Determining the right network access control (NAC) security policy for your organization isn’t an easy task.

It’s often a balancing act between keeping your network secure and ensuring employees can access the systems they need to do their jobs.

Role-based access control (or RBAC) can be a good way of ensuring your network is protected. If you’ve been considering implementing RBAC in your organization but aren’t entirely sure of the benefits, this article will answer your questions.

What is role-based access control?

Role-based access control is a way of restricting access based on a user’s role within an organization. This means that users aren’t assigned permissions directly but are instead given roles that govern their levels of access. Depending on their job and responsibilities, a user may have one or more roles.

Let’s say, for example, you have a staff database on your network, which contains all your employees’ contact details and contractual information.

Everyone in the organization may have access to edit their own personal details. Managers may have access to edit their team’s information, but no one else’s. Your HR team may have full access to the database to view and edit everyone’s data.

RBAC works on the Principle of Least Privilege (PoLP). This means users have the minimal level of access needed to carry out their job.

RBAC isn’t the only access control method available. There are other options you can consider, like attribute-based access control (ABAC), policy-based access control (PBAC) and access control lists (ACL). However, role-based access control is one of the most effective ways of not only keeping networks secure but improving organizational efficiency.

A study by NIST has shown that role-based access control addresses most of the needs of government and commercial organizations.

Why is role-based access control so important when it comes to network security?

Networks are more susceptible to security breaches than ever before. People working from home and the introduction of BYOD policies mean more endpoints that can be compromised.

In fact, according to IBM, it’s estimated that data breaches in 2021 cost businesses an average of $4.24 million.

With this in mind, it’s essential to ensure networks stay safe. Here’s how role-based access control can provide security for businesses large and small.

I. It makes it easy to ensure networks are secure

Setting up permissions for networks is relatively straightforward. However, as people start, leave, and move around organizations, permissions can become less efficient. Users may end up with access to systems they no longer need.

RBAC means IT departments can effectively manage what access people have with a click of a button.

Let’s go back to the example of the staff database above and say that a new staff member has joined the HR team. Rather than setting access at a user level, you can add them into the ‘HR’ role so they can have full access to the system.

A few years later, let’s say the staff member moves into the sales team, meaning they no longer need full access to the staff database. Rather than changing every single point of access they have, it’s just a case of adding them into the ‘sales’ role instead.

II. It reduces the attack surface

It’s estimated that one in four data breaches result from human error. With RBAC, if a member of staff causes an accidental (or intentional) data breach, there will be less impact.

Let’s say someone is a victim of a phishing attempt, and a hacker obtains their login details. The hacker will only be able to access the information that the member of staff has through the roles they have been allocated.

This means even if a data breach occurs, most of your information will still be safe.

III. It eliminates the risk of ‘insider threats’

Disgruntled employees can often try and settle the score by leaking confidential data or deleting important information. Earlier this year, an IT technician in the UK was jailed for 21 months for wiping data from the school he was formerly employed at after being fired.

As role-based access control gives just enough access to ensure staff can carry out their jobs, it minimizes the risk of users causing intentional harm to your networks.

Similarly, if you work with any third parties, you can use RBAC to assign them pre-defined roles and limit what they can view or edit. Once you stop working with them, you can quickly remove their permissions.

IV. It can quickly scale and adapt

As RBAC deals with overarching roles rather than individual permissions, it can grow as an organization’s IT requirements do.

Let’s say you acquire a new application for your organization. Role-based access control makes it easy to create new permissions as well as set different levels of permissions quickly. As a result, you can ensure any new hardware or software stays secure and that the right people have access.

V. It can ensure you stay compliant

Some industries, like healthcare and financial services, are heavily regulated and have stringent compliance regulations in place. For example, the Health Insurance Portability and Accountability Act (HIPAA) states that only certain people should be allowed access to specific systems.

Role-based access controls can ensure that organizations in these industries do what is required of them, minimizing the risk of security breaches as well as fines for willful violations of the law.

