Most conventional password-based security models were formulated at a time when corporate resources were accessed only from corporate-owned PCs within the office premises. These models are no longer able to ensure adequate data security, so organizations are turning to security models based on the Zero Trust framework. The Zero Trust Network Access (ZTNA) framework takes a multi-pronged approach, defining strict, granular access policies with a particular focus on securing the increasingly mobile enterprise resources.
Granular access control policies let organizations limit who can access what, when, how and from where. They enhance security by defining what each user can do with the data they access under different scenarios. Defining granular access policies also generates detailed logs that support audits and regulatory compliance.
Who: Each user should be given just enough privilege to do their work, nothing more and nothing less. It may not be possible to define a policy for every single user in an organization, so users can be put into groups, such as owners, admins, members and visitors, and each group is given the appropriate rights.
What: What is being accessed lies at the core of a granular access control policy. The criticality of the data has to be identified first, because the other facets of the policy depend on it. The more critical the data, the more stringent the policy should be.
When: Users will not need access to any given data 24×7. The access policy can be defined to deny requests made at odd hours, and such requests should also be treated as suspicious and investigated. Limiting access to a set window also limits the opportunity for an undetected malicious presence.
How: The device and network used for access should also inform access policies. With increasing enterprise mobility and the ever-growing adoption of BYOD, organizations are often not in a position to allow access only from corporate devices. Access requests from users' personal devices or vendors' devices have to be treated with more caution and strictly checked for security posture, by verifying antivirus status, Windows version, etc.
Where: Access from anywhere other than office-provided corporate networks may raise security concerns if not treated with care. Users on external networks, such as users' home internet or a vendor's private network, have to be strongly authenticated and their devices checked for security compliance before being granted full privileges. The policy can also be defined based on geolocation to approve, deny or restrict access. Geolocation details can reveal impossible travel by users and play a critical role in identifying malicious activity and suspicious access requests.
By defining access policies based on all these factors, organizations can minimize the impact of any security threat and prevent malicious presence in the corporate network, even when users are geographically dispersed and using their own devices and networks for work.
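The five facets above can be combined into a single policy decision. The following Python policy evaluator is an added example, not code from the original article or from any product; the policy table, corporate address range, travel-speed threshold, request fields and `step_up` outcome are all assumptions constructed for illustration.

```python
from dataclasses import dataclass
from datetime import datetime
from ipaddress import ip_address, ip_network
from math import asin, cos, radians, sin, sqrt

# Constructed policy table: the more critical the data class, the fewer groups, the narrower the window, the stricter the posture.
POLICIES = {
    "public":     {"groups": {"owner", "admin", "member", "visitor"}, "hours": (0, 24), "byod": True,  "min_os": 10},
    "internal":   {"groups": {"owner", "admin", "member"},            "hours": (7, 20), "byod": True,  "min_os": 10},
    "restricted": {"groups": {"owner", "admin"},                      "hours": (8, 18), "byod": False, "min_os": 11},
}
CORP_NETWORKS = [ip_network("10.0.0.0/8")]  # assumed corporate address space
MAX_TRAVEL_KMH = 900  # faster than a commercial flight between two logins counts as impossible travel

@dataclass
class Request:
    group: str
    data_class: str
    at: datetime
    src_ip: str
    corporate_device: bool
    av_enabled: bool
    os_version: int           # e.g. major Windows version reported by the device agent
    geo: tuple                # (latitude, longitude) resolved from src_ip

def haversine_km(a, b):
    """Great-circle distance between two (lat, lon) points in kilometres."""
    lat1, lon1, lat2, lon2 = map(radians, (*a, *b))
    h = sin((lat2 - lat1) / 2) ** 2 + cos(lat1) * cos(lat2) * sin((lon2 - lon1) / 2) ** 2
    return 2 * 6371 * asin(sqrt(h))

def evaluate(req, last_seen=None):
    """Return (decision, reason). last_seen is (datetime, geo) of the user's previous access."""
    pol = POLICIES[req.data_class]                                   # What: data criticality selects the rule set
    if req.group not in pol["groups"]:                               # Who: group-based least privilege
        return "deny", "group lacks privilege for this data class"
    start, end = pol["hours"]                                        # When: access window
    if not start <= req.at.hour < end:
        return "deny", "outside access window; flag for investigation"
    if not req.corporate_device:                                     # How: device posture for BYOD/vendor devices
        if not pol["byod"] or not req.av_enabled or req.os_version < pol["min_os"]:
            return "deny", "personal/vendor device not allowed or fails posture check"
    if last_seen:                                                    # Where: impossible travel since last access
        hours = (req.at - last_seen[0]).total_seconds() / 3600
        if hours > 0 and haversine_km(last_seen[1], req.geo) / hours > MAX_TRAVEL_KMH:
            return "deny", "impossible travel since previous access"
    if not any(ip_address(req.src_ip) in n for n in CORP_NETWORKS):  # Where: external network
        return "step_up", "external network: require strong authentication"
    return "allow", "all policy facets satisfied"
```

Each check returns on first failure so the audit log records the specific facet that rejected the request; a real deployment would feed `last_seen` from the authentication log.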