Featured Image

Building an Advanced Cybersecurity Plan: Access Control

Access control in an advanced cybersecurity plan go well beyond usernames and passwords. It means defining, implementing, and monitoring rules to control which persons and systems may access resources within your company’s network and computer systems.
Jun 03, 2022

“Access control” includes the definition, implementation, and monitoring of rules to control which persons and systems have authority to access resources within a company’s network and computer systems. This goes well beyond assigning credentials (usernames and passwords) to those who have access to the network. Implementation of access control policies should address which systems and which content a user can access within those systems. A simple example of this would be the controls that allow individual customer service personnel access to order status and shipping information but blocks them from accessing customer financial information.

The definitions and implementation of access controls in an advanced cybersecurity plan go well beyond this simple example. The rules for granting access to network and system resources should be broken down to a very granular level to address (1) user rights and methods to access individual systems and functions within those systems, (2) the definition of whether individual users have read, write, and/or edit capabilities for each system and function, and (3) the definition of how software systems (either inside or outside a business) interact with other systems – much the same as if those systems were another type of user.

When defining the criteria for access control, some fundamental rules should be considered:

  • Define unique sets of rules for accessing system resources for each different type of user and software system – be as granular as possible.

  • Grant access only to those systems and functions within a system required for a specific individual’s job.

  • Do not grant access privileges greater than necessary for one’s job responsibilities.

  • Segregate access between those who can view information from those who can change/edit information.

  • Restrict administrative rights (ability to change the configuration of any software or hardware resource) to a carefully vetted set of users

  • Treat access to the internet, or any other connection to resources outside the company, with the same rules as are applied to systems within the company – grant access to only that which is necessary to successfully complete required tasks.

A key part of this interaction mapping addresses the access and exchange of information between software systems and databases within a network infrastructure. Applying access control criteria to each of these interfaces is an important element that needs to be incorporated into an advanced cybersecurity plan – an element that is often overlooked by many companies. A majority of cybersecurity breaches are the result of an attack on a weak link in security defenses and then using the interfaces between systems to penetrate deeper into a company’s resources.

From personal experience, I can attest that the above scenario is real. At our small office, our monthly phone bill for long-distance services was typically around $200 (yes, way back in the day when we had landlines and paid for long-distance services). One month, our bill came in at $85,000. Hackers had found a vulnerability in our fax service and were able to tunnel through the fax system to gain access to our phone system. They were then selling long-distance international phone service hosted through our system. This is just one example of how security breaches can come from any direction and why every point of access to a company’s network and every interface between systems within the network needs to be individually addressed to block unauthorized access. Today’s hackers are a lot more sophisticated, and security breaches can be a lot more expensive.

Applying access control functions between systems within a company’s infrastructure has a lot of parallels to adding locks on doors within your facility – if an intruder penetrates one lock, they have limited access until they find a way to penetrate the next lock. A common security failure encountered at many companies is that they have their one favorite security method that they deploy throughout their system (which makes things easy). This is the same as having locked doors to control access throughout your facility and all doors using the same key. While it may take more resources to implement different security tools dispersed throughout a business’s network, such an effort is necessary to improve the reliability of your security implementation.

Another key factor in implementing access controls for an advanced cybersecurity plan is to verify that the security plan is functioning as expected. This includes:

  • Monitor who is accessing systems and information within the network

  • Limit login attempts for individual sets of credentials and lock out a user after successive failed attempts

  • Implement active warning methods to notify and log specific approved and non-approved system access

  • Implement time-based lockout on inactivity and for any highly restricted access sessions

  • Monitor and record all remote access

  • Encrypt all remote access

  • For wireless access, implement separate methods for network access and account access

  • Consider tablet and cell phone access as both an interface to a company’s network and as an access point to the outside world

Access control is a complex subject and demands a high level of attention as part of the development and implementation of an advanced cybersecurity plan. For more details on addressing access control, you may want to reference Section 3.1 Access Control in NIST standard SP 800-171.

For more on this topic, we invite you to explore the Building an Advanced Cybersecurity Plan article series.

Part 1: Engagement and Reinforcement

Part 2: Interaction Mapping

Part 3: Access Control

Part 4: Electronic Media Protection

Part 5: Identification and Authentication

Part 6: Activity Logging, Auditing, and Traceability

Part 7: Network Resource Configuration Management

Part 8: Communications, Network, and Database Security 

Part 9: Personnel and Infrastructure Security

Part 10: Maintenance and Incident Response

Part 11: Risk Assessment and Vulnerabilities Testing

John Turner
Director of Technology for FA Consulting & Technology (FAC&T) and member of the MTConnect Institute.
Recent technology News
Digital manufacturing uses operational data for more informed decision-making, which helps increase workflow efficiency. But a major challenge is the quality of data. Learn more about this crucial factor in digital manufacturing decision-making processes.
Art and engineering, Robot retires to do what it loves, Projects for standards in measurement, US air force offers am experience for students.
Digital manufacturing is company-specific strategy that uses data from manufacturing operations to support more informed decision-making and increase efficiency. Find out what goes into building a unique digital manufacturing strategy for your business.
KOVAL smartly deploys advanced monitoring technology in the service of creating a reliable, consistent (and delicious) product.
Any cybersecurity implementation involves a trade-off between a company’s tolerance for risk and the effort and costs associated with protecting the company’s resources and customers. Learn how to assess risk and test for vulnerabilities in your network.
Similar News
By Stephen LaMarca | May 12, 2023

In April, Silicon Valley Robotics hosted its annual Robot Block Party in Oakland, California. The event served as a hub for robotics enthusiasts, hobbyists, and makers to showcase their projects and products. Think public school book fair – but for robots.

4 min
By Nina Anderson | May 23, 2023

Does a year-over-year percentage growth truly reflect industry change? Do increased robot installations in sectors with less robot density look the same in ones with more density? Derivatives help expose how total change is affected when variables change.

5 min
By Stephen LaMarca | May 12, 2023

Roboangelo. AI is so big it needs 7 research institutes. Raspberry Pi on steroids. Exhaustion? No. Errors? Rarely, but yes. Captain planet is a LIAR!

5 min