Access Control


Overview

Access control governs how identities prove who they are and which resources they can use. Mature programs combine strong authentication, precise authorization policies, and continuous evaluation (e.g., device posture or risk signals) to maintain least privilege without blocking the business.


Core objectives

  • Define ownership for access policies, enforcement points, and supporting identity stores.
  • Keep privileges tightly scoped to job functions and revoke them quickly when they are no longer needed.
  • Provide auditable records for who accessed what, when, and under which approval.
  • Align with regulatory and contractual requirements (e.g., ISO 27001:2013 Annex A.9, which the 2022 revision spreads across A.5.15-A.5.18 and A.8.2-A.8.5; SOC 2 CC6).

Implementation notes

  • Standardize on one identity provider for workforce identities; document exceptions explicitly.
  • Use role-based access control for the baseline entitlements a job function needs, and layer attribute-based conditions on top for contextual risk signals (device health, location, time of day) rather than multiplying roles.
  • Require strong multi-factor authentication for all workforce identities, and phishing-resistant authentication (FIDO2/WebAuthn where possible) plus conditional access for administrative roles.
  • Separate duties between the source of identity data (HR feed driving joiner/mover/leaver events), approval (manager and data owner), and policy decision and enforcement (PDP/PEP such as IAM gateways, cloud IAM, or service meshes), so no single party can create, approve, and activate an entitlement.
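The RBAC-plus-ABAC split described above, as an added worked example (this is illustrative code written for this page, not an implementation from any product it mentions). Roles, permission strings, the allowed-country list and the change window are assumptions; the point is that the role decides whether an entitlement exists at all, while the attribute conditions decide whether it may be exercised in the current context, and administrative permissions carry the stricter conditions from the authentication bullet.

```python
"""Added example, not the page's own code: a minimal policy decision point
(PDP) that starts from role-based entitlements and layers attribute-based
conditions (device health, location, time of day, authentication strength)
on top.  Role names, permissions, countries and the change window are
hypothetical."""
from dataclasses import dataclass, field
from datetime import datetime, time

# RBAC layer: each role lists the permissions its job function needs (assumed roles).
ROLE_PERMISSIONS = {
    "analyst": {"reports:read"},
    "db-admin": {"reports:read", "db:admin"},
}
# Permissions treated as administrative; these carry the stricter ABAC conditions.
PRIVILEGED = {"db:admin"}
# Authentication methods accepted as phishing-resistant.
PHISHING_RESISTANT = {"webauthn"}


@dataclass(frozen=True)
class Subject:
    user: str
    roles: frozenset
    auth_method: str         # e.g. "password+otp" or "webauthn"
    device_compliant: bool   # posture signal from device management
    country: str             # geolocation of the request


@dataclass
class Decision:
    allow: bool
    reasons: list = field(default_factory=list)  # empty when allowed


def rbac_allows(subject, permission):
    """Static check: does any of the subject's roles grant the permission?"""
    return any(permission in ROLE_PERMISSIONS.get(r, ()) for r in subject.roles)


def decide(subject, permission, now_iso,
           allowed_countries=("US", "DE"),
           change_window=(time(7, 0), time(20, 0))):
    """Evaluate one request.  RBAC decides whether the entitlement exists;
    ABAC conditions decide whether it may be used in this context.  Every
    failed condition is recorded so the denial is auditable."""
    now = datetime.fromisoformat(now_iso)
    d = Decision(allow=False)
    if not rbac_allows(subject, permission):
        d.reasons.append(f"no role of {subject.user} grants {permission}")
        return d
    # Baseline conditional-access checks applied to every request.
    if not subject.device_compliant:
        d.reasons.append("device not compliant")
    if subject.country not in allowed_countries:
        d.reasons.append(f"location {subject.country} not allowed")
    # Administrative permissions additionally require phishing-resistant
    # authentication and use inside the change window.
    if permission in PRIVILEGED:
        if subject.auth_method not in PHISHING_RESISTANT:
            d.reasons.append("administrative action requires FIDO2/WebAuthn")
        start, end = change_window
        if not start <= now.time() <= end:
            d.reasons.append("administrative action outside change window")
    d.allow = not d.reasons
    return d


if __name__ == "__main__":
    admin = Subject("alice", frozenset({"db-admin"}), "password+otp", True, "US")
    print(decide(admin, "db:admin", "2024-05-04T10:00:00"))
```

Because the conditions are evaluated per request rather than at provisioning time, the same role grant yields different decisions as the device, location or authentication method changes, which is what "continuous evaluation" in the overview means in practice.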

Operational signals

  • Leading indicators: spikes in privileged role grants, bypassed MFA prompts, stale break-glass accounts, or overdue access reviews.
  • Lagging indicators: unauthorized data access, failed audits, or incidents caused by over-privileged service accounts.
  • Feedback loops: access reviews on the recertification cadence, automated removal driven by HR offboarding events, and retrospective tracking of how often approved requests were later found to be over-scoped.

Runbook essentials

  • Standard request flow: requester → manager approval → data/application owner approval → automated provisioning.
  • Emergency access: break-glass accounts with hardware tokens, credentials stored out of band, short expiry, alerting on every use, and mandatory post-use review.
  • Recertification: quarterly reviews for high-impact systems, semi-annual for standard business apps, with evidence preserved for auditors.

  • Pair with identity proofing for high-risk roles and just-in-time elevation for admin sessions.
  • Integrate with SIEM to alert on anomalous privilege escalations or access from risky devices.
  • Combine with network segmentation and data classification to keep technical controls aligned with data sensitivity.
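The leading indicators listed under Operational signals (spikes in privileged role grants, bypassed MFA prompts, stale break-glass accounts) and the SIEM alerting on anomalous privilege escalations in the last bullet can be expressed as a few detections over the identity audit log. The following is an added example written for this page, not code from the original or from any SIEM product; the JSON-lines log format, its field names, the privileged role set and the thresholds are all assumptions, and the log records are constructed. "Anomalous" escalation is modelled here as a privileged grant that carries no approval reference or that an actor issued to themselves, which is the case the runbook's request flow should make impossible.

```python
"""Added example, not the page's own code: detections for the leading
indicators above, run over a constructed identity audit log.  Log format,
field names, the privileged role set and thresholds are assumptions."""
import json
from collections import Counter
from datetime import datetime, timedelta
from statistics import median

# Constructed sample audit log (JSON lines); not real data.
SAMPLE_LOG = """
{"ts":"2024-05-01T09:00:00","event":"role.grant","actor":"iam-bot","target":"alice","role":"db-admin","approval":"REQ-101"}
{"ts":"2024-05-02T09:00:00","event":"role.grant","actor":"iam-bot","target":"bob","role":"db-admin","approval":"REQ-102"}
{"ts":"2024-05-03T09:00:00","event":"role.grant","actor":"iam-bot","target":"carol","role":"viewer","approval":"REQ-103"}
{"ts":"2024-05-04T10:00:00","event":"role.grant","actor":"iam-bot","target":"dave","role":"db-admin","approval":"REQ-104"}
{"ts":"2024-05-04T10:05:00","event":"role.grant","actor":"iam-bot","target":"erin","role":"db-admin","approval":"REQ-105"}
{"ts":"2024-05-04T10:10:00","event":"role.grant","actor":"iam-bot","target":"frank","role":"db-admin","approval":"REQ-106"}
{"ts":"2024-05-04T10:15:00","event":"role.grant","actor":"mallory","target":"mallory","role":"db-admin","approval":null}
{"ts":"2024-05-04T11:00:00","event":"auth.success","actor":"bob","mfa":"bypass"}
{"ts":"2024-05-04T11:30:00","event":"auth.success","actor":"alice","mfa":"webauthn"}
{"ts":"2024-01-15T08:00:00","event":"credential.rotate","actor":"iam-bot","target":"breakglass-1","account_type":"break-glass"}
{"ts":"2024-04-20T08:00:00","event":"credential.rotate","actor":"iam-bot","target":"breakglass-2","account_type":"break-glass"}
"""

PRIVILEGED_ROLES = {"db-admin"}  # assumed set of high-impact roles


def parse(log_text):
    """Parse JSON-lines audit records; blank lines are skipped."""
    return [json.loads(line) for line in log_text.splitlines() if line.strip()]


def privileged_grant_spikes(events, factor=2.0, min_count=3):
    """Days whose privileged role-grant count is at least min_count and more
    than `factor` times the median of the other days in the window.  The
    min_count floor stops tiny baselines from flagging a single grant."""
    per_day = Counter(e["ts"][:10] for e in events
                      if e["event"] == "role.grant" and e["role"] in PRIVILEGED_ROLES)
    flagged = []
    for day, n in sorted(per_day.items()):
        others = [c for d, c in per_day.items() if d != day] or [0]
        if n >= min_count and n > factor * median(others):
            flagged.append(day)
    return flagged


def mfa_bypasses(events):
    """Successful logins where the MFA step was bypassed or excepted."""
    return [(e["ts"], e["actor"]) for e in events
            if e["event"] == "auth.success" and e.get("mfa") in ("bypass", "exception")]


def stale_break_glass(events, now, max_age_days=90):
    """Break-glass accounts whose most recent credential rotation is older
    than max_age_days as of `now` (ISO string or datetime)."""
    if isinstance(now, str):
        now = datetime.fromisoformat(now)
    last_rotation = {}
    for e in events:
        if e["event"] == "credential.rotate" and e.get("account_type") == "break-glass":
            ts = datetime.fromisoformat(e["ts"])
            last_rotation[e["target"]] = max(ts, last_rotation.get(e["target"], ts))
    cutoff = now - timedelta(days=max_age_days)
    return sorted(acct for acct, ts in last_rotation.items() if ts < cutoff)


def unapproved_escalations(events):
    """Privileged grants that skipped the request flow (no approval reference)
    or that an actor issued to themselves."""
    return [e["target"] for e in events
            if e["event"] == "role.grant" and e["role"] in PRIVILEGED_ROLES
            and (not e.get("approval") or e["actor"] == e["target"])]


if __name__ == "__main__":
    ev = parse(SAMPLE_LOG)
    print("privileged grant spikes:", privileged_grant_spikes(ev))
    print("MFA bypasses:", mfa_bypasses(ev))
    print("stale break-glass accounts:", stale_break_glass(ev, "2024-05-05T00:00:00"))
    print("unapproved escalations:", unapproved_escalations(ev))
```

Each function returns the offending day, account or login rather than printing, so the same logic can feed a SIEM alert, a ticket, or the evidence bundle kept for the next recertification.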