Identity and security have always been closely linked but, for modern entrepreneurs, this relationship is more important than ever. Cyber attacks are costing UK enterprises billions of pounds, forcing a worrying 60% of small businesses to fold within six months of a data breach. With this huge risk associated with a data breach, employers need to be certain about who exactly is using its resources.
One approach to corporate security is known as Zero Trust, which simply means companies should be constantly wary of who attempts to access their network. Assumptions shouldn’t be made about users being who they claim to be, and access should be blocked when their identity cannot be proven. As the security experts at Wandera explain, a core component of Zero Trust is something called role-based access control (RBAC), which grants permissions and privileges based on particular roles instead of individual users. Though you may not have heard of it before today, this could prove to be a game-changer when it comes to your business’s security strategy.
What is RBAC?
RBAC restricts network access according to an employee’s particular role within the business. For instance, someone in your marketing department would be able to access all the resources they require to do their job, but wouldn’t be able to engage with materials used by HR or manufacturing teams. In short, every member of staff is limited to the parts of a company’s network relevant and specific to them and forbidden from accessing anywhere else.
To implement this, everyone must be given a set of network permissions which determine what they are authorised to do. When assigning roles, you will need to take factors like responsibility and job competency into account and consider where to limit the specific tasks they can perform. Perhaps they may need to view and create files but won’t require the authority to edit existing ones. This can help protect your company’s sensitive data, as it means lower-level employees can’t access or alter important information and documents.
RBAC is also particularly beneficial for businesses that employ freelancers or contractors. In most cases, it would be tricky to effectively monitor how they engage with the company network. But, with RBAC, you can assign particular permissions and keep your resources secure as a result.
Why does your business need it?
RBAC has the potential to significantly reduce your company’s attack surface. This refers to the digital area exposed to both local and remote attacks but generally consists of a company’s entire network. Even with firewalls, password managers, and other security measures in place, your sensitive data is still not completely protected—especially when you take all the user-based risks into account.
In Proofpoint’s 2019 State of the Phish Report, 83% of organisations revealed they had experienced phishing attacks in 2018. These attacks involve a would-be intruder sending digital correspondence appearing to be from a reputable source, often including links to fake websites or malware-infected attachments. The aim of these messages is to gather personal information which the attacker can use to their advantage. Additionally, if employees access corporate data from a smartphone, they could be putting the network at risk if the device is running an out-of-date operating system, or inadvertently downloading malicious apps.
While RBAC won’t eliminate all the security risks your business faces, it will reduce its attack surface. Rather than allowing your employees free access to everything on the network, segmenting it means you’re limiting the number of materials that could be made vulnerable by each person’s actions. With fewer privileges, there are fewer opportunities for a malicious party to attack. However, instead of implementing RBAC as a solitary measure, including it as part of a wider-reaching, holistic, Zero Trust approach is the best way to keep your business safe.
How do you implement RBAC?
- Define the resources and services where you need to control access. This could include email systems, customer relationship managers, content management systems, and file shares.
- Analyse your team and establish which individuals share access requirements, using this information to create a list of roles. Members of the same team may need to be given slightly different privileges. Although two employees may need access to a customer database, perhaps only one requires full control to do their job effectively.
- Assign employees to these defined roles, and set their access levels. You could use a simple database, or perhaps a distributed directory like Microsoft’s Active Directory.
- Integrate RBAC across all your business’ systems, and conduct frequent training sessions so every employee understands the principles.
- Monitor and regularly update staff access privileges depending on each role. If you realise a team can freely use a resource they no longer require, remove this permission from the defined role.