"Please send me that file," seems like a simple enough request, but it really isn't.
Does the person who is requesting the file have the right to receive it? If you don't know, how do you find out?
Are they sending this request from within your local network? From another network? From a mobile device? Is there sufficient security at their endpoint?
Is the file too large to send via email? Even if it can be sent, is your email system secure enough to protect it?
Would it be better to just send them a 'share' link, so they can access the file on a server? If you do, do you want the recipient to be able to edit the file or just view it?
These questions, and many more, are exacerbated by the fact that we often collaborate with teams that include people outside our organization. How will access privileges change when dealing with outsiders?
Making it easy makes it worse
A manufacturer of explosives and corrosives for use by the United States military was faced with user complaints about security restrictions on file access. The measures were getting in the way and preventing people from getting their work done in a timely fashion. Their "solution" was to grant everyone full administrator privileges, so everybody had access to everything. You can imagine the investigation and penalties imposed when their largest customer discovered this. They thought they were making it easier for everyone. They were wrong.
What does access control actually control?
A comprehensive approach to access control occurs at several levels throughout the network.
Begin with the users, who must authenticate themselves to their devices and the network. Can they prove they are who they say they are? Beyond entering an ID and password, we can use multifactor authentication to require something they know (a password) together with something they have (a passcode on a token or mobile device). We can also add fingerprint, facial, or other biometric recognition if the device supports it.
Now that the client device has confidence in the user's identity, it must then communicate with the network, which will also check to ensure that the device itself is adequately secure.
Using Microsoft Azure Active Directory or similar domain management systems, the network next determines if the connecting user is part of any identified groups. If they are, they will be granted specific permissions, ownership of certain objects, perhaps inheritance of permissions from higher-level groups, user rights, and object auditing. Groups allow administrators to grant specific rights and permissions to large numbers of users simultaneously, rather than having to control each individually.
The network may also use role-based access control (RBAC) to grant rights and permissions to users based on their identified role, which may include whether they are internal or external to the organization, accessing from within or outside the network, or having specific responsibilities that convey specific rights.
Such domain management provides tremendously granular control over who has access to what, and what they can do with various objects and resources based on where, when, and how they're accessing the network. This also provides enhanced protection of a greater number and variety of network resources by controlling whether users can read a given data resource, modify it, change the ownership of the resources, or even delete them.
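The layers described above (device check, group membership with inherited permissions, and role- and context-based limits) can be sketched as a small deny-by-default evaluator. This is an added example, not code from this article or from any Microsoft product; the group names, role names, and the two context rules (outsiders are view-only, destructive rights require an on-network request) are assumptions chosen for illustration.

```python
from dataclasses import dataclass

# Constructed sample data: group and role names are hypothetical.
# Rights mirror those the text names: read, modify, change ownership, delete.
ROLE_RIGHTS = {
    "viewer": {"read"},
    "editor": {"read", "modify"},
    "owner": {"read", "modify", "change_owner", "delete"},
}
# Each group grants one role and may inherit from a higher-level group.
GROUPS = {
    "all-staff": {"role": "viewer", "parent": None},
    "engineering": {"role": "editor", "parent": "all-staff"},
    "eng-leads": {"role": "owner", "parent": "engineering"},
    "partners": {"role": "viewer", "parent": None},
}

@dataclass(frozen=True)
class Request:
    groups: tuple           # groups the authenticated user belongs to
    external: bool          # user is outside the organization
    on_network: bool        # request originates inside the local network
    device_compliant: bool  # endpoint passed the network's security check

def granted_rights(groups):
    """Union of rights from each group and every ancestor group."""
    rights, seen = set(), set()
    for name in groups:
        while name and name not in seen:
            seen.add(name)
            group = GROUPS.get(name)
            if group is None:       # unknown group grants nothing
                break
            rights |= ROLE_RIGHTS[group["role"]]
            name = group["parent"]
    return rights

def effective_rights(req):
    """Apply context limits on top of group-derived rights (deny by default)."""
    if not req.device_compliant:
        return set()
    rights = granted_rights(req.groups)
    if req.external:
        rights &= {"read"}                    # assumed rule: outsiders may only view
    elif not req.on_network:
        rights -= {"change_owner", "delete"}  # assumed rule: no destructive actions remotely
    return rights

def is_allowed(req, action):
    return action in effective_rights(req)
```

Granting everyone the `owner` role, as in the manufacturer's case above, would make every `is_allowed` check return true for compliant internal users, which is exactly what the group and context layers exist to prevent.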
Access control in the cloud
Access control becomes even more vital when employees are working with cloud-based resources. Administrators must focus on providing exactly the permissions each user needs. Too many permissions expose a user account to attackers. Too few permissions make it far more difficult for users to get their work done. Role-based access control facilitates the granting of just the right level of permissions to entire departments or groups.
Benefits of a controlled access environment
When the rights and privileges of users are properly managed based on their group and/or role, users are able to enjoy smooth, ready access to the files and other resources they need. This control also assures stakeholders, and regulators, that anyone who accesses their high-value data assets can only do what they are intended to do.
For more detail on access control, consult the Access Control Overview in the Microsoft Windows IT Center.