Cybersecurity: Access Control
Sam Musa | Cyber Security Adjunct Professor, University of Maryland University College
Cybercrime can pose a significant threat to higher education institutions and their students, but there are a few security measures institutions can put in place to minimize their vulnerabilities; access control is the first.
Access control approaches determine how users interact with data and other network resources. Furthermore, access control measures ensure data are protected from unauthorized disclosure or modification.
In order to implement and enforce access control measures, universities must first develop a formal document outlining the purpose, scope and roles and responsibilities of users, as well as the policies and procedures associated with access controls. The second task is to define and categorize access for data resources based on confidentiality, integrity and availability of the data. For example, access to research or payroll data should be granted only to users from those departments.
Account management is one method a university could use to manage information system accounts. Identification, authentication and authorization of users to network resources are measures that can be used to manage accounts. Users may authenticate to network resources using one, two or three factors of authentication: the first factor is something they know, such as a password; the second factor is something they have, such as a smart card; and the third factor is something they are, such as a fingerprint or iris scan.
Access to accounts can be enforced through four major types of controls.
1. Mandatory Access Control (MAC)
In MAC, users do not have much freedom to determine who has access to their files. For example, security clearance of users and classification of data (as confidential, secret or top secret) are used as security labels to define the level of trust.
2. Discretionary Access Control (DAC)
In DAC, the data owner determines who can access specific resources. For example, a system administrator may create a hierarchy of files to be accessed based on certain permissions.
3. Role-Based Access Control (RBAC)
RBAC allows access based on the job title. For example, a human resources specialist should not have permissions to create network accounts; this should be a role reserved for network administrators.
4. Rule-Based Access Control
An example of this would be only allowing students to use the labs during a certain time of the day.
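The four models above can be compared side by side in code. The following Python sketch is an added example, not part of the original article; the users, labels, role names and lab hours are constructed assumptions, and layering MAC in front of DAC in `read_file` is one common arrangement rather than something the article prescribes.

```python
from datetime import time

# Constructed data for illustration; names, labels and hours are assumptions.
LEVELS = {"confidential": 1, "secret": 2, "top secret": 3}
CLEARANCE = {"alice": "top secret", "bob": "confidential"}
ROLE_PERMS = {"hr_specialist": {"read_personnel_file"},
              "network_admin": {"create_network_account"}}
LAB_HOURS = (time(8, 0), time(20, 0))  # assumed student lab window

def mac_allows(user, label):
    # MAC: system-assigned labels decide; read needs clearance >= classification.
    return LEVELS[CLEARANCE[user]] >= LEVELS[label]

def dac_allows(acl, user, right):
    # DAC: the owner edits the ACL; the check only consults what the owner granted.
    return right in acl.get(user, set())

def rbac_allows(role, permission):
    # RBAC: permissions attach to the role, never directly to the person.
    return permission in ROLE_PERMS.get(role, set())

def rule_allows(now):
    # Rule-based: one rule applied to every student, regardless of identity.
    return LAB_HOURS[0] <= now < LAB_HOURS[1]

def read_file(user, doc):
    # Layered decision with default deny: a DAC grant cannot override a MAC label.
    if not mac_allows(user, doc["label"]):
        return "denied by MAC"
    if not dac_allows(doc["acl"], user, "read"):
        return "denied by DAC"
    return "allowed"

# Alice owns a secret document and grants Bob read access at her discretion.
DOC = {"owner": "alice", "label": "secret",
       "acl": {"alice": {"read", "write"}, "bob": {"read"}}}

if __name__ == "__main__":
    print("bob reads DOC:", read_file("bob", DOC))
    print("alice reads DOC:", read_file("alice", DOC))
    print("HR creates account:", rbac_allows("hr_specialist", "create_network_account"))
    print("lab open at 23:00:", rule_allows(time(23, 0)))
```

Bob's request shows the difference between the first two models: the owner's grant satisfies DAC, but his clearance is below the document's label, so MAC still denies the read.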
Another access control measure universities are encouraged to practice is enforcement of information flow. Universities are encouraged to regulate where information is allowed to travel both within the university and outside of it. For example, no traffic should be allowed from the students’ labs to the enrollment department. Also, if a professor from one university needs to download a sensitive file from another university, he or she must go through a series of security measures to ensure the confidentiality and integrity of the data both in motion and at rest. Measures such as encrypted tunnels and secure file transfer methods may be used. Documents may also be secured with strong encryption, such as FIPS 140-2-approved encryption. An interconnection security agreement and/or memorandum of understanding can be developed to ensure both universities protect their boundaries through the Assessment and Authorization (A&A) process. The concept of A&A of academic systems will be discussed in a later article.
There are several access control best practices universities can adopt to increase security; separation of duties is one such practice. It reduces fraudulent activity by ensuring that no one person has power over all activities. For example, the person who determines the access level should not be the same person who creates the accounts. Another best practice is least privilege, which ensures that users are granted the right level of privileges. If a person needs to read a file, then there is no need to grant them delete access. Passphrases, locking accounts after three invalid attempts, disabling unused accounts and setting expiration dates on accounts are also good security practices. Moreover, universities are encouraged to limit remote access to their resources. If they have to allow remote access, it should be done through a Virtual Private Network (VPN) with two-factor authentication required. Furthermore, publicly accessible content would need to be physically and/or logically separated from the internal network by placing it in front of the firewall, an area commonly known as the demilitarized zone (DMZ).
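The account practices listed above (lockout after three invalid attempts, disabling unused accounts, expiration dates, separation of duties) can be checked against an account export. This Python audit is an added example, not part of the original article; the record fields, the sample accounts and the 90-day idle threshold are assumptions.

```python
from datetime import date, timedelta

MAX_FAILED = 3                     # from the article: lock after three invalid attempts
UNUSED_AFTER = timedelta(days=90)  # assumption: the article sets no idle threshold

def audit_account(acct, today):
    """Return the policy findings for one account record."""
    findings = []
    if acct["failed_attempts"] >= MAX_FAILED and not acct["locked"]:
        findings.append("not locked after three invalid attempts")
    last = acct["last_login"]
    if acct["enabled"] and (last is None or today - last > UNUSED_AFTER):
        findings.append("unused account still enabled")
    if acct["expires"] is None:
        findings.append("no expiration date set")
    elif acct["expires"] < today and acct["enabled"]:
        findings.append("expired account still enabled")
    if acct["approved_by"] == acct["created_by"]:
        findings.append("separation of duties: approver also created the account")
    return findings

def audit(accounts, today):
    """Map each non-compliant user to its findings; compliant accounts are omitted."""
    report = {}
    for acct in accounts:
        findings = audit_account(acct, today)
        if findings:
            report[acct["user"]] = findings
    return report

def make_account(user, failed, last_login, expires, approved_by, created_by):
    # Builds one constructed sample record (hypothetical field names).
    return {"user": user, "enabled": True, "locked": False, "failed_attempts": failed,
            "last_login": last_login, "expires": expires,
            "approved_by": approved_by, "created_by": created_by}

TODAY = date(2024, 6, 1)  # fixed so the example is reproducible
ACCOUNTS = [  # constructed sample data
    make_account("jdoe", 0, date(2024, 5, 28), date(2025, 1, 1), "dept_head", "net_admin"),
    make_account("asmith", 5, date(2024, 5, 30), date(2025, 1, 1), "dept_head", "net_admin"),
    make_account("old_ta", 0, date(2023, 9, 1), None, "net_admin", "net_admin"),
]

if __name__ == "__main__":
    for user, findings in audit(ACCOUNTS, TODAY).items():
        print(user, "->", "; ".join(findings))
```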
In conclusion, access control measures can be implemented within different areas of universities’ systems. Access measures may include physical controls, such as security guards, technical controls, such as intrusion prevention systems, or administrative controls, such as security awareness training. Awareness and training will be discussed in the next article.
Author Perspective: Educator
My institution uses several of the measures Musa discusses, depending on the department area. For example, we have discretionary access for our finance folks, but role-based for administrative staff. I understand that many institutions have a similar variety in their access controls. My question is, how can we create greater cohesion among the different departments with different access control policies?
Thank you for your comment, James. In my opinion, management commitment is an essential ingredient in establishing cohesion among different departments with different access control. I also believe both employees and management need to collaborate aggressively in joint initiatives, in order to make significant harmony among different departments. While it is mainly the management’s responsibility to establish policies and procedures for effective implementation of security access controls, different departments need to understand that security is everyone’s responsibility. In addition, in many cases, security policies simply reflect federal laws (Privacy Act, Family Educational Rights and Privacy Act, and the Health Insurance Portability and Accountability Act). This can be used as the driver for bringing the departments together into one common goal, which is, security is everyone’s responsibility. Thank you again, James.
Useful best practices, particularly regarding splitting access and other controls among various staff as opposed to concentrating it in one person.
Institutions would do well to develop a clear, thoughtful policy on access and privacy. Many use a piecemeal approach, adopting a practice only when a new technology is implemented or when there are staffing changes. This exposes them to greater risks for privacy breaches and fraud.
Great ideas on access control! Universities have a wide range of options available these days. The security and lock industry is changing rapidly at the moment! Secure access control systems are getting much cheaper.