Access Control is a Foundation of Information Security
Information security is all about preventing unauthorized access to data. So it’s obvious that managing access—access control—is critical to implementing effective information security.
Authentication
Authentication is the first component of access control. It means determining that a user or system requesting access is who they claim to be. Authentication is typically done with user IDs and passwords. It is often supplemented by a second factor: a one-time token delivered to the user’s phone or held on a smart card, or biometrics that validate a user’s physical features such as fingerprints.
Authorization
Once you’ve determined that the person requesting access is who they say they are, authorization controls determine which data and systems the user can access. In information systems, access can be defined as the ability to read, write, or execute certain data and files. Deciding what to grant requires identifying both the functions the user needs to perform and the data they need to see. More sophisticated rules often also take into account factors such as where the user is connecting from, the type of device they are using (desktop computer or mobile phone), and the time of day at which they request access.
Assigning access privileges to individual users is difficult to manage and frequently results in too many privileges being granted. Role-based access control (RBAC) makes privileges easier to manage by grouping the permissions required to perform particular functions into roles. By assigning users the permissions identified as appropriate for their role, they can be given the minimum access required to perform their jobs. Access control lists (ACLs) are a common mechanism for implementing RBAC.
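The following added example (not code from the original article) puts the two preceding paragraphs together: permissions are grouped into roles, users are assigned roles, and a request is granted only if some role of the user carries the (resource, action) pair and the contextual rules on device, network location and time of day also pass. The roles, users and the specific contextual rules are assumptions made for the example.

```python
from dataclasses import dataclass
from typing import Dict, Set, Tuple

# Role templates (constructed): each role is the set of (resource, action) pairs it grants.
ROLE_PERMISSIONS: Dict[str, Set[Tuple[str, str]]] = {
    "analyst": {("reports", "read")},
    "editor":  {("reports", "read"), ("reports", "write")},
    "admin":   {("reports", "read"), ("reports", "write"), ("users", "write")},
}

# Users are assigned roles, never individual permissions.
USER_ROLES: Dict[str, Set[str]] = {
    "alice": {"analyst"},
    "bob":   {"editor"},
    "carol": {"admin"},
}


@dataclass(frozen=True)
class Context:
    device: str    # "desktop" or "mobile"
    network: str   # "corporate" or "external"
    hour: int      # local hour of the request, 0-23


def effective_permissions(user: str) -> Set[Tuple[str, str]]:
    """Union of the permissions of every role the user holds."""
    perms: Set[Tuple[str, str]] = set()
    for role in USER_ROLES.get(user, set()):
        perms |= ROLE_PERMISSIONS.get(role, set())
    return perms


def context_allows(action: str, ctx: Context) -> Tuple[bool, str]:
    """Contextual rules assumed for this example; a denial returns its reason."""
    if action == "write" and ctx.device == "mobile":
        return False, "write actions are not permitted from mobile devices"
    if action == "write" and ctx.network != "corporate":
        return False, "write actions require the corporate network"
    if ctx.network == "external" and not 7 <= ctx.hour < 20:
        return False, "external access is limited to 07:00-20:00"
    return True, "ok"


def authorize(user: str, resource: str, action: str, ctx: Context) -> Tuple[bool, str]:
    """Deny by default: the role check comes first, then the contextual rules."""
    if (resource, action) not in effective_permissions(user):
        return False, f"no role of {user!r} grants {action} on {resource}"
    ok, reason = context_allows(action, ctx)
    if not ok:
        return False, reason
    return True, "allowed"


if __name__ == "__main__":
    office = Context(device="desktop", network="corporate", hour=10)
    print(authorize("alice", "reports", "read", office))
    print(authorize("alice", "reports", "write", office))
    print(authorize("bob", "reports", "write", Context("mobile", "corporate", 10)))
```

Because every decision carries a reason, a denied request can be logged with exactly which role or rule blocked it, which is what makes later access reviews tractable.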
Monitoring Access
Access requires ongoing monitoring, in two respects. First, actual access to your networks, systems, and data needs to be reviewed to ensure that there are no attempts at unauthorized access. Second, when users’ responsibilities change, the access rights granted to them need to change as well, and deleting user privileges when an employee leaves the organization is also critical. RBAC makes this review easier because it makes clear why each privilege was granted.
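Both aspects of monitoring described above are worked through in this added example (not code from the original article): it parses a small set of constructed authentication log lines to flag bursts of failed logins and successful logins by unknown or departed users, and it compares each account's actual permissions against its role template to find privileges that should have been removed when responsibilities changed. The log format, directory snapshot and thresholds are all assumptions made for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List, Set

# Constructed role templates and directory snapshot. "granted" is what is
# actually present on the account; "role" is what the person currently does.
ROLE_TEMPLATE: Dict[str, Set[str]] = {
    "analyst": {"reports:read"},
    "editor":  {"reports:read", "reports:write"},
}
DIRECTORY = {
    "alice": {"status": "active",   "role": "analyst", "granted": {"reports:read"}},
    # bob moved from editor to analyst but kept his old write permission
    "bob":   {"status": "active",   "role": "analyst", "granted": {"reports:read", "reports:write"}},
    # dave has left but the account was never disabled
    "dave":  {"status": "departed", "role": "editor",  "granted": {"reports:read", "reports:write"}},
}

# Constructed authentication log (one event per line).
LOG = """\
2024-03-01T02:14:05Z user=mallory src=203.0.113.7 result=FAIL
2024-03-01T02:14:09Z user=mallory src=203.0.113.7 result=FAIL
2024-03-01T02:14:12Z user=alice src=203.0.113.7 result=FAIL
2024-03-01T02:15:40Z user=bob src=203.0.113.7 result=FAIL
2024-03-01T02:16:02Z user=carol src=203.0.113.7 result=FAIL
2024-03-01T08:01:10Z user=alice src=192.0.2.10 result=FAIL
2024-03-01T08:01:30Z user=alice src=192.0.2.10 result=OK
2024-03-01T09:00:00Z user=dave src=198.51.100.4 result=OK
2024-03-01T09:30:00Z user=bob src=192.0.2.11 result=OK
"""

LINE = re.compile(r"^(?P<ts>\S+) user=(?P<user>\S+) src=(?P<src>\S+) result=(?P<result>OK|FAIL)$")


def parse_log(text: str) -> List[dict]:
    """Turn log lines into events; malformed lines are skipped rather than guessed at."""
    events = []
    for line in text.splitlines():
        m = LINE.match(line)
        if m:
            e = m.groupdict()
            e["ts"] = datetime.strptime(e["ts"], "%Y-%m-%dT%H:%M:%SZ")
            events.append(e)
    return events


def failed_login_bursts(events: List[dict], threshold: int = 5,
                        window: timedelta = timedelta(minutes=5)) -> Set[str]:
    """Source addresses with >= threshold failures inside any sliding window."""
    by_src: Dict[str, List[datetime]] = defaultdict(list)
    for e in events:
        if e["result"] == "FAIL":
            by_src[e["src"]].append(e["ts"])
    flagged: Set[str] = set()
    for src, times in by_src.items():
        times.sort()
        start = 0
        for end in range(len(times)):
            while times[end] - times[start] > window:
                start += 1
            if end - start + 1 >= threshold:
                flagged.add(src)
                break
    return flagged


def suspicious_successes(events: List[dict], directory: dict) -> List[str]:
    """Users who logged in successfully but are unknown or marked departed."""
    hits = {e["user"] for e in events
            if e["result"] == "OK"
            and directory.get(e["user"], {}).get("status", "unknown") != "active"}
    return sorted(hits)


def excess_privileges(directory: dict, template: Dict[str, Set[str]]) -> Dict[str, Set[str]]:
    """Permissions present on an account that its current role does not justify."""
    return {user: rec["granted"] - template[rec["role"]]
            for user, rec in directory.items()
            if rec["granted"] - template[rec["role"]]}


def stale_accounts(directory: dict) -> List[str]:
    """Accounts that still hold any permission although the person has departed."""
    return sorted(u for u, rec in directory.items()
                  if rec["status"] == "departed" and rec["granted"])


EVENTS = parse_log(LOG)

if __name__ == "__main__":
    print("failed-login bursts:", failed_login_bursts(EVENTS))
    print("suspicious successes:", suspicious_successes(EVENTS, DIRECTORY))
    print("excess privileges:", excess_privileges(DIRECTORY, ROLE_TEMPLATE))
    print("stale accounts:", stale_accounts(DIRECTORY))
```

The burst detector keys on the source address rather than the user name, since password guessing typically spreads across many accounts from one source; the review functions are the periodic recertification step, run against the directory rather than the log.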
In addition to monitoring the access granted, you should monitor systems for vulnerabilities that allow access even when privileges are not granted. This can be done through manual reviews and automated vulnerability assessments.
Access control is one component of a strong information security program. Prescient Solutions cybersecurity services offer a comprehensive approach to information security, utilizing firewalls, data loss prevention software, identity and access management, antivirus, and other controls to implement a robust defensive strategy. Contact us to learn more about the best ways to approach protecting your valuable data and systems.