OpenVPN Blog

Access Control Policies: Templates & Best Practices

Written by Krista Lyons | Dec 5, 2024 5:21:47 PM

If you’re still in the startup stage, you may be tempted to allow open access for all resources to all employees. But as your team grows, your attack surface widens, making your business more appealing to bad actors. That’s where an access control policy template comes in.  

To ensure that your employees have the proper levels of access, you need access control policies. But getting these policies in place and creating turnkey templates can be easier said than done. In this post, we will address best practices for access control policies and how OpenVPN can help you get started.

Understanding Access Control Policies

To protect your company from attack, you need to reduce your attack surface, which starts by answering who, what, when, where, and how your data, assets, and resources are being accessed. 

To do this, you should start with access control policies. 

 

What is an Access Control Policy?

NIST defines an access control policy as “High-level requirements that specify how access is managed and who may access information under what circumstances.”

An organization's access control policy dictates how people access and interact with both physical and digital resources, assets, and properties. 

Physical access control policies would apply to physical security. For example, who can access your building, who has a physical key, who has a key card, and when they can access specific parts of the building. 

A similar concept applies to digital access control policies — the only difference is that the resources being accessed are purely digital. 

In other words, access control policies are used to grant users or groups access to the services and tools they need to do their jobs, while limiting their access to tools they do not need for their specific job function. You also use these policies to restrict other services and tools without granting full access to everyone in your network. You can think of this as the way to enforce the principle of least privilege (PoLP), or least privilege access.

The access control policy document itself should include: 

  1. A document overview and/or purpose. 
  2. A glossary including any relevant definitions. 
  3. Procedures and specific rules, including an audit schedule.
  4. Responsible person(s) and relevant department information.

Why Access Control is Essential for Your Business

It is estimated that over 15 billion stolen credentials are available for sale on the dark web, and the dark web continues to grow. That means there’s a good chance that somewhere along the line, one of your employees had their credentials compromised. If someone were to access your network, you would not want them to have unlimited access to all of your company assets and resources. 

Access control is ultimately used to ensure confidentiality, integrity, and availability in security. Aside from being a tenet of ZTNA, access control can limit potential exposure and reduce your risk by reducing your attack surface. 

For example, if one of your employees is a victim of a phishing scam and a bad actor gains access to your system through compromised credentials, they will not have access to every system in your company’s ecosystem. 

By reducing the level of access a bad actor could realistically gain, you’re also making sure that the rest of your systems are not affected by an attack and are therefore not forced to have significant downtime due to an attack. If someone in your sales team is hacked and your sales systems are impacted, the production systems will not go down, for example. 

Types of Access Control Policies

There are a few types of digital access control policies to consider: 

  1. Mandatory Access Control (MAC): In MAC, a secured environment constrains the ability of a user to access or modify an object or target (e.g., an operating system or a database). Think of military clearance in this instance: the users and the IT team have no bearing on who gets security clearance. Clearance is handled completely securely, and a user's level cannot be modified without a lengthy process.
  2. Discretionary Access Control (DAC): In discretionary access control, access is controlled by the resource users. For example, the owner of a Google Doc can determine who can access that document or resource. 
  3. Role-Based Access Control (RBAC): RBAC restricts user access to the minimum levels required to perform a job.
  4. Rule-Based Access Control (RuBAC): RuBAC is used to manage access to locations, databases, and devices according to a set of predetermined rules and permissions that do not account for the individual's role within the organization.

Key Components of an Effective Access Control Policy

Access control policies need a few key components to be effective. That doesn’t mean each employee needs unique, specific controls set up for them; rather, groups, roles, and responsibilities should be mapped out and standardized. Nor should you apply one identical blanket control to everyone. These key components include:

Defining Roles and Responsibilities and Scope

Each employee fulfills a specific role — and in other news, the sky is (sometimes) blue, water makes things wet, and the hills are alive with the sound of music. Tell us something we don’t know, right? 

But the most important part is to have your IT or security team work with your HR team and department leaders to understand which roles require access to which platforms, websites, and applications. Within each department, this can be broken into levels as well. 

For example, in marketing you may have leaders who need access to data reporting software like Tableau, while other team members in the same group don’t need that access but may need access to something like WordPress or HubSpot, with different access levels within those programs themselves. 

Defining the roles and responsibilities will give you a clear understanding of which groups to create and how many people will be in each group of your access control policy. 

You’ll also need to define the scope of access control policies. That means you’ll need to define the types of assets that need to be protected, as well as the programs, apps, systems, and users that will be included in the access control policies. You’ll also need to define when and where the policies will be enforced, if not everywhere and at all times. 

Access Control Principles

There are three access control principles to be mindful of when setting up your access control policy. 

  • Principle of Least Privilege: The Principle of Least Privilege, one of the key pillars of ZTNA, states that if nothing has been specifically configured for an individual or the groups they belong to, the user should not be able to access that resource. In other words, everyone defaults to NO access, rather than full access, unless they have been configured as part of an access control group. This practice limits users to having access to only the programs they need for the essential functions of their job, with the goal of limiting entry points for bad actors and limiting lateral movement, should a bad actor gain access.
  • Separation of Duties: The reason you need to take the time to understand roles and responsibilities in the company is so that you can separate conflicting areas and reduce the attack surface. You’ll want to minimize opportunities for unauthorized or unintentional modification or misuse of organizational assets and company resources. 
  • Need to know: Every employee does not need access to every system, nor do they need to know every single detail of each team’s work (unless you are in senior leadership, perhaps). Need to know means that folks should be granted access only to the resources, assets, apps, and information that they absolutely need in order to perform their job duties.

Access Request and Approval Procedures

Going one step further, you’ll also need to identify within your IT and security teams who has the responsibility of updating role information, who holds the highest level of authority, and how to divide internally to create a more transparent and protected environment. 

At least two people should be involved in upgrading or changing any level of access to ensure that if a threat actor gains YOUR credentials, your business is still protected. 

There should be a formal process in place for any employee who is requesting access to a system outside of their control group. Although this may seem tedious and time-consuming, it is crucial that you don’t grant access to every employee to every system unless it is necessary to perform their business function.

Best Practices for Implementing Access Control Policies and How To Get Started 

Match Roles and Access Rights on a Need-to-Know Basis

As mentioned in the key components section, you will need to first establish who is on each team and what access level or assets they need to access to perform their essential job duties. This is part of answering the who and what.

All employees should be put into a specific access group that matches their responsibilities. This can be broken down by department and job level. You will need to work with HR and the department leaders to establish who needs access to which resources, and which resources or assets contain the most private or privileged information. 

Create Temporary and Permanent Access Privileges

Now, we address the when. 

There are times when an employee outside of an access group may need to utilize resources or assets that belong to another group. There may also be times when you need to grant temporary access to contractors or temporary employees. In those cases, while setting up your access control groups, you will need to set up a temporary access privilege policy and process. 

You’ll also need to determine which user groups should have permanent access privileges, and how often to audit those with permanent access. When someone is terminated or leaves a role, or is promoted to a new role, you will need to make sure to routinely check these permissions. 

Determine How You Will Enforce Access Control Policies

This may seem basic, but once you know what should be protected, who should access each level of information, data, or resources, you need to establish how to put this in place. 

Typically, your VPN, such as Access Server, can grant access to your network in an encrypted manner over the insecure Internet through access control and user management that operate on three levels:

  • Global
  • Group
  • User

Your VPN provider can also ensure the use of SSO or specific MFA measures so that your team is using the most secure login methods.

Of note: Network-level access control applies to network destinations and can control access to application servers and protocols, but it cannot enforce finer-grained access (for example, to file folders or documents). Those policies would need to be managed by the application directly.

Enhance Security for Sensitive Information

Now, let’s talk about where sensitive information will be the most secure. 

Within each group, there is likely to be highly sensitive information. For example, in healthcare you may have HIPAA protected data that needs to be only accessed by clinicians, whereas insurance codes will need to be accessed by the front office staff. Identifying which types of information are the most sensitive — and therefore the most important to protect — can help you know which assets need enhanced security. 

Enhanced security can look like cloaking an app and making it only accessible through the VPN, encrypting data, or requiring additional login/SSO security access for a specific asset or group of assets, regardless of the user group attempting to access it. 

You may also want to deploy automation to help protect sensitive data, and to flag when sensitive data is accessed and by whom so that you can spot any suspicious activity.

Communicate Policies and Train Employees

Now, let’s talk about communicating the why. 

Getting employee buy-in on zero trust policies, including least privilege access, is crucial — especially if your company previously had a more lax policy that gave access to every platform to every employee. 

Communicating these new policies and the reasons behind them can help get employees to understand why it is necessary to limit access based on user role and group. 

OpenVPN’s Role in Access Control

As we’ve mentioned, there’s no shortage of bad actors who are looking for ways to gain unauthorized access to your apps and resources. Fortunately, with OpenVPN, you can beat bad actors by setting least privilege access to apps using network-level access control.

Access Server provides access control at the user, group, and global levels. The following rules apply:

  • A user can belong to one or no group.
  • A user inherits access from the group and the global level.
  • A user can have additional access when defined for the user account.
  • A group inherits access from the global level.
  • A group can have additional access when defined for the group account.
  • Global access propagates to all groups and users.

You can create access control policies for Access Server by granting access to servers, subnets, and IP addresses at the user, group, and global levels.
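
The inheritance rules above, modeled as an added example (not OpenVPN's code, and not Access Server's configuration format or API): grants are expressed as subnets at the global, group, and user levels, and anything not granted is denied. Every name and address in it is constructed for illustration.

```python
import ipaddress

# Constructed sample policy: every name and subnet here is an assumption.
GLOBAL_GRANTS = ["10.0.0.53/32"]            # propagates to all groups and users
GROUP_GRANTS = {
    "sales": ["10.10.0.0/24"],
    "engineering": ["10.20.0.0/16"],
}
USERS = {                                   # a user belongs to one group or none
    "alice": {"group": "sales", "grants": []},
    "bob": {"group": "engineering", "grants": ["10.10.0.15/32"]},
    "carol": {"group": None, "grants": []},
}


def effective_grants(user):
    """Return (level, network) pairs the user holds, most general first."""
    record = USERS.get(user)
    if record is None:                      # unknown account inherits nothing
        return []
    grants = [("global", n) for n in GLOBAL_GRANTS]
    group = record["group"]
    if group is not None:                   # group access is inherited by members
        grants += [(f"group:{group}", n) for n in GROUP_GRANTS.get(group, [])]
    grants += [("user", n) for n in record["grants"]]  # additional per-user access
    return [(level, ipaddress.ip_network(n)) for level, n in grants]


def explain(user, destination):
    """Name the level that grants access to destination, or 'deny'."""
    address = ipaddress.ip_address(destination)
    for level, network in effective_grants(user):
        if address in network:
            return level
    return "deny"                           # least privilege: no grant, no access


def is_allowed(user, destination):
    """True only when some level explicitly grants the destination."""
    return explain(user, destination) != "deny"


if __name__ == "__main__":
    for user, dest in [("alice", "10.10.0.20"), ("alice", "10.20.1.5"),
                       ("bob", "10.10.0.15"), ("carol", "10.0.0.53")]:
        print(f"{user:6} -> {dest:12} {explain(user, dest)}")
```

Because `explain` reports which level granted the access, the same function can be used during an audit to find per-user exceptions that should have been group grants.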

CloudConnexa access controls allow the configuration of strict policies. Controls can be put in place that will restrict access from Networks, Hosts, and User Groups to fine-grained services defined under Networks and Hosts. These controls include: 

  • Inter-site Access Controls
  • User Group Application Access Controls

How OpenVPN Supports Secure Access

Beyond access controls, OpenVPN supports secure access through Access Visibility. Access Visibility uses Sources and Destinations data to generate tallies of all traffic flows that were allowed or blocked due to access controls over the last 24-hour or 7-day period. This feature gives administrators transparency and traceability of traffic flows through a WPC by providing insights into who accessed what resource and when, as well as whether the traffic was allowed or blocked due to access groups configuration. 

Secure remote access is one of OpenVPN’s primary uses. OpenVPN’s multi-layered solutions protect your hybrid or fully mobile workforce while logging into corporate networks and third-party cloud services safely and securely.

“I like the control I have over the environment, user access, and connectors. The administration of the platform is simple and configuring it to fit your specific use-case is easy.” - Ryan B., Director of IT Operations

Common Challenges in Access Control Management

Addressing Performance vs. Security

Once your access control policy is in place, you may find some issues with employees feeling impeded by the limitations placed on their user group. It’s important to continually assess whether security is creating performance issues, both with people and network speeds, and adjust accordingly. Access controls are not meant to be something you set and forget, but rather can be changed as needed. 

Handling Connectivity Issues to Ensure Reliable Access for Remote Users

You will need to make sure you have a reliable VPN solution in place to ensure that your employees can connect to the resources within their user group. Whether you choose a self-hosted solution or a cloud-delivered solution, you will need to make sure that your team understands that many of their connectivity issues will be resolved by using their VPN. 

Regular Audits and Reviews

Whether you choose to audit monthly, quarterly, or annually, you will need to conduct regular audits. You will need to audit and look for any employees who have changed job level or team, or who have left the company, to ensure they are removed from their access control policy or user group. You will also need to review activity logs for suspicious behavior or attempts to access restricted assets, which can help you spot attacks. 

Downloadable Access Control Policy Template

By leveraging OpenVPN’s template, IT managers can implement robust access controls more efficiently with a ready-to-go framework that also allows for customization to fit the unique needs of each organization, freeing up time to focus on other strategic priorities.

To learn more about OpenVPN’s cloud-delivered CloudConnexa or self-hosted Access Server, check out our product comparison.

FAQs

  • What is the principle of least privilege?

The Principle of Least Privilege is a tenet of ZTNA that states that if nothing has been specifically configured for an individual or the groups he/she belongs to, the user should not be able to access that resource. In other words, everyone defaults to NO access, rather than full access, unless they have been configured as part of an access control group. 

It also means that employees should have access to resources and assets that are necessary to their job function, and nothing beyond that. 

  • How often should access control policies be reviewed?

Your access control policies may be part of a regulatory requirement, depending on your location or type of business. However, we recommend that you review these policies at least once a year, if not on a quarterly basis. 

  • What tools can help monitor access management?

Access Visibility can help create automated logs of who accessed what types of resources or assets. 

  • What steps should I take if I suspect unauthorized access?

If you suspect unauthorized access, you should revoke the user’s access and have the employee reset their passwords immediately. You should also connect with the employee to confirm whether the suspicious activity was performed by them, and review logs for any program that employee has access to.