
Security Think Tank: Policies and procedures vital for successful access control

In the modern business environment, what are the most common access control mistakes and what is the best way to correct them?

When an employee accesses a company’s IT resources from outside the workplace, whether from a company-owned device or a personal device, this brings challenges – not for the employee but for the organisation.

Keeping company systems and the data they hold safe is a high-level issue, and the challenges feeding that issue can be summarised as: who can access what from outside the company and what is permissible for them to do?

Policies and procedures for using a remote device, covering how and where it is used, should be created and maintained. Remember that using a device in a coffee shop is different from using it in a hotel room – for example, protecting the screen from unauthorised viewing – and that a personal device is different from a company-owned one. Also, don’t forget to cover personal use of a company device.

Companies should carry out regular staff security awareness refreshers and a formal risk assessment covering all aspects of remote access. Such a risk review might indicate that context-based access controls are required, which means only a subset of systems are made available for remote access.  

Recommendations for a company-provided laptop include encrypting its hard drive (or equivalent storage) with an unlock password, and ensuring that all communication from the laptop, when not on the company LAN, is carried out over an encrypted VPN link back to the company – that is, no split tunnelling, where some traffic bypasses the VPN.

Company-provided smartphones should access email over an encrypted link, and steps should be taken to ensure that any emails or email attachments stored on a device together with contacts and calendars are protected, with similar measures taken where company apps are in use.

Most smartphones can work with Microsoft Exchange email accounts, which makes bring your own device (BYOD) an attractive option because it saves companies money and provides staff with a valuable productivity tool.

However, unlike with a company-supplied device, the organisation has no direct control over a BYOD device, so a company policy and associated procedures covering BYOD use might include a list of “acceptable” devices together with software versions and recommended configurations.
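The context-based controls described above (a remote-access subset of systems, encryption and a full VPN tunnel for company laptops, an acceptable-device list with minimum versions for BYOD) can be expressed as a single policy decision. The following is an added example, not code from the article or its author; the platform names, version thresholds and system names are constructed placeholders, and the function returns the reasons for a denial so they can be logged for review.

```python
from dataclasses import dataclass

# Constructed policy data (illustrative, not from the article):
# BYOD platforms the company accepts, with the minimum OS version for each.
ACCEPTABLE_BYOD = {"ios": (16, 0), "android": (13, 0)}
# The subset of systems a risk review has cleared for remote access.
REMOTE_SYSTEMS = frozenset({"email", "calendar", "contacts"})
# Everything reachable from a company-owned device on the company LAN.
ALL_SYSTEMS = REMOTE_SYSTEMS | {"finance", "hr", "source-control"}


@dataclass
class AccessContext:
    """Facts about the device and where it is connecting from."""
    company_owned: bool
    on_company_lan: bool
    platform: str = ""
    os_version: str = "0"
    disk_encrypted: bool = False
    vpn_active: bool = False
    split_tunnel: bool = False
    remote_wipe_accepted: bool = False


def parse_version(text: str) -> tuple:
    """'16.4.1' -> (16, 4, 1), so versions compare numerically, not as strings."""
    return tuple(int(part) for part in text.split("."))


def evaluate(ctx: AccessContext) -> tuple:
    """Return (allowed systems, deny reasons) for this access context."""
    reasons = []
    if ctx.company_owned and ctx.on_company_lan:
        return set(ALL_SYSTEMS), reasons
    if ctx.company_owned:
        # Company laptop off the LAN: encrypted disk and a full VPN tunnel.
        if not ctx.disk_encrypted:
            reasons.append("disk not encrypted")
        if not ctx.vpn_active:
            reasons.append("no VPN back to company")
        if ctx.split_tunnel:
            reasons.append("split tunnelling enabled")
    else:
        # BYOD: on the acceptable list, at a supported version, wipe accepted.
        minimum = ACCEPTABLE_BYOD.get(ctx.platform)
        if minimum is None:
            reasons.append(f"platform {ctx.platform!r} not on acceptable list")
        elif parse_version(ctx.os_version) < minimum:
            reasons.append(f"{ctx.platform} {ctx.os_version} below minimum")
        if not ctx.remote_wipe_accepted:
            reasons.append("owner has not accepted remote wipe")
    return (set() if reasons else set(REMOTE_SYSTEMS)), reasons
```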

A company might also require the ability to remotely wipe a lost BYOD, but this would require a formal acceptance of the situation by the device’s owner.

Also, the company email server should be protected by a current and fully maintained anti-virus and anti-malware system.

Peter Wenham is a committee member of the BCS Security Forum strategic panel and director of information assurance consultancy Trusted Management.
