Access Control: Essentials for Modern IT Teams
Access control consists of the policies, processes, and technologies that determine who may access an organization’s information resources. An access control system can go further by limiting the extent of that access based on factors such as the characteristics of a user’s device or network connection. With the right strategy, companies can reduce their attack surface while limiting the damage of successful cyberattacks.
This guide maps the conceptual, technological, and security landscape of modern access control. We will help you understand the trade-offs between different approaches as well as their limitations against the challenges companies face today. The topics we will cover include:
- What is Access Control?
- What steps are necessary within an access control system?
- What are the different types of access control?
- What are the technological models for remote access into a network?
- How should you be thinking about Network Access Control in 2021?
- Access Control List: how to leverage ACLs within your access control strategy
- Allowlisting: should you be using it in your access control strategy?
Access control has always evolved in lockstep with changes in technology and the workplace. But the pandemic of 2020 put access control in the spotlight. Old assumptions about productivity and working from home shattered as businesses kept running despite the overnight shift to work-from-home. Now organizations large and small are considering making the hybrid workforce permanent.
Yet remote working introduces very real risks that organizations must address. IT administrators have less control over the security of users’ devices and home networks. At the same time that VPN-based remote access expanded, cybercriminals’ attacks against vulnerable VPN technologies intensified.
With a solid understanding of the advantages and disadvantages of each option, IT teams will be better prepared to protect their organizations’ information resources.
To expand on our earlier definition, access control determines who may join a network or use a resource as well as which devices are included in those permissions. Going further, the policies you set will also determine the context under which those permissions are granted, sustained, and revoked.
The traditional approaches to access control evolved in a relatively simple age. The only way to access information resources was to be:
- A company employee;
- Using a company-owned and managed device;
- Hardwired to a company-owned and managed network.
In this environment, access control was as much about controlling physical access as it was about digital access.
Things became more complicated late in the 20th Century as remote access became essential. Laptops and the internet made it easier for employees to use on-premises company resources while away from the office. But giving people access to a protected network over the internet carried huge risks.
Over time, companies adopted the concept of the secure perimeter to balance security and access. Secure perimeter approaches focus on locking down access to an organization’s physical network from anyone other than trusted employees. By analogy, this approach is often called a castle-and-moat strategy. Companies build a moat of network defenses around their protected resources, their castle. A guarded drawbridge, typically in the form of virtual private networking (VPN) technology, lets the good people in and keeps the bad people out.
Just as technological and social change made medieval castles obsolete, the traditional secure perimeter has not kept up with 21st Century developments. On the technology side, things have gotten much more complex. On-premises, proprietary resources no longer dominate corporate computing. Company-owned applications may run on hosted servers or cloud instances. However, the company may not actually own the application thanks to the rise of cloud-based X-as-a-Service providers.
The population of user devices accessing those resources has also diversified. The steady march of Moore’s Law took us from desktops to laptops and now to smartphones and tablets. Making things even more complicated is the rise of bring-your-own-device (BYOD) policies. Rather than tightly managing fleets of company-owned devices, IT departments must accommodate all sorts of user-owned systems.
Even the question of “who is a user?” is much different today. Employees sitting in the office are increasingly the exception rather than the rule. Our sudden shift to remote working is a permanent change in the way business works. Other long-running trends include the blended workforce of employees, freelancers, and consultants. Increasingly, 3rd parties need the kind of access you once limited to employees.
Cybercrime has become just as complicated. Whether in state-sponsored groups or criminal syndicates, black-hat hackers discover and exploit 0-day flaws to penetrate high-value organizations. Less experienced criminals can simply rent sophisticated capabilities from malware-as-a-service providers.
However, the most common cyber risk is human rather than technological. Why search for 0-day exploits when unpatched security flaws leave the door wide open? Cybercriminals also use the company’s users as attack vectors through phishing and other social engineering attacks. In this complex threat environment, effective access control is more important than ever.
With each high-profile security breach, governments pay more attention to corporate network security. Across the US in 2020, federal and state legislators considered more than 280 bills to combat cybercrime. These bills addressed issues such as:
- Setting up cyber task forces.
- Requiring government contractors to have cyber insurance.
- Telling agencies to create vulnerability disclosure policies.
- Defining data protection regulations for insurance providers.
At the federal level, legislators often focus on criminals or law enforcement. But holding corporations accountable for security breaches is always somewhere on the agenda. The healthcare industry already deals with data protection regulations — and penalties — in the Health Insurance Portability and Accountability Act (HIPAA) and the Health Information Technology for Economic and Clinical Health Act (HITECH). Other industries could follow.
To head off aggressive regulations, the business community has begun paying more attention to security. Corporate audits now commonly include System and Organizational Controls (SOC) reports that evaluate all aspects of the company’s network security — including access control.
As we will see, organizations adopt many different approaches to access control. In general, these systems perform the same functions:
- Authentication
- Authorization
- Access
- Audit and Reporting
- Accountability
Each of these steps is an essential component without which the entire access control system will fail. The following overview will help you understand how these five steps work. The particular importance of authentication and authorization deserves more attention. You can read our in-depth article “Authorization vs. Authentication: Understand the Difference” for more complete coverage.
A user trying to access a networked resource must first get through the authentication stage. Here the access control system uses one or more factors to decide whether the user is who they say they are. Authentication factors are often summarized as:
- Something you know — PINs or passwords that the user enters into the access control interface.
- Something you have — Physical tokens, such as one-time password security fobs, that remain in the user’s possession.
- Something you are — fingerprint and face recognition scanners use biometrics to identify the unique characteristics of the user’s body.
Each one of these authentication factors has points of failure that would compromise a network security system. Passwords or key fobs can be stolen, and biometrics can be spoofed. This is why single-factor authentication is not sufficient for an effective access control strategy. Multi-factor authentication requires identity validation using two or more factors.
Confirming users’ identities is a necessary first step, but it is not enough to grant users the access they request. Authorization determines whether the user is allowed to access that resource and to what extent.
Criteria for access to your company’s most sensitive resources may be more restrictive than access to more general systems. For example, access criteria should deny a salesperson’s request to access the R&D division’s servers.
This is also where the context of the user’s connection comes into play. A research scientist can have full access to R&D resources from the lab. When they travel to a conference, however, their access to company resources over the internet should be more limited.
Once users have been authenticated and authorized, they can access the network or resource. But those permissions should never be permanent. Over short timeframes, sessions should time out. Each new session should require re-authentication and re-authorization before allowing users back in.
The system should also monitor context and revoke permissions when anything changes. Someone who moves from their home office to the local coffee shop should not retain their access. Company policies may also reset permissions when new security updates arrive for the user’s device.
Over longer timeframes, security administrators should monitor authorizations across the user base. As people move within the company and take on new roles, they should not keep their previous authorizations. Layers of old authorizations create opportunities for cybercriminals to dig deeper into the company network. Constant oversight of user permissions requires more resources but is essential for proper access control.
Access control systems automatically log user access requests and network activity. Automated reporting and regular security audits can surface issues before they become critical security risks. These audits of your access control system will produce actionable insights by:
- Identifying unusual user behavior.
- Flagging privilege abuse.
- Measuring compliance with security policies.
- Performing forensic analysis of attacks and breaches.
All of the reports and audits in the world will mean nothing if your organization fails to act. Letting things slide or making exceptions creates a lax security culture. Users who violate access policies should be coached, cautioned, disciplined, or terminated depending on the degree and frequency of their bad behaviors. Simply knowing that the organization takes access control seriously is enough to keep most people honest.
Accountability is not just about users. Everyone on the IT team, especially security administrators, must be accountable for their actions. Anyone with privileged credentials must be held to higher standards than users. Sharing passwords or collecting privileges just because it is easier must stop. Any change to access control parameters must be justified, documented, and signed by the person who made the change. And all this activity must be logged, reported, and audited.
Although access control systems follow the same five steps, they implement these steps in quite different ways. Access control systems generally fall into one of these four categories:
- Mandatory Access Control
- Discretionary Access Control
- Role-Based Access Control
- Privileged Access Management
The following summary provides a high-level description of these four categories. For more detail, be sure to read our deep dive into the types of access control systems, “Access Control Models: MAC, DAC, RBAC, & PAM Explained”.
The US military developed mandatory access control (MAC) to protect the highly classified data stored on Pentagon servers and at defense contractors. MAC is a centralized approach to security that removes all policy discretion from the hands of users.
Users and resources are assigned security labels that define their classification levels and clearances. Security labels also define the boundaries of compartmentalization. A resource’s security label includes the compartment of users authorized to reach it. Each user’s security label includes the compartments of resources they are allowed to access.
The MAC system compares the user security label and the resource security label. The user only gets access if classifications, clearances, and compartmentalization align. All other access requests are denied and flagged for investigation.
Mandatory access control maintains the strict security needed by the military. In business settings, however, MAC is inflexible and stifles collaboration. Still, some businesses apply MAC in certain settings. Highly-regulated investment banks, for example, may use MAC to protect their trading platforms while using more flexible security models for their back-office systems.
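The label comparison described above, as an added example that is not part of the original article: a clearance grants access only when its level is at least the resource's classification and it holds every compartment the resource names. The level names, compartment names and the trading-desk scenario are constructed for illustration.

```python
from dataclasses import dataclass, field
from typing import FrozenSet, List

# Ordered classification levels (constructed for this example).
LEVELS = {"unclassified": 0, "confidential": 1, "secret": 2, "top_secret": 3}


@dataclass(frozen=True)
class Label:
    """A security label: a classification level plus the compartments it covers.
    The same type labels users (clearance) and resources (classification)."""
    level: str
    compartments: FrozenSet[str] = field(default_factory=frozenset)

    def dominates(self, other: "Label") -> bool:
        """Level at least as high AND every compartment of `other` is held here."""
        return (LEVELS[self.level] >= LEVELS[other.level]
                and other.compartments <= self.compartments)


AUDIT_LOG: List[str] = []


def mac_check(user: str, clearance: Label, resource: str, classification: Label) -> bool:
    """Central policy with no user discretion: access is granted only when the
    clearance dominates the classification; every other request is denied and
    flagged for investigation."""
    if clearance.dominates(classification):
        return True
    AUDIT_LOG.append(
        f"FLAG {user} -> {resource}: {clearance.level}/{sorted(clearance.compartments)} "
        f"does not dominate {classification.level}/{sorted(classification.compartments)}")
    return False


def demo() -> dict:
    """Constructed scenario: a trader cleared for SECRET with the 'trading' compartment."""
    trader = Label("secret", frozenset({"trading"}))
    return {
        # same level, same compartment: allowed
        "trading_platform": mac_check("trader", trader, "trading-platform",
                                      Label("secret", frozenset({"trading"}))),
        # lower level, no compartment: allowed
        "public_notice": mac_check("trader", trader, "public-notice",
                                   Label("unclassified")),
        # level is sufficient but the 'hr' compartment is missing: denied and flagged
        "hr_records": mac_check("trader", trader, "hr-records",
                                Label("confidential", frozenset({"hr"}))),
        # right compartment but the level is too low: denied and flagged
        "board_minutes": mac_check("trader", trader, "board-minutes",
                                   Label("top_secret", frozenset({"trading"}))),
    }


if __name__ == "__main__":
    print(demo())
    print("\n".join(AUDIT_LOG))
```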
Discretionary access control (DAC) is the most widely used approach to network access. Whereas MAC removes policy discretion from users, DAC lets resource owners decide who does and does not get access. Decentralizing security policy in this way makes the organization more responsive to changing business needs and fosters more collaboration between users.
Administering DAC policies for network access is usually delegated to network administrators within the organization. Compared to MAC, there are security limitations to this decentralized approach. Control over policies is more diffuse, which leads to security gaps as policies and enforcement diverge across the organization.
Typically used in combination with principles of “least privilege”, role-based access control (RBAC) goes beyond simply giving a user access to a network. Instead, the user only gets access to the networks and resources they need to fulfill their role in the organization.
Our earlier example of the R&D department demonstrated RBAC in action. A salesperson and a scientist have distinct roles in the organization. The former’s role does not justify access to R&D systems while the latter’s role requires access in most circumstances.
RBAC can get complicated, especially in team-based workplaces where people wear many hats and roles change frequently. Yet with the right up-front planning, RBAC dramatically reduces the number of over-privileged users without disrupting business operations.
Privileged access management (PAM) is a special form of role-based access control that holds those with privileged credentials accountable to security standards. Privileged users are a cybercriminal’s preferred target since they hold the “keys to the kingdom”. Compromise a privileged account and you can unlock a company’s entire network.
PAM access control systems use RBAC to determine whether a privileged user needs access to a resource each time they try to connect. Logging, reporting, and auditing systems provide the information security leaders need to enforce PAM policies and eliminate the shared passwords and other insecure practices IT personnel can fall into.
Over the years, companies have adopted various technological models to give employees remote access to the company’s information resources. The most common approaches include:
- Virtual Private Networking
- Remote Desktop Protocol
- Software-Defined Perimeter
- Zero Trust Network Access
The modern incarnations of these approaches offer distinct trade-offs that you should be aware of before adding them to your organization’s access control strategy.
As we discussed earlier, the castle-and-moat approach requires a way for remote users to cross the network’s secure perimeter. VPN gateways have traditionally provided this portal into the network. The technology is a known quantity with many vendors offering competitively-priced solutions. However, VPN was first developed in the 1990s and shows its age.
VPN gateways are bottlenecks through which all remote traffic must flow. When many users share the gateway, bandwidth suffers and impacts business operations.
User access to company resources must pass through the VPN gateway regardless of geography. A user’s data may travel across the country even if the resource is in the next building. This backhaul impacts network performance and requires expensive upgrades to solve.
VPN was designed to connect networks. As a result, any permissioned user or device will have full access to the network the VPN gateway is supposed to protect. A compromised device exposes the entire network.
VPN gateways broadcast their presence to the public internet. Simple scanning tools let cybercriminals find VPN gateways to target.
Because VPN gateways open a path to company networks, cybercriminals focus on discovering and exploiting VPN security flaws. At the same time, too many companies fail to keep up with VPN vendors’ frequent security updates. Many high-profile security breaches have been the result of unpatched VPN gateways.
Microsoft developed Remote Desktop Protocol (RDP) to let a Windows computer control another Windows computer remotely. Today, RDP and similar solutions are the modern equivalents of thin clients. They provide users with remote access while keeping all applications and data on secure, managed systems.
Users run a client application on their personal devices. In the case of RDP, the client connects to a virtual instance of a Windows desktop environment. This virtual desktop functions just like a physical computer on the company network. From the user’s perspective, they can do everything they could do at the office. However, their device only receives the virtual desktop’s graphical “monitor” output. Likewise, the only data the virtual desktop receives from the user are keyboard and mouse inputs.
Companies in healthcare, insurance, law, and other highly-regulated industries rely on virtual desktop solutions such as RDP to keep protected data secure. However, enabling and managing these solutions is expensive.
Software-defined perimeters (SDPs) emerged from a US Department of Defense IT modernization program. SDP replaces the traditional castle-and-moat approach of the secure perimeter. Rather than defending an organization’s networks, SDP focuses on defending each resource.
Redrawing the perimeter around each resource makes SDP solutions network-agnostic. As a result, SDP is more effective than VPN technologies in a modern network environment. You can establish a software-defined perimeter around a cloud-based resource just as easily as you can around an on-premises application.
SDP reduces an organization’s attack surface dramatically. Access granted to one resource does not extend to any other resource. Unlike VPN technologies, SDP solutions and the resources they protect can be hidden from the public internet. These and other features make software-defined perimeters more difficult to discover, penetrate, and exploit.
A software-defined perimeter also provides performance and financial benefits. User-to-resource connections are made directly rather than through a gateway. This eliminates backhaul and competition for bandwidth. In addition, the network-agnostic nature of SDP lets companies adopt less expensive and easier to manage network architectures without sacrificing security.
Zero-trust Network Access (ZTNA) addresses a fundamental weakness of VPN and other approaches to access control: trust. These traditional technologies rely on an assumption that validated users or devices can be trusted as if they were on-site and connected to the company LAN.
As its name implies, ZTNA never makes assumptions about the trustworthiness of users, devices, or even networks. ZTNA’s operating paradigm is to never trust anybody — and if you do, don’t do it for long. That paradigm leads to policies that:
- Deny access to all users and devices by default. ZTNA never establishes connections until both have passed security risk assessments.
- Regardless of the source, authenticate and authorize every connection attempt. This applies to connection attempts on-premises just as much as it does to remote access requests.
- Use context to assess each attempt’s risk profile including device security posture, connection source, and network path. Assume on-premises networks are as risky as airport hotspots.
- Use least privilege principles to issue limited, role-based permissions. Users should only be allowed the level of access justified by their roles in the organization. Even then, the session’s context should determine the degree of access granted to the user.
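The following added example (not the article's or Twingate's code) applies the four ZTNA policies above to the salesperson and research-scientist scenario from the authorization section: default deny, authentication on every attempt, context-based scope, role-based least privilege, and session revocation when context changes or the session ages out. Role names, resource names, locations, posture fields and the timeout are constructed for illustration.

```python
from dataclasses import dataclass
from typing import Optional

# Least privilege: a role is entitled only to the resources its job needs;
# any resource not listed is denied by default. (Constructed sample data.)
ROLE_ENTITLEMENTS = {
    "scientist": {"rd-servers", "email"},
    "salesperson": {"crm", "email"},
}

# Locations where each resource may be used at full scope; anywhere else the
# same role gets reduced ("limited") access. Also constructed.
FULL_SCOPE_LOCATIONS = {
    "rd-servers": {"lab"},
    "crm": {"office", "home"},
    "email": {"office", "home", "lab"},
}

SESSION_TTL = 15 * 60  # seconds; short sessions force re-authentication


@dataclass(frozen=True)
class Context:
    user: str
    role: str
    factors: int          # authentication factors presented for this attempt
    location: str         # "lab", "office", "home", "conference", "coffee_shop"
    managed_device: bool  # company-managed device?
    patched: bool         # current OS and antivirus updates installed?


def decide(ctx: Context, resource: str) -> str:
    """Return "full", "limited" or "none". The same checks run for every
    attempt, whether it originates on the LAN or from the internet."""
    if ctx.factors < 2:                                   # single factor is not enough
        return "none"
    if resource not in ROLE_ENTITLEMENTS.get(ctx.role, set()):
        return "none"                                     # default deny
    if not ctx.patched:                                   # device posture gate
        return "none"
    if ctx.managed_device and ctx.location in FULL_SCOPE_LOCATIONS.get(resource, set()):
        return "full"
    return "limited"


@dataclass
class Session:
    ctx: Context
    resource: str
    level: str
    issued_at: float


def open_session(ctx: Context, resource: str, now: float) -> Optional[Session]:
    """A session exists only for a positive decision; "none" yields no session."""
    level = decide(ctx, resource)
    return None if level == "none" else Session(ctx, resource, level, now)


def check_session(session: Session, current: Context, now: float) -> str:
    """Re-evaluated on every use: an expired session, or one whose context
    (location, device posture) has changed, is revoked until the user
    re-authenticates and a fresh decision is made."""
    if now - session.issued_at >= SESSION_TTL:
        return "none"

    def posture(c: Context):
        return (c.location, c.managed_device, c.patched)

    if posture(current) != posture(session.ctx):
        return "none"
    return session.level


if __name__ == "__main__":
    alice = Context("alice", "scientist", 2, "lab", True, True)
    print(decide(alice, "rd-servers"))                       # full
    print(decide(Context("alice", "scientist", 2, "conference", True, True), "rd-servers"))  # limited
    print(decide(Context("bob", "salesperson", 2, "office", True, True), "rd-servers"))      # none
```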
Twingate combines SDP and ZTNA to provide a modern approach to network access. Establishing hidden, secure perimeters around each resource lets Twingate customers eliminate the inefficiencies and security risks of their old VPN technologies. At the same time, they gain more control over resource access through role-based, least privilege permissions.
Network access control (NAC) governs admission to and through a network. A feature of enterprise networking hardware, NAC lets you automate policy enforcement within your network infrastructure. NAC adds compliance to the traditional authentication and authorization steps by evaluating the security posture of devices attempting to connect to the network.
Network access control systems evaluate and enforce security policies in two situations:
- Pre-admission NAC occurs when a user first attempts to connect to a network.
- Post-admission NAC occurs after the user connects to a network and whenever that user tries to move through that network.
In all cases, the NAC system blocks the new connections by default while it performs its authentication, authorization, and compliance assessments.
Large corporations often use NAC to manage their segmented networks. Post-admission NAC automates the traffic control between protected sub-networks. In addition, NAC is a common way to implement role-based policies within traditional network architectures.
NAC’s compliance features protect networks from devices that pose a security risk or have been compromised. Both pre- and post-admission NAC will only grant permission to a device if its security posture complies with company policies.
Monitoring and automation tools also make NAC a popular choice with enterprise security administrators. The company can observe the status of every device on the network and take action when new risks emerge.
You will find network access control solutions in place at many large enterprises. But there are several disadvantages to NAC that prevent small and mid-sized businesses from adopting NAC:
- In-house staff at many businesses do not have the expertise or bandwidth needed to design and manage NAC systems.
- Smaller companies do not have the large user bases and deeply-segmented networks that make NAC beneficial.
- NAC is a sophisticated solution that may be overkill for the typical needs of small and mid-sized businesses.
Companies with segmented networks and large user populations benefit most from network access control. Enterprises have also found NAC a useful approach for handling newer trends in corporate computing:
IT departments have less control over the devices connecting to company resources. BYOD policies are convenient for employees and reduce certain expenses. At the same time, user-provisioned devices expose the company to myriad security risks. NAC can ensure that, before connecting to the network, all user devices have the most recent operating system and antivirus updates.
The number and diversity of devices connecting to the company network are growing. Joining workgroup printers on the network are an array of environmental sensors, smart lighting solutions, and other internet of things (IoT) devices. However, security updates to IoT devices can be haphazard or non-existent. NAC policies limit networked devices to specific subnets and prevent devices with weak security from becoming attack vectors.
Managing the mix of employees, freelancers, contractors, and consultants accessing an enterprise network is always a challenge. Implementing NAC within the network along with role-based access policies makes managing these blended workforces easier.
You can learn more about NAC, its benefits, and its limitations in our article “Network Access Control (NAC): Why is It Important?”
The most commonly used form of access control is the access control list (ACL). These deceptively simple tables consist of an ordered list of rules. Administrators deploy these tables to gateways, routers, and other network hardware to control how traffic flows through the network.
You can read our article, “Access Control Lists (ACLs): How They Work & Best Practices”, for a more detailed explanation. In its simplest form, the ACL is a table that links a subject with a permission. The subject is usually some property of the data packets entering the hardware. The permissions could be a simple permit/deny statement or they could specify the packet’s next destination.
When packets from a user’s device enter the network hardware, they are compared to the list of rules. Those packets that pass the ACL’s rules are routed onwards through the network while those that fail are dropped.
Organizations can use different types of ACLs to exert more nuanced control over their networks:
- Standard access control lists evaluate the source of each packet.
- Extended access control lists evaluate the source, destination, port, or protocol of each packet.
- Dynamic access control lists make ACLs more responsive by adding temporary rules to the ACL upon user authorization.
- Reflexive access control lists create temporary ACL entries that are session-specific.
By implementing ACLs, organizations gain more control over network traffic. For example, they provide a way to replace general network access with more granular role-based access control policies. The automation enabled by ACLs makes the creation and management of segmented networks easier.
Network performance can be improved depending on how you implement access control lists. Latency can improve if your network hardware executes access rules in-device rather than querying central control servers. At the same time, network throughput can increase since the hardware drops all packets that fail the ACL rules.
ACLs provide security benefits beyond controlling access. Internet-facing ACLs make spoofing and denial of service attacks less effective. Internal ACLs can hinder successful breaches and prevent bad actors from jumping to different subnets.
Despite their many advantages, access control lists have scaling issues. The ACL system you use for an on-premises network only works within the network perimeter. Some cloud service providers do not support ACLs. Those that do use their own systems that you must manage in parallel. The overhead needed to manage ACLs also increases with the volume and frequency of permission changes. Blended and hybrid workforces make ACL management challenging.
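As an added example that is not part of the original article, the evaluator below shows the four ACL types listed above working as an ordered rule list: a standard rule examines only the source, an extended rule also examines destination, protocol and port, and dynamic and reflexive entries are temporary rules placed ahead of the static ones. The first matching rule decides and a packet that matches nothing is dropped. All addresses, ports and sample packets are constructed.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class Packet:
    src: str
    dst: str
    proto: str = "tcp"   # "tcp", "udp", "icmp"
    sport: int = 0
    dport: int = 0


@dataclass
class Rule:
    action: str                      # "permit" or "deny"
    src: str = "0.0.0.0/0"           # a standard ACL rule examines only this
    dst: Optional[str] = None        # extended ACL rules also examine these
    proto: Optional[str] = None
    sport: Optional[int] = None
    dport: Optional[int] = None
    expires: Optional[float] = None  # set for dynamic / reflexive entries

    def matches(self, p: Packet, now: float) -> bool:
        if self.expires is not None and now >= self.expires:
            return False                                  # temporary entry aged out
        if ipaddress.ip_address(p.src) not in ipaddress.ip_network(self.src):
            return False
        if self.dst is not None and ipaddress.ip_address(p.dst) not in ipaddress.ip_network(self.dst):
            return False
        if self.proto is not None and p.proto != self.proto:
            return False
        if self.sport is not None and p.sport != self.sport:
            return False
        if self.dport is not None and p.dport != self.dport:
            return False
        return True


class ACL:
    """An ordered rule list: the first matching rule decides; no match means drop."""

    def __init__(self, rules: List[Rule]):
        self.rules = list(rules)

    def evaluate(self, p: Packet, now: float = 0.0) -> str:
        for rule in self.rules:
            if rule.matches(p, now):
                return rule.action
        return "deny"  # implicit deny at the end of every ACL

    def add_dynamic(self, user_ip: str, dst: str, proto: str, dport: int,
                    now: float, ttl: float) -> None:
        """Dynamic ACL: after a user is authorized, open a temporary, narrowly
        scoped permit ahead of the static rules."""
        self.rules.insert(0, Rule("permit", src=f"{user_ip}/32", dst=dst, proto=proto,
                                  dport=dport, expires=now + ttl))

    def add_reflexive(self, outbound: Packet, now: float, ttl: float) -> None:
        """Reflexive ACL: mirror a permitted outbound session so that only its
        return traffic (addresses and ports swapped) is allowed back in, briefly."""
        self.rules.insert(0, Rule("permit", src=f"{outbound.dst}/32", dst=f"{outbound.src}/32",
                                  proto=outbound.proto, sport=outbound.dport,
                                  dport=outbound.sport, expires=now + ttl))


def build_example_acl() -> ACL:
    """Constructed sample: a standard deny for one subnet placed before a broad
    permit, plus an extended rule for a web server. Rule order matters."""
    return ACL([
        Rule("deny", src="10.0.5.0/24"),                     # quarantined subnet
        Rule("permit", src="10.0.0.0/8"),                    # the rest of the LAN
        Rule("permit", src="0.0.0.0/0", dst="10.0.2.10/32",
             proto="tcp", dport=443),                        # public web server only
    ])


if __name__ == "__main__":
    acl = build_example_acl()
    print(acl.evaluate(Packet("10.0.5.7", "10.0.2.10", "tcp", 5000, 443)))   # deny
    print(acl.evaluate(Packet("192.0.2.1", "10.0.2.10", "tcp", 4000, 443)))  # permit
    print(acl.evaluate(Packet("192.0.2.1", "10.0.2.10", "tcp", 4000, 22)))   # deny
```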
Twingate makes ACL policies easier to implement and manage. Within the same system, you can incorporate ACLs of your on-premises and cloud-based resources alike — even if those cloud services do not support ACLs or interoperate with each other. Twingate’s simple administrative console reduces overhead by making it easier to build and update ACLs in one central location.
Allowlisting is a contemporary term for a registry of trusted entities. The entities may be users and devices, or they could specify IP addresses. Security and access policies determine which entities are trustworthy enough to access a resource. Anything not on the list is automatically blocked. As a result, allowlisting significantly reduces the attack surface of an organization’s most sensitive resources.
Read more about allowlisting in our article “Whitelisting: is it required for secure access control?”
Antivirus and anti-malware vendors take the opposite approach. They maintain lists of known security threats which their applications scan for and block. However, an antivirus application is only as good as its list of known threats. An out-of-date list, or a previously unknown threat, lets attacks go unnoticed.
Allowlists are much more efficient as they do not need to know about every threat to the networks they protect. They only need to know what they can trust. The system denies access to any device, IP address, or other entity not on the list since, by definition, they must be untrustworthy.
The control of applications running on managed devices is a common use case for allowlists. Since malware and user-installed software are not on the allowlist, the system will not let them launch.
Allowlists also have applications in access control. At the network’s edge, allowlists can block internet traffic that does not come from a regional office. Within the network, allowlists can restrict access to an assembly line’s network. Many cloud-based service providers have allowlisting capabilities of their own.
As we saw with VPN technologies, however, the assumption of trust inherent to allowlisting creates a security risk. Should an entity on the allowlist be compromised, then the cybercriminal would have free access to whatever networks and resources the allowlist was supposed to protect.
Although it appears counter-intuitive, Twingate’s zero-trust approach protects the integrity of your trust-based allowlist systems. Twingate creates an identity-based list of permissions that organizations can apply to their on-premises and cloud-based resources. Centralized management within Twingate extends allowlists to applications and third-party services that do not have that capability.
The events of the past two years have shown everyone the importance of access control. Top executives who never gave it much thought are now keenly aware of the issues their organizations face. Remote access is essential to keeping their businesses running but they need it done in a way that protects the company’s valuable IT assets.
Understanding today’s access control landscape is an essential first step towards developing your own strategies. Each technology implementing the main access control approaches has unique advantages and disadvantages.
Perhaps the most important consideration is how well an access control solution addresses the diversity of modern networking:
- Resources are on-prem, off-site, cloud-based, or provided by a third party.
- Users access resources through desktops, laptops, tablets, and smartphones.
- Devices may be company-owned and managed but are increasingly user-owned.
- Users may be company employees but are increasingly freelancers, contractors, or employees of other businesses.
Twingate bases its modern approach to access control on principles of zero-trust, least privilege access through software-defined perimeters. As a result, you can improve security and administrative efficiency while improving business operations in an increasingly complex network environment. Contact us to learn more.