Imagine having the keys to your house stolen, only to find out later that a thief has taken everything valuable you own. Or waking up one day to discover that a disgruntled staff member has sabotaged your business overnight. These are the cyber-world equivalents of what happens when organizations fail to implement granular permission control.
In 2015, the U.S. Office of Personnel Management (OPM) suffered a data breach that began with stolen employee credentials and compromised the records of 21.5 million individuals. Those credentials let the attackers walk into OPM's systems like burglars with stolen keys. Three years later, Tesla's internal systems were sabotaged by an employee who, despite not holding a senior position, had been given extensive access. The employee altered code in the company's manufacturing operating system and exfiltrated confidential data, leaving the company scrambling to contain the damage. Both episodes show what inadequate permission controls cost and why granular permission control needs to be implemented now, not later.
What is Granular Permission Control and Why is It Important?
Granular permission control, also known as fine-grained access control, is a method of deciding exactly what each user may do with sensitive data. Permissions can be granted to an individual user, to several users, or to a group, so that different users receive different levels of access depending on their need, role or other attributes.
These controls govern access to databases, applications, pages, web servers, software, systems and files. At the same time, they protect confidential information such as trade secrets, personally identifiable information (PII) such as bank account details, and credentials such as passwords.
Because a stolen password or credential is often all an attacker needs to get in and do serious damage to your systems and network, granular access controls are one more safeguard for your organization: even a compromised account can reach only what it was explicitly permitted to reach.
How Does Granular Access Control Work?
Granular access control gives specific users or groups access to specific resources, for example to particular tables in a database rather than the whole database. These different levels of control help prevent malicious users from reaching sensitive data. Which controls apply is determined by characteristics of the user and of the request, such as role, action, identity, attributes and level of security clearance.
What are the Main Types of Granular Access Controls?
Granular permissions are based on the security concept of the principle of least privilege (POLP). The principle appears in the National Institute of Standards and Technology Cybersecurity Framework (NIST CSF) under the access control requirements of the Protect function.
Under POLP, users have access only to the data or information they need. For example, a developer on a development team has access to the part of the code base that their team is working on. After the code is written, it is compiled and run, but under POLP that same developer has no access to the production environment in which it executes.
Once you have determined the specific security requirements for granular permissions at your organization, there are a few models to choose from:
1) Role-Based Access Control (RBAC)
In RBAC, employees are assigned permissions based on their role. They may have access to an account as a viewer, editor or admin depending on their responsibilities. For example, a database administrator might need full access to all the data in the development environment, or might only need the default permissions for specific web servers and commands.
Some other types of roles might be:
- Instance roles – These permissions relate to an instance (one occurrence of a class or object). A default role can apply to all users, while the instance administrator has the authority to modify user permission settings when an instance starts. Settings can be changed to require authentication and other granular access control actions.
- Custom roles – This type of role can combine permissions from different categories, such as roles, groups, applications, resources and data sources. For example, a user might have permission to run a query against the database, to delete or edit the data source, or only to view it.
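The following is an added example (not code from the original article) of how an RBAC check is typically implemented: each role contributes a set of permissions, roles can inherit from a parent role (viewer, editor, admin), and anything not granted is denied. The role names, the "resource:action" permission strings and the sample users are assumptions.

```python
"""Minimal role-based access control (RBAC) check with a role hierarchy.

Added example, not code from the original article. The role names, the
"<resource>:<action>" permission strings and the sample users are assumptions.
"""
from dataclasses import dataclass, field
from typing import Optional

# Permissions each role adds. Anything not granted here is denied by default.
ROLE_PERMISSIONS: dict[str, set[str]] = {
    "viewer": {"report:read"},
    "editor": {"report:write"},
    "admin": {"report:delete", "user:manage"},
    # The database administrator from the text: full access, but only in the
    # development environment (assumed role name).
    "dev_dba": {"dev_db:read", "dev_db:write", "dev_db:schema"},
}

# Role hierarchy: a role inherits every permission of its parent.
ROLE_PARENT: dict[str, str] = {"editor": "viewer", "admin": "editor"}


@dataclass
class User:
    name: str
    roles: set[str] = field(default_factory=set)


def expand_role(role: str) -> frozenset[str]:
    """Permissions of a role plus everything inherited up the hierarchy."""
    perms: set[str] = set()
    seen: set[str] = set()
    current: Optional[str] = role
    while current is not None and current not in seen:  # `seen` guards against cycles
        seen.add(current)
        perms |= ROLE_PERMISSIONS.get(current, set())     # unknown role grants nothing
        current = ROLE_PARENT.get(current)
    return frozenset(perms)


def permissions_for(user: User) -> frozenset[str]:
    """Union of the expanded permissions of every role the user holds."""
    granted: set[str] = set()
    for role in user.roles:
        granted |= expand_role(role)
    return frozenset(granted)


def is_allowed(user: User, resource: str, action: str) -> bool:
    """Default deny: allowed only if some role grants exactly this permission."""
    return f"{resource}:{action}" in permissions_for(user)


# Constructed sample users.
alice = User("alice", {"viewer"})
bob = User("bob", {"editor"})
carol = User("carol", {"admin"})
dave = User("dave", {"dev_dba"})

if __name__ == "__main__":
    for user, resource, action in [
        (alice, "report", "read"),    # True
        (alice, "report", "write"),   # False: viewers cannot write
        (bob, "report", "read"),      # True: editor inherits viewer
        (bob, "report", "delete"),    # False: only admin can delete
        (dave, "prod_db", "read"),    # False: dev_dba never reaches production
    ]:
        print(f"{user.name:6} {resource}:{action:<6} -> {is_allowed(user, resource, action)}")
```

The two details worth copying into a real system are the default deny (a permission string that no role lists is simply absent) and the explicit hierarchy: an admin gets viewer and editor rights by inheritance, so nobody has to remember to list `report:read` on three roles, and the `dev_dba` role is deliberately outside the hierarchy so it cannot pick up production permissions by accident.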
2) Attribute-Based Access Control (ABAC)
ABAC combines attributes of the user, the resource and the environment, and grants access based on all three. This allows a more flexible, though more complex, approach to security than RBAC. For example, ABAC might give different developers different levels of access to the product's source code depending on their title, responsibilities and location.
Attributes can be based on:
- Subject/user attributes – attributes of the individual attempting to gain access (e.g., title, organization, age, department, security clearance)
- Resource/object attributes – attributes of the resource being accessed (e.g., document type, owning team, classification)
- Action – what the user wants to do to the resource (e.g., view, edit, delete or transfer)
- Environmental attributes – the context of the request (e.g., time, device, location)
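As an added example (not code from the original article), here is a small ABAC policy engine that evaluates the source-code scenario above: every request carries subject, resource, action and environment attributes, rules are either allow or deny, any matching deny overrides an allow, and a request that matches nothing is denied. The attribute names, the rules, the business-hours window and the sample developers, repository and environments are assumptions.

```python
"""Attribute-based access control (ABAC) with deny-overrides evaluation.

Added example, not code from the original article. The attribute names,
the policy rules and the sample subjects, resource and environments are
assumptions chosen to match the source-code scenario in the text.
"""
from dataclasses import dataclass
from typing import Callable


@dataclass(frozen=True)
class Request:
    subject: dict       # user attributes: title, team, department ...
    resource: dict      # object attributes: type, owner team, classification ...
    action: str         # view, edit, delete, transfer ...
    environment: dict   # context: hour, managed_device, location ...


@dataclass(frozen=True)
class Rule:
    name: str
    effect: str                         # "allow" or "deny"
    condition: Callable[[Request], bool]


# Policy for the scenario in the text: developers get different access to
# the product's source depending on title, team and location.
POLICY = [
    Rule("unmanaged_device", "deny",
         lambda r: not r.environment.get("managed_device", False)),
    Rule("outside_business_hours", "deny",
         lambda r: not 8 <= r.environment.get("hour", -1) < 18),
    Rule("own_team_view", "allow",
         lambda r: r.resource.get("type") == "source"
         and r.action == "view"
         and r.subject.get("team") == r.resource.get("owner_team")),
    Rule("senior_on_site_edit", "allow",
         lambda r: r.resource.get("type") == "source"
         and r.action == "edit"
         and r.subject.get("team") == r.resource.get("owner_team")
         and r.subject.get("title") == "senior developer"
         and r.environment.get("location") in r.resource.get("edit_locations", ())),
]


def evaluate(request: Request, policy=POLICY) -> tuple[bool, str]:
    """Deny-overrides, default-deny. Returns (allowed, name of deciding rule)."""
    first_allow = None
    for rule in policy:
        if not rule.condition(request):
            continue
        if rule.effect == "deny":
            return False, rule.name      # any matching deny wins, whatever its position
        if first_allow is None:
            first_allow = rule.name
    if first_allow is not None:
        return True, first_allow
    return False, "default_deny"        # nothing matched: deny


# Constructed sample attributes.
SENIOR = {"title": "senior developer", "team": "payments", "department": "engineering"}
JUNIOR = {"title": "developer", "team": "payments", "department": "engineering"}
OUTSIDER = {"title": "developer", "team": "billing", "department": "engineering"}
PAYMENTS_REPO = {"type": "source", "owner_team": "payments", "edit_locations": ("HQ",)}
OFFICE_DAY = {"hour": 10, "managed_device": True, "location": "HQ"}
HOME_NIGHT = {"hour": 23, "managed_device": True, "location": "home"}
BYOD_DAY = {"hour": 10, "managed_device": False, "location": "HQ"}

if __name__ == "__main__":
    for who, env, action in [(SENIOR, OFFICE_DAY, "edit"), (JUNIOR, OFFICE_DAY, "edit"),
                             (JUNIOR, OFFICE_DAY, "view"), (OUTSIDER, OFFICE_DAY, "view"),
                             (SENIOR, HOME_NIGHT, "edit"), (SENIOR, BYOD_DAY, "view")]:
        print(who["title"], action, env["location"], evaluate(Request(who, PAYMENTS_REPO, action, env)))
```

Note that the decision returns the name of the rule that decided it; logging that name alongside the request attributes is what makes an ABAC denial debuggable, because with dozens of attributes in play "denied" on its own tells an operator very little.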
3) Mandatory Access Control (MAC)
In MAC, the system enforces the controls and the system administrator sets them; individual users cannot loosen them. Controls are based on the sensitivity of the information in the resource: each resource carries a classification label and each user a clearance level, and neither the user nor the resource's owner can change those labels. The classic example of MAC is security clearance. Administrators permit or deny access to files by comparing the user's clearance level (e.g., confidential, secret, top secret) with the file's classification.
4) Discretionary Access Control (DAC)
In DAC, the owner of a resource decides, at their own discretion, who may access it. For example, a manager might grant a salesperson access to certain files only while the manager is away on a business trip. DAC decisions are based on the identity of the user or group. This approach offers flexibility to users, but it also creates potential vulnerabilities when permissions are not updated, revoked or configured correctly.
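The following added example (not code from the original article) puts the MAC and DAC sections above side by side on the same documents. The owner can grant and revoke access in an access list (DAC, the business-trip scenario), but every request is also checked against fixed sensitivity labels that only the administrator assigns (MAC), so an owner's grant never lets a user read above their clearance. The label ordering, the users, the documents and the access lists are assumptions; the MAC rules follow the Bell-LaPadula model (no read up, no write down), which the article does not name.

```python
"""Mandatory (MAC) and discretionary (DAC) access control on the same document.

Added example, not code from the original article. The label ordering,
the users, the documents and the owner-maintained access lists are
assumptions; the MAC rules follow the Bell-LaPadula model (no read up,
no write down).
"""
from dataclasses import dataclass, field

# MAC: an ordering of sensitivity labels fixed by the system administrator.
# Neither a document's owner nor its reader can change these labels.
LEVELS = {"unclassified": 0, "confidential": 1, "secret": 2, "top secret": 3}


@dataclass
class Subject:
    name: str
    clearance: str          # one of LEVELS, assigned by the administrator


@dataclass
class Document:
    name: str
    classification: str     # one of LEVELS, assigned by the administrator
    owner: str
    acl: dict = field(default_factory=dict)   # DAC: user name -> set of actions


def mac_permits(subject: Subject, doc: Document, action: str) -> bool:
    """No read up: clearance must dominate the label to read.
    No write down: a subject may only write to labels at or above its own."""
    s, o = LEVELS[subject.clearance], LEVELS[doc.classification]
    if action == "read":
        return s >= o
    if action == "write":
        return s <= o
    return False


def dac_grant(granter: Subject, doc: Document, grantee: str, actions: set) -> None:
    """Only the owner may extend the ACL; that discretion is what makes it DAC."""
    if granter.name != doc.owner:
        raise PermissionError(f"{granter.name} does not own {doc.name}")
    doc.acl.setdefault(grantee, set()).update(actions)


def dac_revoke(granter: Subject, doc: Document, grantee: str) -> None:
    """Owner removes a grant, e.g. when the business trip from the text ends."""
    if granter.name != doc.owner:
        raise PermissionError(f"{granter.name} does not own {doc.name}")
    doc.acl.pop(grantee, None)


def dac_permits(subject: Subject, doc: Document, action: str) -> bool:
    return subject.name == doc.owner or action in doc.acl.get(subject.name, set())


def is_allowed(subject: Subject, doc: Document, action: str) -> bool:
    """Both layers must agree: an owner's grant never overrides the label."""
    return mac_permits(subject, doc, action) and dac_permits(subject, doc, action)


def demo() -> list:
    """Walk through the business-trip scenario with constructed data."""
    manager = Subject("manager", "secret")
    sales = Subject("sales", "confidential")
    trip_plan = Document("trip_plan", "confidential", owner="manager")
    merger_memo = Document("merger_memo", "secret", owner="manager")
    steps = []
    steps.append(("sales reads trip_plan before grant", is_allowed(sales, trip_plan, "read")))
    dac_grant(manager, trip_plan, "sales", {"read"})        # manager leaves on the trip
    steps.append(("sales reads trip_plan after grant", is_allowed(sales, trip_plan, "read")))
    dac_grant(manager, merger_memo, "sales", {"read"})      # owner may grant, but...
    steps.append(("sales reads merger_memo (no read up)", is_allowed(sales, merger_memo, "read")))
    dac_revoke(manager, trip_plan, "sales")                 # manager is back
    steps.append(("sales reads trip_plan after revoke", is_allowed(sales, trip_plan, "read")))
    return steps


if __name__ == "__main__":
    for label, result in demo():
        print(f"{label:42} -> {result}")
```

The third step is the point of layering the two: the manager is free to share the memo, but the salesperson's clearance is below the memo's label, so the system still refuses. The last step shows the DAC weakness the text warns about from the other side: if the manager forgets to revoke, the grant simply stays, which is why the revoke call is explicit rather than implied.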
Limiting Access Control
The concept of limiting access control is fundamental to an organization’s cybersecurity strategy. It is based on the “need-to-know” principle, which is straightforward – access to information should only be given to individuals who need that information to perform their roles. This principle extends not only to who should access the information but also to how much information they should access and for how long. By limiting access to sensitive information, organizations can significantly reduce their vulnerability to data breaches and other forms of cyberattacks.
Limiting access control often incorporates a “just-in-time” approach, whereby access rights are granted only when they’re needed and revoked immediately after. This minimizes the time window during which a potential breach could occur. Similarly, “just-enough-access” limits users to the bare minimum permissions they need to perform their tasks, reducing the potential damage from any breach. Limiting access control in this granular way makes it much harder for malicious actors to gain unauthorized access, providing a stronger, more resilient defense against cyber threats.
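As an added example (not code from the original article), the following shows just-in-time and just-enough access as a store of temporary grants layered on top of standing permissions: the developer from the least-privilege section has permanent access to the development repository but none to production, requests a deploy right for a fixed window with a recorded reason, gets exactly the action requested and nothing more, and loses it automatically when the window closes. The resource names, the standing permissions, the eight-hour cap and the timestamps are assumptions.

```python
"""Just-in-time (JIT), just-enough access: short-lived grants with expiry.

Added example, not code from the original article. The resource names,
the standing permissions, the 8-hour cap and the timestamps are assumptions.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional


@dataclass(frozen=True)
class Grant:
    user: str
    resource: str
    actions: frozenset          # just-enough: only the actions requested
    expires_at: datetime        # just-in-time: gone when the window closes
    reason: str                 # recorded for the audit trail


class JitAccessStore:
    """Standing permissions plus a list of temporary grants."""

    MAX_TTL = timedelta(hours=8)   # assumed policy cap on a single grant

    def __init__(self, standing: dict):
        self._standing = standing  # {user: {(resource, action), ...}}
        self._grants: list = []

    def request(self, user: str, resource: str, actions, ttl: timedelta,
                reason: str, now: Optional[datetime] = None) -> Grant:
        now = now or datetime.now(timezone.utc)
        if not reason:
            raise ValueError("a reason is required so the grant can be audited")
        if ttl > self.MAX_TTL:
            raise ValueError(f"JIT grants are capped at {self.MAX_TTL}")
        grant = Grant(user, resource, frozenset(actions), now + ttl, reason)
        self._grants.append(grant)
        return grant

    def revoke(self, grant: Grant) -> None:
        """Explicit early revocation, e.g. when the task finishes ahead of time."""
        self._grants = [g for g in self._grants if g is not grant]

    def sweep(self, now: datetime) -> int:
        """Drop expired grants; returns how many were removed."""
        before = len(self._grants)
        self._grants = [g for g in self._grants if g.expires_at > now]
        return before - len(self._grants)

    def is_allowed(self, user: str, resource: str, action: str, now: datetime) -> bool:
        if (resource, action) in self._standing.get(user, set()):
            return True
        # Expiry is checked on every request, not only when sweep() runs.
        return any(g.user == user and g.resource == resource
                   and action in g.actions and now < g.expires_at
                   for g in self._grants)


T0 = datetime(2024, 1, 1, 9, 0, tzinfo=timezone.utc)   # constructed clock


def scenario() -> dict:
    """Developer with standing dev access gets a one-hour production deploy window."""
    store = JitAccessStore({"dev": {("dev_repo", "read"), ("dev_repo", "write")}})
    r = {}
    r["standing_dev_write"] = store.is_allowed("dev", "dev_repo", "write", T0)
    r["prod_before_grant"] = store.is_allowed("dev", "prod", "deploy", T0)
    store.request("dev", "prod", {"deploy"}, timedelta(hours=1), "hotfix (constructed reason)", T0)
    during = T0 + timedelta(minutes=30)
    r["prod_deploy_during_window"] = store.is_allowed("dev", "prod", "deploy", during)
    r["prod_ssh_during_window"] = store.is_allowed("dev", "prod", "ssh", during)   # not requested
    after = T0 + timedelta(hours=1)
    r["prod_deploy_after_expiry"] = store.is_allowed("dev", "prod", "deploy", after)
    r["swept"] = store.sweep(after)
    try:
        store.request("dev", "prod", {"deploy"}, timedelta(days=1), "too long", T0)
        r["cap_enforced"] = False
    except ValueError:
        r["cap_enforced"] = True
    return r


if __name__ == "__main__":
    for key, value in scenario().items():
        print(f"{key:28} -> {value}")
```

Two checks matter in practice and both are in the block: the expiry is compared on every access decision rather than trusting a periodic cleanup job, and the request is rejected without a reason or beyond the cap, because a JIT grant that nobody can trace back to a ticket is just standing access with extra steps.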
How Panorays Will Help
As your organization grows increasingly reliant on third-party partners, it becomes crucial to ensure their access control policies align with your own cybersecurity standards. It is vital to inquire about their access monitoring practices to maintain a consistent security posture across all parties. Want to learn more? Get started with a Free Account today to help build cybersecurity trust with your third parties.
Granular permissions are controls that give users different types of access to information according to their identity, role, attributes or level of security clearance. This is especially helpful for large organizations with hundreds or thousands of employees and hundreds of vendors and solutions, where these controls cannot be managed manually.
Granular control lets your organization determine which users or groups have access to your system or network and what actions they can perform. Permissions can be based on a role, an attribute, the discretion of the resource owner, a level of sensitivity, or a period of time.
Granular access control can be configured to limit which users, groups and objects can reach which data. This means each user has access only to the files, systems, resources and databases that their controls define.
The main types of access controls are:
1) Role-based access control (RBAC). Permissions are based on the role of a user or group. Instance and custom roles are two kinds of RBAC role.
2) Attribute-based access control (ABAC). Permissions are based on attributes of the object, the user and the environment. An object attribute is, for example, the type of document a user wants to access; a user attribute is a department, title or level of security clearance; an action attribute is the ability to edit or delete.
3) Discretionary access control (DAC). Permissions are set by the resource owner, who grants access based on the identity of the user or group.
4) Mandatory access control (MAC). Permissions are set by the system administrator, who determines access based on the sensitivity of the information.