ISO/IEC 27001 Control 8.3: Information access restriction
Control
Access to information and other associated assets should be restricted in accordance with the established topic-specific policy on access control.
Necessity of MidPoint
MidPoint is necessary to implement this control properly.
MidPoint features and capabilities are essential for efficient implementation of this control. While it is theoretically possible to implement this control without a comprehensive IGA platform in place, the implementation is likely to be inefficient, costly, slow and unreliable in the long run. MidPoint can make implementation of this control efficient and reliable.
Implementation Overview
MidPoint is an essential tool for managing information access restriction, supporting it with numerous features.
Implementation Details
MidPoint is designed to manage access control rules and policies, restricting access to information by particular users or groups. MidPoint entitlements represent permissions that restrict access to information in applications and databases. Entitlements are applied to user accounts by the provisioning mechanism, and the synchronization (and reconciliation) mechanism keeps entitlements consistent with access control policies. User records and assignments stored in the midPoint identity repository record the access rights assigned to particular users. The activation schema can be used in assignments to grant temporary permissions.

Organizational units (representing groups, divisions, teams, projects, etc.) and roles (representing jobs and business responsibilities) are used to group users, applying policies consistently across the organization using role-based access control (RBAC) principles. Entitlements are derived from RBAC mechanisms, taking additional dynamic policies into account, and are then applied to user accounts using provisioning mechanisms.

Fine-grained access control policies can be applied to various objects, such as file shares, data partitions, spaces and documents. Access request and approval processes can be used to exercise granular control over access to information, and the access certification process can be used to remove unnecessary access. Relevant data objects can be synchronized to midPoint, usually in the form of "services" with an appropriate archetype. The mechanism of parametric roles can be used to control access to such objects, using the relation parameter to specify the access level (e.g. read, write, administration).

Information classification mechanisms can be used to set high-level access policies for a class of applications, e.g. allowing public and anonymous access only to applications processing public data. This provides partial isolation of sensitive applications, ensuring that only users with appropriate clearances get access to sensitive information.
MidPoint can control authentication mechanisms used to access information, including passwords and other credentials. Reporting and dashboarding capabilities can be used to provide access control information as well as evidence. Audit trail records all changes in access control permissions. This information can be used for reference, investigation or analysis.
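The derivation described above (roles and organizational units producing entitlements, assignment activation windows, a relation parameter selecting the access level on a service, and clearance checked against information classification, followed by reconciliation against the account's current state) can be illustrated with a small model. The following Python is an added example, not midPoint code and not its data model; the role names, the clearance levels, the relation-to-access-level mapping and the sample user are all constructed for illustration.

```python
from __future__ import annotations
from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import Optional

# Constructed sample policy (illustrative, not midPoint's schema).
CLEARANCE_LEVELS = {"public": 0, "internal": 1, "confidential": 2}
# Hypothetical mapping from the relation parameter of a service assignment
# to the access level it grants.
RELATION_ACCESS = {"read": "read", "write": "write", "admin": "administration"}


@dataclass(frozen=True)
class Entitlement:
    resource: str  # application / identity resource the entitlement lives in
    name: str      # group, privilege or ACL entry in that resource
    level: str     # access level it confers


@dataclass
class Assignment:
    target: str                     # role, org unit or service name
    relation: Optional[str] = None  # parameter used for service assignments
    valid_from: Optional[datetime] = None
    valid_to: Optional[datetime] = None

    def is_active(self, now: datetime) -> bool:
        """Activation window of the assignment (temporary permissions)."""
        if self.valid_from and now < self.valid_from:
            return False
        if self.valid_to and now > self.valid_to:
            return False
        return True


@dataclass
class User:
    name: str
    clearance: str
    assignments: list[Assignment] = field(default_factory=list)


# Roles grant entitlements; org units induce roles; services are data objects
# carrying a classification and guarded by a parametric assignment.
ROLES = {
    "analyst": {Entitlement("finance-db", "report_readers", "read")},
    "bookkeeper": {Entitlement("finance-db", "ledger_writers", "write")},
    "auditor": {Entitlement("audit-vault", "auditors", "read")},
}
ORG_INDUCEMENTS = {"finance": ["bookkeeper"]}
SERVICES = {
    "hr-share": {"resource": "fileserver", "entitlement": "hr-share",
                 "classification": "confidential"},
    "intranet": {"resource": "webportal", "entitlement": "intranet",
                 "classification": "internal"},
}


def derive_entitlements(user: User, now: datetime):
    """Compute the entitlements a user should hold, plus the reasons for denials."""
    granted: set[Entitlement] = set()
    denied: list[tuple[str, str]] = []
    for a in user.assignments:
        if not a.is_active(now):
            denied.append((a.target, "assignment not active"))
            continue
        if a.target in ROLES:
            granted |= ROLES[a.target]
        elif a.target in ORG_INDUCEMENTS:
            for role in ORG_INDUCEMENTS[a.target]:
                granted |= ROLES[role]
        elif a.target in SERVICES:
            svc = SERVICES[a.target]
            # Classification gate: clearance must reach the service's level.
            if CLEARANCE_LEVELS[user.clearance] < CLEARANCE_LEVELS[svc["classification"]]:
                denied.append((a.target, "clearance below classification"))
                continue
            level = RELATION_ACCESS.get(a.relation or "read", "read")
            granted.add(Entitlement(svc["resource"], svc["entitlement"], level))
        else:
            denied.append((a.target, "unknown target"))
    return granted, denied


def for_resource(entitlements: set[Entitlement], resource: str) -> set[Entitlement]:
    return {e for e in entitlements if e.resource == resource}


def reconcile(desired: set[Entitlement], current: set[Entitlement]):
    """Reconciliation: what provisioning must add to / remove from the account."""
    return desired - current, current - desired


# Constructed sample user and account state.
UTC = timezone.utc
NOW = datetime(2024, 6, 1, tzinfo=UTC)
ALICE = User("alice", "internal", [
    Assignment("analyst"),
    Assignment("finance"),                                        # org membership
    Assignment("auditor", valid_from=datetime(2024, 1, 1, tzinfo=UTC),
               valid_to=datetime(2024, 3, 31, tzinfo=UTC)),       # expired temporary grant
    Assignment("hr-share", relation="write"),                     # confidential data
    Assignment("intranet", relation="read"),
])
# What the finance-db account currently holds (one stale admin entitlement).
CURRENT_FINANCE_DB = {
    Entitlement("finance-db", "report_readers", "read"),
    Entitlement("finance-db", "stale_admins", "administration"),
}

if __name__ == "__main__":
    granted, denied = derive_entitlements(ALICE, NOW)
    add, remove = reconcile(for_resource(granted, "finance-db"), CURRENT_FINANCE_DB)
    print("granted:", sorted(granted, key=str))
    print("denied:", denied)
    print("add:", add, "remove:", remove)
```

Running it shows the expired auditor assignment contributing nothing, the confidential share being refused because the user's clearance is only "internal", and reconciliation asking provisioning to add the induced ledger entitlement while removing the stale administrative one that no policy justifies.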
Implementation Notes
- MidPoint relies on access control enforcement in applications and identity resources. Applications are policy decision points (PDP) and, more importantly, policy enforcement points (PEP). MidPoint manages and distributes the policies, acting as a policy administration point (PAP).
- This control requires "configuration mechanisms to control access", which effectively prohibits hard-coded access control rules in the application. Applications have to expose entitlements that can be assigned to accounts. MidPoint is designed to manage such entitlement assignments using its role-based mechanisms and policies.
- The control describes the advantages of a "dynamic access management" mechanism at length. However, it is not clear how such a mechanism is supposed to work. Probably the closest implementation would be a variation of a digital rights management (DRM) mechanism, which is notoriously difficult to use and of questionable reliability. We recommend not following the guidance for "dynamic access management", and instead relying on the reliable application of proven and established access control techniques.
Rationale
Management of information access restrictions is an extremely demanding task, especially when it needs to be done at scale. It requires establishing access control policies and consistently enforcing them across many applications and identity resources. An identity administration and governance (IGA) platform such as midPoint is necessary to satisfy this control in any medium-to-large organization.
Documentation
Version | Title | Description |
---|---|---|
4.9 | Information Classification and Clearances | Ensuring that only users with appropriate clearances get access to sensitive information |
Development | Information Classification and Clearances | Ensuring that only users with appropriate clearances get access to sensitive information |
4.8 | Information Classification and Clearances | Ensuring that only users with appropriate clearances get access to sensitive information |
Related Features
- Information classification (planned)
- Policy (concept) (planned)