The modern business environment is no longer a static, self-contained area, enclosed in a physical, logically discrete and easily controlled space.
In the past, the IT department needed to manage multiple sign-ins to multiple platforms to handle an increasing number of discrete systems. This was handled through a single domain and login and, once authentication was complete, the user could access whichever systems or applications they were authorised for. But this is no longer adequate, says Mike Gillespie, director of cyber research and security at The Security Institute.
“We have an increasingly diverse and mobile workforce and, for several years, have been adopting flexible IT systems to accommodate the new and convoluted needs that have been the result of all this change. Whether it is mobile devices, online or cloud services or remote access to back-end services, they all pose increasing challenges when it comes to access control.”
So there is now a fresh set of challenges for the chief information security officer (CISO). “Wherever your information is stored and wherever there is a need to access that information, it is vital that the information asset owner (IAO) is involved in setting up the access control policy, so that the asset is properly understood, assessed and access is on a need-to-know basis,” says Gillespie.
He warns that it is vital that the IT department understands whether the device being used for access can provide an appropriate level of security.
“People and their behaviour represent a major risk to security – and access is no different. Users will try to find a way around something they see as inconvenient, without realising the risk they are adding. Educating them in risk is very important,” says Gillespie.
In fact, as Maxine Holt, principal analyst at the Information Security Forum (ISF), points out, the IT security function has a significant number of people and systems to support in access control – not only employees but often partners, suppliers and customers, since IT systems are rarely internal-only. The CISO must also consider the access and authentication requirements for any cloud services used by the business, but simply relying on passwords is not an option.
“Password management must come top of the list as a leading access control mistake,” she says. “Individuals have too many passwords to manage and frequently use the same password (or a small set of passwords) for multiple systems. These are rarely/never changed, and are often easy to guess or crack. Password keeper apps are readily available and individuals should take a look at these at their earliest opportunity.”
Enterprises often force users to change their passwords to something previously unused, but this can still result in easy-to-guess passwords. Holt says single sign-on (SSO) or reduced sign-on (RSO) is another option when combined with two-factor authentication (2FA), where a user knows something (such as their username and password) and uses something else (such as a one-time-passcode) to confirm they are the valid user. “Users should only be given access to systems they need, and at a level appropriate for their role,” she says.
The ISF’s Standard of Good Practice advocates that access privileges are approved by a sufficiently senior business representative. As far as accessing cloud services is concerned, Holt says: “Role-based access control is essential when operating in the cloud, and organisations typically deploy 2FA on access points here.”
As well as providing access, she says the IT department needs to manage joiners and leavers: “As soon as an employee leaves the organisation, access should be revoked across all systems – but delays can occur, and a disgruntled former employee is not someone you want inside your network.” The ISF advocates the deployment of a process for terminating access privileges and reviewing access control arrangements regularly.
The mobile conundrum
The transition to mobility has led to an explosion in devices, warns Rob Stroud, a past international president of ISACA and principal analyst at Forrester Research. “There is minimal value in banning the use of such devices, so organisations need to establish and ensure conformity to company policy on portable machines,” he says.
Stroud recommends IT departments invest in tools and processes to ensure that, if a loss or breach does happen, access through that access point can be quickly and effectively shut down and the device wiped of any organisational data.
Peter Wenham, a committee member of the BCS Security Forum strategic panel and director of information assurance consultancy Trusted Management, recommends IT departments establish policies and procedures for the use of remote devices covering how and where they should be used. “Companies should also carry out regular staff security awareness refreshers and a formal risk assessment covering all aspects of remote access,” he adds. Such a risk review might suggest contextual access controls – such as only providing access to a subset of systems when remote access is required.
He urges CISOs to put in place policies to encrypt the hard discs of corporate laptops and ensure all communications from the laptop across a public network are carried out over an encrypted VPN link back to the company. To provide access control on users’ own smartphones, Wenham says the CISO should establish a company policy and associated procedures covering BYOD, which he says should include a list of acceptable devices, together with software versions and recommended configurations. A company might also require the ability to remotely “zap” a lost device – but this would require a formal acceptance of the situation by a device owner. Along with this, the company email server should be protected by current and fully maintained antivirus and anti-malware.
But getting access control right can be a laborious task. “Each and every user should be securely provisioned, assigned privileges according to their role or function, and provided information on a need-to-know basis,” says Tim Holman, CEO at security consultancy 2-sec. He warns that the most common mistake companies make is sharing user account details among colleagues: “This offers users the ability to access areas of the company systems they would not otherwise have, and removes the ability to track and audit user activity to a specific person, should there be errant behaviour.”
Holman recommends firms enforce a strict no-sharing policy for all employees or apply physical restrictions.
Striking a balance between risk and productivity
Whatever measures or policies are put in place, the secret ingredient of user access control is to find the perfect balance between risk and productivity.
“User accounts and control access should be effectively managed alongside proactive monitoring for inappropriate user behaviour,” says Paul Yung, vice-president of products at PC optimisation firm Piriform.
Clearly, policies need to be put in place to protect sensitive company and customer data, while fulfilling regulations or governance the business must abide by. But these should not be implemented in a way that limits how staff perform their duties.
“When striving for this ideal balance, companies must remember that technology can only partially solve the problem, by stopping malevolent actions or plugging security holes,” says Yung.
Security experts agree that ultimately, any system to manage user access must also address the human factor, and must be underpinned by stringent employee contractual obligations.