Traditional approaches to security can no longer protect an organization completely. With a variety of attacks probing the network for the smallest vulnerability, it becomes very difficult for organizations to apply the necessary controls on a regular basis. As experts note, controls such as documented processes and countermeasures such as firewalls must be implemented as one or more of these previous types, or the controls are not there for the purposes of security.
As defined by Cisco:
“Cyber security is the practice of protecting systems, networks, and programs from digital attacks. These cyber attacks are usually aimed at assessing, changing, or destroying sensitive information; extorting money from users; or interrupting normal business processes. Implementing effective cyber security measures is particularly challenging today because there are more devices than people, and attackers are becoming more innovative.”
Why the need for a “Review of Access Control”?
No organization wants to accept that its employees steal from it, but statistics show that 75% of employees steal from their employer at least once, and according to the ‘Association of Fraud Examiners,’ internal theft accounts for up to 5% of annual revenues for businesses. Although secure access control can’t prevent theft completely, it can hinder it by prohibiting employees from accessing the building during certain hours or at any time outside of their shifts. Access control can also be used alongside the time-logging systems an organization already maintains, so you know exactly when an employee starts or leaves for the day, preventing them from skipping clock-out in an attempt to be paid for hours they did not actually work.
Two major myths identified by Oracle in its report on security are as follows:
- “Myth: Hackers cause most security breaches. In fact, 80% of data loss is caused by insiders.
- Myth: Encryption makes your data secure. In fact, encryption is only one approach to securing data. Security also requires access control, data integrity, system availability, and auditing.”
Access Control Implementation and Review
Access control has a wide scope in an organization and includes the ability to block off portions of the database, so that access to the data does not become an all-or-nothing proposition for employees. A clerk in the Human Relations department might need some access to the data, yet not be permitted to access salary information for the entire company. Access rights can also be defined so that certain data rows containing confidential information are not made available indiscriminately to every user authorized to access the table.
It is a valuable exercise for an organization to review the access rights on accounts at regular intervals to verify that the security policies related to user accounts are being adhered to. One of the main aims of this process is to check that the principle of least privilege is still being applied to employee accounts. This can be verified by a routine audit set up to identify whether any unauthorized party has gained access to the information. Another method for routine audit is through logs: by validating the logs, any bypassed process can be tracked and security kept on track.
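One way to run such a periodic access-rights review as a database query, added here as an illustration and not taken from the article; the table names, columns, sample rows and review rules (terminated owner, orphan account, 90-day dormancy, payroll access outside finance) are all constructed for this example, in PostgreSQL syntax:

```sql
-- Constructed schema: the HR roster and the entitlements (access grants) to review.
CREATE TABLE hr_roster (
    user_id    text PRIMARY KEY,
    department text NOT NULL,
    status     text NOT NULL            -- 'active' or 'terminated'
);
CREATE TABLE entitlements (
    user_id    text NOT NULL,
    resource   text NOT NULL,
    granted_on date NOT NULL,
    last_used  date                     -- NULL if the grant was never exercised
);

-- Constructed sample data (not real accounts).
INSERT INTO hr_roster VALUES
  ('alice', 'finance', 'active'),
  ('bob',   'hr',      'terminated'),
  ('carol', 'hr',      'active');
INSERT INTO entitlements VALUES
  ('alice', 'payroll_db', DATE '2023-01-10', CURRENT_DATE - 3),
  ('bob',   'payroll_db', DATE '2022-06-01', CURRENT_DATE - 120),
  ('carol', 'payroll_db', DATE '2023-09-01', NULL),
  ('carol', 'hr_portal',  DATE '2023-09-01', CURRENT_DATE - 1),
  ('dave',  'hr_portal',  DATE '2024-02-01', CURRENT_DATE - 2);

-- Review: each grant is checked against the roster; only the first matching
-- finding is reported per grant, so ordering of the CASE branches is the priority.
WITH review AS (
    SELECT e.user_id, e.resource, e.last_used,
           CASE
             WHEN r.user_id IS NULL                THEN 'orphan account: no HR record'
             WHEN r.status = 'terminated'          THEN 'owner terminated: revoke'
             WHEN e.last_used IS NULL
               OR e.last_used < CURRENT_DATE - 90  THEN 'dormant: unused for 90+ days'
             WHEN e.resource = 'payroll_db'
               AND r.department <> 'finance'       THEN 'least privilege: payroll outside finance'
           END AS finding
    FROM entitlements e
    LEFT JOIN hr_roster r ON r.user_id = e.user_id
)
SELECT user_id, resource, finding
FROM review
WHERE finding IS NOT NULL
ORDER BY user_id, resource;
-- Expected rows: bob/payroll_db (owner terminated), carol/payroll_db (dormant),
-- dave/hr_portal (orphan account); alice and carol/hr_portal pass the review.
```

Grants that pass silently are as important to keep in the audit trail as the findings, so in practice the full `review` CTE output is retained alongside this exception list.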
Different methodologies can be applied to organizations depending on their need of security. If an organization focuses more on Confidentiality of the data then granular access control methodology can be implemented. For example, in a shared environment businesses should only have access to their own data; customers should only be able to see their own orders. If the necessary compartmentalization is enforced upon the data, rather than added by the application, then it cannot be bypassed by users.
Similarly, a developer should not have access to the code of the organization's other products and should be given access to view only the code of his own product. The granularity of access control is the degree to which data access can be differentiated for particular tables, views, rows, and columns of a database, and it is defined based on the ground rules of the organization. A point to consider while reviewing access rights is the negative scenario, where unauthorized access attempts are captured in the database and a report can be generated for them.
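The row-level compartmentalization described in the two paragraphs above (customers seeing only their own orders, enforced on the data rather than in the application), shown as an added PostgreSQL example that is not from the article; the table, the `customer_app` role, the `app.customer_id` session setting and the sample rows are assumptions made for this example:

```sql
-- Constructed table of customer orders in a shared (multi-tenant) environment.
CREATE TABLE orders (
    order_id    serial PRIMARY KEY,
    customer_id integer NOT NULL,
    amount      numeric(10, 2) NOT NULL
);

-- Constructed sample rows for two customers.
INSERT INTO orders (customer_id, amount)
VALUES (101, 49.99), (101, 15.00), (202, 300.00);

-- The application connects as this role; it may read the table only through
-- the policy below, so it cannot widen its own view of the data.
CREATE ROLE customer_app NOLOGIN;
GRANT SELECT ON orders TO customer_app;

-- Enforce row-level security on the table itself (FORCE applies it to the
-- table owner as well, so no role is silently exempt).
ALTER TABLE orders ENABLE ROW LEVEL SECURITY;
ALTER TABLE orders FORCE ROW LEVEL SECURITY;

-- A row is visible only when its customer_id matches the id the application
-- stored in the session setting app.customer_id after authenticating the user.
CREATE POLICY own_orders ON orders
    FOR SELECT
    TO customer_app
    USING (customer_id = current_setting('app.customer_id')::integer);

-- Session on behalf of customer 101: the filter is applied by the database,
-- even though the queries themselves never mention customer_id.
SET ROLE customer_app;
SET app.customer_id = '101';
SELECT order_id, amount FROM orders;                   -- only the two rows for 101
SELECT count(*) FROM orders WHERE customer_id = 202;   -- 0: other tenants' rows do not exist for this session
RESET ROLE;
```

The remaining trust boundary is the code that sets `app.customer_id`, so that assignment belongs in the authentication path (for example with `SET LOCAL` inside the request's transaction) rather than anywhere user input can reach it.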
Systems must therefore be flexible and able to support different security policies depending on whether the access rights are defined for customers or for employees. For example, an organization would need a stronger access control system for employees (who can see more data) than the one defined for customers.
It is not just data access but also the physical access of employees that can cause huge damage to an organization. It has been observed that tailgating accounts for 75% of the information leakage and security cost incurred by organizations.
Having understood the importance of access rights, it is equally important to maintain them. Although how often access rights are reviewed is a risk-based decision made by experts in the organization, it is important to consider factors such as employee satisfaction and security, since these are the major areas where access breaches have occurred in the past.
Chesla, a Carbon Black researcher, has stated in his work:
“Enterprises must assure that their access control technologies are supported consistently through their cloud assets and applications, and that they can be smoothly migrated into virtual environments such as private clouds. Access control rules must change based on risk factor, which means that organizations must deploy security analytics layers using AI and machine learning that sit on top of the existing network and security configuration. They also need to identify threats in real-time and automate the access control rules accordingly.”