Access Control and Authorization
Access control and authorization are a fundamental building block of data security in an organization, and the natural starting point. Authority levels are critical to planning roles correctly and to assigning the right people to the right roles. At the heart of the planning process is defining which screens and resources each role may reach.
Not every user should be able to access every resource. The basic principle is that a user accesses only the information their authority covers, and no more. The resources users may access should be identified, and the authorization groundwork and planning carried out for the roles they belong to.
A user's request to access a resource must be checked by the access control mechanism: an authorized user is granted access, otherwise the request is rejected. Before any authorization is issued it should be established that the prerequisites for granting it have been met, and it should be ensured that the procedure is carried through to completion.
What is Access Control/Authorization?
Authorization is the process that determines what data a user can access and what actions they can take; resource security is provided through access control. Access rights represent the variety of operations a system supports, such as reading, writing, adding, executing, deleting, searching, changing the owner and changing permissions. For each of these an authorization decision can allow access, limit access, deny access or revoke access.
Access Control Policy
Access control policies are needed to design and implement access control functionality consistently. In SaaS (Software as a Service) applications, the architects, designers and users together identify the security requirements for access control and authorization. These requirements then need to be turned into correct authorization policies and processes, and internalized by the users who operate them.
Role-based Access Control
In Role-Based Access Control, access rights and decisions are shaped by an individual's roles and responsibilities within the business. Employee roles are defined by analyzing the overall structure and objectives of the business from a security standpoint. A user must not be able to reach the resources that a more privileged individual can reach. An employee must have access to the resources needed for their own work, and the authority to carry out that work, and nothing beyond it. Authorizations should be checked periodically.
A role-based access control framework should give security administrators the ability to track who took which actions, when, where, in what order, and under what circumstances and relational conditions.
Outsourcing / Outsourced Service Procurement
Where the processed data and the application are used under an outsourcing or outsourced-service arrangement, it is of utmost importance that a Confidentiality Agreement is put in place and that all process and service contracts have been signed before any authorization is granted.
For any work on information processing services and activities within the scope of the corporate information management system, a Confidentiality Agreement should be drawn up so that confidential information provided to the contractor, and confidential information obtained by the contractor in any way, is kept under the terms and commitments that agreement specifies.
The agreement should cover any confidential information the parties obtain from each other, whether written or oral, from their employees, their assistants and other relevant third parties, relating to the business or the parties, whether or not it is expressly marked confidential, and should address its security, integrity and accessibility. Employees should be made aware of these obligations through awareness announcements and should sign security commitments.
Authorization of Different Groups & Privileged Account Control
The authorization process is tiered. Maximum attention should be paid to the competence of the high-level users who are themselves authorized to grant authorization. Where authorization is segmented, information belonging to one segment or group must not be visible to users of other groups; this is the essence of privileged account management. In SaaS applications the right to define these powers belongs to a privileged account, and the governance of that account rests with you, the customer. Getting these authorizations wrong may result in data loss or in data reaching unauthorized persons. Keep in mind that you are responsible.
Authority definitions should be presented clearly in writing, and the powers granted should be checked through internal audits and reviews.
Authorization should be made in accordance with the job description.
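The two points above, role-based decisions with an audit trail and segment (group) isolation for privileged users, fit together in one small policy decision point. The following is an added example written for this page, not code from the original article or from any particular product; the roles, permission table, users and resources are constructed for illustration.

```python
"""Role-based access control with per-group scoping and an audit trail.
Added example, not code from the original article; all roles, users,
resources and the permission table are constructed for illustration."""
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Dict, List, Set, Tuple

# A permission is an (action, resource type) pair; a role is a named set of them.
# Constructed table: a clerk may only read invoices, an admin may do anything,
# including the "change owner" operation the article lists among access rights.
ROLE_PERMISSIONS: Dict[str, Set[Tuple[str, str]]] = {
    "clerk":   {("read", "invoice")},
    "analyst": {("read", "invoice"), ("read", "report"), ("write", "report")},
    "admin":   {("read", "invoice"), ("write", "invoice"), ("delete", "invoice"),
                ("change_owner", "invoice"), ("read", "report"), ("write", "report")},
}

@dataclass
class User:
    name: str
    roles: Set[str]
    group: str          # segment the user belongs to (department, tenant, ...)

@dataclass
class Resource:
    rid: str
    rtype: str
    group: str          # segment that owns the resource

@dataclass
class AuditEntry:
    when: str
    user: str
    action: str
    resource: str
    decision: str       # "ALLOW", "DENY" or "REVOKED"
    reason: str

class AccessControl:
    """Default-deny policy decision point that records every decision."""

    def __init__(self) -> None:
        self.audit: List[AuditEntry] = []

    def _now(self) -> str:
        return datetime.now(timezone.utc).isoformat(timespec="seconds")

    def decide(self, user: User, action: str, res: Resource) -> Tuple[bool, str]:
        # Segment check first: a user never sees another group's data,
        # regardless of how powerful their role is within their own group.
        if user.group != res.group:
            return False, f"cross-group access: user in {user.group}, resource in {res.group}"
        for role in sorted(user.roles):
            if (action, res.rtype) in ROLE_PERMISSIONS.get(role, set()):
                return True, f"role '{role}' grants {action} on {res.rtype}"
        return False, "no assigned role grants this action"

    def request(self, user: User, action: str, res: Resource) -> bool:
        allowed, reason = self.decide(user, action, res)
        self.audit.append(AuditEntry(self._now(), user.name, action, res.rid,
                                     "ALLOW" if allowed else "DENY", reason))
        return allowed

    def revoke_role(self, user: User, role: str) -> None:
        """Cancel access: later requests relying on this role are denied."""
        user.roles.discard(role)
        self.audit.append(AuditEntry(self._now(), user.name, "revoke_role", role,
                                     "REVOKED", "administrative change"))

    def trail(self, user_name: str) -> List[str]:
        """Who did what, when, on which resource, with what outcome."""
        return [f"{e.when} {e.user} {e.action} {e.resource} {e.decision} ({e.reason})"
                for e in self.audit if e.user == user_name]

if __name__ == "__main__":
    ac = AccessControl()
    finance_invoice = Resource("INV-1001", "invoice", "finance")
    alice = User("alice", {"clerk"}, "finance")
    bob = User("bob", {"admin"}, "finance")
    carol = User("carol", {"admin"}, "hr")      # admin, but in another segment
    print(ac.request(alice, "read", finance_invoice))    # True
    print(ac.request(alice, "delete", finance_invoice))  # False: clerk cannot delete
    print(ac.request(carol, "read", finance_invoice))    # False: cross-group
    ac.revoke_role(bob, "admin")
    print(ac.request(bob, "delete", finance_invoice))    # False after revocation
    for line in ac.trail("alice"):
        print(line)
```

Two design choices matter here. The group check runs before any role lookup, so a privileged account in one segment cannot reach another segment's data by virtue of its role alone. And every decision, including denials and revocations, lands in the audit list, which is what lets an administrator answer the "who, what, when, in what order" question the section asks for.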
User Accounts and Rights
Attention should be paid to the default user accounts and passwords that ship with the installation. Accounts that have not been used for a long time, accounts of personnel who have left the institution, and over-authorized accounts must be monitored, and unused accounts should be removed. Users should be given a password policy and obliged to comply with it, and the adequacy of the policy itself should be examined.
The following should be treated as risk items: on what basis and how authorization is granted; whether the assignment is made in writing with approval from the competent authority; whether an authorization is cancelled when the authorized person's position changes over time; and whether re-authorization has then been carried out. Coordination with the human resources department must be ensured so that lists of authorized personnel are reviewed and updated frequently, and so that transfers and departures are reported to the institution immediately.
Determination of Roles Related to Duty, Authority and Responsibility
To ensure that unauthorized transactions are not carried out, the duties, authorities and responsibilities of database users and the administrative roles they hold must be set out clearly in writing, and compliance must be checked through audits. Note that data breaches are subject to criminal sanctions under legislation such as the KVKK and the GDPR.