Case Studies and Examples

Every organization implements some type of access control on its information systems. In this section, you’ll read about three real-world examples of how access controls are implemented on information systems. In one case study, you’ll learn how an organization converted from a paper-based to a digital records system with granular access controls. In another, controlling file access locally and remotely is a key factor.

Private Sector Case Study

Access controls are not just important for large enterprises. Small- and medium-size businesses also benefit from the security and organization that implementing access controls can provide.

Diva Construction is a small Midwestern construction company specializing in urban condos and building rehabilitations. In the late 1990s, the company needed to upgrade its infrastructure. It consisted of a Windows desktop acting as a file server, a few Windows workstations for the office staff, and a dozen laptops for the sales and field staff. The entire network was set up as a Windows workgroup, with the possibility of discretionary access controls, but only the accountant was implementing them.

There were a number of issues with Diva’s original network environment. Its sales staff was commission-based, and there was some concern about customer poaching because a former employee had contacted customers belonging to other sales staff before he left. Diva management wanted to be able to access files from the field securely, and as the company grew, management wanted to move to a computer-based HR system.

The initial plan for securing sensitive information in Diva’s infrastructure was based on enforcing the current DAC system in place, with each user responsible for securing and granting access to his or her documents. This was quickly dismissed as too intrusive because not all employees are computer-savvy. Expecting them to handle all access control issues was not feasible. The other issue with the current environment was remote access. As it was currently set up, remote access was not possible.

Diva decided to add a Windows server to the environment and migrate from a Windows workgroup to an Active Directory domain. The company also upgraded the workstation acting as a file server to a Windows server. The new environment allowed for MAC to be set up, centralizing access controls. Groups based on user roles were created, including Accounting, HR, Support Staff, Sales, Management, and Construction. These groups were given space on the file server that only they and managers could access. Network shares were turned off on the workstations, and each user’s Documents directory was mapped to the file server with access limited to the owner and management. The Windows domain controller was also configured as a Remote Authentication Dial In User Service (RADIUS) server and had an ISDN modem, allowing users to connect from the field over cellular modems.

By implementing a Lightweight Directory Access Protocol (LDAP) environment using Windows Active Directory, Diva Construction was able to better secure its information, manage that information more efficiently, and enable remote access for its field employees.

Public Sector Case Study

Implementing information systems access controls is critical for public sector entities, large and small. Anglican Care is a small aged-care facility in New South Wales, Australia. The facility cares for 80 patients and keeps its records on paper. To stay in compliance with healthcare regulations, the facility needs to convert to an electronic documentation system. Anglican Care could build the system from the ground up with information security in mind. The Australian government worked with Anglican Care to design and implement the system as a demonstration of the use of clinical IT in aged-care facilities.

Anglican Care’s paper records stored personal, financial, and medical information on patients. Contact information for staff and visiting professionals, staff salaries, and other financial information were kept in paper records as well.

The electronic version of the system will replace the use of paper and provide remote access to the health information system (HIS) stored on the server. One PC will be used by the manager, with a number of PCs available for the staff. Doctors and physical therapists can make use of mobile devices that connect with the network.

The access controls must be created for the various system users. The controls need to maintain at least the strictness of the current paper-based system, ideally by implementing a least-privilege scheme. To do this, it is necessary to first understand the sensitive data that are to be stored.

There are two basic kinds of data stored for each resident. The first is static data that are entered into the system when the resident is admitted. This includes personal information such as name, gender, and religion, as well as medical insurance information and medical history. The static data also include emergency information such as allergies, blood group, primary doctor, and a contact person in case of emergencies. Currently, this information is stored on a card-based system that makes the information available rapidly.

The second kind of information is used and updated in the day-to-day running of the facility. This includes the patient care plan and progress notes. Progress notes are used to update the care plan and medical records. In the current paper-based system, medical entries older than 1 year are archived and filed in a locked room. Recent medical entries are stored in locked filing cabinets in an accessible location controlled by the facilities manager.

To mimic the access levels in the paper system, an LDAP-based data store was created with the following groups:

  • Manager—This group has the broadest range of access, with the ability to view most information on the system. This is also the only group with the rights to create entries for new staff and residents, and the only group with rights to remove information. For most information, they have full control. The one exception is doctors’ private notes, to which they are denied access. Any user accessing care plans is also logged, and these logs are reported to the manager group.
  • Healthcare workers—Members of the healthcare workers group can view care plans, add progress notes, and access all emergency information. This is achieved by giving them read rights to the care plans and append rights to the notes.
  • Doctors—Members of the doctors’ group have access to the medical information of the residents who are their patients. They can modify the medical information and care plans for their patients. Doctors have read, write, and modify privileges for their patients’ medical information. Doctors can also create private notes on each of their patients. This information is not accessible to anyone but the doctor and the patient.
  • Patients—Patients have rights to read all of their medical records, including doctors’ notes, but they cannot modify or remove the information.

Implementing these rights allows the facility to move to a paperless environment while maintaining strict access control over sensitive HIS data.
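The four groups above and their exceptions (managers denied doctors' private notes, doctors limited to their own patients, patients read-only, care plan access logged for the managers) can be written down as a single policy decision function. The following is an added example modelling that policy, not code from the case study; the record kinds, role names, data classes and the `is_allowed` / `care_plan_report` functions are assumptions chosen to mirror the text.

```python
from dataclasses import dataclass
from typing import FrozenSet, List, Optional

# Record kinds named in the case study (constructed identifiers)
CARE_PLAN, PROGRESS_NOTES, EMERGENCY_INFO = "care_plan", "progress_notes", "emergency_info"
MEDICAL_INFO, PRIVATE_NOTES = "medical_info", "private_notes"

@dataclass(frozen=True)
class Resource:
    kind: str
    patient: str                  # resident the record belongs to
    author: Optional[str] = None  # doctor who wrote a private note

@dataclass(frozen=True)
class User:
    name: str
    role: str                                # manager | healthcare | doctor | patient
    patients: FrozenSet[str] = frozenset()   # a doctor's own patients

CARE_PLAN_LOG: List[str] = []  # every care plan access, reported to the manager group

def is_allowed(user: User, action: str, res: Resource) -> bool:
    """Return True if the case study's policy grants `action` on `res`."""
    if action == "remove":
        # Only managers may remove information, and they never touch private notes.
        ok = user.role == "manager" and res.kind != PRIVATE_NOTES
    elif user.role == "manager":
        ok = res.kind != PRIVATE_NOTES            # full control on everything else
    elif user.role == "healthcare":
        ok = ((res.kind == CARE_PLAN and action == "read")          # read care plans
              or (res.kind == PROGRESS_NOTES and action == "append")  # append notes
              or (res.kind == EMERGENCY_INFO and action == "read"))
    elif user.role == "doctor":
        own = res.patient in user.patients        # only the doctor's own patients
        if res.kind == PRIVATE_NOTES:
            ok = own and res.author == user.name and action in ("create", "read", "write")
        else:
            ok = own and res.kind in (MEDICAL_INFO, CARE_PLAN) and action in ("read", "write", "modify")
    elif user.role == "patient":
        # Patients read all of their own records, doctors' notes included, but change nothing.
        ok = res.patient == user.name and action == "read"
    else:
        ok = False                                # deny by default
    if res.kind == CARE_PLAN:
        CARE_PLAN_LOG.append(f"{user.name}:{action}:{res.patient}:{'ALLOW' if ok else 'DENY'}")
    return ok

def care_plan_report() -> List[str]:
    """The care plan access log as the manager group would receive it."""
    return list(CARE_PLAN_LOG)
```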

Critical Infrastructure Case Study

One of the major bottlenecks with any access control system is the provisioning and deprovisioning of users. This is especially daunting in large organizations. In the following case study, you’ll learn how the Alabama Medicaid agency handled this issue.

User management at the agency was a manual, decentralized process. The creation of a new user required manual entry into the help desk, HR, email, mainframe, resource store, and data store. This was an intensive process that left a lot of room for manual error. User rights had to be audited and cross-checked on all of these various systems. Sometimes, rights and roles were assigned incorrectly. Deprovisioning of users was an even larger problem. With all of the different user areas, usernames and rights were sometimes missed in the manual removal process. There were times when former employees still had email access months or even years after leaving the agency.

User management was obviously a major problem for the agency. The process was very labor- and cost-intensive, and security was a major problem. Although no incidents had yet occurred from a user with incorrectly elevated rights or a former user who had yet to be removed from the agency systems, it was only a matter of time.

To solve this issue, the agency moved to centralized access controls and centralized user life-cycle management. Now, user information can be entered in one location and propagated out to all of the various systems. This also simplifies the user’s life, as he or she now has a single sign-on. Once users log on to their workstations, they can automatically log on to any other system that they have rights to. By centralizing, rights can be modified easily and quickly. Rights audits only need to look at one location to make sure everyone has the privileges they need and no more.

Decommissioning of users is now a much quicker process. Users are disabled at a central location, and within a half hour, their accounts are suspended on all of the systems. This is a much more secure way of decommissioning users, as there is no longer a worry of missing an account on one of the multitude of systems that the agency has users logging into.

By utilizing single sign-on, the agency was able to reduce the IT department's workload by removing the need to create separate user accounts on every system. This reduced the time it takes to manage users and closed major holes in access controls.
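The rights audit that now "only needs to look at one location" still has to be checked against what the downstream systems actually hold, and the three failure modes this case study describes (rights assigned beyond what was approved, accounts created outside the central process, and disabled users whose accounts survive past the half-hour propagation window) can each be detected by reconciling endpoint exports with the central store. The following is an added example of such a reconciliation, not the agency's code; the system names, account records and `reconcile` function are constructed sample data and assumptions.

```python
from datetime import datetime, timedelta
from typing import Dict, List, Set, Tuple

# Constructed central identity store: the single place where users are now managed.
CENTRAL: Dict[str, dict] = {
    "jdoe":   {"status": "active",   "roles": {"claims_clerk"}},
    "bwong":  {"status": "active",   "roles": {"auditor"}},
    "asmith": {"status": "disabled", "roles": set(),
               "disabled_at": datetime(2009, 3, 2, 9, 0)},
}

# Constructed exports from the downstream systems: username -> roles held there.
SYSTEMS: Dict[str, Dict[str, Set[str]]] = {
    "email":     {"jdoe": set(), "bwong": set(), "asmith": set()},
    "mainframe": {"jdoe": {"claims_clerk"}, "bwong": {"auditor", "claims_clerk"}},
    "helpdesk":  {"jdoe": {"claims_clerk"}, "tnew": {"claims_clerk"}},
}

Finding = Tuple[str, str, str, str]   # (issue, system, username, detail)

def reconcile(central, systems, now, sla=timedelta(minutes=30)) -> List[Finding]:
    """Compare each system's accounts with the central store and list the gaps."""
    findings: List[Finding] = []
    for system, accounts in systems.items():
        for user, roles in accounts.items():
            rec = central.get(user)
            if rec is None:
                # Created directly on the endpoint, bypassing central provisioning.
                findings.append(("unknown_account", system, user, ""))
            elif rec["status"] != "active":
                # Disabled centrally but still present: only a finding once the
                # half-hour propagation window has passed.
                if now - rec["disabled_at"] > sla:
                    findings.append(("orphaned_account", system, user,
                                     f"disabled {rec['disabled_at']:%Y-%m-%d %H:%M}"))
            else:
                # Rights held on the endpoint that the central record never granted.
                extra = roles - rec["roles"]
                if extra:
                    findings.append(("excess_rights", system, user, ",".join(sorted(extra))))
    return sorted(findings)
```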
