Case Studies and Examples

Access control success stories are hard to find because they are unremarkable. When access control works, no one really thinks about it. When access control fails, everything is thrown into crisis. In this section, you will discover both success stories and case studies of access control failures.

Case Study in Access Control Success

Acme Insurance has a complicated information access requirement. All customer data are held in an information store. Various entities need access to parts of these data, but not all of them. In fact, sharing the data incorrectly could violate federal law or expose proprietary information to Acme’s competitors.

Some parts of the customer information need to be shared with industry groups, which include Acme’s competitors. If too much information is disclosed, competitors can derive an advantage over Acme.

All of the customer information has to be shared with the agent who signed up the customers. That agent should only have access to his or her own customers. If a customer is linked to the wrong agent, Acme could get into legal trouble and would also have to resolve the issue with the agents.

Claims inspectors need access to all customer information attached to the customer claims they handle. Various third-party vendors need access to some or all of the customer data for claims appraisal purposes, but only for customers on whom they have claims.

The solution to this complex problem is a multilayered access control list. Each group can access the data it needs when it needs it, not at other times, and only the part of the information it needs.
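The following sketch is an added example, not taken from the book or from any real Acme system, showing how such layers can combine: a field scope per role, a row scope tied to the agent or claim relationship, and a time scope. The field names, role names, sample records, and the rule that claim-based access ends when the claim is closed are all assumptions made for illustration.

```python
from dataclasses import dataclass

ALL_FIELDS = frozenset({"name", "address", "policy_type", "premium"})

# Layer 1 (field scope): columns each role may ever see. Constructed values.
FIELD_SCOPE = {
    "industry_group": frozenset({"policy_type"}),
    "agent": ALL_FIELDS,
    "inspector": ALL_FIELDS,
    "vendor": frozenset({"name", "address"}),
}

# Constructed sample data; "agent" links each customer to the signing agent.
CUSTOMERS = {
    "C1": {"name": "A. Lee", "address": "1 Elm St", "policy_type": "auto",
           "premium": 1200, "agent": "agent7"},
    "C2": {"name": "B. Cruz", "address": "9 Oak Ave", "policy_type": "home",
           "premium": 900, "agent": "agent8"},
}
# claim id -> (customer id, parties assigned to the claim, claim still open?)
CLAIMS = {
    "CL10": ("C1", {"inspector3", "vendorA"}, True),
    "CL20": ("C2", {"inspector3"}, False),  # closed: access has lapsed
}

@dataclass(frozen=True)
class Subject:
    ident: str
    role: str

def row_allowed(subject, cust_id):
    """Layer 2 (row scope) and layer 3 (time scope)."""
    if subject.role == "industry_group":
        return True  # assumed: every customer, but only the narrow field set
    if subject.role == "agent":
        return CUSTOMERS[cust_id]["agent"] == subject.ident
    if subject.role in ("inspector", "vendor"):
        return any(cust == cust_id and subject.ident in parties and is_open
                   for cust, parties, is_open in CLAIMS.values())
    return False  # default deny

def read_customer(subject, cust_id):
    """Return only the permitted fields, or None when any layer denies."""
    fields = FIELD_SCOPE.get(subject.role, frozenset())
    if cust_id not in CUSTOMERS or not fields or not row_allowed(subject, cust_id):
        return None
    record = CUSTOMERS[cust_id]
    return {f: record[f] for f in sorted(fields)}
```

Every layer must allow the request; an unknown role, an unrelated customer, or a closed claim each results in a denial on its own.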

Case Study in Access Control Failure

Access controls are not just a computer issue; they can also come into play in the physical realm. Due to lax security, Company X almost lost invaluable trade secrets.

Company X is a major beverage company that relies on trade secrets to protect its drink formulas. The company usually makes sure its trade secrets are secure, but this time, physical security was easily breached. An executive administrative assistant gained access to the company’s trade secrets. He copied the formulas and took two samples of a new experimental drink.

He brought the formulas and samples to a pair of accomplices to sell. They presented the samples and formulas to Company X’s top competitor, Company Y. This is where the scheme fell apart. Company Y had no interest in the documents and instead alerted Company X to the theft. Company X and Company Y then worked with the FBI to set up a sting to arrest the thieves.

In the end, no damage was done, because Company Y was not willing to buy the stolen trade secrets and instead notified Company X of the breach. However, you can’t rely on luck and trust every competitor to be honest. Good access control policies, including physical access control, would have prevented the theft in the first place.
