Access Control Process for a SaaS Provider
Kazmi, Syeda (2019-06-17)
Access Control Process for a SaaS Provider
(17.06.2019)
Julkaisu on tekijänoikeussäännösten alainen. Teosta voi lukea ja tulostaa henkilökohtaista käyttöä varten. Käyttö kaupallisiin tarkoituksiin on kielletty.
avoin
Julkaisun pysyvä osoite on:
https://urn.fi/URN:NBN:fi-fe2019092329507
https://urn.fi/URN:NBN:fi-fe2019092329507
Tiivistelmä
Access control is a process of limiting access to systems and services. It is a way by which the users are granted access and privileges to information and resources of an organization. The process involves controlling, managing, logging and reviewing access. It ensures that individuals in an organization are able to access and use the systems they need to do their job but do not have more than the needed access.
An organization's major asset is the information regarding customers, processes, products, and suppliers which are critical for its operations. The internet-based technologies provide integration of corporate applications, internal and third-party systems, decision support systems, knowledge management, and repositories. The most common threat to these critical resources is unauthorized access that can pave ways for malicious activities that are harmful and can lead to loss of confidentiality, integrity, and availability. In order to minimize the risks and ensure business continuity, access control process following the best practices should be in place.
In this thesis, an access control process for a SaaS organization is designed, implemented and tested. Protection of the proprietary information and resources is of prime importance for such an organization. The existing access control process is not following industry standards and best practices. As the organization is growing fast, the business and organizational requirements are also changing. In order to comply with standards for access control, the new access control process is carried out as per the guidelines provided by security standards while keeping in view the growing organization needs. All controls have been designed as per the requirements of SOC 2 and ISO 27001. The process is implemented mainly on the basis of role-based access (RBAC) model and the principle of “need to know”.
Client satisfaction, legal harmonization, and financial returns are among the benefits that the organization gets by having an access control process in line with security standards. Moreover, the organization is not only able to prevent data breaches but also meet the regional and worldwide regulations.
An organization's major asset is the information regarding customers, processes, products, and suppliers which are critical for its operations. The internet-based technologies provide integration of corporate applications, internal and third-party systems, decision support systems, knowledge management, and repositories. The most common threat to these critical resources is unauthorized access that can pave ways for malicious activities that are harmful and can lead to loss of confidentiality, integrity, and availability. In order to minimize the risks and ensure business continuity, access control process following the best practices should be in place.
In this thesis, an access control process for a SaaS organization is designed, implemented and tested. Protection of the proprietary information and resources is of prime importance for such an organization. The existing access control process is not following industry standards and best practices. As the organization is growing fast, the business and organizational requirements are also changing. In order to comply with standards for access control, the new access control process is carried out as per the guidelines provided by security standards while keeping in view the growing organization needs. All controls have been designed as per the requirements of SOC 2 and ISO 27001. The process is implemented mainly on the basis of role-based access (RBAC) model and the principle of “need to know”.
Client satisfaction, legal harmonization, and financial returns are among the benefits that the organization gets by having an access control process in line with security standards. Moreover, the organization is not only able to prevent data breaches but also meet the regional and worldwide regulations.