The Core Of Security Compliance — Access Control

By Greg Keller Posted December 22, 2015

Currently, security compliance is a major topic within IT organizations. With security breaches on the rise and happening almost daily, government regulators and industry groups are establishing numerous security requirements. More importantly, customers are asking their providers about their security practices and their ability to be in compliance with the new regulations. It isn’t just high-tech software and infrastructure providers that are worried. Any firm that is collecting customer data is being questioned regarding their security. Often these companies do have valid questions: Is my data safe with you? How can you prove that? The answers are yes and yes. We can. Not only can JumpCloud provide security, but we can show it to you through audits of the compliance regulations.

Limit Users and Access Points to Confidential Data

The core of any security compliance program is access control. As we all know, the intent of compliance regulations is to protect confidential data and systems. What this means is that only the appropriate individuals should be able to access that data and those systems. This is the essence of compliance: having very few access points and limiting who controls them. As a result, everything in the regulations is built around the concept of protecting that confidential data and limiting access to it. While the data itself is generally encrypted and systems are kept secure, all of that is irrelevant if a valid user's credentials have been compromised.

Regulations, and those who create and uphold them, understand this issue. A core part of nearly every statute relates to how a business can control who has access to this confidential data. For any organization, this begins with a non-technical discussion about who should have access to the data. Organizations with this in mind limit that access to the absolute minimum, which both decreases their risk level and limits the scope of audits. Once it is determined who should have access, the next step is to deliver that access. Generally, organizations will use systems (such as a central user management system like JumpCloud's Directory-as-a-Service) to help grant, modify, and terminate that access.

Increase Identity Authentication and Activity Monitoring

Obviously, users and IT admins who do have access need to guard their credentials. To help ensure that credentials are kept secure and can't be easily compromised, compliance rules specify a number of requirements. These range from requiring complex passwords, to make the system difficult to infiltrate, to rotating passwords frequently, so that a compromised password carries only a limited amount of risk. Additional requirements, such as disallowing password reuse and using public-private key pairs, are often employed as well. For highly critical systems, a second level of authentication may be required. All of these additional requirements are focused on ensuring that only the authorized person is accessing the systems and data.

In accordance with the regulations, all of these activities are required to be monitored. Those in charge of compliance want to make sure that the controls are actually working and that, if an anomaly occurs, there is a very short window before it is discovered. Potential intrusions can be investigated by monitoring who has logged in, what they have done, and when it occurred. Activities that aren't consistent with what is acceptable can then be flagged and investigated almost immediately. Monitoring access control is a core activity for compliance and a critical method for discovering a breach or intrusion into the system.
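As an added illustration of the monitoring described above (example code written for this edit, not JumpCloud's product or the post's own): a small Python check that reads constructed login records and flags successful access by users outside the agreed allow list, successful access outside business hours, and repeated login failures. The log format, the allow list, the hours window, and the failure threshold are all assumptions made for the example.

```python
"""Minimal access-monitoring check (added example, not JumpCloud code).

Assumed (constructed) log line format:  "<ISO timestamp> <user> <action> <result>"
"""
from collections import defaultdict
from datetime import datetime

AUTHORIZED = {"alice", "bob"}   # the minimal user set decided in the access review (assumption)
BUSINESS_HOURS = range(8, 19)   # 08:00-18:59 local time (assumption)
FAILURE_THRESHOLD = 3           # failed logins per user before flagging (assumption)

# Constructed sample records, not real log data.
SAMPLE_LOG = """\
2015-12-21T09:12:05 alice login success
2015-12-21T09:40:11 bob read-customer-db success
2015-12-21T23:02:44 alice login success
2015-12-21T10:15:00 mallory login failure
2015-12-21T10:15:07 mallory login failure
2015-12-21T10:15:15 mallory login failure
2015-12-21T11:00:00 carol read-customer-db success
"""


def parse_line(line):
    """Split one record into its timestamp, user, action and result."""
    ts, user, action, result = line.split()
    return {"ts": datetime.fromisoformat(ts), "user": user,
            "action": action, "result": result}


def find_anomalies(log_text):
    """Return a list of (rule, user, timestamp) findings, in log order."""
    findings = []
    failures = defaultdict(int)
    for raw in log_text.splitlines():
        if not raw.strip():
            continue
        ev = parse_line(raw)
        ok = ev["result"] == "success"
        if ok and ev["user"] not in AUTHORIZED:          # who: outside the allow list
            findings.append(("unauthorized-access", ev["user"], ev["ts"]))
        if ok and ev["ts"].hour not in BUSINESS_HOURS:    # when: outside expected hours
            findings.append(("off-hours-access", ev["user"], ev["ts"]))
        if ev["action"] == "login" and not ok:            # what: repeated failed logins
            failures[ev["user"]] += 1
            if failures[ev["user"]] == FAILURE_THRESHOLD:
                findings.append(("repeated-login-failure", ev["user"], ev["ts"]))
    return findings


if __name__ == "__main__":
    for rule, user, ts in find_anomalies(SAMPLE_LOG):
        print(f"{ts.isoformat()} {user}: {rule}")
```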

Directory-as-a-Service Covers All Bases

Security compliance is about protecting confidential data, and the first step towards that is choosing the right access control approach. This is a core part of Identity-as-a-Service solutions, and in particular of Directory-as-a-Service solutions. If you would like to learn more about how DaaS can help you with compliance, drop us a note. We'd be happy to chat with you about it.

Greg Keller

Greg is JumpCloud's Chief Product Officer, overseeing the product management team, product vision and go-to-market execution for the company's Directory-as-a-Service offering. The SaaS-based platform re-imagines Active Directory and LDAP for the cloud era, securely connecting and managing employees, their devices and IT applications.