Stay up to date
Stay up to date with the latest threat reports, articles & mistakes to avoid.
Simple, yet important content.
No salesy pitches and all that, promise!
Access control is unarguably one of the essential aspects of information security. It is the means or method by which your business or any entity or organisation of interest can deny access to an object to subjects or entities not permitted specific access rights. Access control provides an organisational means to limit and control access permission to and by end-users and other interested entities to grant only approved and adequate access.
By securing your access controls, you can construct systems and applications that can be used at any time with any size of user base or load – and only your users can get to the data they need, when and how they need it. How is this done? Through an access control security software.
What is access control?
Access control is a security mechanism by which an entity, such as an individual or system process, is allowed or disallowed access to a physical or logical resource. The term also refers to how this restriction is applied.
There are two types of access control, i.e. physical access control and logical access control. Access controls provide a means to control who can do, use, or see what can be applied at many different levels in any system or application.
The most commonly recognised access control is the username and password combination. Some access controls are straightforward, while others are complex, depending on the desired control that you seek to apply. But in modern software, access controls are mostly structured and implemented within an application.
Access control systems or mechanisms are required in every business because they provide for the entire security framework. Other elements of data security remain affected if the business did not apply access controls correctly and appropriately. Every control required to be operational for your business must have security management and a design in place addressing the access control security implementation.
Your business must provide the necessary environment wherein your assets can be secured, and access to only authorised users or entities can be granted. These access control security mechanisms must be in place for each resource or asset that must be secured and protected, and for each person and process authorised to obtain access rights. The following points discuss the main components of access control.
At the heart of every access control is the process of authentication – obtaining authenticated user identification and password information that has been validated. Another critical component of many access control systems is the process of authorisation, where the identity or element is verified based on available access to a specified object.
Authentication systems allow the organisation or company to confirm user identity by the provision of valid, legally acceptable identification information such as a unique employee id, access id, etc. Access is then granted based on the authentication. Authorisation, on the other hand, not only requires valid information or identification but also requires an ongoing evaluation, which attributes determine the rights and privileges that the user should be given for the requested resource.
Change management and audit trails are an important component ensuring records as well as critical help during incident response process. This process records events around who has access, what access has been granted, which resources are accessed and when is all this happening/happened.
The presence of an information security management system can assure access controls. A system must be available to evaluate, audit, and correct information, access, and other data security management processes, thereby keeping them running smoothly and correctly.
Why is access control important?
Data security is crucial in our evolving IT environment. Access control security is not a low-priority item on your long-term priorities. Access control refers to who can do what and when, end-to-end, and within a larger context; it is also about the process of obtaining, validating, and using that access information.
Before we address this question in technical terms, compliance and regulatory requirements often cite this as important requirement:
PCI DSS requirement 9 states that businesses should have sufficient access controls to restrict physical access to cardholder data. It is defined as:
“Any physical access to data or systems that house cardholder data provides the opportunity for persons to access and/or remove devices, data, systems or hardcopies, and should be appropriately restricted.”
PCI DSS requirement 10 ‘Track and monitor all access to network resources and cardholder data’ relates to logging and monitoring user activities that are important in preventing, detecting and minimizing the impact of a data compromise.
Therefore, exercises such as PCI DSS penetration tests are often a business case providing assurance against the PCI DSS scope.
Similarly, ISO 27001, SOC2, GDPR and other regulations mandate the implementation of secure access controls to protect data.
While the process may seem simple enough, ensuring accurate and appropriate access control is crucial for providing your company’s foundational security. Secure access controls are necessary for:
The first and most important reason for access control is to preserve confidentiality. While this might seem like a simple concept on the surface, the more you delve into confidentiality’s underlying requirements, the more complicated – yet, essential, the information to be protected becomes.
Confidentiality is the term used to describe the concept or means by which information is not disclosed or revealed and protected from unauthorised users and entities. Ideally, the information that you want to protect is such that it is not directly available or assignable to any one individual user or entity. It is where the notion of group privileges comes into play.
- Restrict unauthorised access:
Another essential aspect of access control security is ensuring that only authorised users can access or use the objects they are permitted to access. It is also critical that an unauthorised user or entity’s attempt or action to access protected information be contained and reduced.
An access control security solution can provide an increased security and reliability level over the utilisation of only local access control options – such as physical locks or username and password combination. A multi-tiered system or mechanism will provide an increased level of security to reduce unauthorised users from gaining access to sensitive data.
- Eliminate key concerns:
Another fundamental to consider when thinking about access control and security is that access control is a long-standing concept that will not go away anytime soon. There are many emerging security concepts and technologies that are replacing certain aspects of access control security controls. However, the need to identify a specific user or entity, validate the credentials, and then provide specific access rights and privileges will continue to be part of the security management process for the foreseeable future.
- Prevent data interception:
While the solution may not always be as glamorous as the typical Hollywood thriller, access controls also include a means to ensure that the accessing or using entity does not try to gain unauthorised access to the data they are attempting to use or access. All access must be collected and then processed to provide reliable or authorised service and prevent any sensitive information interception.
- Control data ownership & duplicates:
The ability to control data ownership provides a means to ensure that you have control and ownership of the data that has been created or entered – and that you are the only user for which you have the authority to control and change. Access controls have a significant impact on the processes in which your business can operate securely – and these controls can be put into place to reduce or eliminate data duplication.
What are the different types of Access Control?
