The importance of access control

Business owners and managers are constantly identifying areas of risk and taking steps to mitigate that risk. In an IT environment, risk takes the form of access. An organization may possess a wealth of resources, but those resources are not available to every employee, customer or partner.

Businesses implement access control to ensure that each user (inside or outside of the organization) only has access to the resources necessary to perform their respective tasks, while preventing access to resources that are not relevant to the user.

Solution providers need to recognize the importance of access control in everyday security, understand its management implications, and help clients match access control to compliance obligations. The first installment of this Hot Spot Tutorial explores the goals of access control and other considerations as it relates to user identities and authentication.

Access control goals and considerations
There are many different types of access control: network access control (NAC), identity management (IDM), Web access control, remote access control, and device or endpoint access control. This tutorial deals with the importance of access control related to user identity — in other words, ensuring that users have access to the right data (or other corporate resources).

Access control involves three processes: authentication, authorization and audit. Authentication confirms the user’s credentials in order to allow access to resources. Every business implements authentication to one extent or another. Credentials may include a simple user name and password, or more sophisticated multifactor authentication like a smart card and PIN.

The second process, authorization, allows users access to the appropriate applications, servers, data stores and physical items (such as building doors and equipment). “One [process] figures out who it is, and the other one figures out what they can do,” said Andrew Plato, president of Anitian Enterprise Security, a security solution provider headquartered in Beaverton, Ore.

Authorization is often handled by manually correlating authenticated users to specific applications or other resources — a time-consuming and error-prone activity. Recent developments like single sign-on (SSO) and other IDM technologies promise to bring automation and better control to the process.

Access control is increasingly tied to access auditing and reporting. Auditing, the third process in access control, creates a user activity trail. Administrators can analyze the audit trail and identify access anomalies that might reveal inappropriate access assignments on the part of administrators or unauthorized access attempts on the part of users.

The practice of “least privilege,” which limits user access to the minimum number of corporate resources needed for immediate job functions, has become crucial in access control, helping to minimize business risk. Even application design is affected by least privilege principles.

“Web browsers are a great example. They’re becoming the window into so many sensitive applications — everything from banking to internal [customer relationship management],” said Pete Sclafani, senior director of information systems and strategy at United Layer, a managed Internet service provider in San Francisco. “Having an application that doesn’t use least privilege … can become a liability even though it helps worker productivity [to be] able to access documents from anywhere.”

Access, and associated privileges, can be determined through a number of different techniques. The method used in each client’s organization will depend upon their environment, circumstances and business needs.

Mandatory access control (MAC) matches “sensitivity labels” to users and resources, allowing users to access objects or resources up to or including their level of sensitivity. This type of access control is rigid and rarely used except by governments and military organizations.

Discretionary access control (DAC) allows the owner of a resource or object to determine which users can access a resource. DAC is also rarely used because there is little central control over resource access.

The most common and familiar access control technique is role-based access control (RBAC), where privileges are assigned to organized groups of users. For example, Level 1 engineers and human resource generalists may receive very different access privileges. A user placed into either of those groups will receive the access privileges granted to that group.

By Stephen J. Bigelow, Senior Technology Writer
Reference Source: http://searchsecuritychannel.techtarget.com/generic/0,295582,sid97_gci1340568,00.html