Master Your Craft and Avoid Security Tool Sprawl With Access Control

Written by David Worthington on January 10, 2022

Share This Article

Teenage me wanted a Gibson Les Paul to perform the grunge music that was flourishing at the time, but I spent more time installing beta software on my PCs and causing mayhem on IRC than learning how to play. My nephew, on the other hand, spent time learning the basics and has become a great player. The lesson is clear: buying something won’t automatically imbue the owner with expertise. The same holds true when you purchase cybersecurity technology. 

Small to medium-sized enterprises (SME) face a perilous threat environment: 43% of breaches target them specifically, and the JumpCloud 2021 IT Trends Report found that IT admins are particularly concerned about software exploits, passwords, and unsecured network access. I understand the urge to feel compelled to buy next generation security solutions given the flood of news and C-level anxiety over cybersecurity. 

Smart access control is one of the fundamentals. It can mitigate risks more than “stuff” that’s never fully utilized ever will (after you take the time to classify data, of course). This article outlines the essentials of managing and keeping data safe as well as how to better leverage specific security features within JumpCloud to implement smart access control. 

The Basics of Keeping Your Data Safe

I wasn’t going to play any guitar well unless I learned the basics. My nephew’s kids guitar was wielded more effectively, because he devoted his time to understanding it. The cybersecurity equivalent to learning chords is to develop an understanding of your organizations’ assets and then take steps to protect them. A user account that’s breached through a simple drive-by phishing attack remains the most common scenario an SME will face. The prudent response is to implement technical and administrative controls to raise security awareness through training and solutions that limit the potential for damage. Adopting a data loss prevention (DLP) system is a good way to reduce that risk, but doing that alone isn’t sufficient.

A comprehensive security program classifies the most sensitive data and labels the remainder for its sensitivity. That’s followed by defining access permissions, adhering to compliance guidelines and governance, and ensuring that you have working backups. You can read this article to learn how to get a formalized security program started. In the interim, let’s assume that the necessary groundwork was done and you’re ready to take fundamental steps to secure your assets.

Zero Trust security, where users only have access to the information and applications that they need from devices that are vetted for safety, is rapidly becoming the preferred approach to access control. The White House has even issued guidance around it to improve U.S. cybersecurity. The JumpCloud Directory Platform has integrated identity and access management (IAM) capabilities to manage data access on top of its core directory role. Let’s explore how it helps.

Implementing Access Control Through JumpCloud

JumpCloud’s access control features include a variety of capabilities that are designed to proactively and logically designate who should access what and under which circumstances that should happen. Smart access control is a core element of good IT hygiene and lifecycle management.

Group Management

To start, JumpCloud’s group management system uses attribute-based access control (ABAC) with suggestions to keep admins in the know. This is made possible through JumpCloud’s directory, a centralized cloud-based service that permits you to always follow least privilege principles when configuring access to your systems by providing a single source of truth throughout the user lifecycle. It includes user attributes that are helpful for implementing smart access control.

For example, an employee who’s been transferred to another department under a different manager (a directory attribute) will be cross-checked and marked for removal from applications he/she no longer requires access to. ABAC avoids overprovisioning users or putting the onus on IT to keep tabs on organizational changes. It also ensures that someone who’s been erroneously added to the wrong group won’t automatically inherit the same privileges.

Smart group management makes it easier to assess access rights for Single sign-on (SSO). SSO logins ensure that passwords aren’t sent over the wire or stored on third-party servers. This is significant given the seemingly endless risk of data breaches on systems that operate outside of your organization’s control.

Read Single Sign-On (SSO) as a Means of Access Control and Governance to learn more about SSO access control.

Conditional Access

Access control is further secured with flexible conditional access rules that cover the categories of identity trust, network trust, and device trust. These account for real-world happenings that require admins to always use multi-factor authentication (MFA) due to the potential risks posed by their higher privileges. Or a team member who’s attempting to access company resources from insecure hotel Wi-Fi while on a trip overseas; a geofencing rule will determine that the login can’t be trusted. Other conditions, such as whether patches are being installed and policies are enabled, can vet the safety of devices.

VLAN tagging is an additional capability that will separate some resources from other network activity, depending on your environment. For example, location (by floor or room or department) could be used to determine whether access is granted. It can also manage network transactions to handle confidential information separately from other internet traffic. Every user account is also protected by global settings within the directory, such as enforcing multi-factor authentication (MFA).

Multi-Factor Authentication

Passphrases alone won’t deliver adequate protection around authentication attempts, which is where MFA comes in. JumpCloud delivers MFA without additional charge for every endpoint, including OS logins across every major operating system, with JumpCloud Protect™. That way, people who are accessing your systems are substantially more likely to be who they say they are, and layered defenses such as mandatory MFA through conditional access rules will help to ensure the confidentiality of information.

Take it from Me

I was an IT director and was guilty of overspending on a SIEM solution despite being too busy and having no proficient team members available to support it. It isn’t always possible to know everything, and buying stuff without having the requisite resources can create a false sense of security. IT admins should instead make sure the fundamentals are set before they invest in a menagerie of budget-engulfing purchases that may never be used effectively (or even at all) and could fail them during an attack. You’ll find that you can solve many of your problems through a combination of processes and mastering the products you have. 

Using these technical and administrative controls together will culminate in a Zero Trust posture. Defense in depth, i.e., following these principles and judiciously selecting security products (without creating silos), will help you to achieve your data management objectives. JumpCloud can be an integral part of a strong beginning on your security journey by establishing the most appropriate access to data and services.

Try JumpCloud

You can easily manage your users in one place with JumpCloud’s cloud directory platform. Capabilities such as domainless user lifecycle management, conditional access for Zero Trust security, attribute-based group membership that applies business logic to access, and MFA secure user accounts and the systems that they can access. Strong authentication is essential for IT admins to never disregard. JumpCloud is available without cost and fully enabled for 10 users and 10 devices, with a limited offer for premium support to help you get started.

David Worthington

I'm the JumpCloud Champion for Product, Security. JumpCloud certified, security analyst, a one-time tech journalist, and former IT director.

Continue Learning with our Newsletter