Types of Access Control

Access control is one of the pillars of building a solid information system. There are four main models of access control, and each has its place when designing an information system. Choosing the wrong one can severely weaken an information system, and choosing one that is too stringent for the organization can be an unnecessary, burdensome hindrance.

Access control is one of the most basic pieces of any security plan. It is so fundamental that it applies to security of any type, not just IT security. Access controls are based on three core components: identification, authentication, and authorization. Each of these components helps to build the profile of the entity that is trying to access the information system, and together they control or prevent unauthorized entities from accessing the information. In many systems access control takes the form of a simple password mechanism, but many require more sophisticated and complex controls. Implementing access controls should be part of the foundation of the business use case, so that the design complements the protection necessary for the operation of the information system and the business need.

Access controls are the foundation of security controls. They span the entire information system and govern the flow of data, or at least they should. These controls are often overlooked, poorly implemented or half-heartedly enforced. Failure to maintain them results in weak security that can ultimately be exploited, leading to a data breach. But with so many types of access control, which implementation should be used? Each access control methodology has its purpose and should be taken into consideration.

Role Based Access Control

Role Based Access Control (RBAC) is used mostly within organizations where duties and responsibilities can be clearly separated. It allows an administrator to assign privileges based on the user's function or role. For example, someone in the human resources department would have different access than someone who works in the Information Technology department. This method usually also allows an individual to fill more than one role, receiving the privileges of all of their roles, and it can be made even more granular based on the role or position within the department.
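The following is an added example, not code from the original article. It models the RBAC behaviour described above in Python: a role-to-permission table, users who may hold several roles at once (their effective permissions are the union), and an optional department scope for the more granular case. The role names, permission strings and departments are constructed for illustration.

```python
from dataclasses import dataclass, field

# Constructed sample policy: each role maps to a set of permissions.
ROLE_PERMISSIONS = {
    "hr_staff": {"read:personnel_file", "update:personnel_file"},
    "hr_manager": {"approve:leave_request"},
    "it_helpdesk": {"reset:password", "read:ticket"},
    "it_admin": {"create:account", "disable:account"},
}

# Permissions in this set are only valid for resources belonging to the
# user's own department (the "more granular" variant from the text).
DEPARTMENT_SCOPED = {"read:personnel_file", "update:personnel_file"}


@dataclass
class User:
    name: str
    department: str
    roles: set = field(default_factory=set)

    def permissions(self) -> set:
        # Effective permissions are the union over every role the user holds;
        # unknown role names contribute nothing rather than raising.
        perms = set()
        for role in self.roles:
            perms |= ROLE_PERMISSIONS.get(role, set())
        return perms


def rbac_allows(user: User, permission: str, resource_department: str) -> bool:
    """Return True if at least one of the user's roles grants the permission,
    honouring department scoping for the permissions that require it."""
    if permission not in user.permissions():
        return False
    if permission in DEPARTMENT_SCOPED and user.department != resource_department:
        return False
    return True


if __name__ == "__main__":
    alice = User("alice", "HR", {"hr_staff", "hr_manager"})
    bob = User("bob", "IT", {"it_helpdesk"})
    print("alice reads HR file:", rbac_allows(alice, "read:personnel_file", "HR"))
    print("alice reads IT file:", rbac_allows(alice, "read:personnel_file", "IT"))
    print("bob resets password:", rbac_allows(bob, "reset:password", "HR"))
```

Because the decision is made from roles rather than from individual user entries, removing a role from a user, or a permission from a role, takes effect everywhere at once; that is the administrative benefit the text alludes to.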

Rule Based Access Control

With Rule Based Access Control, access is determined by a set of rules defined by the organization. These rules can determine who may access resources, and when and from where they may be accessed. For example, access to files containing sensitive data might be allowed only during working hours. This prevents malicious actors from performing file manipulations outside the window of normal operation, when there may not be someone or something monitoring for changes.
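An added example (not from the original article) of the working-hours rule above, generalised to a small rule engine in Python: each rule is an effect, a predicate over the request and a reason, deny rules are evaluated first, and a request that matches no allow rule is denied by default. The working-hours window, the office network range and the sensitive path prefix are assumed values chosen for the example.

```python
import ipaddress
from datetime import datetime, time

# Assumed organisational parameters (constructed for this example).
WORKING_HOURS = (time(8, 0), time(18, 0))
OFFICE_NETWORK = ipaddress.ip_network("10.0.0.0/8")
SENSITIVE_PREFIX = "/finance/"


def request(action, resource, when_iso, source_ip):
    """Build a request record; `when_iso` is an ISO-8601 local timestamp."""
    return {"action": action, "resource": resource,
            "when": datetime.fromisoformat(when_iso), "source_ip": source_ip}


def during_working_hours(req):
    when = req["when"]
    return when.weekday() < 5 and WORKING_HOURS[0] <= when.time() < WORKING_HOURS[1]


def from_office_network(req):
    return ipaddress.ip_address(req["source_ip"]) in OFFICE_NETWORK


def is_sensitive(req):
    return req["resource"].startswith(SENSITIVE_PREFIX)


# (effect, predicate, reason). Deny rules restrict sensitive data by time and
# network; allow rules say what is otherwise permitted.
RULES = [
    ("deny", lambda r: is_sensitive(r) and not during_working_hours(r),
     "sensitive data may only be accessed during working hours"),
    ("deny", lambda r: is_sensitive(r) and not from_office_network(r),
     "sensitive data may only be accessed from the office network"),
    ("allow", lambda r: r["action"] == "read",
     "reads are permitted"),
    ("allow", lambda r: r["action"] == "write" and during_working_hours(r),
     "writes are permitted during working hours"),
]


def evaluate(req):
    """Deny-overrides evaluation. Returns (allowed, reason) so that the
    reason can be logged with the decision."""
    for effect, predicate, reason in RULES:
        if effect == "deny" and predicate(req):
            return False, reason
    for effect, predicate, reason in RULES:
        if effect == "allow" and predicate(req):
            return True, reason
    return False, "no rule matched (default deny)"


if __name__ == "__main__":
    print(evaluate(request("read", "/finance/q3.xlsx", "2024-03-05T10:00", "10.1.2.3")))
    print(evaluate(request("read", "/finance/q3.xlsx", "2024-03-05T22:00", "10.1.2.3")))
```

Returning the matched reason alongside the decision is what makes an out-of-hours attempt on sensitive data visible in logs, which is the monitoring gap the text describes.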

Mandatory Based Access Control

This method dictates that access to resources is strictly controlled; in fact, it is the strictest of the controls. Control is performed by a central authority. Labels are assigned to data that set its classification, and those labels determine who has access to the data. This is a common scheme in government, both military and civilian. A system-wide policy determines who is allowed to have access, and unlike discretionary access control, this policy cannot be changed by an individual user. Using a system like this also allows a court access to records without the individual's permission, as long as the system administrator is willing to make such deviations in the model.

Discretionary Access Control

Discretionary Access Control is where an individual user sets the access control for other individuals as they desire, either allowing or denying access. Access is controlled by the owner of the resource and is granted and revoked at the discretion of the owner. This is commonly seen with files created by individuals. The disadvantage of this method is the same as its benefit: it allows the user to control the access policy on their data.
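The following added example (not code from the original article) puts the mandatory and discretionary sections side by side in Python. The MAC store compares an ordered classification label against a subject's clearance and exposes no user-facing way to relabel data, only the central authority can; the DAC store lets an object's owner, and only the owner, grant and revoke access to others. The classification levels, object names and subjects are constructed for illustration, and the read check is a simplification (clearance must be at least the label).

```python
# Ordered classification levels (constructed for this example).
LEVELS = {"unclassified": 0, "confidential": 1, "secret": 2, "top_secret": 3}


class MacStore:
    """Mandatory access control: labels and clearances are set centrally."""

    def __init__(self):
        self._labels = {}        # object -> classification label
        self._clearances = {}    # subject -> clearance level

    # These two operations model the central authority. There is deliberately
    # no operation a user can call to relabel data or raise a clearance.
    def authority_label(self, obj, level):
        self._labels[obj] = level

    def authority_clear(self, subject, level):
        self._clearances[subject] = level

    def can_read(self, subject, obj):
        label = self._labels.get(obj)
        if label is None:
            return False   # unlabelled data is never released
        clearance = self._clearances.get(subject, "unclassified")
        return LEVELS[clearance] >= LEVELS[label]


class DacStore:
    """Discretionary access control: the object's owner decides."""

    def __init__(self):
        self._owner = {}   # object -> owner
        self._acl = {}     # object -> {subject: set of actions}

    def create(self, owner, obj):
        self._owner[obj] = owner
        self._acl[obj] = {owner: {"read", "write"}}

    def grant(self, actor, obj, subject, action):
        """Only the owner may extend access; returns False otherwise."""
        if self._owner.get(obj) != actor:
            return False
        self._acl[obj].setdefault(subject, set()).add(action)
        return True

    def revoke(self, actor, obj, subject, action):
        """Only the owner may withdraw access; returns False otherwise."""
        if self._owner.get(obj) != actor:
            return False
        self._acl[obj].get(subject, set()).discard(action)
        return True

    def allows(self, subject, obj, action):
        return action in self._acl.get(obj, {}).get(subject, set())


if __name__ == "__main__":
    mac = MacStore()
    mac.authority_label("/docs/plan", "secret")
    mac.authority_clear("alice", "secret")
    mac.authority_clear("bob", "confidential")
    print("MAC alice:", mac.can_read("alice", "/docs/plan"), "bob:", mac.can_read("bob", "/docs/plan"))
    dac = DacStore()
    dac.create("bob", "/home/bob/notes")
    dac.grant("bob", "/home/bob/notes", "alice", "read")
    print("DAC alice reads bob's notes:", dac.allows("alice", "/home/bob/notes", "read"))
```

The contrast the text draws is visible in the API surface: in the DAC store a user who owns a file can hand it to anyone, which is both the convenience and the risk, while in the MAC store the same user has no call available that would widen access.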

Attribute Based Access Control

Attribute Based Access Control (ABAC) is often called "next generation"; although it has been around for a while, it is just now being formally defined. Unlike RBAC, which has defined roles, ABAC uses attributes to define access. Attributes can be anything, ranging from security clearance to age or eye color. They can be just about anything about anyone, and can include roles.
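An added example, not from the original article, showing ABAC evaluation in Python. Policies are predicates over three attribute bags (subject, resource, environment); a role is just another subject attribute, and a missing attribute makes a policy not apply, so an incomplete profile fails closed. The policies, attribute names and sample records are constructed for illustration.

```python
# Constructed ABAC policies: each entry applies to one action and holds a
# predicate over (subject, resource, environment) attribute dictionaries.
POLICIES = [
    {
        "name": "ward staff may read records of patients on their own ward",
        "action": "read",
        "match": lambda s, r, e: (r["type"] == "medical_record"
                                  and s.get("clearance") == "medical"
                                  and r.get("ward") == s.get("ward")),
    },
    {
        "name": "attending physicians may read any record while on shift",
        "action": "read",
        "match": lambda s, r, e: (r["type"] == "medical_record"
                                  and "physician" in s.get("roles", ())
                                  and e.get("on_shift") is True),
    },
    {
        "name": "a patient may read their own record",
        "action": "read",
        "match": lambda s, r, e: (r["type"] == "medical_record"
                                  and r.get("patient_id") == s.get("id")),
    },
]


def abac_allows(action, subject, resource, environment):
    """Return the names of the policies that permit the request; an empty
    list means deny. A KeyError inside a predicate means a required
    attribute is absent, so that policy simply does not match."""
    matched = []
    for policy in POLICIES:
        if policy["action"] != action:
            continue
        try:
            if policy["match"](subject, resource, environment):
                matched.append(policy["name"])
        except KeyError:
            continue
    return matched


if __name__ == "__main__":
    record = {"type": "medical_record", "ward": "A", "patient_id": "p-42"}
    nurse = {"id": "u-1", "clearance": "medical", "ward": "A", "roles": ("nurse",)}
    physician = {"id": "u-2", "roles": ("physician",)}
    print(abac_allows("read", nurse, record, {}))
    print(abac_allows("read", physician, record, {"on_shift": False}))
```

Note how the same resource is reachable through three unrelated attribute combinations (ward membership, a role plus an environmental fact, and identity). Expressing that in pure RBAC would require a role per ward and per patient, which is the flexibility the text credits to ABAC.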

Conclusion

When it comes to access controls, no one method is superior to another. Each of the four methods has its ups and downs. Discretionary access control works best with an individual or a small group of users and their files. Mandatory access control works best when dealing with files of stringent classification, as found in the military. Rule based and role based are best for defined sets or organizations with clearly separated responsibilities.