Who should access your company’s data? How do you make sure those who attempt access have actually been granted that access? Under which circumstances do you deny access to a user with access privileges?

To effectively protect your data, your organization’s access control policy must address these (and other) questions. What follows is a guide to the basics of access control: what it is, why it’s important, which organizations need it the most, and the challenges security professionals can face.

What is access control?

Access control is a method of guaranteeing that users are who they say they are and that they have the appropriate access to company data.

At a high level, access control is a selective restriction of access to data. It consists of two main components: authentication and authorization, says Daniel Crowley, head of research for IBM’s X-Force Red, which focuses on data security.

Authentication is a technique used to verify that someone is who they claim to be. Authentication isn’t sufficient by itself to protect data, Crowley notes. What’s needed is an additional layer, authorization, which determines whether a user should be allowed to access the data or make the transaction they’re attempting.

Without authentication and authorization, there is no data security, Crowley says. “In every data breach, access controls are among the first policies investigated,” notes Ted Wagner, CISO at SAP National Security Services, Inc. “Whether it be the inadvertent exposure of sensitive data improperly secured by an end user or the Equifax breach, where sensitive data was exposed through a public-facing web server operating with a software vulnerability, access controls are a key component. When not properly implemented or maintained, the result can be catastrophic.”

Any organization whose employees connect to the internet—in other words, every organization today—needs some level of access control in place. “That’s especially true of businesses with employees who work out of the office and require access to the company data resources and services,” says Avi Chesla, CEO of cybersecurity firm empow.

Put another way: if your data could be of any value to someone without proper authorization to access it, then your organization needs strong access control, Crowley says.

Another reason for strong access control: access mining

The collection and selling of access descriptors on the dark web is a growing problem. For example, a new report from Carbon Black describes how one cryptomining botnet, Smominru, mined not only cryptocurrency but also sensitive information, including internal IP addresses, domain information, usernames and passwords. The Carbon Black researchers believe it is “highly plausible” that this threat actor sold this information on an “access marketplace” to others who could then launch their own attacks by remote access.

These access marketplaces “provide a quick and easy way for cybercriminals to purchase access to systems and organizations.... These systems can be used as zombies in large-scale attacks or as an entry point to a targeted attack,” said the report’s authors. One access marketplace, Ultimate Anonymity Services (UAS), offers 35,000 credentials with an average selling price of $6.75 per credential.

The Carbon Black researchers believe cybercriminals will increase their use of access marketplaces and access mining because they can be “highly lucrative” for them. The risk to an organization goes up if its compromised user credentials have higher privileges than needed.

Access control policy: key considerations

Most security professionals understand how critical access control is to their organization. But not everyone agrees on how access control should be enforced, says Chesla. “Access control requires the enforcement of persistent policies in a dynamic world without traditional borders,” Chesla explains. Most of us work in hybrid environments where data moves from on-premises servers or the cloud to offices, homes, hotels, cars and coffee shops with open wi-fi hot spots, which can make enforcing access control difficult.

“Adding to the risk is that access is available to an increasingly large range of devices,” Chesla says, including PCs, laptops, smart phones, tablets, smart speakers and other internet of things (IoT) devices. “That diversity makes it a real challenge to create and secure persistency in access policies.”

In the past, access control methodologies were often static. “Today, network access must be dynamic and fluid, supporting identity and application-based use cases,” Chesla says.

A sophisticated access control policy can be adapted dynamically to respond to evolving risk factors, enabling a company that’s been breached to “isolate the relevant employees and data resources to minimize the damage,” he says.

Enterprises must ensure that their access control technologies “are supported consistently through their cloud assets and applications, and that they can be smoothly migrated into virtual environments such as private clouds,” Chesla advises. “Access control rules must change based on risk factor, which means that organizations must deploy security analytics layers using AI and machine learning that sit on top of the existing network and security configuration. They also need to identify threats in real-time and automate the access control rules accordingly.”

4 types of access control

Organizations must determine the appropriate access control model to adopt based on the type and sensitivity of data they’re processing, says Wagner.
Older access models include discretionary access control (DAC) and mandatory access control (MAC); role-based access control (RBAC) is the most common model today, and the most recent model is known as attribute-based access control (ABAC).

Discretionary access control (DAC)

With DAC models, the data owner decides on access. DAC is a means of assigning access rights based on rules that users specify.

Mandatory access control (MAC)

MAC was developed using a nondiscretionary model, in which people are granted access based on an information clearance. MAC is a policy in which access rights are assigned based on regulations from a central authority.

Role-based access control (RBAC)

RBAC grants access based on a user’s role and implements key security principles, such as “least privilege” and “separation of privilege.” Thus, someone attempting to access information can only access data that’s deemed necessary for their role.

Attribute-based access control (ABAC)

In ABAC, each resource and user is assigned a series of attributes, Wagner explains. “In this dynamic method, a comparative assessment of the user’s attributes, including time of day, position and location, is used to make a decision on access to a resource.”

It’s imperative for organizations to decide which model is most appropriate for them based on data sensitivity and operational requirements for data access. In particular, organizations that process personally identifiable information (PII) or other sensitive information types, including Health Insurance Portability and Accountability Act (HIPAA) or Controlled Unclassified Information (CUI) data, must make access control a core capability in their security architecture, Wagner advises.

Access control solutions

A number of technologies can support the various access control models. In some cases, multiple technologies may need to work in concert to achieve the desired level of access control, Wagner says.

“The reality of data spread across cloud service providers and SaaS applications and connected to the traditional network perimeter dictates the need to orchestrate a secure solution,” he notes. “There are multiple vendors providing privilege access and identity management solutions that can be integrated into a traditional Active Directory construct from Microsoft. Multifactor authentication can be a component to further enhance security.”

Why authorization remains a challenge

Today, most organizations have become adept at authentication, says Crowley, especially with the growing use of multifactor authentication and biometric-based authentication (such as facial or iris recognition). In recent years, as high-profile data breaches have resulted in the selling of stolen password credentials on the dark web, security professionals have taken the need for multifactor authentication more seriously, he adds.

Authorization is still an area in which security professionals “mess up more often,” Crowley says. For starters, it can be challenging to determine and perpetually monitor who gets access to which data resources, how they should be able to access them, and under which conditions they are granted access. Inconsistent or weak authorization protocols can create security holes that need to be identified and plugged as quickly as possible.

Speaking of monitoring: however your organization chooses to implement access control, it must be constantly monitored, says Chesla, both in terms of compliance with your corporate security policy and operationally, to identify any potential security holes. “You should periodically perform a governance, risk and compliance review,” he says. “You need recurring vulnerability scans against any application running your access control functions, and you should collect and monitor logs on each access for violations of the policy.”

In today’s complex IT environments, access control must be regarded as “a living technology infrastructure that uses the most sophisticated tools, reflects changes in the work environment such as increased mobility, recognizes the changes in the devices we use and their inherent risks, and takes into account the growing movement toward the cloud,” Chesla says.
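The RBAC and ABAC models described above, combined with Chesla's advice to log each access and review it for policy violations, as an added example that is not part of the original article or any vendor's product. The roles, permissions, user attributes and business-hours window are constructed sample values; a deny-by-default decision runs the RBAC role check first and the ABAC attribute comparison (position, location, time of day) second.

```python
from dataclasses import dataclass, field

# Constructed sample role table: each role carries only what it needs (least privilege, which RBAC enforces).
ROLE_PERMISSIONS = {
    "clerk": {"records:read"},
    "analyst": {"records:read", "reports:write"},
    "admin": {"records:read", "records:write", "reports:write", "users:manage"},
}
AUDIT_LOG = []  # one entry per decision, so denials can be reviewed for policy violations

@dataclass
class Subject:
    user: str
    role: str
    position: str  # business unit, e.g. "finance"
    location: str  # "office" or "remote"

@dataclass
class Resource:
    name: str
    permission: str  # permission an operation on this resource requires
    allowed_positions: set = field(default_factory=set)  # empty means any position
    office_only: bool = False
    business_hours: tuple = None  # (start_hour, end_hour) on a 24h clock, None for any time

def rbac_check(subject, resource):
    """RBAC step: the subject's role must carry the permission the resource demands."""
    return resource.permission in ROLE_PERMISSIONS.get(subject.role, set())

def abac_check(subject, resource, hour):
    """ABAC step: compare position, location and time-of-day attributes; None means pass."""
    if resource.allowed_positions and subject.position not in resource.allowed_positions:
        return "position not permitted"
    if resource.office_only and subject.location != "office":
        return "off-site access not permitted"
    if resource.business_hours and not (resource.business_hours[0] <= hour < resource.business_hours[1]):
        return "outside business hours"
    return None

def decide(subject, resource, hour):
    """Deny by default: RBAC first, then ABAC. Logs every decision, returns (allowed, reason)."""
    reason = None if rbac_check(subject, resource) else f"role {subject.role} lacks {resource.permission}"
    if reason is None:
        reason = abac_check(subject, resource, hour)
    AUDIT_LOG.append({"user": subject.user, "resource": resource.name, "reason": reason or "ok"})
    return reason is None, reason or "ok"

def denied_events():
    """Monitoring hook: the denials a reviewer would inspect for policy violations."""
    return [e for e in AUDIT_LOG if e["reason"] != "ok"]
```

A user with the right role but the wrong attributes (off-site, outside hours, wrong business unit) is refused even though RBAC alone would have admitted them, which is the gap the ABAC layer closes.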