Safety and Security
On December 10th 1948, the General Assembly of the United Nations (UN) adopted and proclaimed the Universal Declaration of Human Rights, Article 3 of which states: "Everyone has the right to life, liberty and security of person". We all want to feel safe. We all want to feel secure. We all want to know that the things we value are safe and secure. The first port of call, and the simplest and most effective tool, is to control who has access to the people, places and things we value and care most about in this world. Access control.
In the digital working world, access control is a security technique that regulates who or what can view or use resources in a computing environment. It is a fundamental security concept that minimises risk to an organisation, whether that is a business, a corporation or an individual.
The two types of access controls are: Physical and Logical.
Physical access control limits access to campuses, buildings, rooms and physical IT assets. Logical access control limits connections to computer networks, system files and data.
To secure a facility, organisations use electronic access control systems that rely on user credentials; access card readers; auditing; and reports to track employee access to restricted business locations, such as data centres. Some of these systems use access control panels to restrict entry to rooms and buildings as well as alarms and lockdown capabilities to prevent unauthorised access or operations.
Access control systems can use passwords, personal identification numbers (PINs), biometric scans, security tokens or other factors to authenticate a user or entity before authorising access. Multi-factor authentication, which requires two or more independent factors, is often an important part of a layered defence.
These controls work in three steps: identifying an individual or entity, verifying (authenticating) that the person or application is who or what it claims to be, and authorising the access level set for that identity, such as a username or, for a network-level control, a source IP address. Organisations use different access control models depending on their compliance requirements and the sensitivity of the information technology they are trying to protect.
Main types of access control
Mandatory access control (MAC): A security model in which access rights are regulated by a central authority based on multiple levels of security. It is often used in government and military environments: classification labels are assigned to resources, clearances to users and devices, and the operating system, not the resource owner, grants or denies access by comparing the clearance of the user or device with the classification of the resource.
Discretionary access control (DAC): An access control method in which the owner of a resource (or an administrator) decides who or what is authorised to access it, typically through an access control list or permission bits that the owner can change at their discretion.
Role-based access control (RBAC): A widely used mechanism that restricts access to computer resources according to business function (an executive role, an engineer role and so on) rather than the identities of individual users. Permissions are attached to roles and users are assigned to roles, so a change of job is handled by changing role membership rather than editing every individual permission.
Rule-based access control: A security model in which the system administrator defines the rules that grant or deny access. These rules are often based on conditions such as time of day or location.
Attribute-based access control (ABAC): A method that manages access by evaluating a set of rules, policies and relationships against the attributes of the user, the resource and the environmental conditions of the request.
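To make the five models above concrete, here is an added example (not code from the original article) with one small decision function per model: a "no read up" clearance check for MAC, an owner-controlled ACL for DAC, role-to-permission mapping for RBAC, a time-and-location condition for rule-based control, and attribute policies for ABAC. All users, roles, labels and policies are constructed for illustration and are not drawn from any real system.

```python
"""Added example (not from the original article): a toy decision function for each
access control model. All users, roles, labels and policies are constructed."""
from dataclasses import dataclass, field
from datetime import time

# --- Mandatory access control (MAC) ---------------------------------------
# A central authority labels subjects (clearance) and objects (classification).
# The system enforces the ordering; the resource owner cannot override it.
# "No read up": a subject may read only at or below its own clearance.
LEVELS = {"UNCLASSIFIED": 0, "CONFIDENTIAL": 1, "SECRET": 2, "TOP SECRET": 3}


def mac_can_read(clearance: str, classification: str) -> bool:
    return LEVELS[clearance] >= LEVELS[classification]


# --- Discretionary access control (DAC) -----------------------------------
# The owner of a resource decides who else may use it, via an ACL.
@dataclass
class DacFile:
    owner: str
    acl: dict = field(default_factory=dict)  # user -> set of permissions

    def grant(self, actor: str, user: str, perm: str) -> None:
        # Only the owner may change the ACL; anyone else is refused.
        if actor != self.owner:
            raise PermissionError(f"{actor} does not own this file")
        self.acl.setdefault(user, set()).add(perm)

    def allows(self, user: str, perm: str) -> bool:
        return user == self.owner or perm in self.acl.get(user, set())


# --- Role-based access control (RBAC) -------------------------------------
# Permissions attach to roles (business functions); users are assigned roles.
ROLE_PERMISSIONS = {
    "engineer": {"repo:read", "repo:write"},
    "finance": {"ledger:read", "ledger:write"},
    "auditor": {"repo:read", "ledger:read"},
}
USER_ROLES = {"jane": {"engineer"}, "omar": {"finance"}, "ana": {"auditor"}}


def rbac_allows(user: str, perm: str) -> bool:
    # An unknown user has no roles and therefore no permissions.
    return any(perm in ROLE_PERMISSIONS[role] for role in USER_ROLES.get(user, ()))


# --- Rule-based access control --------------------------------------------
# Administrator-defined conditions on the request context: time and location.
def rule_allows(request_time: time, network: str) -> bool:
    business_hours = time(8, 0) <= request_time <= time(18, 0)
    return business_hours and network == "corporate"


# --- Attribute-based access control (ABAC) --------------------------------
# Each policy evaluates attributes of the subject, the resource and the environment.
def abac_allows(subject: dict, resource: dict, env: dict) -> bool:
    policies = [
        # A clinician may read records of patients in their own department,
        # but only from a managed device.
        lambda s, r, e: r.get("type") == "patient_record"
        and s.get("role") == "clinician"
        and s.get("department") == r.get("department")
        and e.get("managed_device", False),
        # A patient may always read their own record.
        lambda s, r, e: r.get("type") == "patient_record"
        and s.get("patient_id") is not None
        and s.get("patient_id") == r.get("patient_id"),
    ]
    return any(policy(subject, resource, env) for policy in policies)


if __name__ == "__main__":
    print("MAC  SECRET reads CONFIDENTIAL:", mac_can_read("SECRET", "CONFIDENTIAL"))
    f = DacFile(owner="alice")
    f.grant("alice", "bob", "read")
    print("DAC  bob reads alice's file:", f.allows("bob", "read"))
    print("RBAC jane writes repo:", rbac_allows("jane", "repo:write"))
    print("Rule 22:00 from home network:", rule_allows(time(22, 0), "home"))
    print("ABAC cardiology clinician, managed device:",
          abac_allows({"role": "clinician", "department": "cardiology"},
                      {"type": "patient_record", "department": "cardiology", "patient_id": "p1"},
                      {"managed_device": True}))
```

The important contrast is where the decision lives: in MAC the owner of a file cannot loosen its label, in DAC the owner is exactly who can, RBAC and rule-based control centralise the decision with the administrator, and ABAC combines subject, resource and request context so that the same user on an unmanaged device is denied.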
When a user is added to an access management system, administrators provision permissions, usually through an automated workflow, based on the access control framework in use, the user's job responsibilities and business workflows. The best practice of "least privilege" restricts access to only the resources an employee needs to perform their job. One of the most common access control failures is not revoking credentials and access to systems and data when an individual moves to a different job internally or leaves the company.
Four Access Control Tips
1. Put a strict process in place for assigning and revoking access rights for all your user types and for all your systems and services, including a step that verifies a user's identity before, for example, issuing or resetting a password.
2. Only give users access to the resources they need to do their jobs. This limits the harm that a disgruntled employee, or an attacker who has compromised that employee's account, could do.
3. At least twice a year, review access rights for your users. Has Jane changed departments or jobs? Has she left your organisation? Have associated controls been updated accordingly?
4. Make sure that all your most sensitive data (financials, PII and PHI) is securely maintained, with access strictly limited on a “need-to-know” or “least privilege” basis.
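Tips 1 to 3 describe a joiner, mover and leaver process with periodic review. The following added example (not code from the original article) shows the core of such a review: an HR roster is reconciled against an entitlement export from a system, and every entitlement held by someone who has left, by someone whose current department does not justify it, or by an account with no HR record at all is flagged for revocation. The roster, the entitlements and the per-department baseline of permitted roles are constructed for illustration.

```python
"""Added example (not from the original article): reconcile an HR roster against a
system entitlement export and list access that should be revoked. All data and the
department baselines are constructed for illustration."""
from typing import NamedTuple


class Employee(NamedTuple):
    user: str
    status: str       # "active" or "left"
    department: str


class Entitlement(NamedTuple):
    user: str
    system: str
    role: str


# Least-privilege baseline: the (system, role) pairs each department legitimately needs.
DEPARTMENT_ROLES = {
    "engineering": {("git", "developer"), ("ci", "runner")},
    "finance": {("erp", "accounts_payable"), ("erp", "reporting")},
}


def review_access(roster, entitlements):
    """Return (reason, entitlement) pairs for every entitlement that should be revoked."""
    by_user = {emp.user: emp for emp in roster}
    findings = []
    for ent in entitlements:
        emp = by_user.get(ent.user)
        if emp is None:
            # Account exists in the system but nobody in HR owns it.
            findings.append(("orphan: no HR record", ent))
        elif emp.status != "active":
            # Tip 1: the leaver process should have removed this already.
            findings.append(("leaver: employee has left", ent))
        elif (ent.system, ent.role) not in DEPARTMENT_ROLES.get(emp.department, set()):
            # Tip 3: a mover who kept access from a previous job.
            findings.append(("mover: role not justified by current department", ent))
    return findings


# Constructed sample data for the review.
ROSTER = [
    Employee("jane", "active", "finance"),      # moved from engineering to finance
    Employee("omar", "left", "engineering"),    # has left the company
    Employee("ana", "active", "engineering"),
]
ENTITLEMENTS = [
    Entitlement("jane", "git", "developer"),    # leftover from her old engineering job
    Entitlement("jane", "erp", "reporting"),    # justified by her current job
    Entitlement("omar", "git", "developer"),    # should have been revoked on exit
    Entitlement("ana", "ci", "runner"),         # justified
    Entitlement("svc_legacy", "git", "developer"),  # no HR record owns this account
]

if __name__ == "__main__":
    for reason, ent in review_access(ROSTER, ENTITLEMENTS):
        print(f"REVOKE {ent.user:<11} {ent.system}/{ent.role:<16} {reason}")
```

In practice the roster comes from the HR system and the entitlements from each application's or directory's export, and the review runs on the cadence tip 3 recommends. Orphan accounts deserve particular attention: they are often service or test accounts whose original owner has long since left, so nobody is reviewing them.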
CybACADEMY courses, powered by GoldPhish®, educate employees on cyber risk and help build a more secure organisation through awareness training.