In OATI’s recent blog, “Security Best Practices for Small Organizations,” we suggested organizations create a comprehensive access control system to ensure the confidentiality of their data. But what exactly is an access control system?  

It’s critical for any business to develop and follow a comprehensive access control policy. Access control policies define what resources can be accessed by a user or a computer. Without a system in place, anyone would be able to access anything, and while that makes life easy, it opens us up to several threats, both intentional and unintentional.
 
A very classic example of this would be securing file shares that contain human resource or financial information. Most are familiar with this concept and have experienced first-hand the result clicking on a folder for which they don’t have permissions.
 
In addition to file shares, many networked applications contain several functions. It’s not uncommon for multiple departments to use the same applications for different purposes. These roles should be defined and limited using role-based access controls.
 
Just as we limit access from user accounts, we want to limit the reach of our PCs and servers. Throughout the years there have been several different types of threats that exploit vulnerabilities in operating systems and applications to spread as worms throughout corporate networks.
 
Developing an Access Control Policy
Developing an access control policy should be a joint effort by IT and Operations. The first step in developing an access control policy would be to perform a comprehensive discovery process.

• Identifying departments or roles to assign to users
• Identifying resources accessed by users
• Evaluating technologies in place to provide access control
• Mapping out who can access what and what technologies will control the access
• Developing guidelines and approval processes and building this into company policies

Implementing Access Controls
Once the discovery is complete, you can start using tools to implement secure access. These tools vary depending upon the resource you are protecting. OATI believes in controlling access at both the application layer as well as the network layer.

• Using directory services such as Microsoft Active Directory to manage users and groups
• Leveraging these resources to control access to file shares
• Applying role-based access controls within applications
• Configuring firewalls to limit access to/from network segments or hosts

Developing, implementing, and auditing an access control policy can be very basic or extremely advanced. If you’re just starting out, the best thing you can do is discover your resources, develop roles, and start applying technical controls. As organization and staffing levels continue to grow, so should your access control policies. 
 
Stay tuned for more security blog posts on ways to keep your business secure. If you have any questions, please contact sales@oati.net.