listen to this article:
Is your organization’s access control up to date? No…wait. Let’s rephrase that a bit: is your organization prepared to handle what may be the extreme security challenges of the already very unsettled and uncertain 2020s?
Not the Same Old Security Landscape
The major security issues that most organizations face have already changed considerably from what they were just a few years ago. There was a time when the main job of network security was to protect centrally controlled hardware-based infrastructure located in an office environment and often with limited points of access from attackers who were in many cases more interested in vandalism than profit.
A New and Dangerous World
Now, however, the challenge is to protect highly decentralized networks that mix virtual/cloud-based and office-based components with Internet services, often with very haphazard structures.
These networks may have many points of access, including some that are probably unknown to network administrators. The attackers have changed as well; they are now more likely to be well-organized with sophisticated tools and knowledge and intent on either stealing money or other valuable assets or trying to spy on or sabotage sensitive systems.
Security practices, however, often haven’t caught up with the changes in network structure or attacker capabilities and intent. Like today’s virtualized/Internet-based networks themselves, they have often been extended incrementally and in ways that leave resources spread across a range of platforms.
This is particularly true of systems for managing keys (which are necessary for the encryption of passwords and other vital information), and they are often scattered across the system without any centralized coordination.
The Need for Best Practices
This kind of scattered key management can result in a lack of control over key security – and one compromised key can compromise the entire system. It also tends to promote haphazard user access to keys, preventing some stakeholders from using keys that they need, and giving access to other users that don’t need it, along with the continued use of outdated or invalid keys.
This, in turn, can place the entire system at risk – and depending on the environment, the risk may be to the well-being or even existence of the organization, public safety, or national security. Best practices in key management and associated security systems are vital – there is nothing optional about them.
So, what are the best practices in access control, and how can you implement them in your organization?
Best Practices for Access Control
Comprehensive network security needs to include two basic components: a unified, centralized, and secure system for managing keys, and a coherent, unified method of user-account access management. Working together with the appropriate support resources, these components provide you with optimum control, security, and flexibility. Let’s take a look at what that means in practice.
Key Management: What You Need
An ideal centralized key management system should allow you to monitor and control your keys from a unified administrative control interface. At the same time, it should let you use the keys and key systems that you want, and it should be fully compatible with your existing key and access systems. Needless to say, it should also provide a high level of security for the keys that it manages.
Scattered Keys vs. Secure Decentralization
At this point, you may be wondering whether there is more security in decentralized management, which would (at least in theory) deprive an attacker of a single point of entry that allows access to all keys in the system. It’s a reasonable question, but in practice, that kind of decentralization really means fragmented, scattered, frequently ad-hoc, and often inadequate key management, making it easier for individual keys to be compromised – and a single compromised key can wind up compromising the entire system.
Decentralized key storage (as opposed to management) is a different matter. The system as a whole can be centrally managed and still secure if the keys themselves are stored in such a way that a break-in at one storage site can’t be leveraged into access to the whole system. For example, a multiparty computation system, which splits keys into smaller chunks, stores the chunks in different places, and applies the keys without actually putting the chunks together, is much more secure than simple decentralized storage of individual keys since it does not require the existence of a complete key at any point in the process.
Access Control: What’s Needed and What’s Best
What should a best-practices access control system do? At a minimum, it should provide users with access to all of the resources that they legitimately need, it should prevent access to any sensitive resources that are not required by a given user, and it should be reasonably simple to maintain.
In practice, of course, there’s a basic conflict between fine-tuned access control and simplicity; whether you manage access by telling the system which individual accounts can use a given resource or telling it which resources an individual account can access, this kind of precise control comes at the expense of frequent (or even continual) hands-on management.
Role-Based Access Control
The best way to minimize the fine-tuning/simplicity conflict (and in many ways, the best all-around approach to managing user access) is role-based access control (RBAC), which gives you fine control over access to resources and data, but without the need to micromanage individual accounts. It does this by creating roles (such as accounting, programming, sales, administration, etc.), setting up access control for those roles, then assigning users to the roles so that a single role may represent a large number of individual users. As long as there are significantly fewer roles than there are individual users, and as long as the roles are defined and assigned based on actual requirements, setup is fairly simple and access is appropriate to individual users.
Implementing Access Control Best Practices
What steps can you take to implement best practices in your organization’s access control system? You might want to start with something like the following three-phase process:
Key Management Requirements
You can start by analyzing your organization’s requirements for a centralized key management system:
- Do an inventory of your existing keys, types of keys, key management resources, and where they are stored or managed.
- Note anything that needs to be upgraded, improved, or replaced.
- List any additional key requirements that are not yet implemented.
- Analyze your organization’s projected future needs regarding keys and related access control resources.
- Turn it all into a basic requirements checklist.
Next, map out the user roles that are appropriate for your organization:
- Identify types of users and what they need access to.
- You can start by defining roles according to department, job title, etc.
- Also look at roles based on the need for access to specific resources.
- The completed role list should assign all individual users to roles. No user should be left out, and no user should be forced into a role that does not provide adequate access to resources.
Selecting Access Control Systems
Now you’re almost ready to shop around for access control systems, but first, it’s time for one last (but very important) round of sanity checking:
- Run your requirements past key stakeholders. Do they meet users’ real needs, and do they provide adequate security under actual working conditions?
- Take a close look at available access control solutions; you need to know what they can and can’t do, how they work, and how they can fit into your existing IT operations.
- Look for an access control and security solution provider who you can trust – a partner with comprehensive and practical solutions, and up-to-the-minute expertise who you can count on to meet tomorrow’s security issues as easily as today’s.
Keeping Up with 21st Century Security
The stakes are high: both the number and cost of ransomware attacks are increasing exponentially, and attacks for other purposes (including data theft, sabotage, and embezzlement) are also sharply on the rise.
Yesterday’s security solutions simply aren’t adequate. You owe it to yourself and your organization to meet 21st century access control challenges with true 21st century solutions.