Understanding cybersecurity: access control

Physical and logical access controls are key to cybersecurity

Mike Mullane
e-tech
4 min read, Mar 15, 2021


Photo by FLY:D 🔶Art Photographer on Unsplash

There is an old joke that “snowwhiteandthe7dwarfs” is an ideal password because it contains eight characters and a number. It makes us smile because most of us have been annoyed about having to update our log-in credentials at one time or another. But access control is no laughing matter.

The news that two major cyber-attacks in recent months likely started with a weak password and stolen credentials has underlined the importance of having adequate measures in place and a strong cybersecurity culture. People are the biggest cause of security breaches, whether because they click on a link in a phishing email or hold a door open for an intruder who follows them into an office building. That is why access control is at the very heart of cybersecurity, which depends on organizations being sure that users are who they say they are and that they have permission to use specific network resources or to enter restricted areas. Not only does access control contribute to securing assets, but, in the event of a breach, it can also help to trace actions and to determine the cause.

There are two kinds of access controls: physical and logical. Physical controls limit access to premises, workstations and IT hardware, while logical controls restrict access to critical cyber assets. Both are essential for cybersecurity and start from the premise that users, devices and any other entities requesting access are unknown until the system can verify them. For this to happen, they must have a unique and known ID, such as a username, email address or MAC address, that identifies them when they request access.

In Greek mythology, the three-headed dog Cerberus guarded the entrance to Hades, ensuring that only the spirits of the dead could pass. Nowadays it’s called access control. (Image by OpenClipart-Vectors from Pixabay)

Principle of least privilege

The traditional “castle-and-moat” model of security relied on making it difficult to gain access from outside the network. Once inside, however, network users were trusted by default. A modern zero-trust approach recognizes that threats also exist inside a network and that weak and insufficient measures are a disaster waiting to happen.

The US National Security Agency found this out the hard way when the whistleblower Edward Snowden leaked documents to the media. As well as dealing with the public fallout over the surveillance scandal, the agency also faced criticism of its cybersecurity policies and specifically of its access control. As a result, the NSA strictly limited network access to the level necessary for individuals to perform their jobs. Known as the principle of least privilege, it is one of the key measures that IEC 62443–2–1 recommends for keeping critical infrastructure and other industrial automation and control systems (IACS) safe from unauthorized access. Similarly, ISO/IEC 27001 recommends the principle of least privilege for keeping data safe:

“Users shall only be provided with access to the network and network services that they have been specifically authorized to use.”

Implementing such a policy requires a comprehensive approach to the principles of identity and asset management. In addition to managing privilege with care, it is also vital to record all user actions in order to be able to create an audit trail in the event of a breach. Finally, adding and removing rights, called provisioning and de-provisioning, must not have a negative impact on productivity. Policies must be in place to add privileges as needs arise and to remove them when projects are completed, or employment contracts come to an end.

Authentication and authorization

A number of international standards deal with the process of authentication — when a device’s or user’s identity is verified — and authorization, which establishes whether a user can access a specific asset with her or his level of privilege. These include, for example, the IEC 62443 series and the ISO/IEC 27000 family of standards cited above. IEC 60839–11–5 covers physical access controls, including cards and biometrics such as fingerprints and iris scans.
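As an added example (not code from the article), here is a minimal Python model of the controls described in the two sections above: identity verification (authentication), rights that are only granted when specifically authorized and that expire when the project ends (least privilege, provisioning and de-provisioning), and a record of every decision (audit trail). The user, resource and secret values are constructed.

```python
import hmac
from dataclasses import dataclass, field
from datetime import date
# Added example, not from the article; names, resources and secrets are constructed.
@dataclass
class Grant:
    resource: str
    action: str
    expires: date  # the right is de-provisioned automatically once this date has passed

@dataclass
class User:
    user_id: str
    secret: str  # constructed stand-in for a verified credential (password hash, token)
    grants: list = field(default_factory=list)

class AccessController:
    def __init__(self):
        self.users = {}
        self.audit = []  # every decision is recorded so actions can be traced after a breach

    def provision(self, user, resource, action, expires):
        # Rights are added only for a specific resource, action and period
        user.grants.append(Grant(resource, action, expires))
        self.audit.append(("provision", user.user_id, resource, action, expires.isoformat()))

    def authenticate(self, user_id, secret):
        # Requesters are unknown until verified; constant-time compare avoids timing leaks
        user = self.users.get(user_id)
        ok = user is not None and hmac.compare_digest(user.secret, secret)
        self.audit.append(("authn", user_id, "ok" if ok else "fail"))
        return user if ok else None

    def authorize(self, user, resource, action, today):
        # Least privilege: default deny unless a specific, unexpired grant matches
        allowed = any(g.resource == resource and g.action == action and g.expires >= today
                      for g in user.grants)
        self.audit.append(("authz", user.user_id, resource, action, "allow" if allowed else "deny"))
        return allowed

def demo():
    ac = AccessController()
    alice = User("alice", "correct-secret"); ac.users["alice"] = alice
    ac.provision(alice, "plc-config", "write", date(2021, 6, 30))  # project ends 30 June
    who = ac.authenticate("alice", "correct-secret")
    return {"bad_secret": ac.authenticate("alice", "wrong") is None,
            "in_project": ac.authorize(who, "plc-config", "write", date(2021, 5, 1)),
            "other_action": ac.authorize(who, "plc-config", "delete", date(2021, 5, 1)),
            "after_project": ac.authorize(who, "plc-config", "write", date(2021, 7, 1)),
            "audit_events": len(ac.audit)}
```

Every authentication and authorization decision, allowed or denied, lands in the audit list, which is the trail the article says is needed to reconstruct what happened after a breach.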

IEC Standards take a holistic approach to risk mitigation by addressing not only technologies and procedures but also people. Training and capacity building activities are seen as essential for raising awareness and creating a healthy cybersecurity culture. This is especially important at a time when more people than ever before are teleworking as a consequence of the coronavirus pandemic. The current situation is adding to the complexity of access control, as users log into multiple enterprise applications and subnetworks from their home environments. IEC Standards help organizations manage roles and distribute network rights efficiently while achieving a satisfactory trade-off between usability and security.

A version of this story was originally published on the e-tech website
