Controlled access to data is crucial for any business that has confidential or proprietary information. Access control is a must for any business that has employees who connect to the Internet. Daniel Crowley, head of research for IBM’s X-Force Red team, explains that access control is a means of limiting access to information to certain people and under certain conditions. There are two main components: authentication and authorization.
Authentication involves ensuring that the person trying to gain access is the person they claim to be. It also includes verification with a password or other credentials that are required before granting access to a system, network, application or file.
Authorization is the process of granting access to certain areas based on functions in a company, such as engineering, HR, marketing and so on. The most effective and widely used method to limit access is role-based access control. This kind of access is governed by policies that define the data required to perform certain business functions and assign access to the appropriate roles.
A standard access control policy makes changes easier to manage and monitor. It is important to ensure that policies are clearly communicated to staff to encourage the careful handling of sensitive information, and to have a procedure for revoking access when employees leave the company, change jobs or are terminated.
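The following is an added example, not part of the original article, showing authentication and role-based authorization as two separate checks, with revocation on a job change or departure. The role names come from the text above; the class, the data set names and the sample users are constructed for illustration.

```python
import hashlib, hmac, os

# Constructed policy: each role maps to the data its business function needs.
POLICY = {
    "engineering": {"source_code", "build_logs"},
    "hr": {"personnel_records", "payroll"},
    "marketing": {"campaign_data"},
}

class AccessControl:
    def __init__(self):
        self.users = {}  # username -> salt, password hash, role, active flag

    @staticmethod
    def _derive(password, salt):
        # Slow salted hash so stored credentials resist offline guessing.
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 600_000)

    def enroll(self, user, password, role):
        if role not in POLICY:
            raise ValueError(f"unknown role: {role}")
        salt = os.urandom(16)
        self.users[user] = {"salt": salt, "hash": self._derive(password, salt),
                            "role": role, "active": True}

    def authenticate(self, user, password):
        """Authentication: is the caller who they claim to be?"""
        rec = self.users.get(user)
        if rec is None or not rec["active"]:
            return False
        candidate = self._derive(password, rec["salt"])
        return hmac.compare_digest(rec["hash"], candidate)  # constant-time compare

    def authorize(self, user, resource):
        """Authorization: does the user's current role cover this data?"""
        rec = self.users.get(user)
        return bool(rec and rec["active"] and resource in POLICY[rec["role"]])

    def access(self, user, password, resource):
        # Deny by default: both checks must pass.
        return self.authenticate(user, password) and self.authorize(user, resource)

    def change_role(self, user, new_role):
        if new_role not in POLICY:
            raise ValueError(f"unknown role: {new_role}")
        self.users[user]["role"] = new_role  # the old role's access ends here

    def offboard(self, user):
        self.users[user]["active"] = False  # revokes every access path at once
```

Because permissions hang off the role rather than the individual, a job change or departure is a single update instead of a hunt for per-user grants.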