How Portnox can help with your RBAC requirements

Role-based access control can be an extremely efficient way of ensuring network security and can be as top-level or granular as your organization demands. The key is developing a solid strategy before creating and assigning roles.

Which parts of your network need access control, which departments need permissions, and how will you assign people to the right roles?

If you need extra support keeping your network safe, Portnox is here to provide you with peace of mind. Our NAC security solutions come with role-based authentication and access policies to ensure the right people can access your network at the right time.

Contact our team today to find out more.

We live in a world where cybercriminals can penetrate an alarming 93% of company networks. In fact, this trend looks set to continue as we move further into 2022 and beyond. 

Simply put, the cyber threat landscape is becoming increasingly dangerous for organizations and individuals today. For example, cybercriminals are becoming more sophisticated in their methods, shadow IT is widening the corporate attack surface, and network administration errors and misconfigurations are common. At the same time, Crime-as-a-Service (CaaS), where experienced cybercriminals sell access to tools and knowledge needed to execute an attack, is skyrocketing in popularity. The result? More hackers and more successful cyber-attacks. 

We need to strengthen our cybersecurity arsenal if we want to turn this situation around and effectively safeguard corporate systems. And that starts with people – the cybersecurity professionals who find unique solutions to keeping bad actors out. But unfortunately, the widening cybersecurity skills gap is making this extremely difficult. With this in mind, let’s look at the current state of the cybersecurity skills gap and what’s driving it. 

The Current State of the Cybersecurity Skills Gap

According to Fortinet’s 2022 Cybersecurity Skills Gap Report, the cybersecurity skills gap contributed to a whopping 80% of data breaches last year. And these breaches had dire consequences, with 64% of organizations saying they lost revenue or faced fines and 38% reporting that breaches cost them more than a million dollars. 

Companies need skilled cybersecurity professionals now more than ever, but finding and keeping this talent is becoming increasingly difficult. For example, the same report found that 60% of organizations struggle to recruit cybersecurity talent and 52% struggle to retain qualified people, despite 76% of organizations indicating their board of directors now recommends increasing cybersecurity headcount. 

In simple words, organizations urgently need to close the cybersecurity skills gap to tighten their network security and keep pace with nefarious actors, but the gap continues to widen. For example, according to another report, the global cybersecurity workforce will need to grow by 65% to defend organizations’ critical assets effectively. 

At the same time, we continue to make immense strides in technological innovation across industries. Technologies that once seemed like science fiction, such as artificial intelligence (AI), machine learning, and Internet of Things (IoT) devices, are now becoming commonplace. But while these technologies undoubtedly add enormous value, we’re not hiring and training the talent to ensure their security.

Perhaps the most puzzling aspect of this situation is why precisely the cybersecurity industry is struggling to attract and retain talent. On paper, cybersecurity appears to be an attractive job prospect for fledgling tech enthusiasts or even IT workers who might want to transition roles into areas like network engineering, cyber intelligence, or security analysis. 

The appeal for people entering the field should be strong job security, a wide variety of opportunities, the ability to make a real impact, and decent pay (the average salary for a cybersecurity engineer in the US is $101,5481). And IT workers looking to transition into the role get much the same benefits but with a lower barrier to entry. For example, a coder is unlikely to struggle to wrap their heads around firewall types, network access control, and authentication security protocols like 802.1X. 

And yet people aren’t jumping at the chance to work in cybersecurity. Moreover, nearly one-third of the cybersecurity workforce plans to leave the field in the near future. But why? 

Factors Driving the Cybersecurity Skills Gap

Various factors are at play in why the cybersecurity industry faces talent shortages and a widening skills gap. So, let’s get into them. 

An Increasingly Demanding Skill Set and Entry Requirements

Due to the severity of today’s cyber threat landscape, cybersecurity professionals need a massive range of skills, and the list is growing yearly. Organizations increasingly want workers to have strong computer science, network engineering, and other technical skills in addition to computer forensics skills, problem-solving skills, and more. 

