Who Has Access to Your Data? It's All About Permission

There's a saying in the information security business that a company's sensitive data is only as safe as those who use and have access to it.

So, it is important to consider access control as part of your information security plan and a critical component of an overall strategy to prevent data breaches and other information security incidents.

Access control defines who has permission to use and access company networks and resources and puts systems in place to enforce these guidelines. As you might imagine, the concept can play out differently, depending on the industry you occupy.

Regardless of the business and industry you're in, the concept of access control revolves around three universal factors.

Three A's of Access Control

Factor 1: Assignment

Assigning which individuals have access to what information is crucial to access control. It can be influenced by factors such as job title, an employee's role or position in the organization, and your company's data classification policy.

Factor 2: Authentication

Authentication is verifying that individuals requesting access are who they say they are. Network credentials or name badges are just two examples of authentication. In some cases, more than one method is used or required, a process called multi-factor authentication or MFA.

Factor 3: Authorization

Authorization acknowledges that while an individual may be who they say they are, they may not be authorized to access certain information within the organization. As such, it's essential to factor in where permissions begin and end. This is where the importance of assignment plays out.

Access Control Models

With these critical factors in mind, you can begin to consider an access control model that aligns with your company and the employees and roles they occupy.

There are several established models in existence to choose from:

DAC: Discretionary Access Control

In this well-established model, one of the oldest in use, the data owner decides who gets access to the organization's data and what rules apply. The model works best in small organizations where oversight is easy.

MAC: Mandatory Access Control

This model grants access based on information clearance standards set by a central source or authority. It's often used in government, where a person's clearance level is matched against data classification labels such as Confidential or Top Secret.

RBAC: Role-Based Access Control

In this model, the individual's role determines access privileges based on key security principles. One of these is the principle of 'least privilege', which limits access privileges to the minimum required to do the job.

ABAC: Attribute-Based Access Control

In this dynamic model, attributes such as the time of day and the individual's location are used to determine whether access will be granted. For example, a round-the-clock security operation that works in shifts might grant individuals access only during their scheduled hours.
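To make the four models concrete, here is an added example (not code from the original article) of a toy policy engine that evaluates the same kind of request under each model. Every user, role, clearance, label and shift below is constructed for illustration; the function names and the "read-down" clearance rule are assumptions chosen for the example.

```python
"""Toy policy engine illustrating DAC, MAC, RBAC and ABAC decisions.

Added example, not from the original article. All users, roles, labels,
clearances and attribute values are constructed for illustration.
"""
from datetime import time

# --- DAC: the resource owner keeps a discretionary ACL per resource -------
# Constructed sample: owner "alice" shares the Q3 report read-only with "bob".
DAC_ACL = {
    "q3_report": {"owner": "alice", "grants": {"bob": {"read"}}},
}

def dac_allowed(user, resource, action):
    """Owner may do anything; others need an explicit grant from the owner."""
    entry = DAC_ACL.get(resource)
    if entry is None:
        return False  # unknown resource: deny by default
    if entry["owner"] == user:
        return True
    return action in entry["grants"].get(user, set())

# --- MAC: a central authority assigns clearances and classification labels -
LEVELS = {"Unclassified": 0, "Confidential": 1, "Secret": 2, "Top Secret": 3}
CLEARANCE = {"carol": "Secret", "dave": "Confidential"}        # constructed
LABEL = {"ops_plan": "Secret", "staff_memo": "Confidential"}   # constructed

def mac_allowed(user, resource):
    """Read-down rule: a subject may read objects labelled at or below its clearance."""
    try:
        return LEVELS[CLEARANCE[user]] >= LEVELS[LABEL[resource]]
    except KeyError:
        return False  # unknown subject or object: deny

# --- RBAC: each role carries only the permissions the job requires ---------
ROLE_PERMISSIONS = {
    "analyst": {("reports", "read")},
    "finance": {("reports", "read"), ("invoices", "read"), ("invoices", "write")},
    "admin":   {("users", "write")},
}
USER_ROLES = {"erin": {"analyst"}, "frank": {"finance"}}       # constructed

def rbac_allowed(user, resource, action):
    """Allowed only if some role assigned to the user carries (resource, action)."""
    return any((resource, action) in ROLE_PERMISSIONS.get(role, set())
               for role in USER_ROLES.get(user, set()))

# --- ABAC: decisions use request attributes such as time and location ------
def abac_allowed(subject, resource, env):
    """Shift staff may open the badge system only during their shift, from an
    approved site. Handles shifts that wrap past midnight."""
    if resource != "badge_system":
        return False
    start, end = subject["shift"]
    now = env["now"]
    if start < end:
        on_shift = start <= now < end
    else:  # overnight shift, e.g. 22:00 to 06:00
        on_shift = now >= start or now < end
    return on_shift and env["location"] in subject["sites"]

# Constructed subject: a night guard working 22:00 to 06:00 at headquarters.
NIGHT_GUARD = {"shift": (time(22, 0), time(6, 0)), "sites": {"HQ"}}

def guard_request(hour, minute, location):
    """Convenience wrapper: evaluate the night guard's badge-system request."""
    env = {"now": time(hour, minute), "location": location}
    return abac_allowed(NIGHT_GUARD, "badge_system", env)

if __name__ == "__main__":
    print("DAC  bob reads q3_report:", dac_allowed("bob", "q3_report", "read"))
    print("MAC  dave reads ops_plan:", mac_allowed("dave", "ops_plan"))
    print("RBAC erin writes invoices:", rbac_allowed("erin", "invoices", "write"))
    print("ABAC guard at 03:00 from HQ:", guard_request(3, 0, "HQ"))
```

Each function denies by default when the subject, object or attribute is unknown, which is the behaviour you want from any of these models: a gap in the policy should fail closed rather than open.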

Choosing an Access Control Model

The access control method your company chooses will depend on your business, your industry, and the information you use in your day-to-day business. Regulations and compliance standards may also influence it.

For example, a factory outlet chain with thousands of customer credit cards on file may have a different access landscape than an urgent care clinic dealing with personal medical information.

And a company with thousands of remote employees worldwide will have different challenges than one with a single on-premises network used by a handful of individuals. Moreover, the complex nature of how data is stored and distributed across multiple platforms, networks, and the cloud can also have an impact.

The point is that every organization's approach to access is unique, and that the method you choose for your enterprise should identify, authenticate and authorize individuals in a way that keeps sensitive data and resources safe.

As you can imagine, access control can be a complex challenge for any organization, large or small. Fortunately, there are resources you can consult with to properly assess and address your needs. An online search of information security firms or consultants reveals many resources that can help you navigate this landscape.