What is access control? A key component of information security

Access controls authenticate and authorize individuals to access the information they are allowed to see and use.


Who should access your company's data? How do you make sure those who attempt access have actually been granted that access? Under which circumstances do you deny access to a user with access privileges?

To effectively protect your data, your organization's access control policy must address these (and other) questions. What follows is a guide to the basics of access control: What it is, why it's important, which organizations need it the most, and the challenges security professionals can face.

What is access control?

Access control is a method of guaranteeing that users are who they say they are and that they have the appropriate access to company information.

At a high level, access control is a selective restriction of access to data. It consists of two main components: authentication and authorization, says Daniel Crowley, head of research for IBM's X-Force Red, which focuses on data security.

Authentication is a technique used to verify that someone is who they claim to be. Authentication isn't sufficient by itself to protect data, Crowley notes. What's needed is an additional layer, authorization, which determines whether a user should be allowed to access the data or make the transaction they're attempting.

Without authentication and authorization, there is no data security, Crowley says. "In every data breach, access controls are among the first policies investigated," notes Ted Wagner, CISO at SAP National Security Services, Inc. "Whether it be the inadvertent exposure of sensitive data improperly secured by an end user or the Equifax breach, where sensitive data was exposed through a public-facing web server operating with a software vulnerability, access controls are a key component. When not properly implemented or maintained, the result can be catastrophic."

Any organization whose employees connect to the internet—in other words, every organization today—needs some level of access control in place. "That's especially true of businesses with employees who work out of the office and require access to the company data resources and services," says Avi Chesla, CEO of cybersecurity firm empow.

Put another way: If your data could be of any value to someone without proper authorization to access it, then your organization needs strong access control, Crowley says.

Another reason for strong access control: Access mining

The collection and selling of access descriptors on the dark web is a growing problem. For example, a new report from Carbon Black describes how one cryptomining botnet, Smominru, mined not only cryptocurrency, but also sensitive information including internal IP addresses, domain information, usernames and passwords. The Carbon Black researchers believe it is "highly plausible" that this threat actor sold this information on an "access marketplace" to others who could then launch their own attacks by remote access.

These access marketplaces "provide a quick and easy way for cybercriminals to purchase access to systems and organizations.... These systems can be used as zombies in large-scale attacks or as an entry point to a targeted attack," said the report's authors. One access marketplace, Ultimate Anonymity Services (UAS), offers 35,000 credentials with an average selling price of $6.75 per credential.

The Carbon Black researchers believe cybercriminals will increase their use of access marketplaces and access mining because they can be "highly lucrative" for them. The risk to an organization goes up if its compromised user credentials have higher privileges than needed.

Access control policy: Key considerations

Most security professionals understand how critical access control is to their organization. But not everyone agrees on how access control should be enforced, says Chesla. "Access control requires the enforcement of persistent policies in a dynamic world without traditional borders," Chesla explains. Most of us work in hybrid environments where data moves from on-premises servers or the cloud to offices, homes, hotels, cars and coffee shops with open wi-fi hot spots, which can make enforcing access control difficult.

"Adding to the risk is that access is available to an increasingly large range of devices," Chesla says, including PCs, laptops, smart phones, tablets, smart speakers and other internet of things (IoT) devices. "That diversity makes it a real challenge to create and secure persistency in access policies."

In the past, access control methodologies were often static. "Today, network access must be dynamic and fluid, supporting identity and application-based use cases," Chesla says.

A sophisticated access control policy can be adapted dynamically to respond to evolving risk factors, enabling a company that's been breached to "isolate the relevant employees and data resources to minimize the harm," he says.

Enterprises must assure that their access control technologies "are supported consistently through their cloud assets and applications, and that they can be smoothly migrated into virtual environments such as private clouds," Chesla advises. "Access control rules must change based on risk factor, which means that organizations must deploy security analytics layers using AI and machine learning that sit on top of the existing network and security configuration. They also need to identify threats in real-time and automate the access control rules accordingly."

4 Types of access control

Organizations must determine the appropriate access control model to adopt based on the type and sensitivity of data they're processing, says Wagner. Older access models include discretionary access control (DAC) and mandatory access control (MAC); role based access control (RBAC) is the most common model today, and the most recent model is known as attribute based access control (ABAC).

Discretionary access control (DAC)

With DAC models, the data owner decides on access. DAC is a means of assigning access rights based on rules that users specify.

Mandatory access control (MAC)

MAC was developed using a nondiscretionary model, in which people are granted access based on an information clearance. MAC is a policy in which access rights are assigned based on regulations from a central authority.

Role Based Access Control (RBAC)

RBAC grants access based on a user's role and implements key security principles, such as "least privilege" and "separation of privilege." Thus, someone attempting to access information can only access data that's deemed necessary for their role.

Attribute Based Access Control (ABAC)

In ABAC, each resource and user are assigned a series of attributes, Wagner explains. "In this dynamic method, a comparative assessment of the user's attributes, including time of day, position and location, are used to make a decision on access to a resource."
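To make the RBAC and ABAC models above concrete, here is an added Python example (not code from the article or any vendor it mentions) with a toy RBAC decision beside an ABAC one; every role, attribute, resource and rule is constructed, and `blast_radius` illustrates the earlier point that an over-privileged credential exposes more when it is stolen.

```python
"""Added example (not from the article): toy RBAC and ABAC policy decision
points. All roles, permissions, attributes and rules are constructed."""
from dataclasses import dataclass

# RBAC: permissions hang off roles and users hold roles. Least privilege
# means each role carries only the (action, resource) pairs its job needs.
ROLE_PERMISSIONS = {
    "analyst": {("read", "reports")},
    "finance": {("read", "reports"), ("write", "ledger")},
    "admin": {("read", "reports"), ("write", "ledger"), ("read", "hr_records")},
}

def rbac_allows(user_roles, action, resource):
    """Allow if any of the user's roles grants (action, resource)."""
    return any((action, resource) in ROLE_PERMISSIONS.get(r, set())
               for r in user_roles)

def blast_radius(user_roles):
    """Everything a stolen credential holding these roles could reach."""
    reach = set()
    for r in user_roles:
        reach |= ROLE_PERMISSIONS.get(r, set())
    return reach

# ABAC: the decision compares attributes of the user, the resource and the
# environment (time of day, position, location) rather than a role name.
@dataclass
class Request:
    user: dict      # e.g. {"position": "finance", "location": "office"}
    resource: dict  # e.g. {"owner_dept": "finance", "sensitivity": "high"}
    env: dict       # e.g. {"hour": 14, "network": "corp"}  (hour is UTC)
    action: str

def abac_allows(req):
    """Constructed rules: requests from an unknown location are refused;
    high-sensitivity data only from the corporate network in business
    hours; writes only by the department that owns the resource."""
    if req.user.get("location") not in {"office", "home"}:
        return False
    if req.resource["sensitivity"] == "high":
        if req.env["network"] != "corp" or not 8 <= req.env["hour"] < 18:
            return False
    if req.action == "write" and req.user["position"] != req.resource["owner_dept"]:
        return False
    return True
```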

It's imperative for organizations to determine which model is most appropriate for them based on data sensitivity and operational requirements for data access. In particular, organizations that process personally identifiable information (PII) or other sensitive information types, including Health Insurance Portability and Accountability Act (HIPAA) or Controlled Unclassified Information (CUI) data, must make access control a core capability in their security architecture, Wagner advises.

Access control solutions

A number of technologies can support the various access control models. In some cases, multiple technologies may need to work in concert to achieve the desired level of access control, Wagner says.

"The reality of data spread across cloud service providers and SaaS applications and connected to the traditional network perimeter dictate the need to orchestrate a secure solution," he notes. "There are multiple vendors providing privilege access and identity management solutions that can be integrated into a traditional Active Directory construct from Microsoft. Multifactor authentication can be a component to further enhance security."

Why authorization remains a challenge

Today, most organizations have become adept at authentication, says Crowley, particularly with the growing use of multifactor authentication and biometric-based authentication (such as facial or iris recognition). In recent years, as high-profile data breaches have resulted in the selling of stolen password credentials on the dark web, security professionals have taken the need for multi-factor authentication more seriously, he adds.

Authorization is still an area in which security professionals "mess up more often," Crowley says. It can be challenging to determine and perpetually monitor who gets access to which data resources, how they should be able to access them, and under which conditions they are granted access, for starters. But inconsistent or weak authorization protocols can create security holes that need to be identified and plugged as quickly as possible.

Speaking of monitoring: However your organization chooses to implement access control, it must be constantly monitored, says Chesla, both in terms of compliance with your corporate security policy as well as operationally, to identify any potential security holes. "You should periodically perform a governance, risk and compliance review," he says. "You need recurring vulnerability scans against any application running your access control functions, and you should collect and monitor logs on each access for violations of the policy."
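The log review Chesla recommends, as an added Python example that is not from the article: it checks each logged access against a written policy and flags allowed accesses the policy forbids (configuration drift), off-hours access to sensitive resources, and users accumulating denials. The log format, policy table, thresholds and sample lines are all constructed.

```python
"""Added example (not from the article): reviewing access logs for policy
violations. Log format, policy table, thresholds and log lines are constructed."""
import re
from collections import Counter

# Constructed written policy: (action, resource) pairs each role may use.
POLICY = {
    "analyst": {("read", "reports")},
    "finance": {("read", "reports"), ("write", "ledger")},
}
SENSITIVE = {"ledger", "hr_records"}  # off-hours access to these is flagged
DENY_THRESHOLD = 3                    # this many denials from one user is flagged
LOG_RE = re.compile(r"^(?P<ts>\S+) user=(?P<user>\S+) role=(?P<role>\S+) "
                    r"action=(?P<action>\S+) resource=(?P<resource>\S+) result=(?P<result>ALLOW|DENY)$")

def parse(line):
    """Split one log line into fields; an unknown format is an error, not silently skipped."""
    m = LOG_RE.match(line.strip())
    if not m:
        raise ValueError(f"unparseable log line: {line!r}")
    return m.groupdict()

def review(lines):
    """Return (kind, user, detail) findings for the given log lines."""
    findings, denials = [], Counter()
    for rec in map(parse, lines):
        permitted = (rec["action"], rec["resource"]) in POLICY.get(rec["role"], set())
        hour = int(rec["ts"][11:13])  # timestamps are ISO 8601 UTC
        if rec["result"] == "ALLOW" and not permitted:
            # Enforcement granted what the written policy forbids: the deployed configuration has drifted.
            findings.append(("policy_drift", rec["user"], f'{rec["action"]} {rec["resource"]} as {rec["role"]}'))
        if rec["result"] == "ALLOW" and rec["resource"] in SENSITIVE and not 8 <= hour < 18:
            findings.append(("off_hours", rec["user"], f'{rec["resource"]} at {rec["ts"]}'))
        if rec["result"] == "DENY":
            denials[rec["user"]] += 1  # a burst of denials from one user suggests probing
    for user, n in denials.items():
        if n >= DENY_THRESHOLD:
            findings.append(("repeated_denials", user, f"{n} denied requests"))
    return findings

# Constructed sample log: three denials for alice, a 02:03 UTC ledger write by bob,
# and an analyst (carol) read of hr_records that enforcement let through.
SAMPLE_LOG = """\
2019-04-02T09:15:02Z user=alice role=analyst action=read resource=reports result=ALLOW
2019-04-02T09:16:40Z user=alice role=analyst action=write resource=ledger result=DENY
2019-04-02T09:16:45Z user=alice role=analyst action=read resource=hr_records result=DENY
2019-04-02T09:16:50Z user=alice role=analyst action=write resource=reports result=DENY
2019-04-02T02:03:11Z user=bob role=finance action=write resource=ledger result=ALLOW
2019-04-02T10:20:00Z user=carol role=analyst action=read resource=hr_records result=ALLOW
"""
```

Run `review(SAMPLE_LOG.splitlines())` to see the three findings; in practice the policy table would be loaded from the same source the enforcement point uses, so drift between the two is what the first check catches.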

In today's complex IT environments, access control must be regarded as "a living technology infrastructure that uses the most sophisticated tools, reflects changes in the work environment such as increased mobility, recognizes the changes in the devices we use and their inherent risks, and takes into account the growing movement toward the cloud," Chesla says.

Copyright © 2019 IDG Communications, Inc.