
Access control is a fundamental component of data security that dictates who’s allowed to access and use company information and resources. Through authentication and authorization, access control policies make sure users are who they say they are and that they have appropriate access to company data. Access control can also be applied to a whole range of activities.
How does access control work?
Access control identifies users by verifying login information such as usernames and passwords, PINs, biometric scans, and security tokens. Many access control systems also include multifactor authentication, a method that requires multiple authentication methods to verify a user’s identity.
Once a user is authenticated, access control then authorizes the appropriate level of access and allowed actions associated with that user’s credentials or IP address (conditional access).
There are various types of access control, and an organization chooses among them based on its security and compliance needs. They are as follows.
Discretionary access control (DAC): This form of access control was originally defined by the Trusted Computer System Evaluation Criteria (TCSEC) as “a means of restricting access to objects based on the identity of subjects and/or groups to which they belong. The controls are discretionary in the sense that a subject with a certain access permission is capable of passing that permission (perhaps indirectly) on to any other subject (unless restrained by mandatory access control)”.
DAC gives subjects full control of objects they have created or been given access to, including sharing the objects with other subjects. Subjects are empowered and control their data. Standard UNIX and Windows operating systems use DAC for file systems: subjects can grant other subjects access to their files, change their attributes, alter them, or delete them. This means the data (information) owner or administrator of the protected system, data, or resource sets the policies for who is allowed access.
Note: DAC systems are generally easier to manage than MAC systems. The distributed administrative model puts less of a burden on the administrator. The administrator is not responsible for setting the permissions on all the systems.
DAC systems can be a little less secure than MAC systems. This is in part due to the distributed management model. Since the administrator does not control all object access, it’s possible that permissions can be incorrectly set, possibly leading to a breach of information.
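The permission-passing behaviour in the TCSEC definition, and an audit that traces how access spread, shown as an added example that is not from the original post. The `DacObject` class, the `grant` permission name, and the users and file name are hypothetical.

```python
class DacObject:
    def __init__(self, name, owner):
        self.name = name
        # ACL maps subject -> (permissions, granted_by); the creator holds everything.
        self.acl = {owner: ({"read", "write", "grant"}, None)}

    def grant(self, grantor, grantee, perms):
        """Discretionary grant: a subject holding 'grant' may pass on any
        permission it holds itself. No administrator is consulted."""
        held, _ = self.acl.get(grantor, (set(), None))
        perms = set(perms)
        if "grant" not in held or not perms <= held:
            raise PermissionError(
                f"{grantor} cannot grant {sorted(perms)} on {self.name}")
        current, by = self.acl.get(grantee, (set(), grantor))
        self.acl[grantee] = (current | perms, by)

    def grant_chain(self, subject):
        """Walk back from a subject to the owner through who granted access."""
        chain = []
        while subject is not None:
            chain.append(subject)
            subject = self.acl[subject][1]
        return chain


def audit(obj, approved):
    """Subjects with access who are not on the approved list, each with
    the chain of grants that gave them access."""
    return {s: obj.grant_chain(s) for s in obj.acl if s not in approved}


def demo_audit():
    # Constructed scenario: the owner shares with bob, bob shares onward.
    payroll = DacObject("payroll.xlsx", "alice")
    payroll.grant("alice", "bob", {"read", "grant"})
    payroll.grant("bob", "contractor", {"read"})
    return audit(payroll, approved={"alice", "bob"})
```

The audit result shows the indirect path (contractor via bob via alice) that a central administrator never approved, which is the misconfiguration risk described above.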
Mandatory access control (MAC): This model is the complete opposite of the DAC model. In a mandatory access control (MAC) model, users do not have the discretion of determining who can access objects as in a DAC model. An operating system that is based on a MAC model greatly reduces the number of rights, permissions, and functionality a user has for security purposes.
Role-based access control (RBAC): Role-based access control (RBAC) is a method of restricting network access based on the roles of individual users within an enterprise. RBAC lets employees have access rights only to the information they need to do their jobs and prevents them from accessing information that doesn’t pertain to them.
This means RBAC grants access based on defined business functions rather than the individual user’s identity. The goal is to provide users with access only to data that’s been deemed necessary for their role within the organization. This widely used method is based on a complex combination of role assignments, authorizations, and permissions.
Some of the designations in an RBAC tool can include:
– Management role scope: It limits what objects the role group is allowed to manage.
– Management role group: You can add and remove members.
– Management role: These are the types of tasks that can be performed by a specific role group.
– Management role assignment: This links a role to a role group.
By adding a user to a role group, the user has access to all the roles in that group. If they are removed, access becomes restricted. Users may also be assigned to multiple groups in the event they need temporary access to certain data or programs and then removed once the project is complete.
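How the four designations fit together in an access check, as an added example that is not from the original post or any specific RBAC product. Attaching the scope to the assignment is a modelling assumption, and all role, group, user and object names are hypothetical.

```python
from dataclasses import dataclass, field

@dataclass(frozen=True)
class Role:                 # management role: tasks a role group may perform
    name: str
    tasks: frozenset

@dataclass
class RoleGroup:            # management role group: members are added/removed
    name: str
    members: set = field(default_factory=set)

@dataclass(frozen=True)
class Assignment:           # management role assignment: links role to group
    role: Role
    group: str
    scope: frozenset        # management role scope: objects the group may manage

def is_allowed(user, task, obj, groups, assignments):
    """Deny by default: allow only when a group containing the user has an
    assignment whose role covers the task and whose scope covers the object."""
    return any(user in groups[a.group].members and task in a.role.tasks
               and obj in a.scope for a in assignments)

# Constructed sample data; every name below is hypothetical.
HELPDESK = Role("Helpdesk", frozenset({"reset_password"}))
MAILBOX_ADMIN = Role("MailboxAdmin", frozenset({"create_mailbox"}))
GROUPS = {
    "EU-Support": RoleGroup("EU-Support", {"alice"}),
    "Migration-Project": RoleGroup("Migration-Project"),
}
ASSIGNMENTS = [
    Assignment(HELPDESK, "EU-Support", frozenset({"ou=eu-users"})),
    Assignment(MAILBOX_ADMIN, "Migration-Project",
               frozenset({"ou=eu-users", "ou=us-users"})),
]

def demo():
    check = lambda task, obj: is_allowed("alice", task, obj, GROUPS, ASSIGNMENTS)
    out = [check("reset_password", "ou=eu-users"),  # role and scope match
           check("reset_password", "ou=us-users"),  # object outside the scope
           check("create_mailbox", "ou=us-users")]  # not in that role group
    GROUPS["Migration-Project"].members.add("alice")      # temporary access
    out.append(check("create_mailbox", "ou=us-users"))
    GROUPS["Migration-Project"].members.discard("alice")  # project complete
    out.append(check("create_mailbox", "ou=us-users"))
    return out
```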
Rule-based access control: This is a strategy for managing user access on IT systems, where business changes trigger the application of rules, which specify access changes.
Rule-based Access Control is commonly used as an add-on to the other types of access control. In addition to whatever type of access control you choose, rule-based access control can change the permissions based on a specific set of rules created by the administrator.
Implementation of Rules-Based Access Control systems is feasible so long as the number of triggering business events and the set of possible actions that follow those events are both small.
Attribute-based access control (ABAC): ABAC is often referred to as policy-based access control for IAM. It defines an access control paradigm whereby access rights are granted to users through the use of policies which combine attributes.
Attributes are sets of labels or properties that can be used to describe all the entities that must be considered for authorization purposes.
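A small policy evaluator that combines subject, resource, action and environment attributes, as an added example that is not from the original post. The attribute names, policy ids and the deny-overrides combining rule are assumptions chosen for illustration.

```python
from datetime import time

def business_hours(env):
    return time(8, 0) <= env["time"] <= time(18, 0)

# Constructed policies: each condition combines attributes of the subject (s),
# resource (r), action (a) and environment (e).
POLICIES = [
    {"id": "clinicians-read-own-dept-records", "effect": "permit",
     "condition": lambda s, r, a, e: (
         a == "read" and s["role"] == "clinician"
         and s["department"] == r["department"] and business_hours(e))},
    {"id": "restricted-needs-managed-device", "effect": "deny",
     "condition": lambda s, r, a, e: (
         r["classification"] == "restricted" and not e["managed_device"])},
]

def decide(subject, resource, action, env, policies=POLICIES):
    """Deny-overrides combining: any matching deny wins, and a request with
    no matching permit is denied. A missing attribute fails closed."""
    permitted = False
    for p in policies:
        try:
            matched = p["condition"](subject, resource, action, env)
        except KeyError:
            return ("deny", f"{p['id']}: missing attribute")
        if matched and p["effect"] == "deny":
            return ("deny", p["id"])
        permitted = permitted or (matched and p["effect"] == "permit")
    return ("permit", "ok") if permitted else ("deny", "no applicable permit")

# Constructed sample request attributes.
SUBJECT = {"role": "clinician", "department": "cardiology"}
RESOURCE = {"department": "cardiology", "classification": "restricted"}

def demo():
    managed = {"time": time(10, 30), "managed_device": True}
    unmanaged = {"time": time(10, 30), "managed_device": False}
    late = {"time": time(22, 0), "managed_device": True}
    return [decide(SUBJECT, RESOURCE, "read", managed),
            decide(SUBJECT, RESOURCE, "read", unmanaged),
            decide(SUBJECT, RESOURCE, "read", late),
            decide({"role": "clinician"}, RESOURCE, "read", managed)]
```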
Why is access control vital? Access control helps keep information confidential. It keeps customer data, Personally Identifiable Information (PII), and intellectual property from getting into the wrong hands. Without a robust access control policy, organizations risk data leakage from both internal and external sources.
For more information, see the following reference.
– https://nvlpubs.nist.gov/nistpubs/specialpublications/NIST.SP.800-162.pdf
I hope you found this blog post helpful. If you have any questions, please let me know in the comment section.