GDV Data Protection Blog

How Do You Define and Manage Access Controls?

Access control permits or denies a user access to information, systems or resources. It allows an organization to effectively manage, track and audit disclosure of information.

What are the primary objectives of access controls?
Access control maintains and safeguards confidentiality, integrity and availability of information, systems and resources:

• Confidentiality: assures that only authorized users can access or view data and systems.
• Integrity: protects data from unauthorized or inadvertent modification.
• Availability: ensures that data and resources are readily available to authorized parties.

What are the primary concerns with access control?

CFO Concerns

• Access control is a very complicated issue due to the volume and variety of systems requiring access administration within a typical organization.
• Any user with access to sensitive information poses a risk to the confidentiality, integrity and availability of that information.
• Access must be proactively managed, based on the principle of “least privilege,” which only provides users access to the IT elements they absolutely need to perform job functions.
• Critical data must be properly classified (confidential, private, financial, etc.).
• Systems and resources providing access to that data should be identified, with established rules governing access to those systems and resources.
• The “business” owns access control and must define sensitive data and the job functions requiring access to that data. IT then executes the business’ requests.

CIO Concerns

• The business owns access control and should define what constitutes sensitive data and who needs access to that data. In most organizations, IT drives efforts to implement adequate access controls once the initial requirements are obtained from the business. In many ways, this is no different from implementing a new system.
• Efforts to design access controls often focus on core (typically financial or customer-facing) applications and do not acknowledge sensitive information stored on file shares, non-core applications, partner systems, or test environments. All storage locations for sensitive data must be recognized.
• Defining user access based on job function requires a holistic approach that is not limited to specific systems but considers all functions that an individual performs throughout the day.
• If the volumes and locations of critical information seem overwhelming, data storage practices should be simplified and streamlined. Once roles are defined, third-party tools can assist in managing access.

CISO / IT Administrator Concerns

• While the business owns access control and defines sensitive data and access requirements, IT can drive access control efforts.
• Access control is essential and extends beyond requirements for SOX, GLBA, HIPAA, PCI and other compliance measures. Access control focuses on managing risk and ensuring that users only have access to systems, information and resources required for regular job functions.
• Access controls for sensitive information must be manageable and efficient or they will not be consistently applied.
• An effective change management process is necessary to oversee changes in access control as systems and their underlying data change over time.

What key authorization elements require consideration?
Key elements of authorization relate to sets of permissions over specific directories or files, including:

• Read (R): ability to read file contents and list directory contents.
• Write (W): ability to create, add, delete or rename files or directories.
• Execute (X): ability to run programs.

Access controls for R/W/X permissions can be managed through:

Active Directory: created by Microsoft®, Active Directory allows administrators to assign policies, deploy software and apply critical updates to an organization; Active Directory also can be used to grant access to resources on the network, such as printers, servers or specific directories on servers. Active Directory control does not extend to non-Windows operating systems, such as Unix or Linux.
Identity and Access Management Solutions: Users generally have credentials for accessing the various systems they rely upon to execute their job functions (various internal web sites, network file shares, e-mail, numerous applications, etc.). Each user with credentials across numerous systems poses risk due to the difficulty of administering access control across all of those systems.

IDM solutions, however, enable administrators to centrally manage an organization’s user base across multiple diverse platforms and applications. This concept is often referred to as single sign-on access control. Some solutions also allow for the development and provisioning of role-based security through the centralized solution. Therefore, Identity and Access Management solutions can dramatically simplify an organization’s efforts to control user access to sensitive functions.

What key authentication elements should you consider?
CFO Concerns
User authentication is crucial. Without it, a security system may be flawed from the start. Authentication is typically based on something the user has (e.g., a token); something the user knows (e.g., a password); or something related to the user’s physical identity (e.g., a fingerprint). Single-factor authentication requires only one of these elements, whereas two-factor authentication requires two of them.

CIO Concerns
How can I make the business case for implementing more stringent user authentication measures in a down business environment? While the cost of implementation may be high, the cost of failure – all of the consequences that accompany a security breach – may be higher. When considering security measures, try to evaluate against what your peer organizations are doing, or what your customers expect.

What access control methodologies should you consider?
Enterprise access solutions can be addressed by a number of different access control technologies, such as:

• Sound Passwords: Passwords are weak forms of authentication and should only be used to control access to less sensitive data or in combination (two-factor) with one of the other methods listed below. Passwords should be complex (difficult to guess) and require mixed alphanumeric and mixed-case characters, or use passphrases greater than 14 characters in length (because of the method Windows uses to keep passwords compatible with older versions of the Windows operating system, passphrases greater than 14 characters are considered more secure than mixed-case alphanumeric passwords).
• For remote users or users accessing particularly sensitive information (customer bank account files, for example), a second mechanism for authentication should be considered, such as:

Token: a hand-held device that authenticates with an enterprise server and provides two-factor authentication – something a user has (the device) and something they know (such as a personal identification number); or a security token used to prove one’s identity electronically (such as when an individual trying to access a bank account must verify a security image chosen as part of the login).
Smart Card: card with embedded integrated circuits which can process data; a strong authentication methodology for organizations using single sign-on access control.
Encrypted Key: algorithms making information unreadable except to those possessing a key; verifies authenticity of people sending and receiving information.
Biometric Device: personal identifier, such as a retina scan or fingerprint, to identify and authenticate a user.

How should access control be documented?
As the custodian of access control in most organizations, IT should be able to readily identify what systems and internal resources users may access. Access to critical resources and data should be attributed to job functions using role-based security. When user access requests are made, they should be based on the user’s job function and not on a specific resource that individual wants to access. If the access granted through a role is insufficient, a request is needed to review or edit that user’s security role to properly accommodate job requirements.
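As an added illustration that is not part of the original post, the following Python models the role-based scheme described above and the R/W/X permissions from the authorization section: users hold only job-function roles, each role carries read/write/execute rights over constructed resource paths, every decision is recorded for audit, and a denied request points back to a role review rather than a direct per-resource grant. All role, user and path names are constructed for the example.

```python
# Added example (not from the original post): minimal role-based access control
# where rights flow only through job-function roles. Names are constructed.
from enum import Flag, auto
from typing import Dict, List, Set, Tuple


class Perm(Flag):
    NONE = 0
    R = auto()  # read file contents / list directory contents
    W = auto()  # create, add, delete or rename files or directories
    X = auto()  # run programs


# Role -> {resource path: permissions}. Roles describe job functions, not people.
ROLES: Dict[str, Dict[str, Perm]] = {
    "ap_clerk": {"/finance/invoices": Perm.R | Perm.W, "/finance/reports": Perm.R},
    "auditor": {"/finance/invoices": Perm.R, "/finance/reports": Perm.R, "/hr/payroll": Perm.R},
    "payroll_admin": {"/hr/payroll": Perm.R | Perm.W | Perm.X},
}

# User -> roles. No user holds a direct grant on any resource (least privilege via roles).
USERS: Dict[str, Set[str]] = {
    "alice": {"ap_clerk"},
    "bob": {"auditor"},
    "carol": {"payroll_admin", "auditor"},
}

# Every decision is appended here so disclosure can be tracked and audited later.
AUDIT: List[Tuple[str, str, Perm, str]] = []


def effective_perms(user: str, resource: str) -> Perm:
    """Union of the permissions that all of the user's roles grant on a resource."""
    perms = Perm.NONE
    for role in USERS.get(user, set()):
        perms |= ROLES.get(role, {}).get(resource, Perm.NONE)
    return perms


def check_access(user: str, resource: str, wanted: Perm) -> bool:
    """Allow only if every requested bit is granted through some role; log the outcome."""
    granted = effective_perms(user, resource)
    allowed = wanted in granted  # Flag containment: all wanted bits must be present
    AUDIT.append((user, resource, wanted, "ALLOW" if allowed else "DENY"))
    return allowed


def request_access(user: str, resource: str, wanted: Perm) -> str:
    """A denied request triggers a review of the user's roles, never a per-resource grant."""
    if check_access(user, resource, wanted):
        return "granted via role"
    roles = ", ".join(sorted(USERS.get(user, set()))) or "no roles"
    return f"denied: review roles [{roles}] for {user}; no direct grant on {resource}"
```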

How can Weaver and Tidwell help?
Weaver and Tidwell’s Risk Advisory Services practice has seasoned IT professionals who are experienced in continually identifying ways to improve your organization’s information security efforts. We provide experience and expertise for financial reporting, business operations and accounting approaches, as well as information security. We gain a comprehensive understanding of your processes and specific security needs to deliver a valuable information security assessment that protects your business.

BRIAN THOMAS, CISA, CISSP
Risk Advisory Services Partner

www.weaverandtidwell.com
