Three ways to determine critical versus routine access

There’s one question every organization needs to be able to answer: What are the company’s specific critical access points? It’s easier asked than answered, and depending on the system, the users, the assets, and a few other factors, critical access varies by organization and use case. However, there are a few definitive ways to help an organization answer that crucial question and better protect what’s most valuable to them.  Those three ways are:

  1. The Who, The What, And The How
  2. How The Access Point Is Protected
  3. Frequency, Risk, And Urgency

The who, the what, and the how of critical access

One of the first ways to determine if an asset or access point is critical is to look at what that asset is, who is accessing it, and how -- or the amount of privileges -- that user has when accessing it.  The “who” refers to the identities or users who would be requesting access to critical assets. It’s most often a human, but could be another machine, a software program, or a bot. The “who”, or the user, is pretty easy to identify most of the time. Human user groups can include customers, employees, or third parties, and each user group holds its own level of risk. Customers typically present little to no risk. Usually, a customer just wants to access their account with your organization and that’s it. Employees hold a higher level of risk and are traditionally perceived as some of the biggest threats to an organization’s critical assets due to their proximity to critical assets and critical access points. However, this myth has been debunked by recent research reports and data showing that third parties are the biggest risk to an organization’s critical assets.  Identity traits are the characteristics of a user that could help inform how much access they should be granted, as well as the amount of risk a user poses. For example, a third-party rep’s identity traits are what make it one of the biggest threats to an organization. They are outsourced and outside of any internal databases or systems, so their credibility, behavior, and risk level are unknown.  The “what” is the access point or asset itself. This could be a building, a room, a machine, a software program, a server, a database, or data. Ultimately, it’s the thing critical access management is trying to protect. The importance, value, and risk associated with the asset determine if it’s critical and if access to that asset should be treated accordingly. Is the asset a power plant’s IT infrastructure? If so, that’s a high-risk asset with tremendous value to not only an organization but to the general public.  The “how” refers to the privilege a given user has when it comes to an access point or asset. When looking at access points, what privileges are needed to enter? Is it standard or elevated? The level of criticality of an access point depends on how locked down the access is and what privileges a user needs to enter. If more privileges are needed, it means there’s a higher risk involved with the access. Looking at those three parts of access can help an organization determine what’s routine and what’s critical. If two or more factors listed above rank as high risk, that means access is critical and needs to be treated as such.

Routine vs. critical: how is it protected?

Another way to think about what is and isn’t critical is to think about the metaphorical door it is, or should be, behind. Is it a three-foot thick vault door in the back of the building or the often open glass door at the front? Do you need a special key card to even access the elevator that could take you to it? Or is it in your window display?  Access to an internal email account wouldn’t shut down Colonial Pipeline, but access to IT and financial systems did so and led to long gas lines, reputational damage, and vast internal costs. The best way to defend this information is to defend the critical access points and employ the three pillars of critical access management. It’s about installing those vault doors and hiring the best digital doormen to protect it.

The frequency, risk, and urgency of access points and assets

Understanding frequency, risk, and urgency starts with defining how those terms apply to access points and assets.  Frequency: How often a point or asset is accessed. Risk: The stakes for that access point or asset. Urgency: How fast a user would need to access that point or asset for a critical job function. Access to routine, everyday information is most likely high frequency, low risk, and, depending on the organization, low urgency. On the other side of the spectrum, access to information that is low frequency, high risk, and possibly high urgency, would be considered critical. The urgency factor is dependent on the industry or specific organization, so it’s not always an indicator of importance. A hospital would probably consider most, if not all, EMRs as urgent, but an energy company may only consider a sliver of their operations and information as such. The crucial step in this process is evaluating every single point of access to employ critical access management properly.  While determining critical versus routine may take time -- and the right stakeholders who can provide insight into certain assets and access points -- it’s the first step in building a better access management system. What’s next, then? Employing the best practices and strategies of access governance, access control, and access monitoring to make sure those critical access points are thoroughly protected in a changing cybersecurity environment.