Why Your Organisation Needs an Access Control Policy

Access Control Policies are integral to an organisation’s security strategy. These policies can be as simple as implementing authentication to access a particular resource or as comprehensive as policies defining what users can access. However, these policies must be based on the principle of least privilege to ensure that sensitive information doesn’t fall into the wrong hands.

The principle of least privilege is relatively simple in theory. Abiding by the principle means that users and programs should only have access to the resources that they need in order to accomplish their tasks. When privileges are restricted to the bare minimum, it limits the amount of damage that can be done by an external attacker or an insider threat. However, in practice, this is far more complex to implement.

There are many different kinds of access control policies that can be applied depending on the structure of the organisation in question. Two of the most common models described in the Trusted Computer System Evaluation Criteria (TCSEC) are discretionary access control (DAC) and mandatory access control (MAC).

Discretionary access control (DAC) is commonly implemented in civilian organisations and smaller government departments. These policies restrict access based on the identity of users or certain groups. Additionally, users in control of a resource can grant or revoke access for other users without the assistance of an administrator.

However, this in itself is a security risk.

Let’s assume that your company has a discretionary access control policy and gives each employee free rein to all systems and data. Not only that, but employees can grant access rights to other users whenever they choose. If a hacker manages to take over an account or an employee goes rogue, they could wreak tremendous havoc against your organisation and leak highly sensitive information.

They could steal all of its data, or delete it. If they infiltrate the system further and obtain elevated privileges, they could lock everyone out and change their passwords. The more extensive these privileges are, the more extreme the destruction could be.

Most Employees Don’t Need Much Access

There’s no guaranteed method of keeping disgruntled employees or hackers from attacking your organisation. However, adopting the principle of least privilege can mitigate these risks.

The principle of least privilege is most effectively adopted by introducing some form of mandatory access control (MAC). With mandatory access control, the security policy is enforced among all users and resources; these are assigned sensitivity labels that form the basis of access control decisions. MAC policies are primarily adopted by military and intelligence departments, where security classifications are assigned to specific resources that determine if a user can access these based on their security clearance.

For example, the Australian government assigns protective markings to denote information sensitivity. Only those with the required security clearances can have ongoing access to specific resources. This is demonstrated in the table below:

Protective marking     Impact if compromised                        Security clearance required for ongoing access
UNOFFICIAL             No business impact                           No security clearance required
OFFICIAL               Level 1: low business impact                 No security clearance required
OFFICIAL: Sensitive    Level 2: low to medium business impact       No security clearance required
PROTECTED              Level 3: high business impact                Baseline security clearance or above
SECRET                 Level 4: extreme business impact             Negative Vetting 1 security clearance or above
TOP SECRET             Level 5: catastrophic business impact        Negative Vetting 2 security clearance or above

However, while MAC policies are useful for military and intelligence organisations that deal with sensitive information regarding national interests, many civilian organisations have very different needs. In particular, there is a need for information to be protected while avoiding the burden of cumbersome security policies.

This is where role-based access control (RBAC) policies are most effective. Role-based access control (RBAC) is a popular model that is ideal for structuring access control policies within both small and large organisations. With RBAC, users are allocated roles based on the access rights that they need. Where this differs from DAC is that RBAC does not permit users to grant or revoke access rights to other users at their discretion. Instead, RBAC policies grant access based on organisation-specific protection guidelines and employee roles.

For example, a banking system may have specific roles such as banker, accountant and secretary, so access privileges will be granted based on what each role requires. The benefit of this approach is that access is given to users based on the principle of least privilege, where access is only granted when it is necessary for the user’s job functions. Implementing RBAC as opposed to MAC also reduces administrative burden as it does not require multiple levels of security clearances and classifications.
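The MAC model above (clearance must match the resource's marking) and the RBAC banking example can both be written as a small policy decision point. This is an added illustration, not Gridware's code: the markings and clearances come from the table, the banker/accountant/secretary roles from the text, and the permission names per role are constructed for the example.

```python
"""Added example: a minimal policy decision point contrasting MAC and RBAC.
Markings and clearance ordering follow the article's table; role permissions
are constructed for illustration."""
from dataclasses import dataclass, field

# MAC: clearance levels in increasing order ("None" = no clearance required) and
# the minimum clearance that grants ongoing access to each protective marking.
CLEARANCES = ["None", "Baseline", "Negative Vetting 1", "Negative Vetting 2"]
MIN_CLEARANCE = {
    "UNOFFICIAL": "None", "OFFICIAL": "None", "OFFICIAL: Sensitive": "None",
    "PROTECTED": "Baseline", "SECRET": "Negative Vetting 1",
    "TOP SECRET": "Negative Vetting 2",
}


def mac_allows(clearance: str, marking: str) -> bool:
    """Mandatory check: the subject's clearance must be at or above the minimum
    for the resource's marking. Neither the user nor the owner can waive it."""
    return CLEARANCES.index(clearance) >= CLEARANCES.index(MIN_CLEARANCE[marking])


# RBAC: permissions attach to roles, never to individual users (constructed set).
ROLE_PERMS = {
    "banker": {"accounts:read", "transfers:create"},
    "accountant": {"accounts:read", "ledger:read", "ledger:write"},
    "secretary": {"calendar:read", "calendar:write"},
}


@dataclass
class Rbac:
    user_roles: dict = field(default_factory=dict)

    def assign(self, actor_is_admin: bool, user: str, role: str) -> bool:
        # Only an administrator changes role membership; an ordinary user cannot
        # hand out rights at their discretion, which is the DAC risk described above.
        if not actor_is_admin or role not in ROLE_PERMS:
            return False
        self.user_roles.setdefault(user, set()).add(role)
        return True

    def permissions(self, user: str) -> set:
        return set().union(*(ROLE_PERMS[r] for r in self.user_roles.get(user, ())))

    def allows(self, user: str, perm: str) -> bool:
        return perm in self.permissions(user)

    def excess(self, user: str, needed) -> set:
        """Least-privilege audit: rights the user holds beyond what the job needs."""
        return self.permissions(user) - set(needed)
```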

Following this approach will significantly limit what any single person can access, without causing any major obstructions to the organisation’s workflow. Each person will still be able to access the tools, files and folders that they need.

However, if an attack occurs, the damage will be far more limited. The attacker may only be able to steal a small number of files or obstruct some parts of the system. Following the principle of least privilege can be the difference between a potentially ruinous attack and one that is merely a nuisance.

Keep Your System Flexible & Dynamic

Circumstances change, so your access management system needs to change along with them. If you wish to adhere to the principle of least privilege without causing disruptions, then your organisation needs to be able to adapt to new events quickly. Following these principles can be challenging at first, but the security benefits are immense. Protect your organisation and consult Gridware to see how we can help you administer your user access more effectively.

Ahmed Khanji

Ahmed Khanji is the CEO of Gridware, a leading cybersecurity consultancy based in Sydney, Australia. He is recognised for his insights into offensive security and emerging technologies such as blockchain, and often contributes to broader cybersecurity conversations across the country. With an extensive background as a security advisor to major Australian enterprises, Ahmed helps organisations navigate the evolving threat landscape with clarity and confidence.