And more often than not, one of the key prerequisites to enter the field is a formal degree and an advanced professional certification like CISSP (Certified Information Systems Security Professional).

But despite these requirements, getting cybersecurity skills while still in education is often challenging. For example, only 43% of the US’s top 50 computer science programs include security courses for undergraduates. In other words, we might be failing to attract budding IT professionals into cybersecurity before they choose their career paths. And when this next generation of IT workers opts for a different discipline, they find themselves without the needed certifications to transition into cybersecurity. 

Cybersecurity is Too Stressful

Sadly, stress is an industry epidemic in cybersecurity. Defending against advanced threats daily or even hourly can take a toll on mental health, which is reflected in the statistics. For example, according to Deep Instinct’s Voice of SecOps Report, 45% of C-suite and senior cybersecurity professionals have considered quitting the industry due to stress. And another study from the UK found that 42% of security leaders say they would be unlikely to recommend a job in cybersecurity due to the stress of the job.

A Thankless Job

Cybersecurity teams typically attract the most attention when something goes wrong (a successful breach). But, when they successfully defend the network, there’s silence. As a result, morale is often low in cybersecurity teams. If you’re going to be stressed, you should at least have your successes championed, right? Unfortunately, too many companies are failing to do this right now. 

Attitudes Toward Cybersecurity

Most companies recognize that network security and cybersecurity are essential in the modern world, but that doesn’t mean they have positive feelings toward them. Many high-ranking employees believe that cybersecurity stifles innovation or that cybersecurity teams are too heavy-handed regarding network access control. They don’t see all the attacks that cybersecurity teams prevent, so they assume the team is needlessly restricting their access to files and apps to exert power. 

Choosing a career in cybersecurity can seem unappealing if you’re anticipating being undervalued by your employer. 

Where Do We Go From Here?

Unfortunately, it’s never been easier to become a black hat hacker. Advanced hacking tools are easy to come by, and knowledge sharing for things like phishing attacks, whaling attacks, and corporate account takeovers is rife. But the barrier to entry for the other side – the good guys who want to protect corporate networks is far higher. So companies that want to strengthen their network security need to take steps to overcome the cybersecurity skills gap and deploy advanced tools to help bridge the gap. 

Enterprises today need to be able to interact dynamically and share information with the right people at the right time. As a result, organizations continually add more interconnected systems to their network to allow information to be readily accessible to those that need it.

However, while this interconnectedness is crucial for modern businesses to thrive, it also leaves them vulnerable to cyberattacks. And as enterprise environments become more complex, it’s becoming clear that traditional approaches to access control and threat monitoring simply aren’t sufficient in an increasingly severe cyber threat landscape. But some leading cybersecurity researchers think there could be a better way – Behavior-Based Access Control (BBAC).

What Is Behavior-Based Access Control (BBAC)?

In simple words, Behavior-Based Access Control is a way of analyzing actor behavior and assessing the trustworthiness of information in real-time using machine learning algorithms. But before we can truly understand BBAC, we first have to understand how enterprises tackle these issues today.

The Current State of Access Control

Companies currently use a combination of different technologies and methodologies to monitor their systems and grant access to information.

The way we approach access control has evolved considerably over time and now includes methods like role-based (RBAC), team-based (TMAC), attribute-based (ABAC), context-based (CBAC), and Situation-Based (SitBAC) access control, among others. But while these approaches do a decent job of locking down information to authorized users, they’re not without drawbacks.

Crucially, most current access control methods are grounded in static policies governed by access control rules. And this presents some significant security risks. For example, what happens if a bad actor steals an access card? Or if an insider performs illegitimate actions within their privilege realm? With traditional access control methods, bad actors can potentially go undetected for a considerable amount of time, exfiltrating data or wreaking havoc on the network.

