What are Access Control Best Practices?

Proper Access Control is an important part of securing your data. If your rules are too permissive, the wrong users may get access to sensitive information. The guidelines here will help steer you in the right direction. If you have further questions, don’t hesitate to ask.

See also: access control basics.

1. A User for Everyone!

First and foremost: make sure there is a distinct user for every person who uses your product. Each user should have their own username & password (ideally they should use MFA as well).

It is bad practice to share logins, or to have an “office” login that represents a group of people. Doing so makes it impossible to lock down specific access based on unique user attributes. Even if all users in that office should have the same access, a shared login makes it impossible to correctly correlate Audit Log entries with the person who took the action. That audit log gap violates HIPAA. If that’s not enough to convince you, it’s just plain bad hygiene. Users sharing a login are likely to pass the credentials around by email or on sticky notes, which greatly increases the chance of outside compromise.

Moral of the story: make sure each human being has their own user.

2. Less is More

The principle of least privilege is the cornerstone of a good security policy. Simply put, this principle says that if someone doesn’t need access to something, don’t give it to them. For example, if you’re building a health care application for doctors in a hospital, you could give all doctors access to all patients. But is that necessary? Would it be sufficient to give doctors access only to the patients they actually work with? This may not seem like a big deal on the surface: you trust these doctors, so why restrict their access? But blanket access means that a compromise of a single doctor compromises the entire patient set. A doctor is as likely as anyone else to have malware on their computer or to fall for a phishing scam. You should minimize any user’s access, regardless of how much you trust the user, to mitigate the loss if their account is compromised.

3. Keep it Current

You should regularly audit your access control rules to ensure they are current. You can do this from the TrueVault Management Console on the Groups tab. Each group shows what resources are accessible and which actions are allowed. This declarative nature makes it straightforward to understand the net-effect of a group policy. Each group also lists every user who is a member on the right, so you can ensure membership is current as well.
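The following is an added example that models the ideas of sections 2 and 3 in code; it is not TrueVault’s API or policy syntax. It uses a small, hypothetical declarative group-policy model: a blanket “all doctors see all patients” group is placed beside a least-privilege group whose rule is scoped to each user’s own assigned patients, and two audit helpers report the net effect of every group and flag members that no longer map to an active user. The users, groups, patient IDs and the `patient:{assigned}` pattern are all constructed for the example.

```python
"""Toy declarative group-policy model (constructed example, not TrueVault's).

Shows why a blanket rule over-grants (section 2) and how a declarative
policy can be audited for net effect and stale membership (section 3).
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    # resource pattern: an exact id, a wildcard like "patient:*", or the
    # hypothetical "patient:{assigned}" meaning "only this user's patients"
    resource: str
    actions: frozenset


@dataclass
class Group:
    name: str
    rules: list
    members: set


@dataclass(frozen=True)
class User:
    username: str
    assigned_patients: frozenset = frozenset()
    active: bool = True


def resource_matches(pattern: str, resource: str, user: User) -> bool:
    """Decide whether a rule's resource pattern covers `resource` for `user`."""
    if pattern == resource:
        return True
    if pattern.endswith(":*") and resource.startswith(pattern[:-1]):
        return True
    if pattern == "patient:{assigned}" and resource.startswith("patient:"):
        return resource.split(":", 1)[1] in user.assigned_patients
    return False


def is_allowed(groups: list, user: User, action: str, resource: str) -> bool:
    """Deny by default; allow only if some group the user belongs to grants it."""
    for group in groups:
        if user.username not in group.members:
            continue
        for rule in group.rules:
            if action in rule.actions and resource_matches(rule.resource, resource, user):
                return True
    return False


def net_effect(groups: list) -> dict:
    """Summarise each group: which resources/actions it grants and to whom."""
    return {
        g.name: {
            "rules": sorted((r.resource, sorted(r.actions)) for r in g.rules),
            "members": sorted(g.members),
        }
        for g in groups
    }


def stale_members(groups: list, users: dict) -> dict:
    """Group members that no longer correspond to an active user account."""
    active = {u.username for u in users.values() if u.active}
    return {g.name: sorted(m for m in g.members if m not in active) for g in groups}


# Constructed sample data: two doctors plus one departed user who was never
# removed from the group.
USERS = {
    "alice": User("alice", frozenset({"p1", "p2"})),
    "bob": User("bob", frozenset({"p3"})),
    "carol": User("carol", frozenset(), active=False),
}
READ_WRITE = frozenset({"read", "write"})

# Over-permissive: every doctor can read and write every patient record.
PERMISSIVE = [Group("doctors_all", [Rule("patient:*", READ_WRITE)], {"alice", "bob", "carol"})]

# Least privilege: each doctor reaches only the patients assigned to them.
LEAST_PRIV = [Group("doctors_assigned", [Rule("patient:{assigned}", READ_WRITE)], {"alice", "bob", "carol"})]


if __name__ == "__main__":
    alice = USERS["alice"]
    print("blanket rule, alice -> p3:", is_allowed(PERMISSIVE, alice, "read", "patient:p3"))
    print("scoped rule,  alice -> p3:", is_allowed(LEAST_PRIV, alice, "read", "patient:p3"))
    print("scoped rule,  alice -> p1:", is_allowed(LEAST_PRIV, alice, "read", "patient:p1"))
    print("net effect:", net_effect(LEAST_PRIV))
    print("stale members:", stale_members(LEAST_PRIV, USERS))
```

Running it shows the blast radius difference directly: under the blanket rule a compromised `alice` account reaches `patient:p3`, under the scoped rule it does not, and the audit helpers surface `carol` as a member whose account is no longer active, which is exactly the kind of drift a regular review of group membership is meant to catch.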

4. Keep it Simple

The best way to stay true to #3 is to make it easy to audit your access control rules regularly. That’s why we try to make common patterns like Ownership as concise to express as possible. When you’re writing your own policies, do your best to keep them simple and organized so they can be easily audited. Don’t let this trump the other rules though; simplicity is not as important as enforcing minimal access.

5. Get some help!

We have a team of experts on staff who can help you decide how to model your access control. Once you sign up, don’t hesitate to ask for help along the way, or get a second pair of eyes before you go live.