Access control list

User access control Fundamental but forgotten

May 7th, 2013

User access control is a cornerstone of information security management. Everybody needs it and does it. Yet in practice it’s poorly conceived, implemented and managed. It’s one of those elephants in the room: a problem that is highly significant, but difficult to tackle so business is reluctant to acknowledge it. If it wasn’t for compliance and internal audit the situation would be even worse.

A number of theoretical models have been developed over the years but they don’t deliver in practice. We’ve got ACLs, Capabilities, MAC, DAC and RBAC, none of which work in a medium or large enterprise. There are several reasons for this.

Firstly, the models are too simple. Access control is too rich a subject to be determined by a single label or capability. Deciding whether a user can have access to an enterprise system is far from simple. It depends on who they are, what they are, how important they are, where they are, what they are doing, to whom they report, and what other access they might already possess. This requires unambiguous policy rules and reliable decision processes, supported by smart application front-ends, all of which are in short supply.

Secondly, we rarely have enough knowledge in one place to make this work. Neither systems owners nor administrators have perfect knowledge of who does what across the enterprise and what access they require, especially in an organization that is continuously acquiring, divesting and restructuring business units.

Thirdly, we don’t pay enough attention to administration. It’s too often poorly resourced and equipped. Cost savings can easily be made by streamlining processes and implementing better tools but this requires enterprise-wide cooperation and it’s rarely at the top of any business unit’s agenda.

Fourthly, we are constrained by legacy systems and infrastructure which complicate the problem space and restrict the solution space. Ambitious visions quickly fade into the distance.

An inescapable fact is that we can’t control a complex situation with simple controls. Today’s access requirements are a sophisticated blend of numerous factors. Access rights depend on multiple user characteristics that can be surprisingly hard to define measure and monitor.

The end result is that it doesn’t get done properly. Instead we fudge it. We do the minimum we can to keep it going and rarely get around to developing the rich policies, knowledge base and streamlined processes needed to build a sustainable, effective access control system.

In fact it’s much easier to close the back doors, through vulnerability management and penetration testing rather than to secure the front entrance. But compliance is catching up with the thousands of wrong profiles, toxic combinations and dead registrations. Sooner or later we will have to put aside the easy, quick wins and face up to the long-standing elephant in the room.

Prevention is better than cure. Prevent your systems from attacks with Alertsec Xpress.

Get your personal as well as office laptops encrypted by Alertsec

Unencrypted laptops present a major risk of data loss. 80% of information theft is due to lost or stolen laptops and other equipment. About 50% of network intrusions are performed with credentials gathered from lost or stolen devices. The penalties for a data breach are severe not only in terms of the monetary fines imposed on the organization, but also the potential loss of trust from customers and suppliers. Encryption software greatly enhances the security of your organization’s data as the information is not compromised if a laptop is lost or stolen.

Alertsec Xpress is the full disk encryption service that delivers a mobile data protection system for all information stored on laptops used throughout your organization.

Enhanced by Zemanta