Misuse of information should be a top priority for any modern enterprise. Still, the situation becomes especially serious for companies that deal with highly sensitive data, like those in the healthcare, finance, and government sectors. And companies in these sectors (or sufficiently large companies in any industry) are increasingly moving towards large-scale distributed systems, where various components are spread across multiple computers on a network. But these systems are often as complex as they are large. As a result, managing access control at scale quickly becomes unmanageable, and errors often slip through the net.

The Current State of Threat Monitoring

On the monitoring side, companies leverage technologies like the Snort or Bro network intrusion detection system or the Host-Based Intrusion Detection System (HIDS). And while these cybersecurity monitoring systems help safeguard corporate systems, they have several limitations. Namely, these types of solutions are typically signature-based and narrowly focused on specific parts of the overall systems. Signature-based monitoring can’t account for sophisticated attacks, like zero-day attacks, where signatures are yet unknown.

Lastly, while companies today often collect vast amounts of useful security such as server logs, they don’t analyze this data in real-time. Instead, this data is used for offline forensics, potentially days, weeks, or even months after a security event. By this time, attackers have likely already completed their nefarious activities and are long gone.

How BBAC Works

BBAC leverages machine learning to dynamically analyze actors’ intent and assess the trustworthiness of information within the system. But how?

BBAC uses a combination of rule-based behavior signatures with statistical learning methods to create a more robust and flexible way of assigning and managing trust. So, for example, BBAC can analyze patterns in the network and adjust access over time and as needed. It can also respond to potential security events in real-time. For example, the machine learning algorithm can create a baseline for expected user behavior by using historical and real-time data. Anything that falls outside of this could be considered suspicious and warrant immediate action, either manually or through automation.

This is contrary to how isolated traditional rule-based systems work, whereby once an actor gains access, they can essentially operate with impunity within their access rights.

The idea here is that BBAC can diminish the risk of misplaced trust and deter the abuse of authorized privileges by continuously monitoring behavior. It analyzes observable behaviors on several different layers in real-time to check for intricate patterns that would otherwise go unnoticed. And by employing this type of sophisticated analysis, IT teams eliminate the need for draconian deny rules at specific layers in the system.

At the same time, user-based BBAC can help alleviate some of the problems companies face when defining access. For example, let’s say a particular policy is set up to deny access to specific files if a user isn’t in an approved location. The machine learning model might detect that users continually request this type of access and alert the security team. Armed with this information, businesses can adjust their policies to allow more flexibility within certain contexts.

The Nuts & Bolts of BBAC

So, what’s actually going on here? How does this machine learning thing really work? Machine learning is all about getting computers to “learn” and make decisions without explicit instructions. And for a machine-learning algorithm to learn, it needs to process vast amounts of data.

For BBAC, the significant data comes in the form of network flow information (TCP and UDP), Higher-level transport protocols like (HTTP, XMPP, and SMTP), audit records (like those produced by web and DNS servers), and application-level content like PDF documents or email and chat messages.

So, that’s the data that feeds the model, but what about the model itself? BBAC models are still in their infancy, but current examples use a combination of supervised and unsupervised machine learning to achieve full BBAC functionality.

Supervised learning leverages labeled datasets designed to train or supervise the algorithm in classifying data and accurately predicting outcomes. So, for example, the algorithm becomes competent at separating data into specific categories, like expected network traffic and unexpected network traffic. This is called classification. The regression supervised learning method can also be used to understand the relationship between dependent and independent variables, which can be useful for predicting outcomes using numerical data.

By contrast, unsupervised learning uses unlabeled datasets and allows the algorithm to discover hidden patterns without human intervention.

Wrapping Up

Behavior-based access control has enormous potential to make enterprise environments more secure, flexible, and responsive. And as we progress through the 2020s, we expect to see more research in this area and likely adoption of this technology by reputable firms. The Department of Defense is actively interested in BBAC, so that should tell you something about where this approach is heading!