Information access restriction

Access restrictions prevent unauthorized reading, modifying, copying, using or deleting of information and of information processing systems, and thereby reduce the risk of a data breach. This control is therefore considered one of the most important controls there is. Access restrictions should be applied to all data that is not meant to be publicly available, for both digital and physical access.

How

There are many access control models you can use to enforce access. The most commonly used are Role-Based Access Control (RBAC), Mandatory Access Control (MAC), Identity-Based Access Control (IBAC) and Attribute-Based Access Control (ABAC). Each model uses its own mechanism to give users the rights they need to access the data: RBAC grants rights through roles, MAC through classification labels and clearances enforced by the system, IBAC through the identity of the individual user, and ABAC through rules over attributes of the user, the data and the context of the request. Which one is best depends on your organization.

Depending on the size of your organization, managing access rights can become a difficult task. You might have hundreds of applications, each of which requires its own user profiles and access roles. If this sounds familiar, you might need an Identity and Access Management (IAM) system. Such a system manages all user profiles and access roles from one application, and a lot more. Once Single Sign-On (SSO) is set up on top of it, life gets easier for the system administrator, the auditor and the user alike.

As most organizations have already set up some form of access model, there is little need to go into the setup process for these models here. The main challenge is to make sure that access rights are set up as they should be, and stay that way. So remove access rights from users as soon as they no longer need them, for example when they change role or leave the organization.

One other important topic in access control is logging and monitoring. Mistakes happen, so when something goes wrong you should be able to trace back what happened. When someone who has left your organization still has access, you will want to check whether that person used that access and, if so, what they did.
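The following is an added example, not code from the original page: a small deny-by-default decision point that evaluates one request against RBAC, MAC (Bell-LaPadula style clearance checks) and ABAC rules from the model list above, writes every decision to an audit log, and then runs the leaver check described in the previous paragraph over that log. The users, resources, role table, attribute rules and departure dates are all constructed for the example; the decision point deliberately does not know about employment status, which is exactly the gap the audit check is meant to find.

```python
"""Added example: RBAC + MAC + ABAC access decisions with an audit log and a check
for access by people who have already left. All data below is constructed."""
from dataclasses import dataclass, replace
from datetime import date, datetime
from typing import Optional


@dataclass(frozen=True)
class User:
    name: str
    roles: frozenset
    department: str
    clearance: int                  # 0 = public ... 3 = highest classification level
    mfa: bool = False               # did this session authenticate with a second factor?
    left_on: Optional[date] = None  # departure date; None means still employed


@dataclass(frozen=True)
class Resource:
    name: str
    classification: int
    owner_department: str


# RBAC: a role grants a fixed set of (resource, action) pairs (constructed policy).
ROLE_PERMISSIONS = {
    "hr-analyst": {("salary-data", "read")},
    "hr-admin":   {("salary-data", "read"), ("salary-data", "write"), ("board-minutes", "read")},
    "engineer":   {("source-code", "read"), ("source-code", "write")},
}


def rbac_allows(user: User, res: Resource, action: str) -> bool:
    return any((res.name, action) in ROLE_PERMISSIONS.get(r, set()) for r in user.roles)


def mac_allows(user: User, res: Resource, action: str) -> bool:
    """MAC in the Bell-LaPadula style: no read above your clearance, no write below it."""
    if action == "read":
        return user.clearance >= res.classification
    if action == "write":
        return user.clearance <= res.classification
    return False


def abac_allows(user: User, res: Resource, action: str, when: datetime) -> bool:
    """ABAC: rules over attributes of the subject, the object and the environment."""
    if user.department != res.owner_department:        # data stays inside the owning department
        return False
    if res.classification >= 3 and not user.mfa:       # highest level requires MFA
        return False
    if action == "write" and not (8 <= when.hour < 18):  # writes only during office hours
        return False
    return True


def decide(user: User, res: Resource, action: str, when: datetime, audit: list) -> bool:
    """Deny by default: every model must allow the request. Every decision is logged."""
    allowed = (rbac_allows(user, res, action) and mac_allows(user, res, action)
               and abac_allows(user, res, action, when))
    audit.append({"ts": when, "user": user.name, "resource": res.name,
                  "action": action, "allowed": allowed})
    return allowed


def access_after_departure(audit: list, users: list) -> list:
    """Audit check: successful access on or after the user's departure date."""
    by_name = {u.name: u for u in users}
    return [e for e in audit
            if e["allowed"] and by_name[e["user"]].left_on is not None
            and e["ts"].date() >= by_name[e["user"]].left_on]


# Constructed users and resources for the demonstration.
USERS = [
    User("alice", frozenset({"hr-analyst"}), "HR", 2),
    User("bob",   frozenset({"hr-admin"}),   "HR", 2, left_on=date(2024, 3, 1)),
    User("carol", frozenset({"engineer"}),   "Engineering", 1),
    User("dave",  frozenset({"hr-admin"}),   "HR", 3, mfa=True),
]
SALARY = Resource("salary-data", 2, "HR")
MINUTES = Resource("board-minutes", 3, "HR")


def run_demo():
    """Returns (audit log, leaver findings) for a fixed set of requests."""
    audit = []
    alice, bob, carol, dave = USERS
    t = datetime(2024, 3, 15, 10, 0)
    decide(alice, SALARY, "read", t, audit)                      # allowed
    decide(alice, SALARY, "write", t, audit)                     # denied: role lacks write
    decide(carol, SALARY, "read", t, audit)                      # denied: wrong role and department
    decide(bob, SALARY, "write", t, audit)                       # allowed, but bob left on 2024-03-01
    decide(bob, SALARY, "write", t.replace(hour=22), audit)      # denied: outside office hours
    decide(replace(dave, mfa=False), MINUTES, "read", t, audit)  # denied: top level needs MFA
    decide(dave, MINUTES, "read", t, audit)                      # allowed
    return audit, access_after_departure(audit, USERS)


if __name__ == "__main__":
    log, findings = run_demo()
    for entry in log:
        print(entry)
    print("access after departure:", findings)
```

Note that bob's request on 15 March is allowed by all three models because nobody removed his role after he left on 1 March; only the audit check over the log surfaces it, which is why the text treats removing rights promptly and monitoring access as two separate controls.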

Risks

Setting access controls too restrictively can prevent users from doing their work. They might even find other ways to get at the information, for example by exporting a data set and storing it in an insecure location. That may help the users get at the data quickly, but it does nothing to secure the data. Setting access controls too permissively allows unauthorized users to access the data. The challenge is therefore to find a balance between securing access to the data and the user-friendliness of the access methods used.

Example Control Ruleset

When the following controls are in place, you should be compliant for this topic:

  • Sensitive information is only accessible to persons or systems that need that data to perform their duties.
  • Systems, applications and services are set up in such a way that access control can be enforced.
  • The organization has control over the access of each user.
  • The level of access (e.g. read, write, delete) is managed by the organization.
  • Procedures are set up, maintained and monitored for granting physical and logical access.
  • Sharing of sensitive information is performed using authorized tooling.
  • The use of sensitive information is logged and monitored.
  • Changes to access rights are logged and monitored.
  • For access at the highest classification level, multi-factor authentication (MFA) is required before access is granted.

Related links

Gartner on Identity and Governance administration