In our first post in this series, we talked about authentication: verifying whether someone is who he or she claims to be. In many instances, this is where system administrators call it a day, by giving all verified users equal access to network resources. But there is much to be gained by continuing to apply the other three As of Account Management. In this post we’ll talk about authorization and access control – what are they, and in what scenarios could you use them to improve your security?
What are authorization and access control?
Simply put, authorization and access control are how an access policy gets enforced: authorization is the decision about what a verified identity is permitted to do, and access control is the mechanism that carries that decision out. The stereotypical example is the bouncer at the nightclub: the guest list says who is authorized, and the bouncer at the velvet rope enforces it by letting those people in and turning everyone else away. But these processes happen all over the place. For example, at your bank, at the sports stadium and the concert hall, as you prepare to board an airplane... in each of those instances, you must show that you are authorized to take an action, such as entering the secured area of the airport or making a withdrawal from your account. If you do not have permission for that area or activity, you are excluded.
To have successful authorization and access control schemes, you need two things: good authentication, and good policies. Strong authentication is needed because when you're letting John and Jane Smith access the things they need, you want to be certain that you're actually letting John and Jane Smith in and not someone pretending to be them. Good access policies make sure that you're following the principle of least privilege: each user gets only the access needed to do his or her job, and nothing else, so that access is granted only where it is both needed and permitted. Both authentication and policy-making take some planning and forethought, to make sure you're giving appropriate levels of access, neither too liberal nor too restricted.
When are authorization and access control useful?
This level of planning may seem like an inordinate amount of work. So you may be wondering: “When would someone want to tackle that sort of task?” The short answer is, it’s particularly useful if you’re in a situation where your budget is limited and you are looking for risk-limiting ways that utilize more brainpower than buying-power. That group probably includes most people, regardless of the size or success of your business.
We've all heard stories, either anecdotally or on the news, about companies that got into trouble because attackers reached sensitive systems by way of a machine or account that should never have had access to them (a vendor portal, say, or a workstation in an unrelated department). Some planning up front mitigates this kind of risk.
Every business, big or small, has areas or files that should not be accessible to everyone. Depending on the size of the business, you could have several departments that have resources that are particularly sensitive and should not be accessible to anyone outside that department, including Human Resources, Payroll, Accounting, Business Development, or IT for example. There may also be instances where you want outside parties, such as vendors or guests, to have access to some of your resources.
You can either include or exclude individuals or groups, single machines or whole sections of your network, depending on your needs and the sensitivity of what you’re protecting. Before creating your policies, it’s a good idea to put together a list of groups, such as:
- Individual departments
- Groups within departments
- Roles across departments (e.g. project or product managers, administrative)
- People with specific job-related duties
- Group leaders and managers
- High-level managers and executives
- IT or security
Once you have these groups, you can start defining what actions they need to have permissions for, and where. Likewise, you can define which actions and areas those groups or individuals should be prevented from accessing.
While some groups may need full access to both view and edit files or data, others may simply need to be able to view (but not modify) content or directories. You can also set limits on resources, such as how long or how often different employees or departments are able to access something (such as web-surfing on websites that are not related to work), or how much storage space has been allotted to them.
When you have created your list of groups and permissions, you can enforce these policies. The most natural place to do this is wherever users already have to log in:
- Device start or wake-up (the operating system login)
- Online services and applications
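The planning steps above (list the groups, grant each group the actions it needs on each resource, record what a group must never do, and put time limits on some resources) amount to a small role-based access control policy, and the login points are where a decision function like the one below gets called. The following is an added illustration, not code from the original post or from ESET: the users, groups, resources and the policy itself are constructed for the example. An explicit deny on any of the user's groups overrides every allow, and anything not explicitly allowed is denied, which is least privilege in code.

```python
"""Minimal role-based access control (RBAC) decision function.

Added example, not code from the original post. All users, groups,
resources and rules below are constructed for illustration.
"""
from datetime import datetime, time

# Constructed sample directory: user -> groups the user belongs to.
GROUPS = {
    "jane": {"hr", "managers", "staff"},
    "john": {"payroll", "staff"},
    "sam": {"it", "contractors", "staff"},
    "acme_vendor": {"vendors"},
}

# Allow rules: group -> set of (action, resource) pairs it may perform.
ALLOW = {
    "hr": {("read", "hr/personnel"), ("write", "hr/personnel")},
    "payroll": {("read", "hr/personnel"), ("read", "payroll/ledger"),
                ("write", "payroll/ledger")},
    "managers": {("read", "hr/personnel")},
    "it": {("read", "it/tickets"), ("write", "it/tickets"), ("write", "it/config")},
    "contractors": {("read", "it/tickets")},
    "vendors": {("read", "vendor/portal"), ("write", "vendor/portal")},
    "staff": {("read", "web/personal")},
}

# Deny rules: an explicit deny on any of the user's groups wins over any allow.
DENY = {
    "contractors": {("write", "it/config")},
}

# Resource limits: resources that may only be used inside a daily time window.
WINDOWS = {
    "web/personal": (time(12, 0), time(13, 0)),
}


def decide(user, action, resource, now=None):
    """Return (allowed, reason). Anything not explicitly allowed is denied.

    `now` is a datetime.time used for windowed resources; it defaults to
    the current wall-clock time.
    """
    # An unknown user has no groups and therefore no permissions.
    groups = sorted(GROUPS.get(user, set()))
    denying = [g for g in groups if (action, resource) in DENY.get(g, ())]
    if denying:
        return False, f"explicitly denied by group(s) {', '.join(denying)}"
    granting = [g for g in groups if (action, resource) in ALLOW.get(g, ())]
    if not granting:
        return False, "no group grants this action on this resource"
    window = WINDOWS.get(resource)
    if window is not None:
        start, end = window
        if now is None:
            now = datetime.now().time()
        if not (start <= now <= end):
            return False, f"outside permitted window {start:%H:%M}-{end:%H:%M}"
    return True, f"allowed by group(s) {', '.join(granting)}"


if __name__ == "__main__":
    requests = [
        ("jane", "read", "hr/personnel"),
        ("john", "write", "hr/personnel"),
        ("sam", "write", "it/config"),
        ("acme_vendor", "read", "hr/personnel"),
        ("mallory", "read", "vendor/portal"),
        ("jane", "read", "web/personal"),
    ]
    for user, action, resource in requests:
        ok, why = decide(user, action, resource)
        print(f"{'ALLOW' if ok else 'DENY ':5} {user:<12} {action:<5} {resource:<16} {why}")
```

The reason string is worth keeping even though the caller only needs the boolean: logging it at each decision point is what makes the audit trail discussed in the next post useful, because it records not just that access was refused but which rule refused it.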
These policies should be living documents, updated promptly as users are hired or leave the company, or as they change jobs or roles within it. Removing access that is no longer needed is as important as granting it; accounts and permissions that outlive their purpose are exactly the kind of forgotten access that attackers look for.
Once you have all these policies in place and are properly enforcing them, you might think this is the end of the story. But accidents and unexpected events do happen, and you’ll want to be aware of them too. In the next installment of this series, we’ll talk about audit logging, which is what will allow you to look into those past events so that you can prevent future problems.
by Lysa Myers, ESET