Access management, RSSI training, Fraud and cybercrime management
Stop unauthorized access that could lead to a security or privacy breach
Isa Jones •
February 14, 2022
The best way to stop a bank robbery is to prevent the criminal from entering the bank. This is, in many ways, what access controls are for. If a user cannot access, by default, they cannot leverage that access. And, by creating these series of defenses, an organization protects itself from the myriad of attempted cyberattacks it may experience.
See also: Live Webinar | How to stop the four horsemen of the data loss apocalypse
What are access controls
Access control can be any method that creates precision and control over when and how a person can exercise their access rights. The purpose of access control is to create friction between a user and their access, and to stop any unauthorized access that could lead to a security or privacy breach.
Think of access governance as the perimeter fence and access control as the guards that find and close the gaps in that fence.
There are a handful of access control types, each offering a different method of limiting access:
- Accurate access control such as access notifications, access approvals, time-based access, and an access schedule. These controls limit access to an external factor, such as a supervisor approving access or a time limit for access.
- Zero trust network access. ZTNA removes any implicit trust from users (external or internal) and instead applies the same kinds of controls to each user, removing all access privileges. This method ensures that every access, routine or critical, is valid.
- Multi-factor authentication. Like the granular access controls mentioned above, this method also relies on an external factor. This control is incredibly common, so much so that Facebook, your bank account, and probably even your personal email account have started requiring it. It confirms the identity of the user by asking him to validate the access via two forms. Whether it’s an SMS password and code, keycard swipe and PIN, or a variety of other methods.
- Management of privileged identifiers. Saving credentials, manually managing them, or even obfuscating them so literally that no user knows the password is, is a simple way to prevent credential theft and control the access.
Why are access controls important?
Creating strong access policies within an organization is the first step to better cybersecurity, but if no one enforces those policies, they won’t do much to stop a breach. Think of access governance as the perimeter fence and access control as the guards that find and close the gaps in that fence.
Additionally, access controls contribute to a decentralized approach to cybersecurity, which focuses on individual access points and user access rights instead of a simple castles and moats strategy. We recently saw how the “hack one, hack many” method is successful, so it only takes one access point to cripple an entire system. Hackers use decentralized approaches to breach a system, so an organization’s security must be equally nimble and thorough. Placing access controls on every access point is like placing a guard in front of every door, not just the front one. If the bank robber breaks through the lobby doors, the guard is still waiting outside the vault.
Third parties, which are an essential component of any organization, also represent an inherent risk. They are full of external users and, understandably, much less is known about them than about an internal user like a full-time employee. Hackers know this, and as happened with SolarWinds and Kaseya, they like to take advantage of this and use third parties as a kind of tunnel to other organizations. Using access controls here would stop this jump between organizations and remove the threat that third parties carry with them.
Investing in access controls, even a small investment like multi-factor authentication for all users or an enterprise-wide solution like VPAM or PAM, can go a long way in protecting your organization in a rapidly changing cybersecurity environment.