Access control is a set of principles that govern who and what can access sensitive information, typically in (but not limited to) computer systems. Proper implementation of access control mechanisms prevents unauthorized access to an organization’s sensitive proprietary data, preventing data leaks, and saving time, energy, and money.
With more and more organizations moving to the cloud, access control has come squarely into focus for many developers and systems administrators. Not to be confused with authentication, although important, access control is the method by which user permissions are verified. Not only should access be granted, but to what degree, to which company resources, and for how long?
Organizations with an eye for security should be using one or multiple forms of access control in their regular operations. There are many forms of access control, but they all aim to provide solutions to a very similar set of challenges. Granting access to company resources and determining who and what is entitled to create, read, update, or delete resources. Follow along to learn more about what access control is and the different types of access control.
What is Access Control?
A good analogy for access control is that if you enter a building and approach the front desk, they may ask you for your ID and make you sign in. After signing in, they will call the office you are visiting to verify your appointment or meeting. Upon verification, the front desk may issue you a guest key card that grants you access to the elevator, but the elevator will only let you off at the floor designated by the front desk. This is essentially the same process, only digitally.
Along with authentication, authorization is the next step in the chain of access control logic. Access control itself encapsulates the process of verifying login credentials, user roles, or permissions and granting/denying access to specific company resources. Access control can also be determined by geolocation, time, and IP-related data. Access control measures can be broad and sweeping rules for company-wide access down to an individually granular level.
Any good access control system will have safety measures in place that allow network administrators to monitor and respond to threats or breaches of data. Two of the main components are logging and real-time monitoring. Logging is a great way for owners and administrators to look at patterns of access, determine a model’s viability, and keep detailed access records. While real-time monitoring allows administrators to respond quickly to threats and address employee issues. Both are essential to ensuring a fully functioning access control system.
Access Control Types
What type of access control your organization implements will depend on the security needs of the organization and the sensitivity of the data being transmitted. While we are not going to dive into physical access control, you will learn about the types of digital access controls, their benefits, downsides, and use cases.
Mandatory Access Control (MAC)
This is the most restrictive and secure access control method. Access control settings are preset by the owner or system administrator and can only be modified with their permission. Not only are mandatory access control systems incredibly secure, but they are also the most inflexible; requiring system administrators to change permission. Because these systems do not rely on an access list, administrators have to reprogram user access, as well as entry point security lists. There are two models of Mandatory Access Control; Biba and Bell-LaPadula.
Biba is a model of mandatory access control that focuses on the integrity of information. This model prescribes that low-level clearance can typically “read” high-level resources and high-level clearances can “create” or “update” low-level resources. This model is great for organizations where it’s important for low-level employees to need to read high-level information, while high-level executives can “write down” information to inform low-level employees.
The Bell-LaPadula model prescribes that users can only write to the level of clearance that they currently possess. This means that users with top-secret clearances can only write resources with top-secret clearances, and is particularly useful for governmental agencies and military applications. This model ensures that only users with appropriate security clearances can access “need-to-know” information associated with their level of security clearance.
Mandatory access control used a numbering system at one time that would apply a number to files and employees. The higher the number, the higher the classification and anyone with a number lower than the one associated with a resource could not access it. No longer is the numbering system being used, though, as this method has shifted to a ranked naming convention. While government classifications are: TOP SECRET, SECRET, CONFIDENTIAL, and UNCLASSIFIED; there are no standardized naming conventions used with this method. It is only recommended to follow a similar convention to that of governmental classifications.
Discretionary Access Control (DAC)
The discretionary access control method is the least restrictive and offers the most flexibility. Providing the broadest allowances compared to other methods of access control. With great flexibility comes great risk. This method should only be considered by organizations needing the most flexibility and ease of use for their users.
Discretionary access control methods prescribe that the owner of the system can designate restrictions on how many users have access from a given location. Whichever mode of authentication, whether it be a username, token, key card, fingerprint, or pin code; the system will either grant or deny access based on the credentials being confirmed against a list of authorized users. Credentials at a discretionary access control point are verified against a list of authorized users.
Role-Based Access Control (RBAC)
This is probably one of the more popular types of access control methodologies. It eases the burden of assigning permissions on an individual basis by assigning a group of permissions to a role or title. By applying a role to a user, that user will then inherit all of the permissions granted to that role. Assigning multiple roles to a user enables the user to inherit the permissions assigned to each of the roles.
Another added benefit is that if a user no longer needs a group of permissions, for whatever reason, removing them from a role simply removes that group of permissions from the user. It’s an easy concept to grasp and adopt.
A good example of this would be if one team has shared resources it wants other teams to have access to, while not giving complete access to that team’s full resources. A role can be created for users who need those permissions to access that shared resource.
Rule-Based Access Control
Not to be confused with role-based access control; this method of access control is a nice bolt-on addition to other forms of access control. It allows owners and system administrators to apply an even greater level of refinement to a set of access conditions. Rule-based access control adds conditional logic to pre-existing access control roles.
To apply rule-based access control, system administrators will need to program this into the system. By using conditional logic to grant access, you can account for all sorts of additional criteria; including working hours, geolocation, and frequency of access. There are any number of conditions you can apply using this model.
How Does Access Control Benefit Your Organization?
There is some debate about which models work best, given all of the ways in which employees can now access organizational resources. With the shift so heavily towards hybrid and remote workplace cultures, there are understandably going to be some challenges in implementing access control effectively across the board. Access control models have often been static and don’t account for all of the dynamic ways in which employees may interact with organizational resources.
It is recommended to work with trusted cybersecurity experts that can help assess the company’s information security demands. Picking the right access control models can mean the difference between maintaining operational status or losing sensitive data and profit.
Access control, not to be understated, is a critical component of any organization’s information security policies. Access control measures and your business need to evolve with the times to ensure the privacy of your users and the security of sensitive proprietary information. Threat actors are evolving just as fast as the technologies used to thwart them. When vulnerabilities rear their ugly little heads, access control models help mitigate any effects from vulnerabilities being exploited.
For instance, if an employee using a BYOD (Bring Your Own Device) downloads malware and then connects to your organization’s network, access control measures will stop any penetrative exploitation by malicious code. Or if someone forgets to set a firewall rule, threat actors might be able to SSH into your Linux VPS. Closely controlling rules, permissions, and policies to prevent any sort of root access will help ensure no damage is done. With good logging and real-time monitoring in your access control policies, security experts can detect and address issues quickly.
Several information security professionals already understand the nuts and bolts of firewalls, roles, and permissions, and should be consulted when making the decision as to which models will work for your organization’s security requirements. Access control models are undoubtedly one of the core components of any secure system, helping save data, and preserve privacy. It is important to regularly audit your organization’s information security needs and address them quickly. Choosing a reputable cybersecurity firm to aid in that process can save time and money in the long run.