A Guide to Access Control (2024)

Article 21(i) of the EU’s new NIS2 directive calls for human resources security, access control policies, and asset management. In this blog, we will explore how these 3 concepts are connected and why they are important to strengthen your cybersecurity posture.

What data and resources does your company have that need protection? Who should be able to access them? How do you regulate this? And what can Lansweeper do to help?

What is Access Control and Why Do You Need It?

Access control is the process of regulating which users can access certain resources and data, or perform specific actions, in your environment. The goal is to ensure that only authorized users are granted access to resources while unauthorized users are kept out. It usually consists of two main, closely related components: authentication and authorization.

Authentication verifies whether a user is who they claim to be. In its most basic form, this can be done with the combination of a username – to identify the user – and a password – to prove it’s really them. However, it can also include for example biometric scans, security tokens, or multi-factor authentication (MFA).

Authorization then determines what data and resources that user may access, and under what circumstances: the device they are on, their location, their role, and more. The outcome is a decision on whether or not they have permission to access the specific data or resources they are requesting.

Access control is a vital part of any IT security strategy. It ensures that every user has the right level of access to resources and keeps everyone else out. In case of a data breach, this limits the attack vectors an attacker can exploit. It keeps confidential information from being stolen by malicious actors or unauthorized users and puts a lid on web-based threats. Access control is also essential to comply with various data privacy regulations, not only NIS2 but also, for example, PCI DSS, HIPAA, SOC 2, or ISO 27001.

Different Types of Access Control

There are many ways to manage access control, but most systems fall into one of four main types, each with its own way of administering access to sensitive information.

  1. Discretionary access control (DAC): In this form of access control, every resource, system, or piece of data has an owner or administrator. The owner decides who to grant access rights to, at their own discretion. They can do this case by case or by specifying rules that define access rights. Some systems also allow users who have been granted access to pass that access on to other users in turn.
  2. Mandatory access control (MAC): In a MAC model, a central authority decides how to assign, regulate, and organize access rights. Every resource is assigned a security level, and access is granted or denied based on the security clearance level of the user. This model is very common in government and military organizations.
  3. Role-based access control (RBAC): RBAC models grant users access based on their roles, the groups they belong to, and the actions they need to carry out. These systems usually follow the principle of least privilege, granting the user access only to the data and resources they need to do their job and nothing more.
  4. Attribute-based access control (ABAC): ABAC is the most dynamic model. It grants users access based on a combination of attributes, such as roles, permissions, and environmental conditions. This allows for granular control and lets organizations enforce access rules tailored to specific scenarios.
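To make the four models concrete, the following added example (not Lansweeper's code) evaluates one request, "can this user read the HR salary file?", under a toy DAC, MAC, RBAC and ABAC policy side by side. All users, resources, clearances, roles and rules are constructed sample data; the MAC rule is a deliberately minimal "no read up" check, and the ABAC rule shows how context (device, network, time of day) changes the answer where the other three models do not.

```python
"""Four access control models applied to the same request.

Added illustration, not code from the original article or from Lansweeper.
Users, resources, labels, roles and rules below are constructed sample data.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Request:
    user: str
    resource: str
    action: str


# --- Discretionary access control: the resource owner hands out rights ---
DAC_OWNERS = {"hr/salaries.xlsx": "bob"}                  # constructed
DAC_GRANTS = {"hr/salaries.xlsx": {"carol": {"read"}}}     # owner-granted rights


def dac_allows(req: Request) -> bool:
    """The owner always has full rights; others only what the owner granted."""
    if DAC_OWNERS.get(req.resource) == req.user:
        return True
    return req.action in DAC_GRANTS.get(req.resource, {}).get(req.user, set())


# --- Mandatory access control: central labels, no owner discretion ---
LEVELS = {"public": 0, "internal": 1, "confidential": 2, "secret": 3}
MAC_CLEARANCE = {"alice": "internal", "bob": "confidential", "carol": "secret"}
MAC_LABEL = {"hr/salaries.xlsx": "confidential"}


def mac_allows(req: Request) -> bool:
    """Minimal 'no read up' rule: the user's clearance must dominate the label."""
    if req.action != "read":
        return False  # constructed toy MAC only defines the read-down rule
    clearance = LEVELS[MAC_CLEARANCE.get(req.user, "public")]
    return clearance >= LEVELS[MAC_LABEL.get(req.resource, "secret")]


# --- Role-based access control: permissions attach to roles, not people ---
ROLE_PERMS = {
    "hr_analyst": {("hr/salaries.xlsx", "read")},
    "hr_manager": {("hr/salaries.xlsx", "read"), ("hr/salaries.xlsx", "write")},
    "engineer": {("src/repo", "read"), ("src/repo", "write")},
}
USER_ROLES = {"alice": {"engineer"}, "bob": {"hr_manager"}, "carol": {"hr_analyst"}}


def rbac_allows(req: Request) -> bool:
    """Least privilege: a user holds exactly the union of their roles' permissions."""
    return any((req.resource, req.action) in ROLE_PERMS[r]
               for r in USER_ROLES.get(req.user, set()))


# --- Attribute-based access control: rules over user, resource and context ---
@dataclass(frozen=True)
class Context:
    device_managed: bool
    office_network: bool
    hour: int  # 0-23, local time


def abac_allows(req: Request, ctx: Context) -> bool:
    """Constructed rule: HR files are readable only by an HR role holder, from a
    managed device on the office network, during business hours."""
    hr_user = any(r.startswith("hr_") for r in USER_ROLES.get(req.user, set()))
    in_hours = 8 <= ctx.hour < 18
    if req.resource.startswith("hr/"):
        return (hr_user and ctx.device_managed and ctx.office_network
                and in_hours and req.action == "read")
    return False


def evaluate_all(req: Request, ctx: Context) -> dict:
    """Return each model's decision for the same request."""
    return {"DAC": dac_allows(req), "MAC": mac_allows(req),
            "RBAC": rbac_allows(req), "ABAC": abac_allows(req, ctx)}


if __name__ == "__main__":
    req = Request("carol", "hr/salaries.xlsx", "read")
    print("in the office at 10:00:", evaluate_all(req, Context(True, True, 10)))
    # Same user from a personal laptop at night: only ABAC changes its answer.
    print("personal laptop at 23:00:", evaluate_all(req, Context(False, False, 23)))
```

Note how only the ABAC decision depends on the context object: the other three models answer the same way regardless of where or when the request is made, which is exactly the flexibility (and the extra policy complexity) the article attributes to ABAC.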

What About Identity and Access Management (IAM)?

Within the realm of access control, you have probably encountered Identity and Access Management (IAM) before. IAM is a specific framework within access control, focused on managing digital identities (such as users, groups, and roles) and controlling their access to resources. While access control deals with the overall regulation of access, IAM solutions specifically address the management of identities, authentication, authorization, provisioning and de-provisioning of user accounts, and the enforcement of access policies.


Why Asset Management and Human Resources Security?

The NIS2 directive mentions access control in the same bucket as human resources security and asset management. This makes sense: asset management is a prerequisite for access control, and human resources plays an important role in enforcing access controls.

Asset Management

In order to properly manage access to resources, you need to know what resources you need to protect in the first place. That is where asset management comes in. Proper IT asset management helps with identifying and categorizing all assets in your organization, including hardware, software, data, and infrastructure. This gives you a clear overview of the scope of the resources that need to be controlled.

Once you have identified the assets you need to protect, you can move on to conducting a risk assessment. Assess the potential impact of unauthorized access to these resources. That information can then be used to determine the appropriate level of access control needed.

Human Resources Security

Human Resources Security focuses on safeguarding your organization’s data and resources by managing the human factor associated with security risks. It refers to a series of policies, procedures, and practices used to ensure that everyone employed by or associated with your organization is trustworthy, adequately trained, and aware of their responsibilities regarding information security.

These policies and practices include pre-employment screening, employee training and awareness, contractor and third-party management, and the employee exit process. Specifically, when an employee leaves your organization, HR is responsible for revoking their access to information systems, data, and other resources.

Getting Started on Your Access Control

When getting started with access control, start by determining why you are doing so. Identify the resources (data, systems, and applications) that you need to protect. Once you have this information, you can conduct a risk assessment: classify your assets based on their importance and sensitivity, and determine the potential impact of unauthorized access to them. This will help you determine the appropriate level of access control.

Once you have done the necessary assessments, you can put your access control policies in place. Decide who should be able to access which resources, and under which conditions. These policies need to be aligned with your organization’s security requirements and compliance standards.

It’s also important in this stage to make a decision on which of the aforementioned models is the best fit for your organization. While the MAC model is popular with strictly regulated organizations like governments and the military, the more flexible nature of the ABAC model makes it more suitable for complex organizations.

You may also want to put emergency (break-glass) access accounts in place. These prevent you from being locked out of your systems in case of a misconfigured policy. Make sure to test any policies before you enforce them in your environment.

Once you have everything in place, remember to train your users. The best security systems in the world can fail without employee awareness. Make sure that your users are educated about your systems, best practices, and their role in maintaining security.
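The steps above (define who may access what, keep a break-glass account outside the policy, test before enforcing) can be rehearsed in code. The following added example, not part of the original article or Lansweeper's product, takes a proposed role-based policy and replays a constructed log of last week's access events against it in dry-run mode: it lists which observed accesses the new policy would deny, so legitimate workflows can be reviewed before enforcement, flags users who would lose all access (a likely role misassignment), and checks that the emergency account bypasses the role model. Role names, user names, resources and events are all constructed.

```python
"""Dry-run a proposed access policy against observed access events.

Added illustration, not code from the original article or from Lansweeper.
The policy, the break-glass account name and the event log are constructed.
"""
from collections import Counter
from typing import Dict, List, Set, Tuple

Permission = Tuple[str, str]  # (resource, action)
Event = Tuple[str, str, str]  # (user, resource, action)

# Proposed policy: role -> permissions, user -> roles (constructed sample).
PROPOSED_ROLES: Dict[str, Set[Permission]] = {
    "finance": {("erp/ledger", "read"), ("erp/ledger", "write")},
    "support": {("crm/tickets", "read"), ("crm/tickets", "write")},
    "readonly": {("erp/ledger", "read"), ("crm/tickets", "read")},
}
PROPOSED_ASSIGNMENTS: Dict[str, Set[str]] = {
    "dana": {"finance"},
    "eli": {"support"},
    "fay": {"readonly"},
    # "gus" was forgotten during role mapping (constructed misconfiguration)
}

# Emergency access account kept outside the role model so a bad policy
# cannot lock administrators out. Constructed name.
BREAK_GLASS: Set[str] = {"breakglass-admin"}

# Constructed log of what people actually did last week, one tuple per access.
RECENT_EVENTS: List[Event] = [
    ("dana", "erp/ledger", "write"),
    ("dana", "crm/tickets", "read"),   # finance reading tickets: not in new policy
    ("eli", "crm/tickets", "write"),
    ("eli", "erp/ledger", "read"),     # support reading the ledger: not in new policy
    ("fay", "erp/ledger", "read"),
    ("fay", "erp/ledger", "write"),    # read-only user writing: meant to be cut
    ("gus", "crm/tickets", "read"),    # user with no role at all
    ("breakglass-admin", "idp/policies", "write"),
]


def would_allow(user: str, resource: str, action: str) -> bool:
    """Decision the proposed policy would make. Break-glass always passes."""
    if user in BREAK_GLASS:
        return True
    roles = PROPOSED_ASSIGNMENTS.get(user, set())
    return any((resource, action) in PROPOSED_ROLES.get(r, set()) for r in roles)


def dry_run(events: List[Event]) -> Dict[str, List[Permission]]:
    """Events the proposed policy would deny, grouped by user, without enforcing."""
    denied: Dict[str, List[Permission]] = {}
    for user, resource, action in events:
        if not would_allow(user, resource, action):
            denied.setdefault(user, []).append((resource, action))
    return denied


def lockout_risk(events: List[Event]) -> List[str]:
    """Users for whom every observed access would be denied: review their roles."""
    seen = Counter(user for user, _, _ in events)
    denied = dry_run(events)
    return sorted(u for u, n in seen.items() if len(denied.get(u, [])) == n)


if __name__ == "__main__":
    for user, perms in dry_run(RECENT_EVENTS).items():
        for resource, action in perms:
            print(f"WOULD DENY  {user:16} {action:5} {resource}")
    print("lockout risk:", lockout_risk(RECENT_EVENTS))
    print("break-glass still works:", would_allow("breakglass-admin", "idp/policies", "write"))
```

Each "WOULD DENY" line is a decision for the policy owner, not an automatic failure: some (fay writing the ledger) are exactly what the new policy is meant to stop, others (dana and eli reading data outside their role) may be legitimate workflows that need a role change before the policy goes live. Running the same check against a real access log, where one exists, is the cheapest way to satisfy the "test before you enforce" step.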

Managing Assets, Users, and More With Lansweeper

Since good access control starts with good asset management, a proper IT Asset Management tool like Lansweeper should be your first resource when starting your Access Control journey. Lansweeper’s unrivaled discovery scans all your hardware, software, and users, giving you a complete and always up-to-date inventory to start your risk assessment.

Thanks to the Active Directory scanner, Lansweeper can scan all users within a Microsoft Active Directory user path or Azure Active Directory, no matter their status. This means you can easily track all your users, groups, and their properties, including rights and permissions. This information is essential when managing your access control policies, and for IAM in particular. Like all data in Lansweeper, this information can easily be reported on using built-in or custom-made reports, giving you clear insights into your user information in a click.


FAQs

What are the basics of access control?

The basic concept of access control is a system that either grants or denies entry to a lock or door by determining the identity of the person; this can be done by biometrics, passwords, key cards, and everything in between.

What are the three (3) types of access control?

The 3 types of access control are Role-Based Access Control (RBAC) systems, Attribute-Based Access Control (ABAC), and Discretionary Access Control (DAC). Each of the three access control types can be leveraged to ensure that your property and data are secure.

What are the four steps to control access?

The core access control process involves four steps: identification, authentication, authorization, and accounting.

What are the four (4) main access control models?

There are four types of access control methods: Mandatory Access Control (MAC), Role-Based Access Control (RBAC), Discretionary Access Control (DAC), and Rule-Based Access Control (RBAC or RB-RBAC). A method is chosen based on the level of access needed by each user, security requirements, infrastructure, etc.

What are the four fundamental principles of access control?

Security principles:
  • Fundamental principles (CIA)
  • Identification
  • Authentication
  • Authorization
  • Non-repudiation

What is the most common access control?

Role-based access control attributes permissions to a user based on their business responsibilities. As the most common access control system, it determines access based on the user's role in the company—ensuring lower-level employees aren't gaining access to high-level information.

What is an example of access control?

Access control is a security measure which is put in place to regulate the individuals that can view, use, or have access to a restricted environment. Various access control examples can be found in the security systems in our doors, key locks, fences, biometric systems, motion detectors, badge systems, and so forth.

Which is the most balanced access control model?

The four types of access models are discretionary access control (DAC), mandatory access control (MAC), role-based access control (RBAC), and rule-based access control (RuBAC). RuBAC models are considered the best access control model because of their high flexibility for most types of properties.

How to implement access control?

How to design and implement an effective access control solution for your business:
  1. Assess your security requirements. ...
  2. Define access levels and permissions. ...
  3. Choose the right access control technology. ...
  4. Implement physical security measures. ...
  5. Establish user enrollment and authentication processes. ...
  6. Set up monitoring and reporting.

What is manual access control?

Manual access control uses people to secure specific access points, for example doormen or stewards. They identify people who want to enter the premises and then decide, based on predefined criteria, whether or not they can enter or have access.

What are the two main access control lists?

Standard vs. extended ACLs: there are two main categories of ACLs, standard ACLs and extended ACLs. The standard ACL does not differentiate between types of IP traffic; instead, it allows or blocks traffic based on the source IP address.

What are the 5 D's of access control?

The 5 Ds of perimeter security (Deter, Detect, Deny, Delay, Defend) work on the "onion skin" principle, whereby multiple layers of security work together to prevent access to your site's assets, giving you the time and intelligence you need to respond effectively.

What are the three A's of access control?

Authentication, authorization, and accounting (AAA) is a security framework that controls access to computer resources, enforces policies, and audits usage.

What is the first step to access control?

In the context of access control, identity is the first step in the authentication and authorization process. To log into a protected resource (network, website, app), a user presents a claim of identity such as a username, which then must be verified by an authentication factor such as a password.

What is basic access control?

Basic access control (BAC) is a mechanism specified to ensure only authorized parties can wirelessly read personal information from passports with an RFID chip. It uses data such as the passport number, date of birth, and expiration date to negotiate a session key.

What are the basics of Access?

Access consists of four main database objects: Tables, Queries, Forms, and Reports. Each object has at least two views, Design and "Data". The Design view is where we build the structure of that database object. The Data view shows the output of the data and is different for each object.

What is access control the basic requirement of?

Access control is a fundamental component of security compliance programs that ensures security technology and access control policies are in place to protect confidential information, such as customer data.

What are the basic elements of controlling user access?

Three elements make up access control: identification, authentication, and authorization.

Article information

Author: Duncan Muller