Learn what general and application controls are, and how they give you visibility into who is accessing your applications and what they are doing there.
What Are General and Application Controls?
Organizations hold visible assets such as computers, phones, printers, and data storage devices, together with the data on them, and these assets are exposed to unauthorized access and misuse. Access controls are implemented to protect assets from those risks. The purpose of access control is to ensure that resources are accessed only by authorized users, authenticated with their own credentials, and only within their permission levels.
That last point is known as the principle of least privilege: users should have no more privileges than they need to do their jobs effectively. Administrators and developers use general access controls to manage this risk in their environment.
General access control has two parts: hardware considerations and software considerations. Hardware considerations cover the physical controls on the devices themselves, such as locks on doors and equipment cages, the physical security of data center rooms, and the encryption used to protect data at rest on those devices.
Software considerations cover the security configuration of operating systems and applications: hardening operating systems, databases, web application servers, e-mail servers, and other software so that they hold up against the threats they are exposed to.
Physical Security of the Data Center
Application controls are the security configurations applied to operating systems and the applications running on them, and they fall into two broad categories: additional software controls layered on top of the operating system's own security features, and application-specific controls built directly into the application.
The former mostly concerns web applications and the latter mostly concerns desktop applications. Within an application, access controls restrict access to data or functionality based on the identity of the user or the roles assigned to them. Application controls are also designed around the specific risks faced by that type of application.
For example, a CRM system would get a different set of controls than a web forum. An application also has access to information that could be used to attack other systems, or that reveals weaknesses in other systems or in the application itself, so it is important to restrict which parts of the application can access which information.
Application Security Controls
Following are some common application security controls:
Access controls restrict what users can do within an application. For example, they may keep users out of certain parts of the application, or prevent certain operations (such as deleting) from being performed on data. These are usually implemented through permissions and role-based access control (RBAC).
RBAC groups users into roles and grants permissions to each role rather than to individual users. Administrators can then move a user into a different role as their job function changes, and can manage large numbers of users far more easily than by maintaining per-user permissions.
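As an added example (not code from the original article), the following Python snippet illustrates both the application-level access controls described above and the RBAC paragraph: permissions are granted to roles, users are assigned to roles, and the application asks the policy before it reads or deletes anything, denying by default. The resource types "ticket" and "user", the role and permission names, the sample users, and the in-memory ticket store are all assumptions made for illustration.

```python
"""Added example: a minimal role-based access control (RBAC) policy.

Everything here (resource names, roles, permissions, sample users and
tickets) is made up for illustration and is not from the original article.
"""
from dataclasses import dataclass, field
from enum import Enum


class Permission(Enum):
    READ = "read"
    WRITE = "write"
    DELETE = "delete"
    ADMIN = "admin"


# Permissions are granted to roles, per resource type. A role that is not
# listed for a resource has no permissions on it at all.
ROLE_PERMISSIONS = {
    "viewer":  {"ticket": {Permission.READ}},
    "agent":   {"ticket": {Permission.READ, Permission.WRITE}},
    "manager": {"ticket": {Permission.READ, Permission.WRITE, Permission.DELETE}},
    "admin":   {"ticket": {Permission.READ, Permission.WRITE, Permission.DELETE},
                "user":   {Permission.READ, Permission.WRITE, Permission.ADMIN}},
}


@dataclass
class User:
    name: str
    roles: set = field(default_factory=set)   # users get roles, never permissions directly


class AccessDenied(Exception):
    pass


def is_allowed(user: User, permission: Permission, resource: str) -> bool:
    """Deny by default: allow only if at least one of the user's roles grants it."""
    for role in user.roles:
        granted = ROLE_PERMISSIONS.get(role, {}).get(resource, set())
        if permission in granted:
            return True
    return False


def require(user: User, permission: Permission, resource: str) -> None:
    """Enforcement point: every operation calls this before touching data."""
    if not is_allowed(user, permission, resource):
        raise AccessDenied(f"{user.name} may not {permission.value} {resource}")


# A tiny in-memory "application" that enforces the policy on each operation.
TICKETS = {1: "printer on floor 3 is jammed", 2: "VPN drops every hour"}


def read_ticket(user: User, ticket_id: int):
    require(user, Permission.READ, "ticket")
    return TICKETS.get(ticket_id)


def delete_ticket(user: User, ticket_id: int) -> bool:
    """True if a ticket was deleted; raises AccessDenied if the role lacks DELETE."""
    require(user, Permission.DELETE, "ticket")
    return TICKETS.pop(ticket_id, None) is not None


def promote(admin: User, target: User, role: str) -> None:
    """Changing someone's roles is itself a privileged operation on the 'user' resource."""
    require(admin, Permission.ADMIN, "user")
    if role not in ROLE_PERMISSIONS:
        raise ValueError(f"unknown role {role!r}")
    target.roles.add(role)


if __name__ == "__main__":
    alice = User("alice", {"viewer"})
    root = User("root", {"admin"})
    print(read_ticket(alice, 1))
    try:
        delete_ticket(alice, 1)
    except AccessDenied as exc:
        print("denied:", exc)
    promote(root, alice, "manager")          # job change: alice now manages tickets
    print("deleted:", delete_ticket(alice, 1))
```

Note that deletion is refused for the viewer role without the application having to know anything about alice specifically; once an administrator moves her into the manager role the same code path succeeds, which is the administrative convenience the paragraph above describes.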
Authentication is the process of verifying that someone is who they claim to be. Authentication techniques include passwords, smart cards, biometrics (fingerprints and retina scans), two-factor authentication (2FA), and multi-factor authentication (MFA). The further users are from the computer's physical location, that is, the more access happens remotely rather than from a physically secured room, the more important it becomes to use stronger forms of authentication such as MFA.
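As an added example (not code from the original article), here is a two-factor login check in Python using only the standard library: a salted password hash (something you know) combined with a time-based one-time code of the kind authenticator apps generate (something you have), so that a stolen password alone does not grant access. The iteration count, the user record layout, the sample user and the timestamps are assumptions for illustration; the only real-world value is the RFC 6238 reference secret used to check the code generator.

```python
"""Added example: password plus TOTP (RFC 6238) two-factor login check.

Assumptions, not from the original article: the PBKDF2 iteration count, the
user record layout, the sample user and the timestamps used below.
"""
import base64
import hashlib
import hmac
import os
import struct
import time

PBKDF2_ITERATIONS = 200_000   # assumption for the example; tune upward for production use


def hash_password(password: str, salt: bytes = b"") -> tuple:
    """Salted PBKDF2-HMAC-SHA256; returns (salt, digest) for storage."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return salt, digest


def verify_password(password: str, salt: bytes, digest: bytes) -> bool:
    """Recompute the digest and compare in constant time."""
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return hmac.compare_digest(candidate, digest)


def totp(secret_b32: str, timestamp: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP with HMAC-SHA1, the variant most authenticator apps use."""
    key = base64.b32decode(secret_b32.upper())
    counter = struct.pack(">Q", timestamp // step)        # 8-byte big-endian time step
    mac = hmac.new(key, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                               # dynamic truncation (RFC 4226)
    code = (struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF) % (10 ** digits)
    return f"{code:0{digits}d}"


def verify_totp(secret_b32: str, code: str, timestamp: int, step: int = 30, window: int = 1) -> bool:
    """Accept the current step plus `window` steps either side to tolerate clock skew."""
    candidates = [totp(secret_b32, timestamp + k * step, step) for k in range(-window, window + 1)]
    # Compare every candidate instead of returning early so timing does not reveal which step matched.
    return sum(hmac.compare_digest(c, str(code)) for c in candidates) > 0


def make_user(username: str, password: str, totp_secret_b32: str) -> dict:
    """Enrollment: store salt + digest, never the password; keep the TOTP secret for the second factor."""
    salt, digest = hash_password(password)
    return {"name": username, "salt": salt, "digest": digest, "totp_secret": totp_secret_b32}


def login(users: dict, username: str, password: str, code: str, timestamp=None) -> bool:
    """Both factors must pass. Both are always evaluated so timing does not reveal which one failed."""
    if timestamp is None:
        timestamp = int(time.time())
    user = users.get(username)
    if user is None:
        # Burn a hash anyway so an unknown username costs the same time as a wrong password.
        hash_password(password, b"\x00" * 16)
        return False
    pw_ok = verify_password(password, user["salt"], user["digest"])
    code_ok = verify_totp(user["totp_secret"], code, timestamp)
    return pw_ok and code_ok


if __name__ == "__main__":
    secret = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"   # RFC 6238 reference secret "12345678901234567890", base32
    users = {"alice": make_user("alice", "correct horse battery staple", secret)}
    now = int(time.time())
    print("password + valid code:", login(users, "alice", "correct horse battery staple", totp(secret, now), now))
    print("password, wrong code: ", login(users, "alice", "correct horse battery staple", "000000", now))
```

The design point is that the password check and the code check are independent and both are required: an attacker who has phished or reused the password still fails at the second factor, and because both checks always run, a failed login does not tell the attacker which factor was wrong. The skew window is kept to one step, since every extra step accepted widens the guessing window for a six-digit code.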