Managing Authorization and Access Restrictions using ITIL Best Practices
Thanks for all your feedback, input, and comments on my previous blog post. I appreciate your growing interest in my ITIL specific blog posts. As always, I would also like to thank our content expert who is always helpful and supportive. I hope you will enjoy reading this blog as well. This week, I have selected Access Management and how it is done using ITIL best practices.
What Is Access Management?
Access Management is about granting access/rights (authorization) to concerned users so that they can use a service or bundle of services at agreed times based on policies defined in Information Security Management. In simple words, it is about access control (or access restrictions) to service(s) and making sure that only authorized users can use service(s) as per policy defined in the Information Security Management process which is part of Service Design stage of IT service lifecycle.
This process was not thoroughly addressed in ITILv3 (previous version) but it is now considered as an important one in ITILv2011 due to the increased awareness and challenges related to network security and the increased need of better security practices. This is one of the 26 processes discussed in ITIL Foundation training and it is closely related to another process called ‘Information Security Management.’ Access Management belongs to the ‘Service Operations’ stage of IT service lifecycle which we know is the fourth stage and deals with day to day operations, incidents and maintenance related matters.
Access Management also addresses service access requests, restricting and altering access rights as per policies. It also deals with audit of access rights to make sure that un-necessary privileges are not assigned and service(s) are used fairly/properly.
How Access Management Works In An Organization
Let’s suppose you work in an organization where an employee from the marketing department is authorized to use the printer, but not authorized to access the database. In such situations, an access-control process can make sure that an authorization mechanism is in place to honor the policies set out in the Information Security Management process. In this case, the employee should be granted the proper authorization to use the printing service but not the database service.
Benefits Of Implementing Access Control
Access control can help organizations manage all three basic security parameters known as CIA Triad (Confidentiality, Integrity and Availability). Confidentiality is about keeping information/data/files/folders/objects/programs secret or private from unauthorized users.
In network security, encryption is commonly used to keep data confidential. Integrity is about making sure that data/file/information is not compromised. Or in other words, the data has not been altered, modified, amended, or changed by an unauthorized user. A hashing algorithm is usually used to verify the integrity of the data.
Access Control and Network Security
Let’s get into the details of access-control from a network security perspective (ITIL doesn’t cover that information). There are generally four ways to implement access-control which are known as access-control mechanisms:
1. Mandatory
Mandatory access-control is usually used in government or security conscious organization where both subjects and objects are classified/categorized into various levels of security clearance and depending upon one’s security clearance, a subject can access an object.
A subject can be a user, program, process etc. whereas an object can be a file, folder, process etc. So if you have secret-level security clearance, you can access all data/files etc. which are tagged as the same security-level or lower than that.
2. Discretionary
Discretionary access-control is used by most of the operating systems where the owner of a file/program or network administrator can assign access rights to any user at their discretion.
3. Rule-Based
Rule-based access-control deals with restricting a user or allowing a user to use a service during specific timings or days (as per set rules). This means their access to data is governed by a pre-determined set of rules.
4. Role-Based
Role based access-control is beneficial when you want to assign rights based on user’s job role and responsibilities.
Your Role As An ITSM Professional In Access Management
Access Management can be initiated by a service request where the service-desk or IT operations management is responsible for access-management as per an organization’s policies. They ensure that all users who are using services are authorized and are in adherence to defined policy.
As an ITSM professional, you have to acquaint yourself with your organization’s policies on access management and have to be able to come up with recommendations based on industry best practices. You have to develop an understanding of how different departments work within your organization, what kind of access they will require, and what kind of approvals they will require before they are granted said access. At the same time, you have to look at access from a network security point of view and should be able to identify and rectify possible vulnerabilities.
In my upcoming blog, I will be discussing Information Security Management process in continuation of my ITIL specific series of blogs. I hope you will continue to read and won’t hesitate to share your response/feedback with me. If you have any questions about this blog post or ITIL in general, you can find me at ExpertConnect.