Modern Access Control

In cybersecurity, it’s critical to restrict who has access to particular IT assets, such as sensitive data, servers, or applications. The implementation of policies and methods to regulate the ability to view or use resources in your environment is known as access control. This article takes a look at access control in the context of the changing modern IT environment.

Logical and Physical Access Control

If access control is the ability to selectively restrict who can access IT assets, then this can be accomplished in two main ways:

1. Physical controls regulate the ability to access a particular location.
2. Logical controls that limit data and application access through identification, authentication, and authorization.

If you’ve ever worked in an office where you had to swipe a keycard before being granted entry to the building, then you’ve experienced a physical control that protects IT assets. In this example, the control helps to prevent outsiders from entering an office and inflicting harm to systems.

An example of a logical control is to give an employee read-only access to a particular dataset so that they can’t tamper with that data. Logical controls are particularly relevant in today’s complex IT environments. These controls span large domains of security knowledge and software, such as identity and access management (IAM) and privileged access management (PAM) offered by Thales and Beyond Trust.

The overarching importance of these controls is to reduce both outsider and insider threats. Several regulations for which compliance is mandatory to specify strict controls over access levels, including HIPAA and GDPR.

Hybrid IT Access Control Challenges

One of the main modern access control challenges is securing resources across a distributed and hybrid IT environment. Organizations use 2.6 public clouds on average for various business use cases, such as to store data, test and develop software, and run cloud-based applications. This heavy use of cloud computing creates a dilemma about whether to trust the native controls provided by cloud vendors.

You can’t exactly build walls around public cloud servers and secure them with a locked door and a passkey, so physical controls become less relevant in the cloud landscape. In some special cases, cloud vendors may have service level agreements with customers that specify the physical access control standards for their hardware. However, logical controls are more important in the cloud from the perspective of cloud customers wanting to make sure that no unauthorized party can access their cloud resources.

Access Control Models

Here are the three main logical models used to control access.

Mandatory access control (MAC)

In MAC, a system administrator controls access to resources by assigning security labels to those resources based on their sensitivity. Users get authorized to only access resources with a specific security label. This “need to know” access basis is very secure.

MAC is resource-intensive to maintain because it depends on system administrators manually configuring security levels and clearances. Furthermore, user experience can be frustrating because MAC doesn’t provide room for the dynamically changing access needs of modern users. MAC is best used within military or sensitive government departments.

Discretionary access control (DAC)

DAC lets the owners of particular data establish access permissions for specific users or groups of users. This is opposed to MAC where a single entity sets permissions. The ability to share access from one person to another makes this less secure in large corporations with strict compliance requirements.

Role-based access control (RBAC)

In RBAC, the security policy grants access permissions to roles rather than to users. A specific user can be added to one or more business roles. When the user tries to access an application or database, access is granted based on whether that specific role can access the resource. RBAC helps enforce the least privilege principle by ensuring that individual users only get the level of access to resources that they need to carry out their work duties.

Zero Trust Access

Another major challenge for companies trying to protect their IT resources from unauthorized access is the increasingly remote modern workforce. Even before Covid-19, many economists predicted a change to remote work as the next big trend in workforce dynamics. The rapid shift enforced by the pandemic greatly accelerated this trend, and most organizations plan to provide remote work capabilities to employees even after the pandemic ends.

Securing access in a remote work setup creates new challenges. Employees need access to data and applications from devices located outside of the corporate network perimeter. A zero-trust approach is needed to secure access in a remote work environment. Depending on traditional perimeter controls such as firewalls no longer suffices.

In zero-trust, you assume that everything on the network is hostile by default. The mantra is “never trust, always verify”. By adopting a zero-trust strategy, organizations can better protect corporate assets regardless of the location of employees accessing those assets. Some key aspects of zero trust include:

• Multi-factor authentication
• Least privilege access
• Device authentication

This zero-trust approach regards identity as the new perimeter. The concept extends beyond user identity to device and application identity.

Wrapping Up

There are numerous challenging aspects of modern access control that require specific strategies to secure your valuable IT resources. Understanding your environment, choosing a suitable access model, and opting for a zero-trust strategy are all useful tools to better control who can access which resources in complex modern IT environments.