand topography
  - Signature or keyboard dynamics
Once a person has gone through identification and authentication, authorization controls the level of access and the ability to change, edit, or disseminate certain data. You’ll have to determine both which data an authorized user may reach and what actions they may perform on it.
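The three steps above, identification, authentication and authorization, as an added example in Python (this is illustrative code written for this page, not RSI Security’s own tooling). It assumes an in-memory user store standing in for a directory, opaque random account ids that carry no role or title, salted PBKDF2-HMAC-SHA256 password hashes, and a small permissions table; all of those are assumptions for the example.

```python
import hashlib
import hmac
import os
import secrets
from typing import Dict, Optional, Set, Tuple

PBKDF2_ITERATIONS = 200_000  # assumed work factor for the example

# Constructed in-memory stores standing in for a real directory or IAM service.
_USERS: Dict[str, dict] = {}                        # account_id -> {"salt", "hash"}
_NAME_INDEX: Dict[str, str] = {}                    # login name -> account_id
_PERMISSIONS: Dict[Tuple[str, str], Set[str]] = {}  # (account_id, resource) -> actions


def _hash_password(password: str, salt: bytes) -> bytes:
    """Salted PBKDF2-HMAC-SHA256; the plaintext password is never stored."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)


def register(login_name: str, password: str, permissions: Dict[str, Set[str]]) -> str:
    """Identification setup: one unique login name maps to one opaque account id.

    The account id is random, so it reveals nothing about the user's role or title.
    """
    if login_name in _NAME_INDEX:
        raise ValueError("login name must be unique")
    account_id = "acct-" + secrets.token_hex(4)
    salt = os.urandom(16)
    _USERS[account_id] = {"salt": salt, "hash": _hash_password(password, salt)}
    _NAME_INDEX[login_name] = account_id
    for resource, actions in permissions.items():
        _PERMISSIONS[(account_id, resource)] = set(actions)
    return account_id


def identify(login_name: str) -> Optional[str]:
    """Identification: who does the requester claim to be?"""
    return _NAME_INDEX.get(login_name)


def authenticate(login_name: str, password: str) -> Optional[str]:
    """Authentication: prove the claim; returns the account id on success."""
    account_id = identify(login_name)
    if account_id is None:
        # Burn the same hashing cost so response time does not reveal valid names.
        _hash_password(password, b"\x00" * 16)
        return None
    record = _USERS[account_id]
    candidate = _hash_password(password, record["salt"])
    if hmac.compare_digest(candidate, record["hash"]):  # constant-time comparison
        return account_id
    return None


def authorize(account_id: str, resource: str, action: str) -> bool:
    """Authorization: may this authenticated account perform the action on the resource?"""
    return action in _PERMISSIONS.get((account_id, resource), set())


def access(login_name: str, password: str, resource: str, action: str) -> str:
    """Run the three steps in order and report which one stopped the request."""
    account_id = authenticate(login_name, password)
    if account_id is None:
        return "denied: authentication failed"
    if not authorize(account_id, resource, action):
        return "denied: not authorized"
    return "allowed"


if __name__ == "__main__":
    register("j.doe", "correct horse battery staple", {"payroll.xlsx": {"read"}})
    print(access("j.doe", "correct horse battery staple", "payroll.xlsx", "read"))   # allowed
    print(access("j.doe", "correct horse battery staple", "payroll.xlsx", "write"))  # denied: not authorized
    print(access("j.doe", "wrong password", "payroll.xlsx", "read"))                 # denied: authentication failed
```

Note that the denial message distinguishes the step that failed only for the reader of this example; a production login page should return the same generic message for an unknown name and a wrong password, which is also why the unknown-name branch still performs a hash.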
Types of Access Control
When you create your information security framework, you’ll have to determine the proper access control model. Typically, this is based on two factors:
- The type of data that needs to be accessed.
- The sensitivity of the data required for access.
The principle of Complete Mediation states:
“A software system that requires access checks to an object each time a subject requests access, especially for security-critical objects, decreases the chances of mistakenly giving elevated permissions to that subject. A system that checks the subject’s permissions to an object only once can invite attackers to exploit that system. If the access control rights of a subject are decreased after the first time the rights are granted and the system does not check the next access to that object, then a permissions violation can occur. Caching permissions can increase the performance of a system but at the cost of allowing secured objects to be accessed.”
As such, any access control system will focus on the following actions:
- Preventing access – If the subject holds no privileges, the system prevents it from accessing the object.
- Determining access – Using policy to decide whether or not a subject may take an action on an object.
- Granting access – Providing a subject with access to an object. Ideally, this should be access to just one object and not several.
- Revoking access – Withdrawing a subject’s access to an object.
- Auditing access – Determining which objects a subject has access to.
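The complete mediation principle and the five actions above, as an added Python example (written for this page, not taken from the cited US-CERT article or from RSI Security). It assumes a small in-process reference monitor with a subject/object/action policy table; the two client classes, which are assumptions for the example, contrast a client that caches its first decision with one that asks the monitor every time, so that the effect of a revocation described in the quote can be seen directly.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple


@dataclass
class ReferenceMonitor:
    """Policy decision point: every request is decided here, against the current policy."""
    # subject -> object -> permitted actions
    policy: Dict[str, Dict[str, Set[str]]] = field(default_factory=dict)
    audit_log: List[tuple] = field(default_factory=list)

    def grant(self, subject: str, obj: str, action: str) -> None:
        """Granting access: one subject, one object, one action."""
        self.policy.setdefault(subject, {}).setdefault(obj, set()).add(action)
        self.audit_log.append(("grant", subject, obj, action))

    def revoke(self, subject: str, obj: str, action: str) -> None:
        """Revoking access: takes effect on the very next check."""
        self.policy.get(subject, {}).get(obj, set()).discard(action)
        self.audit_log.append(("revoke", subject, obj, action))

    def check(self, subject: str, obj: str, action: str) -> bool:
        """Determining access (default deny); every decision is recorded for audit."""
        allowed = action in self.policy.get(subject, {}).get(obj, set())
        self.audit_log.append(("check", subject, obj, action, allowed))
        return allowed

    def entitlements(self, subject: str) -> Dict[str, List[str]]:
        """Auditing access: what a subject currently holds, object by object."""
        return {obj: sorted(acts) for obj, acts in self.policy.get(subject, {}).items() if acts}


class CachingClient:
    """The anti-pattern from the quote: checks once, then trusts its own cached answer."""

    def __init__(self, monitor: ReferenceMonitor) -> None:
        self.monitor = monitor
        self._cache: Dict[Tuple[str, str, str], bool] = {}

    def can(self, subject: str, obj: str, action: str) -> bool:
        key = (subject, obj, action)
        if key not in self._cache:
            self._cache[key] = self.monitor.check(subject, obj, action)
        return self._cache[key]


class MediatedClient:
    """Complete mediation: asks the monitor on every single request."""

    def __init__(self, monitor: ReferenceMonitor) -> None:
        self.monitor = monitor

    def can(self, subject: str, obj: str, action: str) -> bool:
        return self.monitor.check(subject, obj, action)


def demo_revocation() -> Dict[str, Tuple[bool, bool]]:
    """Grant, read, revoke, read again; returns (caching, mediated) answers at each stage."""
    rm = ReferenceMonitor()
    rm.grant("alice", "payroll.db", "read")
    caching, mediated = CachingClient(rm), MediatedClient(rm)
    args = ("alice", "payroll.db", "read")
    before = (caching.can(*args), mediated.can(*args))
    rm.revoke(*args)
    after = (caching.can(*args), mediated.can(*args))
    return {"before_revoke": before, "after_revoke": after}


if __name__ == "__main__":
    print(demo_revocation())
    # {'before_revoke': (True, True), 'after_revoke': (True, False)}
```

The caching client keeps answering True after the grant has been revoked, which is exactly the permissions violation the quote warns about; the mediated client pays one lookup per request and gets the correct answer. The audit log makes both outcomes visible after the fact, which is what the auditing action is for.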
These days, most companies will select one of the following four types of information security access controls:
- Discretionary Access Control (DAC) – An older methodology, DAC assigns access rights based on rules that users stipulate. Basically, subjects get to regulate who has access to objects.
- Mandatory Access Control (MAC) – A nondiscretionary model where users are granted access based on an information clearance. Assignments are made via regulations coming from a central authority. In a hierarchical system, the top level determines what lower levels have access to.
- Role-Based Access Control (RBAC) – Each user’s access is limited to the data necessary to carry out their role within the business. It uses security principles like “separation of privilege” and “least privilege” to determine who gets access to what.
- Attribute-Based Access Control (ABAC) – Also known as policy-based access control, ABAC assigns attributes to both resources and users and decides each request by comparing those attributes. These might include:
  - User attributes
  - Resource attributes
  - Locational attributes
  - Environmental attributes
  - Objective attributes
The model uses these and then responds to requests with an “If, Then” statement. So, “IF the requester is a manager and IF the request is made between 8 AM and 6 PM, THEN they have access to sensitive data.”
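The four models side by side, as an added Python example (written for this page; not RSI Security’s code). Each decision function is a minimal assumed implementation: DAC as an owner-maintained ACL, MAC as a clearance-versus-classification comparison with an assumed four-level ordering (no reading above one’s clearance), RBAC as a role-to-permission table, and ABAC as the manager/8 AM–6 PM rule stated in the text. The resource names, roles and the rule that non-sensitive resources are open to everyone are assumptions for the example.

```python
from datetime import time
from typing import Dict, Iterable, Set, Tuple


# ---- DAC: the object's owner decides who else may use it ----
class DacStore:
    def __init__(self) -> None:
        self.owner: Dict[str, str] = {}                 # object -> owner
        self.acl: Dict[str, Dict[str, Set[str]]] = {}   # object -> subject -> actions

    def create(self, owner: str, obj: str) -> None:
        self.owner[obj] = owner
        self.acl[obj] = {owner: {"read", "write", "share"}}

    def share(self, granter: str, obj: str, grantee: str, action: str) -> None:
        if self.owner.get(obj) != granter:
            raise PermissionError("only the owner may change this object's ACL")
        self.acl[obj].setdefault(grantee, set()).add(action)

    def allowed(self, subject: str, obj: str, action: str) -> bool:
        return action in self.acl.get(obj, {}).get(subject, set())


# ---- MAC: labels come from a central authority; nobody reads above their clearance ----
LEVELS = {"public": 0, "internal": 1, "confidential": 2, "secret": 3}  # assumed ordering


def mac_read_allowed(clearance: str, classification: str) -> bool:
    return LEVELS[clearance] >= LEVELS[classification]


# ---- RBAC: permissions attach to roles, and roles hold only what the job needs ----
ROLE_PERMS: Dict[str, Set[Tuple[str, str]]] = {
    "hr_clerk":   {("employee_record", "read")},
    "hr_manager": {("employee_record", "read"), ("employee_record", "write"), ("salary", "read")},
    "engineer":   {("source_code", "read"), ("source_code", "write")},
}


def rbac_allowed(roles: Iterable[str], resource: str, action: str) -> bool:
    return any((resource, action) in ROLE_PERMS.get(role, set()) for role in roles)


# ---- ABAC: an IF/THEN rule over user, resource and environment attributes ----
BUSINESS_HOURS = (time(8, 0), time(18, 0))


def abac_allowed(user: Dict[str, str], resource: Dict[str, str], env: Dict[str, time]) -> bool:
    """IF the requester is a manager AND the time is within 8 AM-6 PM THEN allow sensitive data.
    Non-sensitive resources are open to any user (an assumption made for the example)."""
    if resource.get("sensitivity") != "sensitive":
        return True
    in_hours = BUSINESS_HOURS[0] <= env["time"] < BUSINESS_HOURS[1]
    return user.get("title") == "manager" and in_hours


def demo() -> Dict[str, bool]:
    """Exercise each model once with constructed subjects and objects."""
    dac = DacStore()
    dac.create("alice", "design.docx")
    dac.share("alice", "design.docx", "bob", "read")
    try:
        dac.share("bob", "design.docx", "carol", "read")  # bob is not the owner
        bob_can_share = True
    except PermissionError:
        bob_can_share = False
    sensitive = {"sensitivity": "sensitive"}
    return {
        "dac_bob_read": dac.allowed("bob", "design.docx", "read"),
        "dac_bob_write": dac.allowed("bob", "design.docx", "write"),
        "dac_bob_can_share": bob_can_share,
        "mac_confidential_reads_internal": mac_read_allowed("confidential", "internal"),
        "mac_internal_reads_secret": mac_read_allowed("internal", "secret"),
        "rbac_clerk_reads_record": rbac_allowed(["hr_clerk"], "employee_record", "read"),
        "rbac_clerk_writes_record": rbac_allowed(["hr_clerk"], "employee_record", "write"),
        "abac_manager_10am": abac_allowed({"title": "manager"}, sensitive, {"time": time(10, 0)}),
        "abac_manager_8pm": abac_allowed({"title": "manager"}, sensitive, {"time": time(20, 0)}),
        "abac_engineer_10am": abac_allowed({"title": "engineer"}, sensitive, {"time": time(10, 0)}),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

The contrast worth noticing is where the decision comes from: in DAC the owner can hand out access and the central policy has no say, in MAC the subject cannot override the label at all, RBAC decides by job function, and ABAC can take the environment (here the clock) into account, which none of the other three can express directly.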
One of the primary benefits of working with RSI Security on your security access controls is that you can gain a clearer picture of your overall threat assessment and vulnerabilities. This partnership helps you become more risk-informed, thus further prepared for said risks.
Risk management lies at the heart of any cybersecurity controls checklist. Although it’s impossible to completely eliminate risk, your goal should be to do everything in your power to bring it down to an acceptable level. Naturally, this acceptable level will depend heavily upon your business, data, and systems. Usually, this determination will be made by both you and your cybersecurity partner by taking the following preventative measures:
- Risk Assessments – Identify risks and hazards that might arise due to your business, culture, or systems. At RSI Security, we perform a Gap Analysis that identifies the differences between where your security is and where you want it to be. We then formulate programs such as information security access controls to close those gaps.
- Risk Analysis – The identified risks are ranked according to a cost-benefit analysis determining the potential impact, probability of it occurring, and cost.
- Risk Treatment – Once the assessment and analysis are complete, you can begin delineating preventative measures for treating or minimizing the potential risks.
- Risk Monitoring – Risks will inevitably change, or new ones will arise. An effective risk control system will maintain regular auditing and monitoring in response to natural security fluctuations.
Decreasing Risk with Your Information Security Access Controls
To decrease your risk, consider the following advice regarding security access controls and cybersecurity:
1. You are always a target – If you become relaxed or lazy about your cybersecurity, you endanger your company’s financial and informational well-being. Maintaining vigilance is key. You are always at risk and the stakes won’t ever drop. Therefore, it’s essential that both you and your employees understand that your security is a team responsibility that won’t ever go away.
2. Keep your software up to date – Your OS vendor regularly provides updates in response to software flaws. This could mean closing a loophole that hackers were capable of exploiting. It is critical that you automatically update your OS and web browser and ensure your plug-ins are current.
3. Use smart password management – If you use PINs or passwords for authentication, then it’s critical that you employ wise password management practices. Regularly having to change or update your password can be a pain, but it is a necessary one if you want robust security access controls. Password management programs or services help you generate and store strong passwords that are incredibly difficult to break through. Proper password management steps include:
  - Regular password updates, at least once every 90 days
  - Password generators
  - Long passwords
  - Special characters
  - Case sensitivity
  - Password checkers
  - Limited login attempts
4. Work with a partner on vulnerability tracking and reporting – A partner such as RSI Security should work with you to constantly monitor your network, all the while performing checks—like penetration tests—to scan for exposure. As new issues or vulnerabilities surface, they can help you move decisively and with the alacrity to respond in intelligent and meaningful ways. Vigilant tracking and reporting grants you the ability to assess your cybersecurity strengths and weaknesses and then respond accordingly.
5. Don’t leave devices unattended – The physical security of devices matters just as much as their technical security. If your employees leave their devices for any significant span of time, they should be locked or auto-locked to prevent others from attempting to access them. If vital information is stored on drives, these too require protection. Although it may be annoying to have to re-login every time you step away, it ensures your cybersecurity.
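Three of the password management steps from item 3 above (a password checker covering length, case and special characters, the 90-day update rule, and limited login attempts), as an added Python example written for this page rather than taken from RSI Security. The 14-character minimum and the five-attempt lockout threshold are assumed values, and the plaintext credential table is a constructed stand-in for the hashed-password store a real system would use.

```python
import string
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import Callable, Dict, List, Set

# Policy values: the 90-day age comes from the text; the other two are assumed.
MIN_LENGTH = 14
MAX_PASSWORD_AGE_DAYS = 90
MAX_FAILED_ATTEMPTS = 5


def check_password_policy(password: str) -> List[str]:
    """Password checker: returns the rules the password fails (empty list = passes)."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if not any(c.islower() for c in password):
        problems.append("no lowercase letter")
    if not any(c.isupper() for c in password):
        problems.append("no uppercase letter")
    if not any(c.isdigit() for c in password):
        problems.append("no digit")
    if not any(c in string.punctuation for c in password):
        problems.append("no special character")
    return problems


def password_expired(set_on_iso: str, today_iso: str) -> bool:
    """Regular updates: True when the password is older than MAX_PASSWORD_AGE_DAYS."""
    set_on = date.fromisoformat(set_on_iso)
    today = date.fromisoformat(today_iso)
    return today - set_on > timedelta(days=MAX_PASSWORD_AGE_DAYS)


@dataclass
class LoginThrottle:
    """Limited login attempts: lock an account after repeated failures."""
    verify: Callable[[str, str], bool]          # credential check supplied by the caller
    failed: Dict[str, int] = field(default_factory=dict)
    locked: Set[str] = field(default_factory=set)

    def attempt(self, account: str, password: str) -> str:
        if account in self.locked:
            return "locked"                     # refuse even a correct password once locked
        if self.verify(account, password):
            self.failed.pop(account, None)      # success resets the failure counter
            return "ok"
        count = self.failed.get(account, 0) + 1
        self.failed[account] = count
        if count >= MAX_FAILED_ATTEMPTS:
            self.locked.add(account)
            return "locked"
        return "failed"


# Constructed stand-in for the real credential check (a salted-hash store in practice).
_TOY_CREDENTIALS = {"j.doe": "Tr0ub4dor&3-correct-horse"}


def toy_verify(account: str, password: str) -> bool:
    return _TOY_CREDENTIALS.get(account) == password


if __name__ == "__main__":
    print(check_password_policy("password"))
    print(password_expired("2024-01-01", "2024-04-01"))
    throttle = LoginThrottle(verify=toy_verify)
    for guess in ["a", "b", "c", "d", "e"]:
        print(throttle.attempt("j.doe", guess))
    print(throttle.attempt("j.doe", "Tr0ub4dor&3-correct-horse"))  # locked
```

The lockout returns the same "locked" answer whether or not the password was right, so a correct guess on the sixth attempt is not rewarded; unlocking is left to an administrator or a separate timed reset, which this example does not model.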
Inputting Information Security Access Controls
In today’s complex and constantly evolving IT world, access control must be regularly monitored and updated in accordance with new risks. A comprehensive security plan will not only limit who gets access to what data but will also shift and react properly in response to novel threats.
If you realize that your information security access controls are lacking or need modernizing, reach out to RSI Security to speak with a professional security expert. RSI Security offers a host of services that will help protect and ensure your business’s continued growth and success.
Barnum, S. (2005). Complete Mediation. Cyber Infrastructure (US-CERT). https://www.us-cert.gov/bsi/articles/knowledge/principles/complete-mediation
Fox, C. (2016). Recognizing the Gaps in Gap Analysis. Risk Management. http://www.rmmagazine.com/2016/10/03/recognizing-the-gaps-in-gap-analysis/
Spector, H. Advantages and Disadvantages of Access Control Systems. Techwalla.