Search
Close this search box.

Why Your Organisation Needs an Access Control Policy

Share:

Access Control Policies are integral to an organisation’s security strategy. These policies can be as simple as implementing authentication to access a particular resource or as comprehensive as policies defining what users can access. However, these policies must be based on the principle of least privilege to ensure that sensitive information doesn’t fall into the wrong hands.

The principle of least privilege is relatively simple in theory. Abiding by the principle means that users and programs should only have access to the resources that they need in order to accomplish their tasks. When privileges are restricted to the bare minimum, it limits the amount of damage that can be done by an external attacker or an insider threat. However, in practice, this is far more complex to implement.

There are many different kinds of access control policies that can be applied depending on the structure of the organisation in question. Two of the most common models described in the Trusted Computer System Evaluation Criteria (TCSEC) are Discretionary access control (DAC) and Mandatory access control (MAC).

Discretionary access control (DAC) is commonly implemented in civilian organisations and smaller government departments. These policies restrict access based on the identity of users or certain groups. Additionally, users in control of a resource can grant or revoke access for other users without the assistance of an administrator.

However, this in itself is a security risk.

Let’s assume that your company has a discretionary access control policy and gives each employee free rein to all systems and data. Not only that, but employees can grant access rights to other users whenever they choose. If a hacker manages to take over an account or an employee goes rogue, they could wreak tremendous havoc against your organisation and leak highly sensitive information.

They could steal all of its data, or delete it. If they infiltrate the system further and obtain elevated privileges, they could lock everyone out and change their passwords. The more extensive these privileges are, the more extreme the destruction could be.

Most Employees Don’t Need Much Access

There’s no guaranteed method of keeping disgruntled employees or hackers from attacking your organisation. However, adopting the principle of least privilege can mitigate these risks.

The principle of least privilege is most effectively adopted by introducing some form of mandatory access control (MAC). With mandatory access control, the security policy is enforced among all users and resources; these are assigned sensitivity labels that form the basis of access control decisions. MAC policies are primarily adopted by military and intelligence departments, where security classifications are assigned to specific resources that determine if a user can access these based on their security clearance.

For example, the Australian government assigns protective markings to denote information sensitivity. Only those with the required security clearances can have ongoing access to specific resources. This is demonstrated in the table below:

 

Protective Marking Impact if Compromised Security Clearance Required
UNOFFICIAL No business impact No security clearance requirements for access
OFFICIAL 1 low business impact No security clearance requirements for access
OFFICIAL: Sensitive 2 low to medium business impact No security clearance requirements for access
PROTECTED 3 high business impact Ongoing access requires a Baseline security clearance or above
SECRET 4 extreme business impact Ongoing access requires a Negative Vetting 1 security clearance or above
TOP SECRET 5 catastrophic business impact Ongoing access requires a Negative Vetting 2 security clearance or above

However, while MAC policies are useful for military and intelligence organisations that deal with sensitive information regarding national interests, many civilian organisations have very different needs. In particular, there is a need for information to be protected while avoiding the burden of cumbersome security policies.

This is where role-based access control (RBAC) policies are most effective. Role-based access control (RBAC) is a popular model that is ideal for structuring access control policies within both small and large organisations. With RBAC, users are allocated roles based on the access rights that they need. Where this differs from DAC is that RBAC does not permit users to grant or revoke access rights to other users at their discretion. Instead, RBAC policies grant access based on organisation-specific protection guidelines and employee roles.

For example, a banking system may have specific roles such as banker, accountant and secretary, so access privileges will be granted based on what each role requires. The benefit of this approach is that access is given to users based on the principle of least privilege, where access is only granted when it is necessary for the user’s job functions. Implementing RBAC as opposed to MAC also reduces administrative burden as it does not require multiple levels of security clearances and classifications.

Following this approach will significantly limit what any single person can access, without causing any major obstructions to the organisation’s workflow. Each person will still be able to access the tools, files and folders that they need.

However, if an attack occurs, the damage will be far more limited. The attacker may only be able to steal a small number of files or obstruct some parts of the system. Following the principle of least privilege can be the difference between a potentially ruinous attack and one that is merely a nuisance.

Keep Your System Flexible & Dynamic

Circumstances change, so your access management system needs to change along with them. If you wish to adhere to the principle of least privilege without causing disruptions, then your organisation needs to be able to adapt to new events quickly. Following these principles can be challenging at first, but the security benefits are immense. Protect your organisation and consult Gridware, to see how we can help you more effectively administer your user access.

 

Ahmed Khanji

Ahmed Khanji

Ahmed Khanji is the CEO of Gridware, a leading cybersecurity consultancy based in Sydney, Australia. An emerging thought leader in cybersecurity, Ahmed is an Adjunct Professor at Western Sydney University and regularly contributes to cybersecurity conversations in Australia. As well as his extensive background as a security advisor to large Australian Enterprises, he is a regular keynote speaker and guest lecturer on offensive cybersecurity topics and blockchain.

Contact

Sydney Offices
Level 12, Suite 6
189 Kent Street
Sydney NSW 2000
1300 211 235

Melbourne Offices
Level 13, 114 William Street
Melbourne, VIC 3000
1300 211 235

Perth Offices
Level 32, 152 St Georges Terrace
Perth WA 6000
1300 211 235

Company

Learn more about the team at the forefront of the Australian Cyber Security scene.

About Us →

Meet the Team →

Partnerships →

Learn more about the team at the forefront of the Australian Cyber Security scene.

Career Opportunities →

Internships →

Media appearances and contributions by Gridware and our staff.

See More →

Services

Services

Whether you need us to take care of security for you, respond to incidents, or provide consulting advice, we help you stay protected.

View all services →

Web App Pen. Test Calculator →

Network Pen. Test Calculator →

Governance & Audit

Legal and regulatory protection

Penetration Testing

Uncover system vulnerabilities

Remote Working & Phishing

Fortify your defenses

Cyber Security Strategy

Adaptation to evolving threats

Cloud & Infrastructure

Secure cloud computing solutions

Gridware 360

End-to-end security suite

Gridware Managed Services

Comprehensive & proactive security

Gridware CloudControl
360

Harness the benefits of cloud technology

Gridware Incident Response 24/7

Swift, expert-led incident resolution

Resources

Resources

A collection of our published insights, whitepapers, customer success stories and more.

Customer success stories from real Gridware customers. Find out how we have helped others stay on top of their Cyber Security.

Read More →