Hardening your Access Control

Managing Access to Information Resources

When first considering how to organize a company's information resources, one needs to establish an access baseline. Schwartz (2007) says, "By doing this, you'll see the holes in your current processes and quickly nab any gross offenders, such as 'someone who's running a business out of their cube.'" Identifying the roles that current employees hold and going down the list by job title tells a lot about where the access control strategy needs to go. This can also serve as a recertification effort, in which employees must be re-certified for sensitive application access. Next I would automate the provisioning process for access activity. Identity service providers such as Centrify have proven invaluable to organizations, with an application workflow provisioning system built in; there are many other flavors of this. Schwartz (2007) states, "according to a new survey of 600 organizations' identity and access management practices conducted by the Ponemon Institute, 58 percent of companies use mostly manual monitoring and testing to monitor access policy compliance."

Next, a security engineer should focus on finding business cases for access control. Most companies' access control programs are driven by regulatory compliance rather than by the business's need for them. Establishing regular meetings to address new access control business cases will be very beneficial moving forward. It is important to get the right information to the right people faster (Schwartz, 2007). Following this, it is best to tie access controls to the company's direct regulations, whether it makes more sense to have specific access controls for Sarbanes-Oxley, PCI, or both. State regulations vary, but if data a company handles is accessed improperly, it may need to notify every affected state resident (Schwartz, 2007).

Above all, the principle of least privilege should be practiced at all times. Anderson (2008, p. xx) states, "Programs should only have as much privilege as they need: the principle of least privilege. Software should also be designed so that the default configuration, and in general, the easiest way of doing something, should be safe." This should simply be the norm of operation throughout the company, from business to IT resources.
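The access baseline and recertification walk described above, together with the least-privilege check, can be scripted once entitlements are exported per identity. The following is an added example, not code from the original post or from any identity provider: it assumes a constructed role baseline keyed by job title, a constructed list of current grants, and a constructed set of entitlements that always require re-approval, and it reports excess grants, provisioning drift, and sensitive grants per identity.

```python
# Constructed sample data (not from the page): the expected entitlements per
# job title, the grants each identity currently holds, and entitlements that
# always need owner re-approval during recertification.
ROLE_BASELINE = {
    "accounts-payable-clerk": {"erp:ap-invoice-entry", "erp:vendor-lookup"},
    "db-admin": {"db:prod-admin", "db:backup-restore", "vpn:ops"},
    "sales-rep": {"crm:read-write", "vpn:sales"},
}
SENSITIVE = {"db:prod-admin", "erp:ap-payment-approve", "hr:payroll-export"}
CURRENT_GRANTS = {
    "alice": ("accounts-payable-clerk",
              {"erp:ap-invoice-entry", "erp:vendor-lookup", "erp:ap-payment-approve"}),
    "bob": ("db-admin", {"db:prod-admin", "db:backup-restore", "vpn:ops"}),
    "carol": ("sales-rep", {"crm:read-write", "vpn:sales", "db:prod-admin"}),
    "dave": ("contractor", {"vpn:sales"}),   # job title with no baseline defined
    "erin": ("sales-rep", {"crm:read-write", "vpn:sales"}),
}


def baseline_review(grants, baseline, sensitive):
    """Compare each identity's grants to the baseline for its job title.

    Per identity the report lists:
      excess    - grants outside the role baseline (least-privilege violations)
      missing   - baseline grants not held (provisioning drift)
      recertify - sensitive grants that an owner must re-approve
    A job title with no baseline is flagged and all of its grants count as excess.
    """
    report = {}
    for user, (role, held) in grants.items():
        expected = baseline.get(role, set())
        report[user] = {
            "role": role,
            "unknown_role": role not in baseline,
            "excess": sorted(held - expected),
            "missing": sorted(expected - held),
            "recertify": sorted(held & sensitive),
        }
    return report


def offenders(report):
    """Identities needing action: any excess grant, unknown role, or sensitive grant."""
    return sorted(u for u, r in report.items()
                  if r["excess"] or r["unknown_role"] or r["recertify"])


if __name__ == "__main__":
    rep = baseline_review(CURRENT_GRANTS, ROLE_BASELINE, SENSITIVE)
    for user in offenders(rep):
        print(f"{user} ({rep[user]['role']}): excess={rep[user]['excess']} "
              f"recertify={rep[user]['recertify']} missing={rep[user]['missing']}")
```

Running it against a real entitlement export turns the "go down the list by job title" step into a repeatable report rather than a one-off manual review.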


References

Anderson, R. (2008). Security engineering: A guide to building dependable distributed systems. Indianapolis, IN: Wiley Pub.

Schwartz, M. (2007, March 27). Access control: 10 best practices — enterprise systems. Retrieved from https://esj.com/articles/2007/03/27/access-control-10-best-practices.aspx