ISO 27001:2022 A 5.15 Access control


Access control is the process of granting authorized users the right to use a service while preventing access by non-authorized users. It is a security technique that regulates who or what can view or use resources in a computing environment, and a fundamental concept in security that minimizes risk to the business or organization. This control addresses the requirements for controlling access to information assets and information processing facilities. The controls are focused on protection against accidental damage or loss, overheating, threats, etc. This requires a documented access control policy and procedures; registration, removal and review of user access rights, including physical access and network access; and control over privileged utilities and restriction of access to program source code. It provides the following value:

  • Controlled access to services ensures that the organization is able to maintain more effectively the confidentiality of its information.
  • Employees have the right level of access to execute their jobs effectively.
  • There is less likelihood of errors being made in data entry or in the use of a critical service by an unskilled user.
  • The ability to audit the use of services and to trace the abuse of services.
  • The ability to revoke access rights more easily when needed – an important security consideration.
  • May be needed for regulatory compliance.

There are two types of access control: physical and logical. Physical access control limits access to campuses, buildings, rooms and physical IT assets. Logical access control limits connections to computer networks, system files and data. To secure a facility, organizations use electronic access control systems that rely on user credentials, access card readers, auditing and reports to track employee access to restricted business locations and proprietary areas, such as data centers. Some of these systems incorporate access control panels to restrict entry to rooms and buildings, as well as alarms and lockdown capabilities, to prevent unauthorized access or operations. Logical access control systems perform identification, authentication and authorization of users and entities by evaluating required login credentials that can include passwords, personal identification numbers, biometric scans, security tokens or other authentication factors. Multifactor authentication (MFA), which requires two or more authentication factors, is often an important part of a layered defense to protect access control systems.

Control

Rules to control physical and logical access to information and other associated assets should be established and implemented based on business and information security requirements.

Purpose

To ensure authorized access and to prevent unauthorized access to information and other associated assets.

ISO 27002 Implementation Guidance

Owners of information and other associated assets should determine information security and business requirements related to access control. A topic-specific policy on access control should be defined which takes account of these requirements and should be communicated to all relevant interested parties. These requirements and the topic-specific policy should consider the following:

  1. determining which entities require which type of access to the information and other associated assets;
  2. security of applications;
  3. physical access, which needs to be supported by appropriate physical entry controls;
  4. information dissemination and authorization (e.g. the need-to-know principle) and information security levels and classification of information;
  5. restrictions to privileged access;
  6. segregation of duties;
  7. relevant legislation, regulations and any contractual obligations regarding limitation of access to data or services;
  8. segregation of access control functions (e.g. access request, access authorization, access administration);
  9. formal authorization of access requests;
  10. the management of access rights;
  11. logging.

Access control rules should be implemented by defining and mapping appropriate access rights and restrictions to the relevant entities. An entity can represent a human user as well as a technical or logical item (e.g. a machine, device or a service). To simplify the access control management, specific roles can be assigned to entity groups. The following should be taken into account when defining and implementing access control rules:

  1. consistency between the access rights and information classification;
  2. consistency between the access rights and the physical perimeter security needs and requirements;
  3. considering all types of available connections in distributed environments so entities are only provided with access to information and other associated assets, including networks and network services, that they are authorized to use;
  4. considering how elements or factors relevant to dynamic access control can be reflected.

Other information

There are often overarching principles used in the context of access control. Two of the most frequently used principles are:

  1. need-to-know: an entity is only granted access to the information which that entity requires in order to perform its tasks (different tasks or roles mean different need-to-know information and hence different access profiles);
  2. need-to-use: an entity is only assigned access to information technology infrastructure where a clear need is present.

Care should be taken when specifying access control rules to consider:

  1. establishing rules based on the premise of least privilege, “Everything is generally forbidden unless expressly permitted”, rather than the weaker rule, “Everything is generally permitted unless expressly forbidden”;
  2. changes in information labels that are initiated automatically by information processing facilities and those initiated at the discretion of a user;
  3. changes in user permissions that are initiated automatically by the information system and those initiated by an administrator;
  4. when to define and regularly review the approval. Access control rules should be supported by documented procedures and defined responsibilities.

There are several ways to implement access control, such as MAC (mandatory access control), DAC (discretionary access control), RBAC (role-based access control) and ABAC (attribute-based access control).
Access control rules can also contain dynamic elements (e.g. a function that evaluates past accesses or specific environment values). Access control rules can be implemented in different granularity, ranging from covering whole networks or systems to specific data fields and can also consider properties such as user location or the type of network connection that is used for access. These principles and how granular access control is defined can have a significant cost impact. Stronger rules and more granularity typically lead to higher cost. Business requirements and risk considerations should be used to define which access control rules are applied and which granularity is required.
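To make the least-privilege premise above concrete ("forbidden unless expressly permitted") together with RBAC roles and the dynamic ABAC-style attributes (location, connection type, time of day) just mentioned, here is an added example that is not code from ISO 27002 or from this article; the policy, role names and attribute names are constructed for illustration.

```python
"""Default-deny access decisions combining RBAC roles with ABAC-style attributes.

Added illustration (not code from ISO 27002 or the article): the policy, the
role names and the attribute names (location, connection, hour, mfa) are
constructed for the example.
"""
from dataclasses import dataclass, field


@dataclass
class Rule:
    role: str                 # RBAC role the rule applies to
    action: str               # e.g. "read", "write", "admin"
    resource: str             # exact name, "prefix:*" or "*" for any resource
    conditions: dict = field(default_factory=dict)  # attribute -> allowed values


# Constructed policy: only the (role, action, resource) combinations listed
# here are expressly permitted; anything else falls through to deny.
POLICY = [
    Rule("engineer", "read", "source:*"),
    Rule("engineer", "write", "source:*", {"connection": {"vpn", "office"}}),
    Rule("hr", "read", "hr:*", {"location": {"HQ"}, "hour": set(range(8, 19))}),
    Rule("admin", "admin", "*", {"connection": {"office"}, "mfa": {True}}),
]

# The weaker model from the text: permitted unless expressly forbidden.
DENY_LIST = {("contractor", "write"), ("contractor", "admin")}


def _resource_matches(pattern: str, resource: str) -> bool:
    if pattern == "*":
        return True
    if pattern.endswith(":*"):
        return resource.startswith(pattern[:-1])
    return pattern == resource


def decide(roles, action, resource, env):
    """Least-privilege decision: (allowed, reason) for an entity holding `roles`.

    `env` carries the dynamic/ABAC attributes of the request (location,
    connection type, time of day, MFA status); a rule only applies when every
    one of its conditions is met by the corresponding attribute.
    """
    for rule in POLICY:
        if rule.role not in roles or rule.action != action:
            continue
        if not _resource_matches(rule.resource, resource):
            continue
        unmet = [a for a, ok in rule.conditions.items() if env.get(a) not in ok]
        if unmet:
            continue  # rule matches but its attribute conditions fail
        return True, f"permitted by rule for role '{rule.role}'"
    return False, "no rule expressly permits this request (default deny)"


def decide_weak(roles, action):
    """Blocklist variant: anything not explicitly forbidden is allowed.

    Shown only to contrast with decide(): an action nobody thought to list,
    such as "delete", is silently permitted.
    """
    for role in roles:
        if (role, action) in DENY_LIST:
            return False, f"forbidden for role '{role}'"
    return True, "not expressly forbidden (default allow)"
```

The contrast between `decide()` and `decide_weak()` is the cost argument in the text: the default-deny policy needs every legitimate combination written down, but an unlisted action is refused rather than quietly allowed.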

Access control governs the ways in which human and non-human entities on any given network are granted access to data, IT resources and applications. It relies on managerial staff from various parts of an organisation maintaining a thorough understanding of who needs access to which resources (e.g. HR informing on an employee's job role, which in turn dictates their RBAC parameters); the access rights themselves are ultimately a maintenance function controlled by staff with administrative rights over the network. Ownership should rest with a member of senior management with overarching technical authority across an organisation's domains, subdomains, applications, resources and assets, such as a Head of IT. This control mentions (but does not limit itself to) four different types of access control, which can be broadly classified as follows:

  • Mandatory Access Control (MAC) – Access is centrally managed by a sole security authority. This is a security model in which the system administrator defines the rules that govern access to resource objects. These rules are often based on conditions, such as time of day or location. It is not uncommon to use some form of both rule-based access control and RBAC to enforce access policies and procedures.
  • Discretionary Access Control (DAC) – The opposite method to MAC, where object owners are able to pass on privileges to other users. This is an access control method in which owners or administrators of the protected system, data or resource set the policies defining who or what is authorized to access the resource. Many of these systems enable administrators to limit the propagation of access rights. A common criticism of DAC systems is a lack of centralized control.
  • Role-based Access Control (RBAC) – The most common type of commercial access control, based around predefined job functions and privileges. This is a widely used access control mechanism that restricts access to computer resources based on individuals or groups with defined business functions — e.g., executive level, engineer level 1, etc. — rather than the identities of individual users. The role-based security model relies on a complex structure of role assignments, role authorizations and role permissions developed using role engineering to regulate employee access to systems. RBAC systems can be used to enforce MAC and DAC frameworks.
  • Attribute-based Access Control (ABAC) – Access rights are granted to users through the use of policies which combine attributes together. This is a methodology that manages access rights by evaluating a set of rules, policies and relationships using the attributes of users, systems and environmental conditions.

Topic-specific approaches encourage organisations to create Access Control policies that are tailored towards individual business functions, rather than adhering to a blanket Access Control policy that applies to data and resource access across the board. This control requires Access Control policies across all topic-specific areas to take the following guidance points into consideration.

  • Determine which entities require access to certain pieces of information and/or assets. This can be achieved by keeping an accurate record of job roles and data access requirements that is in line with your organisational structure.
  • The integrity and security of all relevant applications. A formal risk assessment could be carried out to examine the security characteristics of individual applications.
  • Physical (site) access controls. This can be demonstrated by a robust set of building and room access controls, including managed entry systems, security perimeters and visitor procedures, where appropriate.
  • A company-wide “need to know” principle, when it comes to information distribution, security and categorization by adhering to strict best-practice policies that do not offer blanket access to data across an organisational chart.
  • Ensure restrictions to privileged access rights. Data access privileges above and beyond that of a standard user need to be closely monitored and audited.
  • Adherence to any prevailing pieces of legislation, sector-specific regulatory guidelines or contractual obligations related to data access by tailoring Access Control policies in accordance with any external obligations they have with regards to data, asset and resource access.
  • Oversight of potential conflicts of duty. Policies should include controls that eliminate an individual's ability to compromise a broader Access Control function based on their own levels of access (e.g. an employee who has the ability to request, authorize and implement changes to a network).
  • The three main functions of an Access Control Policy – requests, authorizations and administration – should be addressed in isolation. Access Control policies need to acknowledge that whilst Access Control is a self-contained function, it's made up of a number of individual steps that carry their own set of requirements on a topic-by-topic basis.
  • Access requests should be conducted in a structured, formal manner. Organisations should implement an authorization process that requires formal, documented approval from an appropriate member of staff.
  • Ongoing management of access rights. Data integrity and security perimeters need to be maintained through a continual cycle of periodic audits, HR oversight (leavers etc.) and job-specific changes (e.g. departmental moves and role amendments).
  • Maintaining adequate logs, and controlling access to them. Organisations should collect and store data on access events (e.g. file activity), safeguard against unauthorized access to security event logs, and operate with a comprehensive set of incident management procedures.

Access Control Policy

Access Control policies should clearly communicate the organization's business requirements regarding the identification of users, access to organizational information resources, user access rights, and special access privileges and restrictions. The following could comprise the core of an organizational access control policy framework.

  • Roles and responsibilities
    • Need-to-Know: Access only to information needed to perform assigned tasks.
    • Need-to-Use: Access only to information resources needed to perform assigned tasks.
    • Access levels and privileges by role
    • Periodic review and removal of access levels and privileges
    • Segregation of duties for requesting, authorizing, and reviewing access levels and privileges
  • What is required to identify users?
    • The requirement for vetting users in person
    • A requirement to archive records concerning user identification and credentialing
  • What criteria are used to determine the types of credentials used?
  • What criteria are used to determine the level of access to applications and services?
    • Identification of roles with privileged access
    • Contractual obligations for limiting access granted to vendors and partners
  • What is required from identity providers and from service providers?
    • The requirement to identify the security requirements of applications, both purchased and developed internally
    • The requirement to determine the Level of Authentication (LOA) required to access a service based on risk

Data owners shall determine, approve and assign the level of access to organizational systems and data based on responsibilities, job functions and reporting or outreach requirements, on the confidentiality of the data, and on the restrictions imposed by federal, state and organizational rules and regulations.

Access Control Program

As data, access, and networks continue to expand, organizations have an ever-increasing need to manage identities and access. The optimum solution for this function may be a well-planned and organization-wide Access Management program. In its simplest form, Access Management ensures that only the right people can access the right services at the right time. However, within a complex organization, establishing an Access Management program is not an easy task. Many stakeholders, technology areas, policies, and processes must work together for a scalable and robust program. In addition, governance plays a key role in the success of any Access Management program and its implementation.

Activities of access control

Access control is integrated into an organization's IT environment. It can involve identity management and access management systems. These systems provide access control software, a user database and management tools for access control policies, auditing and enforcement. When a user is added to an access management system, system administrators use an automated provisioning system to set up permissions based on access control frameworks, job responsibilities and workflows. The best practice of least privilege restricts access to only the resources that employees require to perform their immediate job functions. The steps for access control can be:

  1. Requesting access – Access can be requested using one or any number of mechanisms, e.g.
    • A standard request
    • A request for change
    • A service request (submitted via the request fulfillment system)
    • Executing a pre-authorized script or option
    • Rules for requesting access are normally documented as part of the service catalogue
  2. Verification – Access management needs to verify every request for access to a service from two perspectives:
    • That the user requesting access is who they say they are
    • That they have a legitimate requirement for that service
  3. Providing rights – Access management does not decide who has access to which services; it only executes the policies and regulations that have been defined. It enforces decisions to restrict or provide access rather than making those decisions. As soon as a user is verified, it will provide that user with the rights to use the requested service. In most cases, this will result in a request to every team or department involved in supporting that service to take the necessary action. Ideally, these tasks should be automated.
  4. Monitoring identity status – As users work in the organization, their roles change, as do their needs to access services, e.g. job changes, promotions/demotions, resignation or death, etc. Access management should understand and document the typical user lifecycle for each type of user and use it to automate the process. Access control tools should provide features that enable a user to be moved from one state to another or from one group to another, easily and with an audit trail.
    • Job changes – In this case, the user will possibly need access to different or additional services.
    • Promotions or demotions – The user will probably use the same set of services, but will need access to different levels of functionality or data.
    • Transfers – In this situation, the user may need access to exactly the same set of services, but in a different region with different working practices and different sets of data.
    • Resignation – Access needs to be completely removed.
    • Death – Access needs to be completely removed.
    • Retirement – In many organizations, an employee who retires may still have access to a limited set of services, including benefits systems or systems that allow them to purchase company products at a reduced rate, alumni information, etc.
    • Disciplinary action – In some cases, the organization will require a temporary restriction to prevent the user from accessing some or all of the services that they would normally have access to. There should be a feature in the process and tools to do this, rather than having to delete and reinstate the user’s access rights.
    • Dismissals – Where an employee or contractor is dismissed, or where legal action is taken against a customer (for example, for defaulting on payment for products purchased on the internet), access should be revoked immediately. In addition, access management, working together with information security management, should take active measures to prevent and detect malicious action against the organization from that user.
  5. Logging and tracking access – Access management should not only respond to requests. It is also responsible for ensuring that the rights that they have provided are being properly used. Information security management plays a vital role in detecting unauthorized access and comparing it with the rights that were provided by access management. Access management may also be required to provide a record of access for specific services during forensic investigations. If a user is suspected of breaches of policy, inappropriate use of resources, or fraudulent use of data, access management may be required to provide evidence of dates, times and even content of that user’s access to specific services.
  6. Removing or restricting rights – Just as access management provides rights to use a service, it is also responsible for revoking those rights. Again, this is not a decision that it makes on its own. Access management will execute the decisions and policies made during service strategy and design and also decisions made by managers within the organization. Removing access is usually done in the following circumstances:
    • Death
    • Resignation
    • Dismissal
    • The user has changed roles etc.
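The six steps above, with the segregation of request, authorization and administration and the user-lifecycle states (suspension for disciplinary action, revocation for leavers), as an added example that is not code from this article; the state names, the segregation-of-duties rule, the `AccessManager` API and the sample identities are constructed.

```python
# Added illustration, not code from the article: the state names, the
# segregation-of-duties rule and the sample identities are constructed.
from dataclasses import dataclass, field
from typing import Optional

REQUESTED, APPROVED, ACTIVE, SUSPENDED, REVOKED = "requested", "approved", "active", "suspended", "revoked"


@dataclass
class Grant:
    user: str
    service: str
    requested_by: str
    state: str = REQUESTED
    approved_by: Optional[str] = None
    provisioned_by: Optional[str] = None


@dataclass
class AccessManager:
    grants: dict = field(default_factory=dict)  # (user, service) -> Grant
    audit: list = field(default_factory=list)   # (actor, event, user, service, new state)

    def _log(self, actor, event, g):
        self.audit.append((actor, event, g.user, g.service, g.state))

    def _user_grants(self, user, *states):
        return [g for g in self.grants.values() if g.user == user and g.state in states]

    def request(self, requester, user, service):
        g = Grant(user, service, requested_by=requester)
        self.grants[(user, service)] = g
        self._log(requester, "request", g)

    def approve(self, approver, user, service):
        """Formal authorization; neither the requester nor the beneficiary may approve."""
        g = self.grants[(user, service)]
        if g.state != REQUESTED or approver in (g.requested_by, user):
            raise PermissionError("segregation of duties: independent approver required")
        g.state, g.approved_by = APPROVED, approver
        self._log(approver, "approve", g)

    def provision(self, admin, user, service):
        """Administration step: executes an approved decision, never makes one."""
        g = self.grants[(user, service)]
        if g.state != APPROVED or admin in (g.requested_by, g.approved_by):
            raise PermissionError("provisioning requires a distinct, approved request")
        g.state, g.provisioned_by = ACTIVE, admin
        self._log(admin, "provision", g)

    def suspend(self, actor, user):
        """Disciplinary action: restrict without deleting, so rights can be reinstated."""
        for g in self._user_grants(user, ACTIVE):
            g.state = SUSPENDED
            self._log(actor, "suspend", g)

    def reinstate(self, actor, user):
        for g in self._user_grants(user, SUSPENDED):
            g.state = ACTIVE
            self._log(actor, "reinstate", g)

    def revoke(self, actor, user):
        """Leaver, death or dismissal: remove every remaining right immediately."""
        for g in self._user_grants(user, ACTIVE, SUSPENDED):
            g.state = REVOKED
            self._log(actor, "revoke", g)

    def orphaned_access(self, hr_active_users):
        """Periodic review: users still holding rights but absent from HR's active list."""
        return sorted({g.user for g in self.grants.values()
                       if g.state in (ACTIVE, SUSPENDED) and g.user not in hr_active_users})
```

`orphaned_access()` is the periodic audit against HR data: any user it returns is a leaver whose rights were not revoked, which is exactly the gap the monitoring step is meant to close.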

Challenges of access control

Many of the challenges of access control stem from the highly distributed nature of modern IT. It is difficult to keep track of constantly evolving assets because they are spread out both physically and logically. Specific examples of challenges include the following:

  • dynamically managing distributed IT environments;
  • password fatigue;
  • compliance visibility through consistent reporting;
  • centralizing user directories and avoiding application-specific silos; and
  • data governance and visibility through consistent reporting.

Many traditional access control strategies — which worked well in static environments where a company's computing assets were held on premises — are ineffective in today's dispersed IT environments. Modern IT environments consist of multiple cloud-based and hybrid implementations, which spread assets out over physical locations and over a variety of unique devices, and require dynamic access control strategies.

Organizations often struggle to understand the difference between authentication and authorization. Authentication is the process of verifying that individuals are who they say they are, for example using biometric identification and MFA. The distributed nature of assets gives organizations many avenues for authenticating an individual. Authorization is the act of giving individuals the correct data access based on their authenticated identity.

One example of where authorization often falls short is when an individual leaves a job but still has access to that company's assets. This creates security holes because the asset the individual used for work — a smartphone with company software on it, for example — is still connected to the company's internal infrastructure but is no longer monitored because the individual is no longer with the company. Left unchecked, this can cause major security problems for an organization. If the ex-employee's device were to be compromised, for example, the attacker could gain access to sensitive company data, change passwords or sell the employee's credentials or the company's data. One solution to this problem is strict monitoring and reporting on who has access to protected resources so that, when a change occurs, it can be immediately identified and access control lists and permissions can be updated to reflect the change.

Another often overlooked challenge of access control is user experience. If an access management technology is difficult to use, employees may use it incorrectly or circumvent it entirely, creating security holes and compliance gaps. If a reporting or monitoring application is difficult to use, the reporting may be compromised by an employee mistake, which would result in a security gap because an important permissions change or security vulnerability went unreported.
