Access Controls: Everything You Need to Know

Access Controls Blog

 

Large tech companies are still unaware of the necessity to protect passwords and train employees on the importance of multi-factor authentication. 

There are so many Access Control options out there these days, it may be hard to narrow down what your company needs to be doing. Whether you need to be compliant for NIST, PCI-DSS, HIPAA or to just get a good night sleep, there are tools that can help.  

The goal of access control is to minimize the risk of unauthorized access to physical and logical systems. Access control is a fundamental component of security compliance programs that ensures security technology and access control policies are in place to protect confidential information 

Levels of Access Controls: 

  1. Mandatory Access Control (MAC)

In MAC, users do not have much freedom to determine who has access to their files. For example, security clearance of users and classification of data (as confidential, secret or top secret) are used as security labels to define the level of trust. 

  1. Discretionary Access Control (DAC)

In DAC, the data owner determines who can access specific resources. For example, a system administrator may create a hierarchy of files to be accessed based on certain permissions. 

  1. Role-Based Access Control (RBAC)

RBAC allows access based on the job title. For example, a human resources specialist should not have permissions to create network accounts; this should be a role reserved for network administrators. 

  1. Rule-Based Access Control

An example of this would be only allowing students to use the labs during a certain time of the day. 

Access Blog

Why Access Controls are Important: 

You may have security measures such as anti-virus systems and advanced firewalls set up to protect your data. However, without any type of user authentication in place you are essentially leaving the front door wide open. The computer itself doesn’t discriminate against the user if they have the correct user name and password. Having different levels of access and multiple devices to make sure someone is who they say they are is now a must have. Putting different access controls in place for your company creates a more secure environment and minimizes the risk of unauthorized users being able to just walk right in the front door. 

How they work – the basic idea 

Multi Factor Authentication (MFA) also known as 2FA or Dual Factor Authentication is a security measure that requires more than one method of authentication to verify the user’s identity for a login or other transaction. Your credentials must come from two different categories to enhance securitySoentering two different passwords would not be considered multi-factor.  

Examples:  

  • Say you swiped your bank card at the ATM and then entered your PIN (personal ID number). This is one simple example of multi-factor authentication, the two factors being your bank card and your pin.  
  • Also, when you log into a website and it sends you a numeric code to your phone which you then entered to gain access to your account– the two factors being your login info and the numeric code.  

Access Blog

When should I use MFA?  

You should use MFA whenever possible. Multifactor authentication is one of the most cost-effective security measure a business can install to protect customers, employees, and all data associated with both. MFA should especially be used when employees are working remote or any user is logging in from an off-premise location. Administrators can adapt the level of support needed using information such as login behavior patterns, geo-location, and type of login system being accessed. For example, when an admin adapts a high level of support and a user logs in from a trusted location where they have logged in before, they will still be prompted for a one-time passcode in order to authenticate. This allows end users to work off-premise and still get the needed security with ease.  

What are the challenges of implementing multi-factor authentication? 

It may require some effort to configure and deploy MFA securely. The tools have lots of moving parts and enterprises will need specialists from different parts of their IT organization to coordinate and configure the infrastructure and get protected logins to work properly. That said, if an enterprise already has Active Directory and is confident that its directory information is accurate, adding multifactor authentication tools can be relatively painless. Cloud-based multifactor products can also be easier to set up. 

Leading Access Control Tools: 

Proof of concepts are coming soon: Duo, Imperva, Protegrity, Vormetric 

You are just a username and password.  

You need to be doing more. Meet your Access Controls goals. Set up Access Controls before its too late. Seek assistance for greater ease in setting up tools. Talk to an expert to make sure you are covered from all angles. Getting a second set of eyes on your security plan. We have helped companies who were oblivious to the vulnerability of their company, even when at first, they thought their current security measures were a sure thing. Don’t leave anything to chance and start getting a good night sleep by taking the next steps with Access Controls. 

Comments