Are Permissions and Access Controls the Answer to Working From Home?

Even before the current health crisis began to unfold, a shift was taking place. Employers were allowing their staff to user their own devices in the workplace – a trend referred to as BYOD (Bring Your Own Device).

It was a shift that made sense to many organizations as it eliminated the need to buy and maintain expensive devices and equipment. Employees tended to feel more comfortable using their own device, which in turn lead to an increase in productivity.

The obvious step forward was to allow their employees to work remotely, for similar reasons to those mentioned above. The corona virus pandemic simply accelerated the transition; however, the problem is that many companies were woefully unprepared for it.

Many companies were still living in the age of moats and castles, where the bad guys are outside, and the good guys are inside. And while that may not be a true reflection of the current threat landscape, the security measures they had in place would have at least given them some protection.

Now, in light of recent events, such outdated notions have left them in a vulnerable position, which cyber-criminals will seek to exploit at every possible opportunity.

Allowing employees to work from home will effectively widen an organization’s attack surface. Employees will be using different devices, with different software installed, with different levels of protection. Some devices will be password protected, and some may not.

Some employees may choose to work from cafes or other public areas using an unsecured Wi-Fi connection. Devices get lost, stolen and sold, and it’s unlikely that either the employee or the company they work for have the protocols in place to ensure that the data these devices have access to be not compromised.

There are two related challenges that organizations must confront in order to stand a fighting chance of keeping their data secure during these times. The first relates to the access controls they have in place, and the second relates to visibility – or lack of – as the case may be. However, without implementing a robust access control solution, whether you have visibility or not is irrelevant.

What Are Access Controls?

Access controls are typically categorized as either physical or logical. Physical access controls, such as locks, alarms, key-cards, and so on, are undoubtedly necessary to protect sensitive data, however, in the context of securing remote workers, they are not really relevant.

What we are interested in are the logical access controls, which are centered around two core concepts: authentication and authorization. Authentication is used to confirm that a user is who they say they are, and authorization is used to determine what resources that user is allowed access to.

Authentication: Most authentication protocols simply require a username and password, or in other words, something which the user knows. However, advanced authentication protocols introduce additional factors, such as something you have, or something you are. These might include physical security tokens, biometric scans, and so on.

Authorization: This involves some form of access control policy or list, which specifies the resources each user is allowed access to. An access control technique that is popular amongst larger organizations is Role-based access control (RBAC). With RBAC, instead of assigning access controls to specific individuals, access controls are assigned to groups (roles), and individuals are assigned to those groups, thus reducing the organizational complexity of managing access permissions.

Using a VPN to Control Access

In light of recent events, more people are becoming aware of Virtual Private Networks (VPNs), as more companies are asking their employees to use them. In the context of data security, a VPN is used to provide an encrypted communication channel between the employee’s device and the company network, and some organizations are even using VPNs as a form of access control.

For example, a company would setup multiple VPNs, and determine what resources those VPNs have access to. Users would then be given access to those VPNs, based on their role. Of course, were a hacker to gain access to one of those VPNs by obtaining a legitimate set of credentials, they will have access to whatever resources the VPN has access to.

Monitoring the Behaviour of Privileged Users

Using a VPN for access control may be suitable for small organizations; however, it’s an approach that doesn’t tend to scale well.

Not only is it harder to determine who is accessing what resources, they don’t provide enough granularities for organizations where there are many different roles. In which case, they will need a dedicated solution that is more advanced and provides more visibility and control.

So, let’s assume that you have spent time establishing an access control policy – a document that lists all users, and the resources they are allowed access to. As mentioned above, this could be done using RBAC, however, whichever approach you choose to adopt, you must adhere to the “principal of least privilege“, which stipulates that users are granted the least privileges they need to adequately carry out their duties.

In addition to knowing who has access to your network, you need to know exactly what data you have, where that data is located, and how the data should be classified. Some sophisticated UBA solutions offer data classification tools out-of-the-box, which can automatically discover and classify sensitive data.

The next step is to monitor the users that you have given privileged access to. A data security platform will monitor privileged users, and inform the systems administrator in real-time, when user behavior deviates from the norm. The sysadmin can also review all permission changes via a centralized console to ensure privilege escalation does not take place.

If you need help determining which of your users have access to sensitive data, spotting users with excessive permissions and ensuring your access controls are appropriate, schedule a demo of the Lepide Data Security Platform today.