Scroll Top

CyberSec 101: The Importance of Access Controls

Access Controls

We all know what is meant by Access Control. Pretty easy to figure out?  There are all kinds of access controls that we can think about in our daily lives. Great example of access is going to the movies. Much like access to a Movie Theater is restricted without a Ticket.

The formal definition says that Information Security Access Control is the selective restriction of access to a place or other resource that contains data. It is defined by a set of Standards issued by the National Institute of Standards and Technologies known as NIST.  Access Controls prevents unauthorized individuals or machines access to information they are not supposed to see. In Cyber Security Vernacular, Access Control boils down to, (Drum Roll) “Who can get to what?”

Key TAKEAWAYS about Access Control
  • Permission to access a resource is called Authorization. Things such as locks and login credentials are two examples of Access Control.
  • Assigning the least amount of access necessary for users to accomplish their task is known as the Principle of Least Privilege. (Need to Know = Principle of Least Privilege)
  • Authorization and Access Control pretty much work hand in hand and the Principle of Least Privilege is the guiding light.
  • The underlying principles of access control systems and how to implement, manage and secure those systems, including internetwork trust architectures, identity management and various access control frameworks.

Types of Access ControlsAccess Control

Administrative Access Controls

These controls mostly consist of the organizations’ Policies. For Access Control, in your organization’s language you need to create a policy that says how you do this.

Good Cyber Security Policies are the foundation a Good Cyber Security Program. Policies must be approved and signed-off by Executive Management to be Effective. Without Written, Approved and Enforced Cyber Security Policy chaos will soon ensue.

Technical Access Controls

Technical Access Controls of “how you do things” and how are we complying with our Current, Cyber Security Policies. These could include Directives, Guides, Operating Procedures, Run Books and more. Needless to say, these also should be written and approved for continuity and to demonstrate compliance. How in depth should they be? My answer would be, as in depth as required. Once again the principle of least but apply it to many things. In other words, Just enough to the get the job done.

My belief is that Cyber Security is a balancing act that is full of nuances and compromises for all. Written Rules provide continuity and assurance to the users and management that Cyber Security Requirements are justified and approved.

Physical Access Controls

Safeguarding access is often accomplished through Physical means. Physical Access Controls include ID Scanner, Biometric Devices, Security Guards, Man Traps, Fences, Video Cameras, Access Logs, amongst many more.

This area is pretty well covered if you are a financial institution or a bank. If you are a healthcare organization Physical Security is much more difficult. To explain it another way “When was last time you saw a Barb-Wired Fence around a Hospital?” Never Right. Healthcare often doesn’t have these access controls available because Hospitals are public places. Because of this Hospitals and Healthcare need to become more creative in physical controls or strengthen their Administrative and Technical Access Controls to compensate.

Where can I find more information?

NIST’s guidance on access control is primarily outlined in a few key standards and publications, which are widely used to ensure the security and proper management of information systems. The main standards that apply to NIST Access Control include:

  1. NIST Special Publication (SP) 800-53, Revision 5:
    • This is a critical standard that provides a catalog of security and privacy controls for federal information systems and organizations. It includes detailed guidelines on implementing access control, including how to manage user permissions, authentication, and authorization.
  2. NIST Special Publication (SP) 800-63, Revision 3:
    • This publication focuses on digital identity guidelines, including how to authenticate users securely. It provides recommendations for different levels of assurance in identity proofing and access control.
  3. Federal Information Processing Standard (FIPS) 200:
    • FIPS 200 sets minimum security requirements for federal information systems, including access control. It works in conjunction with SP 800-53 to ensure systems meet baseline security requirements.
  4. NIST Special Publication (SP) 800-171:
    • This publication provides guidelines for protecting controlled unclassified information (CUI) in non-federal systems and organizations. It includes access control requirements to ensure that only authorized individuals have access to CUI.

Conclusion

There are three types of Access Controls: Administrative, Technical and Physical. Administrative refers to policy. Technical refers to process and Physical is everything outside of the Matrix. Policies must adhere to the Principle of Least Privilege. Written Security Policies must be approved by Executives. Written Rules provide continuity and assurance to the users and management that Cyber Security Requirements are justified and approved.

Find out more at https://topgallant-partners.com/cyber-security/access-controls/

2

Related Posts

Privacy Preferences
When you visit our website, it may store information through your browser from specific services, usually in form of cookies. Here you can change your privacy preferences. Please note that blocking some types of cookies may impact your experience on our website and the services we offer.