The modern hybrid workplace presents a new set of risks and challenges for cybersecurity professionals, with a physically dispersed employee base introducing vulnerabilities that IT teams have never had to contend with before. Improving and strengthening data loss protection, or DLP, strategies has been a pivotal task for all organizations across the globe as they learn to contend with a new way of working. Newly emerging best practices and discourse around protecting networks and company information mean the industry is constantly changing, so InfoSec teams need to stay aware of new developments in the DLP space.
One important aspect of DLP is access control, which determines and dictates how a user is able to interact with company data, resources, or information. As part of a robust zero trust framework, access control ensures only the right employees have access to the right data at the right time, limiting opportunities for theft or leakage. Without an access control strategy in place the wrong actors will be able to get their hands on sensitive information, potentially opening organizations up to litigation or financial damages. Let’s break down the basics of access control.
In information security, access control refers to the selective restriction placed on user access to certain files or resources, as determined by access management policies. The end result of access control is that only users who meet certain criteria, whether set in advance or assessed in real time, can interact with, download, or modify company data or information. Access control consists of identification, authorization, authentication, access approval, and audit. Let’s break these down piece by piece to help us understand access control a little better.
Identification: Identification is when a user is recognized by the system and their identity is verified.
Authorization: Authorization is the process of defining access rights for users. Three common authorization levels are read-only, write, and execute. Read-only users will only be able to read documents and logs, write permission users will be able to edit documents or files, and execute level permissions will allow users to run programs.
Authentication: Authentication is the process of proving someone is who they have identified themselves as. We’re all very familiar with authentication: most of us have our phones and computers locked by passcodes! Passwords and codes are one of the most common means of identification in InfoSec, as having users remember login information is cost effective and streamlined.
Access Approval: Once the user has been identified, access is either confirmed or denied based on user permissions and authorization. The user will either be allowed to access what they’re attempting to, or denied.
Audit: A crucial part of access control is auditing capabilities to review what users were allowed in and why. Being able to review and reevaluate who was and wasn’t granted access will help ensure data is kept safe and policies are kept up to date in a variety of circumstances.
Under generally accepted standards there are four primary means of access control, each suited to different organization requirements and types.
Discretionary access control (DAC): Discretionary access control consists of an owner or admin who chooses the criteria required for access to a protected resource, file or system.
Role-based access control (RBAC): Role-based access control allows users to access information based on their function or business area. For example, accountants and HR teams might be able to access payroll information, but the software engineering team would be unable to. This grouping by purview allows members of organizations to seamlessly access information pertinent to their roles.
Mandatory access control (MAC): Often used in the U.S. military and government, mandatory access control restricts access to data or resources based on security clearance levels. Information is grouped by sensitivity, and access is regulated by a central authority. (Want to know more about data sensitivity levels? Check out our blog on data taxonomy!)
Attribute-based access control (ABAC): ABAC is based on an if/then structure where a series of criteria (attributes of the user, the resource, and the request context) are evaluated in real time to determine whether or not users are able to access information.
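To make the components above (authorization levels, access approval, audit) and three of the four models concrete, here is a small policy evaluator added as an example; it is not Venn's code or part of the original post. It assumes constructed role permissions, clearance levels and if/then rules, and chains an RBAC check, a MAC "no read up" check and ABAC context rules, recording every decision in an audit log.

```python
from dataclasses import dataclass

# Constructed sample policy: MAC sensitivity ordering and RBAC role permissions.
LEVELS = {"public": 0, "internal": 1, "confidential": 2, "secret": 3}
ROLE_PERMS = {
    "accountant": {"payroll": {"read", "write"}},
    "hr": {"payroll": {"read"}},
    "engineer": {"source": {"read", "write", "execute"}},
}

@dataclass
class User:
    name: str
    roles: set
    clearance: str

@dataclass
class Resource:
    name: str
    category: str      # what RBAC keys on (e.g. "payroll")
    sensitivity: str   # what MAC keys on (e.g. "confidential")

AUDIT_LOG = []  # append-only record of every decision, for later review

def abac_rules(resource, action, ctx):
    """ABAC: if/then rules evaluated against the request context at decision time.
    Returns a denial reason, or None if all rules pass (hypothetical rules)."""
    if action in ("write", "execute") and not ctx.get("on_vpn", False):
        return "write/execute requires a VPN connection"
    if resource.sensitivity == "secret" and ctx.get("hour", 12) not in range(8, 18):
        return "secret data is only accessible during business hours"
    return None

def authorize(user, resource, action, ctx):
    """Access approval: returns (allowed, reason) and appends an audit entry."""
    granted = set()
    for role in user.roles:  # RBAC: union of what the user's roles grant
        granted |= ROLE_PERMS.get(role, {}).get(resource.category, set())
    if action not in granted:
        reason = f"roles {sorted(user.roles)} lack '{action}' on {resource.category}"
    elif LEVELS[user.clearance] < LEVELS[resource.sensitivity]:  # MAC: no read up
        reason = f"clearance {user.clearance} is below {resource.sensitivity}"
    else:
        reason = abac_rules(resource, action, ctx)
    allowed = reason is None
    AUDIT_LOG.append({"user": user.name, "resource": resource.name,
                      "action": action, "allowed": allowed,
                      "reason": reason or "all checks passed"})
    return allowed, reason
```

Because every denial carries the check that produced it, the audit log answers the "who was allowed in and why" question directly rather than only recording a yes/no.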
Having a well-established, robust access control system is a key component of protecting data from theft, misuse, or exfiltration. By choosing the right model of access control, inserting the right protections, developing strong authorization and authentication policies, and creating expansive auditing capabilities you can make any network infrastructure even safer. Having the right systems in place to strengthen your organization’s digital footprint in its weakest areas makes data loss less likely. Speaking of data loss…
DLP is made simpler with Venn, the secure workspace that isolates and protects work from any personal use on the same computer. Venn’s patented LocalZone technology sets up a smart, secure perimeter that protects local work apps, files, and data while isolating them from personal computing. The LocalZone™ uses local device resources and secures data with its bright blue border and badge, allowing your employees to work when and how they need without fear of personal use bleeding into company information. Venn also enables high quality DLP with auditable screen sharing and capture approval, clipboard controls, and download/upload restrictions.
Book a crisp demo with us today and learn more about how Venn can help keep your organization safe from modern threats!