The most common and widely used access controls are listed below. The underline of this concept remains following the principle of least privilege and default deny rule. These are also known as different access control models, known by their abbreviations MAC, DAC, RBAC and RB-RBAC.
Discretionary Access Control (DAC):
The term discretionary in this context means that it is up to either the company, the system, or the user to determine what access privileges will be granted for the user to be granted or denied access. It is typically done with the use of access control lists – ACLs. Any given access control of this type may be implemented in a wide variety of ways depending on your specific access control requirement. There are no standards, but basically, there are the local or user-level access controls and the group-level access controls.
Mandatory Access Control:
Mandatory access control (MAC) is an implementation where all access requests are denied unless the requesting entity has established enough validated credentials to allow access. It is specifically for more sensitive or restricted types of information or resources such as government and military environments where access is restricted based on device or user’s security clearance.
Again, for mandatory access control (MAC), your access control requirement dictates the specific implementation and drills down to access rights that have been granted by a central authority. All other access requests must be denied.
Role-Based Access Control:
Role-based access control (RBAC) is an implementation where the user or entity must be associated with a specific role or job function. Typically, this means that access is granted based on the position or function that the user is playing or filling. It is considered one of the more secure and best-controlled access control types because it is generally an easy way to group access privileges and period them into easily digestible components. This way, a single user will have several access privileges granted by their position in the organisation, function, team, or other logical entity.
Attribute-Based Access Control:
Attribute-based access control is an implementation where rights are granted by virtue or based on a third-party attribute or attribute base. It is an internal access control model and is by nature not available for external access. This particular access control model is generally based on validation of attributes such as a username, token, digital certificate, or role validation. It provides a more granular and specific approach to access control than most traditional access control models.
Rule-based Access Control
This strategy is for manging user access on systems such as administrator defined rules. These may be based on certain conditions such as date, time, location or days/months. Role-based and rule-based controls are used together in certain scenarios to ensure high security.
Break glass is another interesting control model where privileged account access is used to bypass normal access control procedures. It is similar to extending someone’s rights temporarily when other alternatives (normal process) are exhausted such as helpdesk or support is unavailable and system admin is on leave. Break glass is normally the case where user does not have privileged account access otherwise, and is allowed in exceptional instances as defined by the organisation.
Discuss your concerns today
What does ACL mean in Computers?
Access control list or ACL stands for a list of permissions or permissions for a specific resource. Typically ACLs are applied on a file, directory, or network resource, though they also may be used at the process level. Access control security measures include access control lists, commonly written as ACLs to maintain the integrity of a network or an environment.
An ACL can be a precise control that can be applied to the most in-depth and most granular level, or it can be as simple as you or your network management team need it to be. Control of access to resources is based on:
- Who has access to the network/system/application or resource: Most commonly, this is who is allowed on the network, though it could also be who is allowed to access software or resources in an application or system.
- What the user or users can do with the resource accessed based on allocated privileges: This includes key functions such as modifying, viewing, writing, etc.
- What resource the user or users are accessing: This is typically associated with resources at the directory or file level – the file or directory they are allowed to access.
In this context, it’s important to note that the context of an access control generally has to be secure, and its specific location must be known. This is critical to the successful implementation of an access control security system.
What is the purpose of NAC?
Network Access Control (NAC) is a means by which network and system access is restricted based on the access control list. NAC provides a means to ensure that only authorised users or entities can access the network and its resources. It differentiates users based on the type of access they are allowed or denied. Any unauthorised users who try to access the network without proper validation and authorisation will be denied access.
Network NAC can be applied in various ways. It can be applied to the network, devices, or specific applications such as company email. Another use is to ensure employees are connecting to the relevant systems and networks in compliance with your company-provided security policies and rules. Depersonalised access control mechanism and methods may be used to validate and authorise the proper access to the company network, email, and devices.
Network access control also provides a means by which access to other systems or applications within your business can be protected. Any unauthorised access can be successfully prevented or detected.
What are the three key activities performed by NAC?
Network access control can enforce authentication, authorisation, and accounting activities. All devices communicating with the network are required to complete these activities based on validating the user or other requesting entity credentials against the existing access control policies, rules and regulations.
- User Authentication:
Authentication is the process of obtaining user credentials or credentials for some entity or device. It is a means by which the validity of the identity of the requesting entity is established. Through the authentication process, entities are distinguished, and port access privileges or policies are validated.
- User/Entity Authorisation:
When the network receives a request to access or connect, that request must be compared to the access control list for the resource or system. If the request passes the evaluation, then the network access is validated. If the request fails the evaluation, then access to the network is denied. It is an authorisation process whereby access is validated by comparing the requested access and the actual or granting access rules.
Accounting is the process by which the network access control system can provide data that depicts the user’s or entity’s access. This added accountability ensures that network and system resources are used appropriately.
With the current threat landscape and data significance, businesses can’t rely on the perimeter firewall and anti-virus solutions only. Defence in depth principle requires a layered approach towards security while balancing usability and other security elements to ensure cyber security returns.
Effective access controls should be applied to ensure authorised users have pain free access and unauthorised access attempts are logged, monitored and responded in line with security policies. One of the methods to identify the gaps in your security strategy covering access controls is third party validation exercises such as network penetration testing assessments that include reviews of key components such as authentication, authorisation, logging , monitoring. Get in touch to discuss your primary security concerns. We offer a free consultation to help you make informed choices about your environment while providing flexibility and transparency around deliverables, costs and time frames.