Learn why restricting employee access to data can save your business.  

By Matt Glade, SecurityMetrics
Do all of your employees have the same access to your card data? If so, you could be making it much easier for attackers to steal it. Or, what if a disgruntled employee decides to take revenge and sells your data? If you don’t use role-based access, your card data could be in real danger.

What is role-based access?

At a technical level, role-based access control, or RBAC, is an approach to restricting system access to authorized users. Put simply, it means each employee can access only a certain amount of data, depending on their role in your business. With role-based access, employees only have access to the data and tasks deemed necessary for their job function and role.

The most common RBAC implementation is Windows Active Directory. Lightweight Directory Access Protocol, or LDAP, is a popular application protocol, widely used on Linux, for communicating with Active Directory, but we will focus on the basic configuration of Active Directory.

To configure Active Directory, you have to use a hierarchical, top-down approach. Take for example the domain name securitymetrics.com. In the world of Active Directory, the domain name securitymetrics.com would be a top-level domain. Under the top-level domain, Organizational Units, or OUs, can be created such as Marketing, Operations, Finance, etc. Within the OUs, groups and users can be added.

Typically, system administrators apply group policies, which are the actual role-based permissions that control what a user is able to access, at the OU level. Group policies can also be applied to groups and individual users, but it’s easier for system administrators to manage role-based access controls at the OU level. Imagine a company with over 1,000 users and the amount of time it would take to apply role-based access controls to each individual user. That’s a system administrator’s nightmare.

Many businesses aren't fully implementing role-based access controls, or aren't doing so at all.

Here are five reasons why your business should implement a role-based access control system.
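As an added example, not code from the original post, here is how that domain → OU → group → user structure can be built with PowerShell, with group policy linked at the OU level and a membership review for the transferred-employee case discussed later in the post. The domain DN, OU, group, user and GPO names are assumptions chosen for illustration.

```powershell
# Added example (not from the original post): builds the hierarchy described above
# for the constructed domain securitymetrics.com (DC=securitymetrics,DC=com).
# Assumes the ActiveDirectory and GroupPolicy PowerShell modules (RSAT) and a
# domain admin session. OU, group, user and GPO names are illustrative.
Import-Module ActiveDirectory
Import-Module GroupPolicy

$domainDN = 'DC=securitymetrics,DC=com'

# 1. Organizational Units under the top-level domain, one per business function.
foreach ($ou in 'Finance', 'Marketing', 'Operations') {
    if (-not (Get-ADOrganizationalUnit -Filter "Name -eq '$ou'" -SearchBase $domainDN)) {
        New-ADOrganizationalUnit -Name $ou -Path $domainDN -ProtectedFromAccidentalDeletion $true
    }
}

# 2. A role group inside the Finance OU. Card-data access is granted to the group,
#    never to individual users, so a role change is just a membership change.
$financeOU = "OU=Finance,$domainDN"
New-ADGroup -Name 'Role-CardDataAccess' -GroupScope Global -GroupCategory Security `
    -Path $financeOU -Description 'Roles with need-to-know access to cardholder data'

# 3. Users are created in their function's OU; only the accountant joins the role group.
#    Accounts start disabled so they can be reviewed before first use.
New-ADUser -Name 'Accountant One' -SamAccountName 'accountant1' -Path $financeOU -Enabled $false
New-ADUser -Name 'Janitor One' -SamAccountName 'janitor1' -Path "OU=Operations,$domainDN" -Enabled $false
Add-ADGroupMember -Identity 'Role-CardDataAccess' -Members 'accountant1'

# 4. Group policy is linked to the OU rather than to each user, so every account
#    placed in the Finance OU inherits it automatically.
$gpo = New-GPO -Name 'Finance-Workstation-Hardening'
New-GPLink -Name $gpo.DisplayName -Target $financeOU -LinkEnabled Yes

# 5. Review for a transferred employee: list every group the account still holds so
#    permissions left over from the old role can be revoked (need-to-know check).
function Get-RoleReview {
    param([string]$SamAccountName)
    Get-ADPrincipalGroupMembership -Identity $SamAccountName |
        Select-Object Name, GroupScope, DistinguishedName
}
Get-RoleReview -SamAccountName 'accountant1'
```

Run the review function against an account whenever someone changes departments and remove any role group that the new position does not require.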

1. It’s a requirement in the PCI DSS

PCI Requirement 7 covers how businesses should restrict employee access to sensitive data on a need-to-know basis. Businesses are required to have a role-based access control system.

PCI 3.2 also requires a defined and up-to-date list of the roles with access to card data. This means you need to maintain a current list of the employees who can access card data in your business.

In a nutshell, if you aren’t implementing role-based access, you’re not PCI compliant.

SEE ALSO: 5 Simple Ways to Get PCI Compliant

2. It limits social engineering attacks

Social engineers like an easy target. If everybody has access to credit card data, how easy is it for a social engineer to steal one employee’s credentials and gain access to all the data? Easier than you think.

By limiting access to card data, you make the social engineer’s job harder and make them less likely to target your business.

Granted, a social engineer could find a way to steal the credentials of someone who has authorized access to the data, but with role-based access, it would take more work for them.

While this doesn’t protect you from all social engineering attacks, it does help discourage them.

SEE ALSO: Social Engineering Training: What Your Employees Should Know

3. It keeps data safe from remote access attacks

One of the biggest ways hackers steal card data is through unsecured remote access software. It’s best to restrict remote access users to only the data their role requires. This will help keep your data secure from hackers.

While remote access software is convenient, it can easily lead to a data breach if you don’t secure it properly. Some ways to secure remote access software are:

SEE ALSO: Configuring Your Remote Desktop Connection: What You’re Doing Wrong

4. It reduces data attacks

The fewer people logging into your credit card data, the fewer openings hackers have into your card data environment. Restricting access is just one way to make sure your data isn’t vulnerable to attackers.

Remember that restricting access alone isn’t going to keep your data completely safe from data attacks. Some additional actions to take include:
  • Segmenting networks: keeping your networks separate will help reduce potential data breaches.
  • Installing and updating antivirus software: antivirus can help detect and remove malware.
  • Configuring firewalls: many businesses don’t configure their firewalls correctly. Make sure yours is updated and working properly.
  • Regularly updating and patching software: no software is perfect, and it’s critical to regularly patch vulnerable spots in your software.

SEE ALSO: 3 Data Security Best Practices

5. It prevents confusion and streamlines responsibilities

By limiting employee access based on roles, you give clarity to each employee’s responsibilities. This will help your business become more efficient in general, because you aren’t duplicating or overlapping responsibilities.

Confusion happens when employees’ roles aren’t clear. By using role-based access, you have to make clear your employees’ roles, what’s expected of them, and what information they need access to.

Ways to incorporate role-based access

One reason businesses haven’t used role-based access is that they feel it’s difficult to incorporate. Here are some tips to implement role-based access accurately and efficiently in your business:
  • Assign levels of access to employees according to need: if it helps, make a diagram ranking jobs from those that involve the most work with card data to the least. For example, your accountant will need more access privileges than your janitor.
  • Implement regular employee training: employees should understand what level of access they have and what others have. This helps prevent social engineers from using stolen credentials to steal card data.
  • Document everything: the best way to avoid confusion is to document which employees have access, how much information they can access, and whenever employees are added or removed. Remember to update these documents regularly.

Businesses should remember that if an employee transfers from one department to another, they need to evaluate whether or not that employee’s previous RBAC permissions are required for the new role. If not, those permissions must be revoked.

By implementing role-based access in your business, you provide an extra layer of security for you and your clients. Keep your employees on a need-to-know basis and make sure your data can’t be accessed by just anyone.

Matt Glade (CISSP, QSA) is a Security Analyst at SecurityMetrics who focuses on PCI DSS and HIPAA assessments. He is a graduate of Westminster College and has worked in the IT sector for over 20 years.
