Digital transformation changes the perimeter. When organizations had all their applications on-premises, the network firewall kept the right users inside the gate and malicious actors outside. However, the move to the cloud changed all that. In today’s hyper-connected ecosystem, understanding the components and types of access control can help you strengthen security.
What is access control?
Access control consists of data and physical access protections that strengthen cybersecurity by managing users’ authentication to systems. Managing access means setting and enforcing appropriate user authorization, authentication, role-based access control (RBAC) policies, and attribute-based access control (ABAC) policies.
An organization supplies every identity – human or digital – with credentials, like a username and password. Then, those credentials are granted permissions to access resources, data, and applications whether on-premises or in the cloud.
What are the types of access control?
Although multiple types of access controls exist, cloud migration has changed their relative importance. Since the National Institute of Standards and Technology (NIST) publishes a well-known security framework, using NIST Special Publication (SP) 800-53’s definitions offers good insight into the different types of access controls.
Discretionary access controls (DAC)
According to the NIST SP 800-53, DAC is defined as an access control policy enforced over all subjects and objects granting information access that allows the subject to:
- Pass the information to other subjects or objects
- Grant its privileges to other subjects
- Change security attributes of subjects, objects, systems, or system components
- Choose security attributes associated with newly-created or revised objects
- Change rules governing access control
A good example of DAC would be giving someone Editor privileges for a folder in Google Drive. That person can share information, give the same privileges to others, change other users’ ability to edit/read information, and choose security attributes for any other assets in the folder.
Mandatory access controls (MAC)
NIST SP 800-53 defines MAC as an access control policy uniformly enforced across all subjects and objects, ultimately placing restrictions on DAC. MAC controls limit a subject’s access by preventing:
- Passing the information to unauthorized subjects or objects
- Giving its privileges to others
- Changing security attributes on subjects, objects, systems, or system components
- Changing access control rules
MAC limits users’ ability to share information. This is where traditional Google Drive controls often create problems because they only allow file and folder owners to give Edit, Read, and Comment permissions. While Edit permissions essentially establish DAC, Read and Comment limit access but do not give a user the right to edit an asset directly.
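To make the DAC/MAC contrast concrete, here is an added example (not code from the original article or from any product it mentions) in which an owner-managed access control list plays the DAC role and a uniformly enforced sensitivity label plays the MAC role. The user names, labels and document are constructed; the point it shows is that a DAC share can succeed while MAC still prevents the recipient from reading.

```python
"""Added example: a DAC access control list layered under a MAC label check.

Under DAC the owner of an object can share it and delegate its privileges;
MAC is enforced uniformly and overrides whatever the owner chose.
All names, labels and users below are constructed for illustration.
"""
from dataclasses import dataclass, field

# MAC sensitivity labels; a higher number dominates a lower one (constructed ordering).
LEVELS = {"public": 0, "internal": 1, "confidential": 2}


@dataclass
class Subject:
    name: str
    clearance: str  # MAC attribute, set by the organization, not by users


@dataclass
class Document:
    name: str
    classification: str  # MAC attribute on the object
    owner: str
    # DAC part: owner-managed ACL, user -> set of rights ("read", "edit", "share")
    acl: dict = field(default_factory=dict)


class AccessDenied(Exception):
    pass


def mac_allows_read(subject: Subject, doc: Document) -> bool:
    """MAC rule (no read-up): a subject may read only objects at or below its clearance."""
    return LEVELS[subject.clearance] >= LEVELS[doc.classification]


def dac_allows(subject: Subject, doc: Document, right: str) -> bool:
    """DAC rule: the owner holds every right; others hold what the ACL grants them."""
    if subject.name == doc.owner:
        return True
    return right in doc.acl.get(subject.name, set())


def can_read(subject: Subject, doc: Document) -> bool:
    """Both layers must agree: MAC restricts what DAC would otherwise allow."""
    return mac_allows_read(subject, doc) and dac_allows(subject, doc, "read")


def share(granter: Subject, doc: Document, grantee: Subject, rights: set) -> None:
    """DAC delegation: anyone holding 'share' may pass rights on.

    The share succeeds at the DAC layer regardless of the grantee's clearance;
    MAC is what stops the grantee from actually reading if the label forbids it.
    """
    if not dac_allows(granter, doc, "share"):
        raise AccessDenied(f"{granter.name} may not share {doc.name}")
    doc.acl.setdefault(grantee.name, set()).update(rights)


def demo() -> dict:
    """Return a summary of who ends up able to read the constructed document."""
    alice = Subject("alice", "confidential")   # owner
    bob = Subject("bob", "confidential")
    carol = Subject("carol", "internal")       # cleared below the document's label
    doc = Document("q3-forecast", "confidential", owner="alice")

    share(alice, doc, bob, {"read", "share"})  # DAC: owner delegates
    share(bob, doc, carol, {"read"})            # DAC: bob passes it on

    return {
        "bob_reads": can_read(bob, doc),            # DAC grant and MAC label both allow
        "carol_reads": can_read(carol, doc),        # DAC says yes, MAC says no
        "carol_in_acl": "read" in doc.acl["carol"],  # the DAC share itself still happened
    }
```

Running `demo()` shows Bob reading, Carol listed in the ACL but denied, which is exactly the "MAC places restrictions on DAC" relationship described above.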
Role-based access control (RBAC)
RBAC collects all the access permissions a user needs to complete their job function, both explicitly outlined and implicitly needed, and these may be inherited through a hierarchy. A single role may apply to one user or a group of users.
Under RBAC, you assign users access based on their job functions. Therefore, people in the marketing department have access to the networks, systems, and applications they need to do their jobs. This might include your customer relationship management (CRM) application, corporate blog, social media accounts, folders that marketing uses in a shared drive, and your collaboration tool. Additionally, not everyone on the marketing team will have the same access to resources. Your social media manager may be the only person with access to those accounts but does not have access to your corporate blog or CRM.
Additionally, you also need to remember that departments may need to have similar access to resources for different reasons. Your sales team might need access to your CRM and some of the same folders in a shared drive.
As the company’s application ecosystem grows, managing access becomes more challenging.
Attribute-based access control (ABAC)
NIST SP 800-53 does not include ABAC in its definitions section. However, control enhancement 13 of the Access Control family (AC) control “AC-3 Access Enforcement” explains that ABAC is a policy that restricts system access using a combination of:
- Organizational attributes, like job function
- Action attributes, like read, write, and delete
- Environmental attributes, like time of day and geolocation
- Resource attributes, like data type or application
ABAC enables organizations to set privileges and dynamically grant access, making it useful in dynamic cloud environments.
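The following added example (not code from the original article) puts the RBAC and ABAC sections side by side: roles collect permissions and inherit from parent roles, then ABAC rules over action, environmental and resource attributes narrow what a role would otherwise allow. The role names, permissions, and policy rules are constructed; they follow the marketing and sales illustration in the text, where the social media manager holds the social accounts but not the blog or CRM.

```python
"""Added example: RBAC role hierarchy with an ABAC layer on top.

RBAC: roles collect the permissions a job function needs and may inherit from
parent roles.  ABAC: each request is also checked against action, environment
(time of day, country) and resource attributes.  Roles, resources and rules
below are constructed for illustration.
"""
from dataclasses import dataclass
from typing import Callable, List, Optional, Set, Tuple

# ---- RBAC ---------------------------------------------------------------
# role -> (parent roles, permissions).  Permissions are "resource:action".
ROLES = {
    "employee":       ([], {"collab:read", "collab:write"}),
    "marketing":      (["employee"], {"crm:read", "blog:write", "shared-drive/marketing:read"}),
    "social-manager": (["employee"], {"social:write"}),   # no blog or CRM access
    "sales":          (["employee"], {"crm:read", "crm:write", "shared-drive/marketing:read"}),
}


def effective_permissions(role: str, seen: Optional[Set[str]] = None) -> Set[str]:
    """Collect a role's own permissions plus everything inherited up the hierarchy."""
    if seen is None:
        seen = set()
    if role in seen:              # guard against cycles in a misconfigured hierarchy
        return set()
    seen.add(role)
    parents, perms = ROLES[role]
    result = set(perms)
    for parent in parents:
        result |= effective_permissions(parent, seen)
    return result


# ---- ABAC ---------------------------------------------------------------
@dataclass
class Request:
    user: str
    role: str            # organizational attribute (job function)
    action: str          # action attribute: read, write, delete
    resource: str
    resource_type: str   # resource attribute, e.g. "pii" or "public"
    hour: int            # environmental attribute: local hour, 0-23
    country: str         # environmental attribute: geolocation


Rule = Callable[[Request], bool]

# Each rule returns True when the request satisfies it (constructed policy).
ABAC_RULES: List[Rule] = [
    # Writes only during business hours.
    lambda r: r.action != "write" or 8 <= r.hour < 18,
    # Personal data only from an approved country list.
    lambda r: r.resource_type != "pii" or r.country in {"US", "CA"},
]


def authorize(req: Request) -> Tuple[bool, str]:
    """Return (allowed, reason).  RBAC decides first; ABAC can only narrow it."""
    perm = f"{req.resource}:{req.action}"
    if perm not in effective_permissions(req.role):
        return False, f"role {req.role} lacks {perm}"
    for i, rule in enumerate(ABAC_RULES):
        if not rule(req):
            return False, f"ABAC rule {i} denied"
    return True, "allowed"
```

Because ABAC is evaluated after RBAC and can only deny, adding a new environmental rule never widens anyone's access; that ordering is what makes the combination safe to extend as the application ecosystem grows.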
Why is access control important?
Cloud migration changes how you need to protect information. With on-premises applications and data storage, using firewalls to prevent external connections made sense. However, the cloud changed all that.
Today, most employees use some public internet connection to access data and applications. Each access point is a new potential threat vector. Meanwhile, as organizations use more Internet of Things (IoT) devices from printers and “smart” security protections to sensors, those devices also need to connect to networks, applications, and data.
This is one of the reasons that cybercriminals increasingly engage in credential-based attacks. Every time you assign a human or digital identity a login ID and password, you increase the number of attack vectors.
When considering access control as part of strengthening your cybersecurity posture, you should consider the following risks:
- Employee access
- Contractor access
- Network devices
- IoT devices
- Service accounts
- Serverless functions
- Robotic process automations (RPAs/bots)
Because each of these human and digital identities interacts with your networks, systems, and applications, you need to make sure that you have robust access controls for each of them.
Credential theft attacks are harder to detect and remediate. Since the malicious actors use real credentials, your systems, networks, and software believe that they are “safe” users. This is why establishing, enforcing, and maintaining strict access controls create a robust security posture.
How do organizations implement access control?
Beyond the different types of access controls, you need to put several levels of control into place.
Authorization is the process of giving a user the set of permissions they need to access the resources that help them do their job.
Authentication is the process of making sure that the person logging into a resource is who they say they are. Generally, organizations should focus on using multi-factor authentication (MFA), which includes using two or more of the following:
- Something a person knows (password)
- Something a person has (token, smartphone)
- Something a person is (face ID, fingerprint, other biometric)
Since many users have a difficult time setting and remembering complex passwords, they tend to use the same ones across personal and professional login IDs. Further, threat actors often use datasets of known weak passwords to engage in dictionary or brute force password attacks, where they use software to run the list of known weak passwords against the organization’s directory. MFA creates a second step that often alerts users to someone attempting to use their password or prevents the malicious actors from successfully exploiting weak passwords.
User access has a lot of moving parts, especially in cloud-based ecosystems.
Principle of least privilege
User access should be limited according to the principle of least privilege, which means setting the most precise privileges possible so that the person can successfully do their job. However, in complex interconnected ecosystems, this is increasingly difficult.
For example, large application deployments like a CRM have many different modules. To limit access according to the principle of least privilege, you need to make sure that your marketing and sales teams can both access what they need without having access to modules that they don’t need.
Limiting excess access
The principle of least privilege is a control that looks to mitigate excess access risk. Excess access, especially for organizations that only use RBAC, becomes a cybersecurity risk for several reasons.
First, if users have too much access, they may be able to view or download nonpublic personal information (NPI). This is a privacy and potential security risk.
Second, excess access is often a way that malicious actors can leverage a standard user’s privileges to gain access to NPI, databases, or other cloud resources.
Third, as users move within an organization, they often take their historic access from one department to another, especially in organizations that use RBAC only.
Segregation of duties (SoD)
SoD controls are generally used to prevent fraud by making sure that no user access creates a conflict of interest that could be leveraged for fraud. A traditional example of SoD is preventing someone with access to your accounts payable from also having access to your accounts receivable applications.
Privileged access is the riskiest access and often the most difficult to manage. Generally associated with system administrators, privileged access is also referred to as “superuser” access because those who have it can access and change anything. They can create new user IDs and have access to root privileges.
A standard practice is for an organization to create both a standard and a privileged user account for roles that need privileged access and to apply time-bound restrictions to the privileged account. In other words, the privileged account may use its elevated access only for a specific amount of time, its activities are tracked, and the access is terminated automatically when that time ends.
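As an added example (not code from the original article), the block below implements the two controls just described: a segregation-of-duties check that refuses a standing role grant if it would conflict with one the identity already holds, and time-bound privileged elevation that is logged and expires automatically. The role names, the accounts payable/receivable conflict pair, the fixed clock and the durations are constructed.

```python
"""Added example: SoD check at grant time plus time-bound privileged elevation.

Role names, conflict pairs, timestamps and durations are constructed.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import List, Set, Tuple

# Pairs of roles a single identity must never hold at once (constructed).
SOD_CONFLICTS = {frozenset({"accounts-payable", "accounts-receivable"})}


class AccessError(Exception):
    pass


@dataclass
class Elevation:
    role: str
    expires_at: datetime


@dataclass
class Identity:
    name: str
    roles: Set[str] = field(default_factory=set)               # standing (standard) roles
    eligible_privileged: Set[str] = field(default_factory=set)  # roles this identity may elevate to
    elevations: List[Elevation] = field(default_factory=list)  # active time-bound grants
    audit: List[Tuple[datetime, str]] = field(default_factory=list)  # what happened, when


def grant_role(identity: Identity, role: str, now: datetime) -> None:
    """Refuse any standing grant that would create a SoD conflict."""
    for held in identity.roles:
        if frozenset({held, role}) in SOD_CONFLICTS:
            identity.audit.append((now, f"DENIED {role}: conflicts with {held}"))
            raise AccessError(f"{role} conflicts with {held} for {identity.name}")
    identity.roles.add(role)
    identity.audit.append((now, f"GRANT {role}"))


def elevate(identity: Identity, role: str, now: datetime, minutes: int = 60) -> Elevation:
    """Just-in-time privileged access: the role is valid only until expires_at."""
    if role not in identity.eligible_privileged:
        identity.audit.append((now, f"DENIED elevation to {role}"))
        raise AccessError(f"{identity.name} is not eligible for {role}")
    grant = Elevation(role, now + timedelta(minutes=minutes))
    identity.elevations.append(grant)
    identity.audit.append((now, f"ELEVATE {role} for {minutes} min"))
    return grant


def active_roles(identity: Identity, now: datetime) -> Set[str]:
    """Standing roles plus unexpired elevations; expired ones are dropped and logged."""
    still_valid = []
    for e in identity.elevations:
        if now >= e.expires_at:
            identity.audit.append((now, f"EXPIRED {e.role}"))
        else:
            still_valid.append(e)
    identity.elevations = still_valid
    return identity.roles | {e.role for e in still_valid}


def demo() -> dict:
    """Walk one identity through a SoD denial and a 30-minute elevation."""
    t0 = datetime(2024, 1, 1, 9, 0, tzinfo=timezone.utc)   # constructed clock
    pat = Identity("pat", eligible_privileged={"db-admin"})
    grant_role(pat, "accounts-payable", t0)
    try:
        grant_role(pat, "accounts-receivable", t0)
        sod_blocked = False
    except AccessError:
        sod_blocked = True
    elevate(pat, "db-admin", t0, minutes=30)
    during = "db-admin" in active_roles(pat, t0 + timedelta(minutes=10))
    after = "db-admin" in active_roles(pat, t0 + timedelta(minutes=31))
    return {
        "sod_blocked": sod_blocked,
        "admin_during": during,
        "admin_after": after,
        "audit_events": [msg for _, msg in pat.audit],
    }
```

Evaluating expiry inside `active_roles` rather than in a background job means a stale elevation can never be used by accident: the first authorization check after the deadline both removes it and writes the audit record.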
Network access control (NAC)
NAC is an access management strategy that establishes and enforces policies by requiring authentication for both users and devices. With NAC, the organization ensures that users are authorized to access the network and that devices comply with security policies, like having up-to-date security patches and anti-virus software installed.
Data access management
Although at first data access management sounds like user access management, it goes beyond how users access information and also governs what they can do with it.
Data access management includes:
- Classifying data by type
- Limiting user access to sensitive data
- Restricting what users can do with sensitive information, including preventing downloads and sharing
Application controls focus on how applications interact with data and on preventing them from executing in ways that place information at risk. Although organizations often control this access using firewalls, modern applications often interact with databases or have service accounts that automatically connect to devices and storage locations.
When putting application controls in place, you should consider:
- Completeness and validity checks
- Input controls
Although originally intended to prevent malicious code from executing on devices, application controls can also incorporate limiting how standard and approved applications interact with one another.
SecurityScorecard: Continuous assurance through continuous monitoring
SecurityScorecard’s security ratings platform enables organizations to continuously monitor their environments and ecosystems for greater visibility into their security posture. Our platform provides an easy-to-read score using an A-F rating scale for at-a-glance visibility into your current security posture.