How Do You Best Implement Access Control? Why Should You Be Choosy?
Who should access your company’s data? How do you make sure those who request access have been granted that access? When should you deny access to a user with access privileges? For effective data security, your organization’s security controls and access control policy must address these (and other) questions.
What is Access Control?
Access control is a mechanism of validating the users’ identity to ensure they are who they say they are and that they have the appropriate access to corporate data and systems. If we take a high-level approach, it is a selective restriction of access to data that consists of two components: authentication and authorization.
While these terms are often used interchangeably, they are not the same, although they complement each other. Authentication is used to verify that someone is who they claim to be. Authorization determines whether a user should be allowed to access the data or make the transaction they’re attempting. Authentication and authorization work together to provide a layered approach to data security.
Access control is a key component of data security. Lack or poor implementation of these controls can have a catastrophic impact on any organization. The truth is that every modern organization today needs some level of access control. With employees accessing remotely systems, applications and data, and accelerated migration to the cloud, it becomes increasingly important. If your data could be of any value to someone without the proper authorization to access it, then your organization needs strong access control.
Considerations for Access Control Implementation
Although everyone agrees that access control is critical for businesses, there is some debate on how to best enforce and implement these security controls. Businesses operate in hybrid environments where data transits from on-premises servers and cloud applications to offices, homes, hotels, cars and coffee shops with private networks or open Wi-Fi hotspots. This fluid business environment makes enforcing access control difficult. In a dynamic world, where traditional borders have vanished, access control requires the enforcement of persistent policies.
An additional risk factor is the fact that access to data is being requested using an increasingly large range of devices, including PCs, laptops, smartphones, tablets, and other internet of things (IoT) devices. That level of diversity makes it a real challenge to create and secure consistency in access policies.
While traditionally access control was a static, one-time authentication process, today this is not adequate. Modern business models require a dynamic, risk-based methodology that is identity-centric. In a perimeter-less business environment, perimetry security is obsolete and identity has become the cornerstone of corporate security strategies towards a zero-trust paradigm. A sophisticated access control policy must cater for a step up in authentication to respond to evolving risk factors and minimize the impact in case of a security breach.
Access control rules must change based on evolving risks and must support consistently all their computing infrastructure, from on-premises legacy apps to cloud assets and applications. In addition, they must cater for a smooth user experience, otherwise, employees will either become counterproductive or will find ways to bypass them to do their job.
What Are the Available Types?
Organizations must determine the appropriate access control model to adopt based on the type and sensitivity of data they are processing. They may select from either DAC, MAC, RBAC or ABAC models. Here’s a quick breakdown of each model.
- Discretionary Access Control (DAC): The data owner specifies the rules and decides on access.
- Mandatory Access Control (MAC): People are granted access based on regulations from a central authority.
- Role Based Access Control (RBAC): Access is granted based on a user’s role and implements key security principles, such as “least privilege” and “separation of privilege.” Someone attempting to access information can only access data that is necessary to perform their role.
- Attribute Based Access Control (ABAC): Each resource and user is assigned a series of attributes, such as time of day, position, and location, which are used to make the access decision.
Organizations should decide which model is the most appropriate based on data sensitivity and operational requirements for data access. This is especially important for organizations that operate in a highly regulated environment, where security and privacy laws and regulations, like GDPR, HIPAA, CCPA, etc., dictate that access control is a core capability.
What is Next?
The reality of data spread across multiple cloud service providers and a growing number of SaaS applications dictates the need to orchestrate an access security solution. While there are many vendors in the wild offering a range of authentication and identity management solutions, businesses should look for platforms that can integrate with on-premises Active Directory and legacy apps as well as with cloud-based services. These solutions should offer features like Single Sign-On with step-up authentication that includes multi-factor authentication and support for various authentication models.
In today’s complex IT and business environment, access control must be a dynamic and living security infrastructure that evolves together with the technological landscape and threat surface to secure cloud-first and digital transformation initiatives.
Danna Bethlehem is the Director of Product Marketing in Access Management at Thales. With her strong understanding of the industry, combined with a deep understanding of customer solutions and strategies, she regularly contributes to the Thales blog and produces valuable cybersecurity articles around Identity and Access Management.