Cyber Security Access Control In Organizations


Information Technology

Access Control In Organizations

In most organizations, an access control policy is a set of rules that dictate certain people's access to specific resources. An access control policy is one of the essential security aspects an organization uses, and it's critical to have in place (Mohammed et al., 2018). It can also become cumbersome when writing multiple policies for every new risk type. Still, many tools are available that can help streamline the process and make it easier to manage.

With these tools, you will create policies quickly and easily without sacrificing their quality or quantity. Additionally, many companies need employees with different permission levels depending on their job function, so not everyone should have an admin account, especially if they don't need it. Therefore, this paper looks at how this can be ensured without compromising security or efficiency.

Access control lists (ACLs) can restrict access to objects. An ACL is typically implemented as part of a layer of security on top of authentication and encryption. Typical uses include preventing unauthorized users from accessing resources on a network, restricting access to data files, or allowing multiple users to share a resource (Sutro, 2020).

ACLs can be divided into two areas: discretionary and mandatory enforcement. Discretionary ACLs are the most common type and allow users to determine what rights they want for each object they create. For example, if a file's owner wants to give "Group A" read permission but deny it write permission, only members of that group are given the read permission.

Discretionary ACLs can be implemented at the file system level or per user. In the former scenario, a file system may allow group A to read and write the file but deny group B. A user object could use those permissions while logged in (Sutro, 2020). Mandatory ACLs are the other, compulsory form of enforcement and only allow users to assign their permissions.

If a user wants to provide access to a folder or a file, they must explicitly grant access to another user or deny it for themselves. It is beneficial for high-security needs as it prevents someone with moderate access levels from accidentally granting themselves access to higher levels that they are not authorized for. In the 1970s, Vinton Cerf and Robert Kahn developed ACLs and access control. In the 1980s, with security becoming a much more sensitive issue, RFC 1334 (Sutro, 2020) defined a new file system access control model.
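The two models described above can be made concrete with a small evaluator. The following is an added example, not code from the paper or from any cited source: it implements a discretionary list that only the owner may edit, with explicit deny entries outranking allow entries and a default of no access, and a mandatory layer in the Bell-LaPadula style (no read up, no write down) that the owner cannot override. The object names, group names, users and sensitivity levels are constructed for the demonstration.

```python
from dataclasses import dataclass, field

# Constructed sensitivity levels for the mandatory (label-based) check; only the ordering matters.
LEVELS = {"public": 0, "internal": 1, "confidential": 2, "secret": 3}


@dataclass
class Ace:
    """One discretionary ACL entry: a principal (user or group), a right, allow or deny."""
    principal: str
    right: str      # "read" or "write"
    allow: bool


@dataclass
class FileObject:
    name: str
    owner: str
    label: str                                  # mandatory label, set by policy, not by the owner
    dacl: list = field(default_factory=list)    # discretionary entries, set by the owner


@dataclass
class User:
    name: str
    groups: set
    clearance: str


def grant(obj, actor, principal, right, allow=True):
    """Discretionary control: only the object's owner may add entries to its ACL."""
    if actor != obj.owner:
        raise PermissionError(f"{actor} is not the owner of {obj.name}")
    obj.dacl.append(Ace(principal, right, allow))


def dac_allows(obj, user, right):
    """Evaluate the discretionary list. A deny entry matching the user or one of their
    groups wins over any allow; with no matching entry the answer is no (default deny)."""
    principals = {user.name} | set(user.groups)
    matches = [a for a in obj.dacl if a.principal in principals and a.right == right]
    if any(not a.allow for a in matches):
        return False
    return any(a.allow for a in matches)


def mac_allows(obj, user, right):
    """Mandatory control, Bell-LaPadula style: read only objects at or below the user's
    clearance (no read up), write only objects at or above it (no write down)."""
    clearance, label = LEVELS[user.clearance], LEVELS[obj.label]
    if right == "read":
        return clearance >= label
    if right == "write":
        return clearance <= label
    return False


def access_allowed(obj, user, right):
    """Both layers must agree: an owner's discretionary grant cannot override the label."""
    return dac_allows(obj, user, right) and mac_allows(obj, user, right)


def demo():
    """Constructed scenario from the text: the owner grants Group A read but denies write."""
    report = FileObject(name="report.txt", owner="alice", label="internal")
    grant(report, actor="alice", principal="group-a", right="read", allow=True)
    grant(report, actor="alice", principal="group-a", right="write", allow=False)

    bob = User("bob", {"group-a"}, "internal")      # Group A member, cleared for the label
    carol = User("carol", {"group-b"}, "secret")    # high clearance but not on the list
    dave = User("dave", {"group-a"}, "public")      # on the list but not cleared for the label

    results = {
        "bob-read": access_allowed(report, bob, "read"),
        "bob-write": access_allowed(report, bob, "write"),
        "carol-read": access_allowed(report, carol, "read"),
        "dave-read": access_allowed(report, dave, "read"),
    }
    # A non-owner trying to extend the list is refused by the discretionary rule.
    try:
        grant(report, actor="bob", principal="bob", right="write", allow=True)
        results["bob-self-grant"] = True
    except PermissionError:
        results["bob-self-grant"] = False
    return results


if __name__ == "__main__":
    for check, allowed in demo().items():
        print(f"{check}: {'allowed' if allowed else 'denied'}")
```

Note that carol, despite a clearance above the file's label, is refused because nobody granted her anything, and dave, although listed, is refused by the mandatory layer; this is the point of stacking the two models rather than relying on the owner's list alone.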

Access control lists use information about users (and other principals) to identify whether or not they are allowed access to objects. The systems that implement an ACL model will have a list of users permitted access to various system components. There are three types of ACLs: discretionary, mandatory, and auditing.

In some systems in use today, the concept of "effective" privilege is used. An effective privilege is an authorization concept that allows users of one system, who may have no rights on the local system, to be treated as if they had certain rights on the local system. For example, a UNIX computer may have a user named "Fred", who has a login "laptop" and password "mypass" (Duraisamy, 2017).

He may not have "laptop" or "mypass" on the UNIX system, but he may have any of the other three login names if he is a privileged group member. This means that Fred could log in as a member of the group laptop, even though he does not have adequate rights. The current version of UNIX (and many other systems) uses effective privilege for security purposes.

Putting passwords on top-level systems will help organizations control access. However, if they have only one password for all the issues in the company, it is easy for other employees to figure out what it is by asking someone else for help or through social engineering. For someone who wants to compromise the system, all they need to know is that one user's password (K., 2017). Even if they follow the procedure of creating a separate password for each user, there are still vulnerabilities that these users need to know about before they can use it. Consider adding other levels of account access based on permissions and read privileges, and limiting certain users' rights to network resources (e.g., printing).

Administrators should be restricted from working on their accounts and should not have access to other people's networks, even if they manage them (K., 2017). The same is true for employees at each level. If an employee is given a "level-3" account, they need to have all the rights provided in the level-3 policy document. If permissions are separated, it will be possible to manage the different groups' privileges individually. The advantage of giving administrators two separate accounts is that if one account is compromised or has its password changed, the other accounts are not put at risk.

Some companies have administrator accounts that give out rights and permissions that different groups use. For example, if an organization wants to set up a shared folder for a team and give a department access to it, they might create two accounts (one with full rights, and the other with basic rights only). The first step would be to create the shared folder with permissions based on user role. The second step would be to create an account with only read privileges over that folder. This allows the organization's departmental users to share documents without compromising its administrators.

The organization can implement user-based security where it allocates permissions to each user. Managing those resources will be easier when different users are given different sets of rights. Network and system administrators should be assigned administrator accounts on the home computer; the same goes for other accounts. This division can restrict users' authority based on their account or group. An organization can revoke either an entire group's permissions or an individual account's access privileges by revoking that account's access altogether (K., 2017). The company's security policies should be documented; this makes it easier to manage documents and to follow the same rules in an emergency.
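The account-separation and revocation ideas in the last three paragraphs (a daily account and a separate administrative account, a shared folder with one full-rights and one read-only role, and revoking either a whole group or a single account) can be modelled as a role-based permission table. This is an added example, not the paper's or any cited source's code; the policy, role names, resource names and accounts are constructed for the demonstration, and the "audit" helper is an assumption about how an administrator would check who holds a sensitive right.

```python
# Constructed policy: each role (the "level" in a policy document) maps resources to rights.
POLICY = {
    "dept-reader": {"shared/finance": {"read"}},
    "dept-editor": {"shared/finance": {"read", "write"}},
    "folder-admin": {"shared/finance": {"read", "write", "change-permissions"}},
    "print-users": {"printer-2f": {"print"}},
}

# Constructed accounts: jsmith does daily work in one account and administers the
# folder from a separate one, so a compromise of the daily account exposes less.
ACCOUNTS = {
    "jsmith": {"dept-reader", "print-users"},
    "jsmith-adm": {"folder-admin"},
    "kdoe": {"dept-editor", "print-users"},
    "contractor1": {"dept-reader"},
}


def effective_rights(accounts, policy, account, resource):
    """Union of the rights every group of the account holds on the resource.
    An unknown or revoked account has no groups and therefore no rights."""
    rights = set()
    for group in accounts.get(account, set()):
        rights |= policy.get(group, {}).get(resource, set())
    return rights


def can(accounts, policy, account, resource, right):
    """Single access decision: is the right among the account's effective rights?"""
    return right in effective_rights(accounts, policy, account, resource)


def revoke_group(accounts, policy, group):
    """Revoke an entire group's permissions: drop the role from the policy and from
    every account. Returns new tables; the originals are left untouched."""
    new_policy = {g: r for g, r in policy.items() if g != group}
    new_accounts = {a: (gs - {group}) for a, gs in accounts.items()}
    return new_accounts, new_policy


def revoke_account(accounts, account):
    """Revoke one individual's access altogether without touching anyone else."""
    return {a: gs for a, gs in accounts.items() if a != account}


def audit(accounts, policy, resource, right):
    """Hypothetical review helper: every account holding a given right on a resource."""
    return sorted(a for a in accounts if can(accounts, policy, a, resource, right))


def demo():
    shared = "shared/finance"
    results = {}
    # The daily account can read the shared folder but cannot write to it or alter its ACL.
    results["jsmith-read"] = can(ACCOUNTS, POLICY, "jsmith", shared, "read")
    results["jsmith-write"] = can(ACCOUNTS, POLICY, "jsmith", shared, "write")
    results["jsmith-change-perms"] = can(ACCOUNTS, POLICY, "jsmith", shared, "change-permissions")
    # Only the separate administrative account can change permissions.
    results["change-perms-holders"] = audit(ACCOUNTS, POLICY, shared, "change-permissions")
    # Revoking the print-users group removes printing for everyone, leaving folder rights intact.
    accts2, pol2 = revoke_group(ACCOUNTS, POLICY, "print-users")
    results["kdoe-print-after-revoke"] = can(accts2, pol2, "kdoe", "printer-2f", "print")
    results["kdoe-write-after-revoke"] = can(accts2, pol2, "kdoe", shared, "write")
    # Revoking one account leaves the rest of its group untouched.
    accts3 = revoke_account(ACCOUNTS, "contractor1")
    results["contractor-read-after-revoke"] = can(accts3, POLICY, "contractor1", shared, "read")
    results["jsmith-read-after-contractor-revoke"] = can(accts3, POLICY, "jsmith", shared, "read")
    return results


if __name__ == "__main__":
    for check, value in demo().items():
        print(f"{check}: {value}")
```

The revocation functions return fresh tables rather than mutating the shared ones, so a revocation can be reviewed (for instance by running the audit on the new tables) before it is committed, which matches the paper's point that documented, separately managed group privileges are easier to administer in an emergency.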

"Cyber Security Access Control In Organizations" (2022, April 23) Retrieved April 22, 2026, from
https://www.paperdue.com/essay/cyber-security-access-control-organizations-term-paper-2179754