As networks and application delivery models evolve, security remains top of mind for IT managers. ISPs hold volumes of sensitive customer information, including personal, financial and other data that, if compromised, could have serious consequences. Also, sub-standard access control mechanisms for the data that resides in your company’s computer systems can lead to unfavourable audit risk reports, a lack of confidence in IT, and can spawn a culture of negligent behaviour. This blog, the first in the series, will take a look at five best practices around access control that will help build a culture of security, integrity and accountability across your organisation.
1. Start with a clean sweep
Whether you’re the new IT manager or have been with the company for some time, a comprehensive audit of all access granted to users will give you a baseline from which to work and help you understand how access control is granted within the business. Staff complements can reach into the thousands, and if there is no understanding of who has access to which resources and why, things can get very muddy. Gartner states in a report on access control, “Security and risk leaders need to fully engage with the latest technology trends if they are to define, achieve and maintain effective security and risk management programs that simultaneously enable business opportunities and manage risk.” But without establishing a security baseline, the technology at your disposal will be of little value to you in achieving strategic, performance and security objectives.
2. Build auditing into your access control policies
Once you’ve established your security baseline, augmenting it with an iterative audit strategy will ensure that loopholes don’t creep into the system. For example, audits run against your employee database might reveal that access for staff that have left your organisation is still active in the system. Now imagine one of those employees left the company under unfavourable circumstances, and the security threat becomes clear. Another way to look at it is that security audits can tell you more about how users access business resources (such as remotely or locally) and allow you to build better security mechanisms around access to the network and even cater to developing trends, such as teleworking.
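The leaver check described above can be run as a simple reconciliation between an HR export and a directory account export. The following is an added example, not part of the original post; the CSV column names, sample people and account names are all constructed assumptions.

```python
import csv
import io
from datetime import date

# Constructed sample data (not from the original post): an HR export and a
# directory account export, in the shape an audit job might receive them.
HR_CSV = """employee_id,name,status,termination_date
1001,Thandi Mokoena,active,
1002,Pieter Botha,terminated,2024-03-15
1003,Aisha Khan,terminated,2024-05-02
1004,John Dlamini,active,
"""
ACCOUNTS_CSV = """username,employee_id,enabled
tmokoena,1001,true
pbotha,1002,true
akhan,1003,false
jdlamini,1004,true
svc_backup,,true
exintern,1099,true
"""

def load(text):
    """Parse a CSV export into a list of dict rows."""
    return list(csv.DictReader(io.StringIO(text)))

def audit_accounts(hr_rows, account_rows, today):
    """Return (username, reason) for enabled accounts that HR data cannot justify."""
    hr = {r["employee_id"].strip(): r for r in hr_rows}
    findings = []
    for acct in account_rows:
        if acct["enabled"].strip().lower() != "true":
            continue  # disabled accounts grant no access
        emp_id = acct["employee_id"].strip()
        person = hr.get(emp_id)
        if not emp_id:
            findings.append((acct["username"], "no owner recorded"))
        elif person is None:
            findings.append((acct["username"], "owner not in HR data"))
        elif person["status"].strip().lower() == "terminated":
            left = date.fromisoformat(person["termination_date"])
            findings.append((acct["username"], f"owner left {(today - left).days} days ago"))
    return findings

if __name__ == "__main__":
    for user, reason in audit_accounts(load(HR_CSV), load(ACCOUNTS_CSV), date(2024, 6, 1)):
        print(f"{user}: {reason}")
```

Besides leavers whose accounts are still enabled, the same pass surfaces accounts with no recorded owner or an owner unknown to HR, which need a named owner before the next audit cycle.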
3. Once access rights have been established, make it easy for users to get in
Most modern software platforms provide integration with technologies such as LDAP and Active Directory. This allows users to have a single sign-on to gain system-wide access to the resources they need. Roaming user profiles also make it easy for staff to move from computer to computer and still enjoy the same access privileges without IT having to configure each machine for appropriate user access. Managing their access control via a policy-based solution means less administrative overhead for already time-starved IT staff.
4. Take a conservative approach to access control
Treat your business information on a need-to-know basis. A simple yet effective policy is that if users don’t need it, don’t grant access to it. Spending hours sorting through folder permissions and application access levels before your annual audit can send you into administrative overdrive. It comes back to performing your own internal audits regularly enough to know what is happening in your environment. Also apply the same policy to your IT staff. It happens often enough that IT staff abuse their access privileges, so when in doubt, deny access. Again, auditing access control gives you better change management insight into how systems and resources are being made available and why.
5. Data encryption for an added layer of security
Database encryption provides a high but manageable level of data encryption by ensuring that only authorised users are given permission to data assets. Although higher levels of encryption, such as application-level encryption, exist, database encryption is the most widely used due to its ease of management and high level of security. With databases acting as the repositories of volumes of critical business information, data encryption acts as your last line of defense in the event of a breach.
The daily influx of data highlights the need for effective access control strategies
When one considers that the world creates 2.5 quintillion bytes of data daily and that 90 percent of the data in the world has been created in the last two years (according to a report from IBM on big data), it becomes clear that data is the lifeblood of the modern business. SOLIDitech has built a software platform that gives you access to your information assets through the medium of a comprehensive business solution that boosts business efficiency and breaks down silos while ensuring that your most prized asset - your data - is secured with best of breed security solutions.