Integrity Blog

Role Based Access Controls

In the previous blog post, Remember to Review Your Data Loss Prevention Policies, I mentioned a few things to consider before purchasing data loss prevention (DLP) products. One of them was restructuring data access controls. To add a little more context to that suggestion, this article discusses some ways to handle it.

The restructuring of controls can be accomplished through Identity and Access Management (IAM), which enables the right individuals to access the right resources at the right times and for the right reasons. Most organizations have tools and processes in place to control access to data. However, as employees move about the company, their access continues to grow, often unnecessarily. With each new role, position or promotion, new access is granted, but old access is forgotten and never reviewed to ensure it is still appropriate.

Limiting Access Creep with Role Based Access Controls (RBAC)

This type of access creep undermines the effort put into deploying tools that limit access in the first place. That is why it is so important for organizations to remove access that is no longer needed. To help with this challenge, organizations can use Role Based Access Controls (RBAC). When implemented correctly and followed without exception, RBAC is very effective at limiting access creep.

With RBAC in place, when a user is moved into a role, they receive only the access needed for that role. All other existing access is stripped away. Using this method requires organizations to think about each role and the responsibilities of those roles. The important thing about this approach is that organizations must be intentional about how they assign data access controls.

Sticking to the RBAC Model

Defining the roles that guide RBAC can be time consuming and challenging. If roles are not well-defined, access may be either too broad or too narrow. In those cases, administrators may struggle to decide what to do with employees who have unique responsibilities, and there is a tendency to grant access outside of any predefined role, which invalidates the entire model. Organizations must remain vigilant about strictly defining roles and abiding by the RBAC model.

Reviewing and Updating Access Controls

In addition to the importance of the initial role creation, access controls must be continuously reviewed and updated based on the needs of the organization. Business unit leadership should be involved in the periodic certification of access for their team members. This ensures that the need for access to data is still valid based on the current business requirements.
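To make the two mechanisms above concrete, the role move that strips all access not needed for the new role and the periodic certification of each team member's access, here is a small added Python model. It is not code from the original post; the role names and entitlement strings are constructed examples. It contrasts additive grants, which produce access creep, with an RBAC move that replaces access, and it includes a certification check that flags any entitlement outside the user's current role.

```python
from dataclasses import dataclass, field

# Constructed role definitions: each role grants exactly the entitlements its
# duties require. Role names and entitlement strings are hypothetical examples.
ROLES = {
    "accounts_payable": {"erp:invoices:read", "erp:invoices:approve"},
    "payroll": {"hr:payroll:read", "hr:payroll:write"},
    "sales": {"crm:accounts:read", "crm:opportunities:write"},
}


@dataclass
class User:
    name: str
    role: str
    entitlements: set = field(default_factory=set)


def grant_additively(user: User, new_role: str) -> User:
    """The access-creep pattern: new role access is added, old access is kept."""
    user.role = new_role
    user.entitlements |= ROLES[new_role]
    return user


def move_to_role(user: User, new_role: str) -> User:
    """RBAC move: the user ends up with exactly the new role's entitlements.
    Refusing unknown roles prevents one-off grants outside the defined model."""
    if new_role not in ROLES:
        raise ValueError(f"{new_role!r} is not a defined role; define it first")
    user.role = new_role
    user.entitlements = set(ROLES[new_role])
    return user


def certify_access(user: User) -> dict:
    """Periodic review: split entitlements into those justified by the role and
    those outside it, which the business owner must re-approve or revoke."""
    expected = ROLES[user.role]
    return {
        "justified": sorted(user.entitlements & expected),
        "outside_role": sorted(user.entitlements - expected),
        "missing": sorted(expected - user.entitlements),
    }


def demo():
    # Same career path for two users: payroll -> accounts payable -> sales.
    creep = User("alice", "payroll", set(ROLES["payroll"]))
    grant_additively(grant_additively(creep, "accounts_payable"), "sales")
    rbac = User("bob", "payroll", set(ROLES["payroll"]))
    move_to_role(move_to_role(rbac, "accounts_payable"), "sales")
    return certify_access(creep), certify_access(rbac)
```

Running `demo()` shows the additively granted user still holding payroll and invoice-approval rights in a sales role, while the RBAC-moved user holds only what the sales role defines.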

The goal is to encourage organizations to take a close look at their access control model and find ways to improve it. In many cases new technology isn't even required. It may be as simple as implementing a process that identifies when an adjustment to access is required. The return on investment in these situations is exponential.

DLP - Data Loss Prevention - Remember to review your DLP policies. Don't rely solely on the technology.

Data loss prevention (DLP), sometimes referred to as data leakage prevention, is a security strategy used to prevent end users from sending confidential information outside the organization. This is not a new problem; in fact, it may be one of the oldest problems in civilization. The only difference is the medium we use to store and distribute sensitive information. Instead of sealing our handwritten scrolls with a stamp and wax and relying on our most trusted couriers to make delivery, we are purchasing DLP solutions and encrypting emails.

DLP Beyond the Technology

DLP software can be incredibly valuable in protecting confidential data. It affords us the ability to classify data and create business rules that restrict unauthorized users from accidentally or maliciously sharing our most confidential information. However, the real issue may not be with the technology but rather with our data loss prevention policies and with whom we are entrusting our most sensitive information.

Businesses are always striving to become more “efficient”, so they toss all of their data into shared folders and give global access to those folders. There are internal employees, contractors and vendors who often have unrestricted access to data they have no business controlling. The reality is that you can’t lose (or leak) data you don’t have. So, instead of relying solely on technology to help solve the problem, we challenge our clients to reconsider their data access policies and role definitions.

Consider reviewing your DLP policies before implementing a technical DLP solution

  1. Create and enforce a data classification policy. Classifying data, and then putting tighter controls around the most sensitive data, can greatly decrease the risk of data loss/leakage.

  2. Restructure access controls. Take a look at who needs access to data and why. This should be a routine process. As the business grows and matures, data access needs will change.

  3. Consider modifying roles and responsibilities. It's possible that the duties which require access to sensitive data could be consolidated into one role versus spread across multiple roles. This will certainly reduce exposure of sensitive data.

What You Can Learn From a DLP Policy Review

You may find that by following these suggestions you've reduced your risk to a point where implementing a large, complex DLP solution is no longer a sound investment. Perhaps minimal DLP controls on your email and internet connections will be sufficient. On the other hand, after working through the steps outlined above you may find that you need to implement even more technical controls. You could consider controls such as restricting access to USB mass storage devices or adding encryption to individual files. Another option is to apply digital rights management (DRM) to files, which allows you to restrict the rights to open, modify, print, copy, email, upload or take other actions on restricted documents.

One thing is for sure. Businesses that implement DLP solutions without reviewing and updating their data classification standards and DLP policies haven't really reduced their risk. They've simply masked it.


The human element of information security.

When most people talk about developing an information security program, they are referring to the administrative, physical or technical controls used to protect information. While no information security program can be effective without them, there is one key element that is often underestimated: the employee element. The reality is that employees are responsible for designing, implementing and following all of the controls put in place to protect sensitive information. One misstep by an employee can spell disaster in terms of information security. And the sad thing is that it often does.

The good news is that by providing effective information security training to our users, we can solve many of our security issues. According to the Verizon Data Breach Investigations Report, nearly 1 in 3 successful cyberattacks has a social engineering component. Social engineering is nothing more than a hacker psychologically attacking a human rather than a computer. Attackers use their knowledge of human behavior to con a user into giving them information over the phone, online or in person. If we can prevent social engineering attacks, we can reduce the number of successful cyberattacks.

Targeted Cyber Attacks Against Employees

Raise your hand if you took an information security awareness course for work this year. If that course explicitly trained you to spot and respond to specific social engineering attacks that would be targeted to you, keep your hand up. I’m guessing there aren’t many hands still in the air.

Traditional information security training is failing.

Attacks are becoming more targeted at companies and individuals. They come from groups that have researched your organization's people and practices, and they are designed around a specific objective.

A Small Number of Security Incidents Can Make a Large Impact

The Verizon Data Breach Investigations Report found that 23 percent of users open phishing emails and more than one in 10 click on links in those emails. This may seem like a small number, but let me put it a different way. One of every 10 users in your company will take a single action that allows a hacker to compromise your security when presented with the opportunity. In a company of 500 people, a hacker will have 50 or more people who will provide credentials or expose a machine to compromise by clicking on a link in an email. Does this paint a different picture?

Information security training has to be more than just a review of regulatory guidelines, company policies and good password selection. It has to show users examples of the types of attacks they are facing right now. It has to transcend computer use in the office and needs to show how our digital life is connected to both work and personal computer use. How can we expect people to combat digital con artists when they don’t even know how to spot them? Security awareness training is a cost-effective method for fighting back against the onslaught of attacks against your organization.
