A primary goal of Access Control is to prevent loss, be it losses of confidentiality, information integrity or information availability. It goes without saying that in order to protect your assets and information, you must explicitly control who and what has access. (And sometimes when, where and how.) Ideally, Access Control is well defined as part of a comprehensive Security Policy, one that is clearly understood by the personnel bound by it.
A few pitfalls in Access Control:
- Not adhering to a Least Privilege strategy – Simply put, personnel and workstations are granted the least privilege necessary to perform their responsibilities and no more. A computer at a reception desk shouldn’t have access to critical organizational information. The same is true for a vendor who may legitimately need access to some area of an organization’s resources. Do not allow more access than is absolutely necessary.
- Excessive Privileges or Creeping Privileges – This can happen when a manager moves from one role to another and, through oversight, retains access to assets of the initial role. Another example is where personnel have risen in an organization over time. As one gains increased privileges within the system, it may be awkward to remove access a person no longer needs to perform regular duties. Standing policies and regular reviews of access are good ways to reduce these vulnerabilities.
- Allowing personnel to access critical information in less secure environments or on less secure devices – An organization may allow a junior executive to retain access to systems and information while on vacation in a foreign country. In all but the rarest circumstances, disabling such access reduces the risk of compromise. Likewise, mobile devices, by definition, aren’t always protected by an organization’s firewall. Train your personnel in what the organization requires, on site and off.
- Single Factor Authentication – An Identity which attempts to access systems and information must be Authenticated. Authentication may be as simple as providing the right password for the Identity. This is sometimes referred to as “something you know.” A more secure Authentication strategy is Multifactor Authentication. This may include a small device you carry, also referred to as “something you have.” Biometrics is also a growing factor in Authentication, using unique physical aspects of an Identity, or “something you are.” Multifactor Authentication provides more secure Access Control than any single factor alone.
- Failing to suspend accounts and collect keys and devices assigned to personnel leaving the organization before the person leaves the premises. If the organization uses keyless entryways, change the codes at reasonable intervals and especially when someone leaves the organization.
These are but a few examples of comprehensive Access Control. NESP can help you with your policies, procedures and training. If you have any questions about reducing your risk from improper access, give us a call or send us email today. We are here to help!