The Six Ws of Granular Access Control

Security experts are in general agreement that passwords will simply no longer suffice when it comes to system security. As the numerous breaches within the past years have shown, it is too easy to crack passwords and gain access to all the data across entire systems. So, what can an organization do to better protect its systems? This is where granular access controls, a key feature in certain privileged access management solutions, comes in.

What exactly is granular access control? With all the buzzwords floating around the cybersecurity world, it’s easy to stumble across a term that could use additional explanation. This article takes a closer look at why granular access control is so effective by placing limitations on who can get into your organization’s system, where, when and how they can access it, and what they can do with it.

In its simplest definition, granular access controls define who can have access to each part of a system, as well as what they can do with that access. However, setting up permissions for each individual user is impractical and would be incredibly time consuming to track and maintain. Instead, privileges are granted based on roles defined in a corporate directory. For example, a database administrator would be granted permissions for all database servers, whereas a web administrator wouldn’t need access to those particular servers and would therefore not be give permission to access it.

While these role permissions can be set up manually, this would still be immensely time consuming for an IT team, and nearly impossible to keep up with. Employees who leave an organization may still retain permissions for days, even months after their departure, leaving an organization incredibly vulnerable. Privileged access management solutions turn this crucial security protocol into a doable task. Rules and permissions can be changed instantaneously, protecting users from making mistakes, and organizations from leaving doors open to private data.

Once these roles have been established and assigned, users must also authenticate their identity before logging in. This can be done in a number of ways–passwords, tokens, etc. However, as mentioned above, passwords are no longer enough when it comes to critical data. This is where privileged access management solutions come in. They can step up the level of authentication needed for roles with administrator access, adding an additional layer of protection.

How one accesses a system may seem like a simple concept, but when it comes to access, the details matter. There are different levels of connection on can make to the server. For example, an admin can securely access the server over ssh, transfer files with sftp, and escalate privileges with sudo. Some admins may only need to copy files to or from a server but won’t need access to the server itself. Others may need full administrator privileges and all the commands that come with it. Granular access controls assign only the necessary connection capability to each user class.

When using granular access controls, it is ideal to practice the principle of least privilege. That is, unless otherwise specified, a role will be assigned the least amount of access possible to a system. As a role is more defined, the necessary access becomes clearer and is assigned accordingly. For instance, a web administrator would only need access to web servers and a select number of privileged commands.

However, it is not only the access to different parts of the system that are defined–the level of permissions must also be determined. As stated earlier, database and web administrators only need access to select servers and commands, while, Linux administrators typically need access to all servers and all privileged commands. Being this explicit in access and permissions prevents accidental and intentional tampering that can result in data breaches or loss.

While it’s an advantage not only to organizations and employees that work can be accomplished from anywhere, it also requires extra vigilance. Since people can access servers everywhere, it no longer looks suspicious when an organization has numerous IP addresses logging in globally. It also isn’t feasible to require IT teams to comb through these addresses to try and ensure that logins are only coming in from locations where employees are located.

Granular access controls can skip these issues altogether simply by limiting the amount of locations from where a server can be accessed. For example, if no employees are located in Canada, then no Canadian IP addresses can have access to an organization’s system.  

Restrictions must also be placed on the type of access users have when using VPNs (Virtual Private Networks) outside an organization’s offices. Allowing for major changes from thousands of miles away leaves systems incredibly vulnerable. The highest level of access should always be reserved for those logging in directly from the physical server.

A crucial component to configuring granular access controls for maximum security is timing. Staff in an organization rarely need access to systems or data 24 hours a day. In fact, someone signing into their account outside of normal business hours could be considered suspicious. On the other hand, someone logging in during strange hours may only indicate that they’re located in an office in another country. Granular access controls are sophisticated enough to establish rules based on not only role, but on the window of time that a group can be expected to be working. Limiting access to a set timeframe can prevent an error or threat from remaining undiscovered for hours. 

Additionally, granular access controls can provide temporary access for a limited amount of time. For example, a contract employee could be given credentials that are set to time out at the end of their contract. Alternately, a sales person traveling abroad may be given credentials to log in from another country for the length of the trip.

As mentioned above, passwords have become insufficient protection from internal and external breaches. The key to system infiltration comes down to credentials. Once someone has the necessary credentials to access a system and use privileged commands, the damage can be catastrophic. The more employees with these high-level credentials, the higher the risk is that someone could get full access to the system, even with a simple phishing attack. Even when considering password vaulting technologies, a single password is still all that prevents someone from getting through the door. The flexibility of granular access control ensures there are multiple ways to prevent someone from having complete access.  

Risks of malicious insider attacks are also mitigated through granular access control. Organizations that provide full credentials to every employee make it incredibly difficult to track what employees are doing, making it possible to provide an insider with an open window to private data for months without the threat of detection.

Attempting to control privileges like this manually would take numerous additional employees, who would still be unable to make updates and adjust rules in real time. Privileged access management solutions, like Core Privileged Access Manager (BoKS), allow IT teams to efficiently protect your organization’s data. You can restrict privileges so that no one employee has full control of your system, yet still give users the credentials they need to get their work done.