Any organisation whose employees connect to the Internet—in other words, every business today—needs some level of access control in place.
Access controls authenticate and authorise individuals to access the information they are allowed to see and use. But in order to be effective, organisations need to address the challenges in implementing and maintaining access control.
5 key challenges for enforcing access control
- The need for persistent policies
Most security professionals understand how critical access control is to their organisation. But not everyone agrees on how access control should be enforced, says Avi Chesla, CEO of cybersecurity firm empow. “Access control requires the enforcement of persistent policies in a dynamic world without traditional borders.”
Most of us work in hybrid environments where data moves from on-premises servers or the cloud to offices, homes, hotels, cars and coffee shops with open WiFi hotspots, which can make enforcing access control difficult.
The growing number of devices in use, such as PCs, laptops, smartphones, tablets and smart speakers, makes it a real challenge to create and secure persistent access policies.
- Deciding upon the most appropriate control model
Organisations must determine the appropriate access control model to adopt based on the type and sensitivity of data they’re processing, says Ed Wagner, CISO, SAP National Security Services.
Older access models include Discretionary Access Control (DAC) and Mandatory Access Control (MAC). With DAC models, the data owner decides on access. DAC is a means of assigning access rights based on rules that users specify.
There’s also MAC, which was developed using a nondiscretionary model, in which people are granted access based on an information clearance. MAC is a policy in which access rights are assigned based on regulations from a central authority.
Today, Role Based Access Control (RBAC) is the most common model, Wagner says. RBAC grants access based on a user’s role and implements key security principles, such as “least privilege” and “separation of privilege.” Thus, someone attempting to access information can only access data that’s deemed necessary for their role.
The most recent model is known as Attribute Based Access Control (ABAC), in which each resource and each user is assigned a set of attributes, Wagner explains. “In this dynamic method, a comparative assessment of the user’s attributes, including time of day, position and location, is used to make a decision on access to a resource.”
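To make the differences between the four models concrete, the following added example (not code from the article or from any product it mentions) evaluates the same request under DAC, MAC, RBAC and ABAC. All users, resources, roles, labels, attributes and the ABAC rule itself are constructed for illustration.

```python
# Added example, not code from the article or any product it mentions.
# The same access request is evaluated under DAC, MAC, RBAC and ABAC so the
# differences between the models become visible. Every user, resource, role,
# label and attribute below is constructed sample data.
from dataclasses import dataclass


@dataclass
class Request:
    user: str
    action: str       # "read" or "write"
    resource: str
    hour: int         # hour of day, 0-23 (environment attribute)
    location: str     # "office" or "remote" (environment attribute)


# DAC: the data owner decides; the owner keeps an ACL of grants to others.
DAC_ACL = {"payroll.xlsx": {"owner": "alice", "grants": {"bob": {"read"}}}}


def dac_allows(req):
    entry = DAC_ACL.get(req.resource)
    if entry is None:
        return False
    if req.user == entry["owner"]:
        return True  # the owner has full discretion over their own data
    return req.action in entry["grants"].get(req.user, set())


# MAC: a central authority labels each resource; a user needs at least that
# clearance. Neither owners nor users can change the labels or clearances.
LEVELS = {"public": 0, "internal": 1, "confidential": 2}
RESOURCE_LABEL = {"payroll.xlsx": "confidential"}
USER_CLEARANCE = {"alice": 3, "bob": 1, "carol": 2}


def mac_allows(req):
    label = RESOURCE_LABEL.get(req.resource)
    if label is None:
        return False
    return USER_CLEARANCE.get(req.user, 0) >= LEVELS[label]


# RBAC: permissions attach to roles, users are assigned roles. A user with no
# role gets nothing (least privilege by default).
ROLE_PERMS = {
    "payroll_clerk": {("payroll.xlsx", "read")},
    "payroll_admin": {("payroll.xlsx", "read"), ("payroll.xlsx", "write")},
}
USER_ROLES = {"alice": {"payroll_admin"}, "bob": {"payroll_clerk"}, "carol": set()}


def rbac_allows(req):
    return any((req.resource, req.action) in ROLE_PERMS.get(role, set())
               for role in USER_ROLES.get(req.user, set()))


# ABAC: a rule compares user, resource and environment attributes at
# request time, so the answer can change with the hour or the location.
USER_DEPT = {"alice": "finance", "bob": "finance", "carol": "sales"}
RESOURCE_ATTRS = {"payroll.xlsx": {"dept": "finance", "min_clearance": 2}}


def abac_allows(req):
    res = RESOURCE_ATTRS.get(req.resource)
    if res is None:
        return False
    if USER_DEPT.get(req.user) != res["dept"]:
        return False
    if USER_CLEARANCE.get(req.user, 0) < res["min_clearance"]:
        return False
    if not 8 <= req.hour < 18:          # business hours only
        return False
    if req.action == "write" and req.location != "office":
        return False                    # writes only from the office
    return True


def evaluate(req):
    """Decision under each model for one request, keyed by model name."""
    return {"dac": dac_allows(req), "mac": mac_allows(req),
            "rbac": rbac_allows(req), "abac": abac_allows(req)}


if __name__ == "__main__":
    for req in (Request("bob", "read", "payroll.xlsx", 10, "remote"),
                Request("carol", "read", "payroll.xlsx", 10, "office"),
                Request("alice", "write", "payroll.xlsx", 22, "remote")):
        print(req, evaluate(req))
```

Running it shows why the choice matters: bob's read is allowed by the owner's ACL and by his clerk role but refused by MAC (his clearance is too low) and by ABAC (same reason), carol passes MAC on clearance alone while every other model refuses her, and alice, who owns the file and holds the admin role, is still refused by ABAC when she tries to write outside business hours from a remote location.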
It’s imperative for organisations to decide which model is most appropriate for them based on data sensitivity and operational requirements for data access. In particular, organisations that process personally identifiable information (PII) or other sensitive information types, including Health Insurance Portability and Accountability Act (HIPAA) or Controlled Unclassified Information (CUI) data, must make access control a core capability in their security architecture, Wagner advises.
- You may need multiple solutions for access control
A number of technologies can support the various access control models. In some cases, multiple technologies may need to work in concert to achieve the desired level of access control, Wagner says. “The reality of data spread across cloud service providers and SaaS applications and connected to the traditional network perimeter dictates the need to orchestrate a secure solution,” he notes. “There are multiple vendors providing privileged access and identity management solutions that can be integrated into a traditional Active Directory construct from Microsoft. Multifactor authentication can be a component to further enhance security.”
- Authorisation is still an Achilles’ heel for some organisations
Today, most organisations have become adept at authentication, says Crowley, especially with the growing use of multifactor authentication and biometric-based authentication (such as facial or iris recognition). In recent years, as high-profile data breaches have resulted in the selling of stolen password credentials on the dark web, security professionals have taken the need for multifactor authentication more seriously, he adds.
Authorisation is still an area in which security professionals “mess up more often,” Crowley says. For starters, it can be challenging to determine and perpetually monitor who gets access to which data resources, how they should be able to access them, and under which conditions they are granted access. Yet inconsistent or weak authorisation checks create security holes that need to be identified and plugged as quickly as possible.
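The gap between authentication and authorisation described above is easiest to see in code. The following added example (not from the article, and not any vendor's code) shows a document endpoint that verifies the caller's session but never checks whether that caller may see the requested object, beside a corrected handler that authorises against the specific document, denies by default and records each denial so it can be monitored. The session tokens, documents and sharing lists are constructed sample data.

```python
# Added example, not code from the article. A document endpoint that
# authenticates the caller but skips object-level authorisation, beside the
# corrected handler. Sessions, documents and ACLs are constructed sample data.
import logging

logging.basicConfig(format="%(levelname)s %(message)s")
log = logging.getLogger("authz")

SESSIONS = {"tok-alice": "alice", "tok-bob": "bob", "tok-carol": "carol"}
DOCUMENTS = {
    101: {"owner": "alice", "shared_with": {"bob"}, "body": "Q3 payroll"},
    102: {"owner": "carol", "shared_with": set(), "body": "sales notes"},
}
DENIALS = []  # (user, doc_id) pairs, kept so denials can be monitored


class AuthError(Exception):
    pass


class Forbidden(Exception):
    pass


def authenticate(token):
    """Who is calling? This is the step most organisations now do well."""
    user = SESSIONS.get(token)
    if user is None:
        raise AuthError("invalid session")
    return user


def get_document_vulnerable(token, doc_id):
    """Authenticates and then returns any document by id. Because it never
    asks whether this user may see this document, any logged-in user can read
    every document: a broken object-level authorisation check."""
    authenticate(token)
    return DOCUMENTS[doc_id]["body"]


def is_authorised(user, doc):
    return user == doc["owner"] or user in doc["shared_with"]


def get_document_fixed(token, doc_id):
    """Authenticate, then authorise against the specific object. Deny by
    default, give the same answer for 'missing' and 'not yours', and record
    the denial so repeated probing shows up in monitoring."""
    user = authenticate(token)
    doc = DOCUMENTS.get(doc_id)
    if doc is None or not is_authorised(user, doc):
        DENIALS.append((user, doc_id))
        log.warning("denied user=%s doc_id=%s", user, doc_id)
        raise Forbidden("not found or not permitted")
    return doc["body"]


def try_read(handler, token, doc_id):
    """Helper for comparing the two handlers: body on success, None on denial."""
    try:
        return handler(token, doc_id)
    except (Forbidden, AuthError):
        return None


if __name__ == "__main__":
    # carol is authenticated but has no grant on document 101
    print("vulnerable:", try_read(get_document_vulnerable, "tok-carol", 101))
    print("fixed:     ", try_read(get_document_fixed, "tok-carol", 101))
    print("denials:   ", DENIALS)
```

The design point in the fixed handler is that the authorisation decision is made per object, not once per session, and that the denial path is both uniform (a missing document and a forbidden one look the same to the caller) and logged, which gives the "perpetual monitoring" the text asks for something concrete to watch.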
- Your access control policies should be capable of dynamically changing
In the past, access control methodologies were often static. “Today, network access must be dynamic and fluid, supporting identity and application-based use cases,” Chesla says.
A sophisticated access control policy can be adapted dynamically to respond to evolving risk factors, enabling a company that’s been breached to “isolate the relevant employees and data resources to minimise the damage,” he says.
Enterprises must ensure that their access control technologies “are supported consistently through their cloud assets and applications, and that they can be smoothly migrated into virtual environments such as private clouds,” Chesla advises. “Access control rules must change based on risk factor, which means that organisations must deploy security analytics layers using AI and machine learning that sit on top of the existing network and security configuration. They also need to identify threats in real time and automate the access control rules accordingly.”
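As an added example of the dynamic, risk-driven policy this section describes (not code from the article or from empow), the block below makes an access decision that moves with a live risk signal rather than a fixed allow/deny list: moderate risk requires a fresh multifactor prompt, high risk denies, and a confirmed compromise isolates the account at once. The analytics layer is stood in for by a `report_risk()` call, and the users, scores and thresholds are illustrative assumptions.

```python
# Added example, not code from the article or from empow. An access decision
# that moves with a risk signal instead of a fixed allow/deny list. The
# "analytics layer" is stood in for by report_risk(); users and scores are
# constructed sample data, and the thresholds are illustrative assumptions.
from dataclasses import dataclass
from enum import Enum


class Decision(Enum):
    ALLOW = "allow"
    STEP_UP = "step_up_mfa"   # allow only after a fresh multifactor prompt
    DENY = "deny"


@dataclass
class Context:
    user: str
    sensitivity: int          # of the resource: 1 (low) .. 3 (high)
    device_managed: bool      # corporate-managed device?
    new_location: bool        # first time seen from this location?
    mfa_age_minutes: int      # minutes since the user last passed MFA


# live per-user signal written by the (hypothetical) analytics layer
RISK = {}


def report_risk(user, score, compromised=False):
    """Update the signal; subsequent decisions for this user change at once."""
    RISK[user] = {"score": max(0, min(score, 100)), "compromised": compromised}


def isolate(user):
    """Breach response: mark the account compromised so every decision denies
    until incident response clears it."""
    report_risk(user, 100, compromised=True)


def risk_score(ctx):
    """Combine the live signal with static context into one 0-100 score."""
    score = RISK.get(ctx.user, {}).get("score", 0)
    if not ctx.device_managed:
        score += 20
    if ctx.new_location:
        score += 20
    return min(score, 100)


# the more sensitive the resource, the less risk is tolerated
DENY_AT = {1: 80, 2: 60, 3: 40}


def decide(ctx):
    if RISK.get(ctx.user, {}).get("compromised"):
        return Decision.DENY
    score = risk_score(ctx)
    limit = DENY_AT[ctx.sensitivity]
    if score >= limit:
        return Decision.DENY
    if score >= limit // 2:
        return Decision.STEP_UP
    if ctx.sensitivity == 3 and ctx.mfa_age_minutes > 60:
        return Decision.STEP_UP   # high-value data wants recent MFA regardless
    return Decision.ALLOW


if __name__ == "__main__":
    ctx = Context("dana", sensitivity=3, device_managed=True,
                  new_location=False, mfa_age_minutes=5)
    print("baseline:", decide(ctx))
    report_risk("dana", 30)       # analytics flags unusual behaviour
    print("after signal:", decide(ctx))
    isolate("dana")               # breach confirmed
    print("isolated:", decide(ctx))
```

The same request context yields three different answers as the signal changes, which is the property the text is after: the rule set does not need rewriting when risk rises, only the input does, and a compromised account can be cut off from every resource with one state change rather than an edit to each policy.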
The bottom line on access control
In today’s complex IT environments, access control must be regarded as “a living technology infrastructure that uses the most sophisticated tools, reflects changes in the work environment such as increased mobility, recognises the changes in the devices we use and their inherent risks, and takes into account the growing movement toward the cloud,” Chesla says.