There are many different types of access control systems for commercial buildings and businesses, but not all systems will be the right fit, depending on the size of the deployment, the number of users and entries, and the level of security required. For example, a single office inside a commercial building will need very different security controls than a hospital or large warehouse facility. So, how do you know which access control system is best for your space?

Access control systems fall under one of these three types of access control models, which determine how access permissions are assigned and controlled within the organization:

Discretionary access control (DAC)

Discretionary access control is the least restrictive, and therefore the least recommended, type of access control for commercial and business security. The DAC model gives business owners, rather than security experts, control over access rights and permissions for all users. Unless the business owner is well-versed in security policies and best practices, DAC is not the best type of access control model.

Mandatory access control (MAC)

This type of access control is best suited for organizations that require high security and confidentiality. Within a MAC paradigm, one person, such as a Chief Security Officer, is given authority to establish access guidelines and assign permissions for the entire organization. Mandatory access control gives the administrator sole discretion over access permissions and security clearance.

Role based access control (RBAC)

A role based access control paradigm defines permissions by roles assigned to users in the system.
Within a business setting, access privileges are often based on employment status and job title, such as allowing management full building access, while contractors or employees from a specific department will only have access to the spaces they need to do their work. RBAC is a user-friendly model, and allows administrators to group users and adjust permissions from a central database. RBAC systems usually employ the principles of least privilege and separation of privilege, where users are compartmentalized and given the minimum level of access required to perform their job.
Access control is a part of everyday life and is also an integral component of IT and data security for businesses. It’s a broad term that describes a variety of ways to control who has access to your organization’s resources. In addition to giving you greater control over your network, data, website, or other sensitive systems or assets, access controls also help you stay compliant with various industry standards and regulations. By restricting access to sensitive systems or data, you’re limiting the potential risks associated with data exposure. For example, if fewer people have access to your customer database, it’s less likely that the database will be exposed through credential compromise or insider threats.
But what is access control? What are the different types of access control systems and models, and how do they work? And what are some of the challenges of implementing access control for businesses? Let’s hash it out.

What Is Access Control? Definition & Meaning in Security

In the most basic sense, access control in information security is about determining who gets access to what stuff (files, directories, applications, etc.). For example, if I access our company’s file server, I can see documents related to marketing. Someone in our Finance department, on the other hand, would be able to review financial documents. But someone external to the company wouldn’t be able to access any of these things. All of these things are possible thanks to access controls that determine who can access what. Looking for a more technical definition? Access control is a broad term that describes policies and methods that ensure only verified individuals can physically or virtually touch items that they have permission to access. This process involves restricting access or granting permissions that allow someone to do something to a protected item. This includes having permissions to do any of the following to protected items (digital or physical resources):
For longtime IT cybersecurity expert Greg Scott, access controls typically boil down to understanding the relationship between two specific terms: subjects and objects.
In this understanding, objects could be resources that you want to protect from unauthorized access, use, or disclosure. And the subject is the user (or group of users or even non-person entities such as applications or services) that the access controls apply to. So, access controls (in a more technical sense) are the tools, policies, models, and mechanisms that enable you to grant or restrict access to your organization’s digital or physical resources. This includes everything from restricting or granting access to specific files and databases to IT systems and physical locations. If you look at the definitions of access control on the National Institute of Standards and Technology (NIST) website, you’ll see a lot of variations. However, they all basically mean the same thing in a roundabout way: access control is a way for you to ensure that only the individuals (or groups) you choose have access to your sensitive data, applications, technologies, and critical infrastructure. Basically, these types of physical and logical restrictions prevent unauthorized individuals from doing things they shouldn’t with your sensitive systems or data. Furthermore, they also help to prevent inadvertent exposure or disclosure of sensitive items.

Where Authorization and Authentication Fit Into the Picture

Authentication and authorization are key components of information security, cybersecurity, and access control. They’re also integral to identity and access management.
So, let’s consider an example. Let’s say I want to access one of my company’s intranet sites to access some marketing related files.
Types of Access Control Systems

Access control systems can be logical or physical in nature and fall within three sub-categories:
Does your organization require your employees to use an ID badge to access specific areas, such as your server room? That’s an example of physical access control because it prevents just anyone from meandering in. An example of administrative access control is limiting which of your employees — or groups of employees — can make changes to specific files. A technical form of access control would be limiting which IP addresses (or ranges of IP addresses) can access your network through your firewall. For example, here at The SSL Store, only certain individuals can access our customer records. Same with our blog — not everyone has or needs access to add, modify, or delete posts on Hashed Out. (I feel lucky enough to be among the chosen few.) If everyone could access all of our systems, it could spell disaster in the event of credential compromise or an employee being swayed by the power of the Dark Side (as Obi-Wan would say). Some examples of virtual and physical access control systems include:
While access controls may seem inconvenient or cumbersome, they’re integral to the security of your organization. They can help to prevent your sensitive data from being exposed as the result of human error or an employee going rogue by limiting who has access to it.

Access Control Lists

An access control list, much like the name would imply, is a list of privileges or permissions that authorize or deny access for specific people or groups to specific objects. ACLs consist of various access control entries (ACEs), which specify the subject and any privileges they have for specific objects. ACLs serve different functions in terms of how and where they’re used and are central to several different access control models — we’ll speak more to those shortly. In the meantime, here are just a few quick examples of common access control lists:
How Access Controls Come Into Play Within Your Organization

Access controls can be implemented through multiple avenues. Let’s consider a few examples of access control that your organization might already be using.

File-Sharing Platforms like SharePoint and Google Docs

If you use these types of file-sharing platforms, then you’re already familiar with this type of access control. Whenever you create or share a document, you can choose to either keep control to yourself or give permissions to view or modify the document as a viewer, commenter, or editor. Think about the last time someone sent you a link to their Google Doc file. This frequently happens for us when we’re working with guest contributors. We’ll receive a link to a Google Doc file that we don’t have access to, so we’ll have to request access to gain permission to see and edit it.

Windows Active Directory

We’ll use Windows Active Directory as our next example. You can set up folder permissions for groups and individuals in Active Directory:

[Screenshot: Active Directory user and group permissions. The image has been edited to remove sensitive information.]

These permissions can be set for specific objects or groups of objects.

Linux Access Controls

Don’t worry, penguin fans; you can also use access controls for Linux filesystems. This process involves the use of Linux ACLs to grant permissions to one of three categories: users, groups, or others. The level of access that each of these permission categories can have includes read, write, and execute. Now, I’m not going to go into the specifics here about how to set up Linux ACLs. But you’re welcome to check out this great resource from RedHat that goes over setting up a basic ACL using Linux.

WordPress Access Controls

In WordPress, you also have the option of implementing access control. Think of the different access control settings in WordPress.
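As an added example (not code from the original post or from Red Hat's guide), here is a small Python evaluator for the user, group and other entries with read, write and execute bits that the Linux ACL section describes; it is also the owner-managed ACL mechanism behind the DAC model. The ACL text, file name and user names are constructed, and it follows the POSIX ACL rule that named-user and group entries are limited by the mask entry while the owner and other entries are not.

```python
from typing import Set

# Constructed sample in getfacl's output format: alice owns the file, bob gets
# read via a named-user entry, the auditors group gets r-x, but the mask caps
# every named-user and group entry at r--.
ACL_TEXT = """\
# file: payroll.xlsx
# owner: alice
# group: finance
user::rw-
user:bob:r--
group::r--
group:auditors:r-x
mask::r--
other::---
"""

def parse_acl(text: str) -> dict:
    """Parse getfacl-style text into {'owner', 'group', 'user', 'users',
    'group_obj', 'groups', 'mask', 'other'}; '-' means the bit is absent."""
    acl: dict = {"owner": "", "group": "", "user": set(), "users": {},
                 "group_obj": set(), "groups": {}, "mask": None, "other": set()}
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("# owner:") or line.startswith("# group:"):
            acl[line[2:].split(":")[0]] = line.split(":", 1)[1].strip()
        elif not line or line.startswith("#"):
            continue
        else:
            tag, name, mode = line.split(":")
            perms = {c for c in mode if c in "rwx"}
            if name:                       # user:<name>: or group:<name>:
                acl[tag + "s"][name] = perms
            elif tag == "group":           # group:: is the owning group
                acl["group_obj"] = perms
            else:                          # user::, mask::, other::
                acl[tag] = perms
    return acl

def effective_perms(acl: dict, user: str, user_groups: Set[str]) -> Set[str]:
    """POSIX ACL order: owner, named user, owning/named groups, then other.
    Named-user and all group entries are ANDed with the mask; owner and other are not."""
    mask = acl["mask"]
    masked = (lambda p: p & mask) if mask is not None else (lambda p: p)
    if user == acl["owner"]:
        return set(acl["user"])
    if user in acl["users"]:
        return masked(acl["users"][user])
    matches = [acl["group_obj"]] if acl["group"] in user_groups else []
    matches += [p for g, p in acl["groups"].items() if g in user_groups]
    if matches:                            # any matching group entry may grant
        return masked(set().union(*matches))
    return set(acl["other"])
```

Note that carol, a member of auditors, loses execute even though her group entry says r-x, because the mask is the ceiling for every named entry.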
You may give a few users Administrator access, which allows them to give other users access, whereas you may only give some editors Author access. You can also use WordPress plugins like the Advanced Access Manager (AAM) to set more specific, granular access controls. For example, in AAM, you can manage access for any type of role:

4 Access Control Models to Know

There are actually several models or varieties of access control to choose from in information security to determine user access. If you check out other websites’ lists of access controls, you may notice that there are anywhere from two to five main access control categories. Here, we’re just going to go with four and list them alphabetically to make it easy to follow.

1. Discretionary Access Control (DAC)

Discretionary access control enables a file or system owner to control, grant, or limit others’ permissions. For example, think of when you create a Google Sheets spreadsheet in Google Drive. As the file owner, you can choose to grant access to specific individuals to either access, read, or modify the document. You can also set it so that anyone with a link can access the document, or open the document up to the public. DACs, which are commonly used for operating systems, rely upon access control lists (ACLs). These lists generally specify individuals (or groups of individuals) along with their access permission levels. Discretionary access controls are also more flexible and less restrictive than the next type of access control we’re going to talk about. However, they’re also the least secure method because access control is left up to the file or system owner. Of the different access control models we’ll discuss here, DACs are the least restrictive and are commonly used.

2. Mandatory Access Control (MAC)

Unlike DAC, mandatory access control is nondiscretionary and is simply based on the decisions of a central authority such as a security administrator.
The file owners and users themselves have little to no say in who can access their files. MAC relies on labels (such as confidential, secret, top secret, etc.) and clearances to associate any programs or levels of access with users. Documents receive labels that determine which levels of clearance you need to have to access, modify, or disclose them. An administrator can set these levels of access for individuals and groups of users, which the users themselves can’t change. This model of access control is the most restrictive and has been adopted by U.S. government and military organizations to exercise control of sensitive information.

3. Role-Based Access Control (RBAC)

As you can probably guess from the name, role-based access control gives access permissions based on user roles. What I mean by “role” is the functions that an employee performs. Users may have one or more roles and may be assigned one or more permissions as a result. Doing this gives users who have those roles access to the info they need to do their jobs without affording them access to information that they don’t need. RBAC is a broader form of access control than, say, MAC. In Windows, for example, you can use Groups to set RBAC. Let’s say, for example, that you want to grant access to employees’ benefits information to human resources specialists John Doe, Jane Smith and Lois Lane, and HR manager Kermit D. Frog. Rather than having to manually grant access to each person individually, you could instead grant access to the group of human resources specialists and their manager. Since they’re already identified as having specific roles within your organization, they’ll automatically be granted access through this type of RBAC. NIST says that the first formal general-purpose role-based access control model came about in 1992, although the concept of specifying roles and responsibilities has been around since at least the 1970s.
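To make the MAC and RBAC descriptions concrete (both in the overview at the top of the page and in this section), this added Python example, which is not code from the original post, checks a user's clearance against a document label and expands role memberships before deciding on a request. The users, roles, labels and documents are constructed; the clearance check is the simplified "clearance must cover the label" rule the text describes, not the full Bell-LaPadula model.

```python
from typing import Dict, Set, Tuple

# MAC side: an ordered set of sensitivity labels. The administrator assigns a
# clearance to each user and a label to each document; users cannot change either.
LEVELS = {"unclassified": 0, "confidential": 1, "secret": 2, "top secret": 3}
CLEARANCE: Dict[str, str] = {"john.doe": "confidential", "jane.smith": "confidential",
                             "lois.lane": "confidential", "kermit.frog": "secret"}
DOCS: Dict[str, Tuple[str, str]] = {   # document -> (RBAC resource, MAC label)
    "benefits-summary.pdf": ("benefits", "confidential"),
    "executive-comp.xlsx": ("benefits", "secret"),
}

def clearance_covers(user: str, label: str) -> bool:
    """Simplified MAC rule from the text: the user's clearance must be at
    least the document's label to access or modify it."""
    return LEVELS[CLEARANCE.get(user, "unclassified")] >= LEVELS[label]

# RBAC side: permissions hang off roles, roles are granted to users (like
# Windows groups), and a role may inherit another role's permissions.
ROLE_PERMS: Dict[str, Set[str]] = {
    "hr-specialist": {"benefits:read"},
    "hr-manager": {"benefits:write"},
}
ROLE_PARENTS: Dict[str, Set[str]] = {"hr-manager": {"hr-specialist"}}
USER_ROLES: Dict[str, Set[str]] = {
    "john.doe": {"hr-specialist"}, "jane.smith": {"hr-specialist"},
    "lois.lane": {"hr-specialist"}, "kermit.frog": {"hr-manager"},
}

def effective_roles(user: str) -> Set[str]:
    """Expand inherited roles transitively (a cycle-safe walk)."""
    todo, seen = list(USER_ROLES.get(user, ())), set()
    while todo:
        role = todo.pop()
        if role not in seen:
            seen.add(role)
            todo.extend(ROLE_PARENTS.get(role, ()))
    return seen

def rbac_permissions(user: str) -> Set[str]:
    return set().union(*(ROLE_PERMS.get(r, set()) for r in effective_roles(user)))

def decide(user: str, doc: str, action: str) -> str:
    """Both models must agree: RBAC says whether the role may perform the
    action on that resource type, MAC says whether the clearance covers the
    document's label. Returns the decision with its reason."""
    resource, label = DOCS[doc]
    if f"{resource}:{action}" not in rbac_permissions(user):
        return "deny: role lacks permission"
    if not clearance_covers(user, label):
        return "deny: clearance below document label"
    return "allow"
```

The interesting case is John Doe reading executive-comp.xlsx: his HR specialist role permits benefits reads, but his confidential clearance does not cover a secret document, so MAC still denies it.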
There have been several variations of the RBAC model that incorporate varying levels of hierarchy — from partially-defined to fully-defined hierarchy. A unified standard was adopted by the International Community for Information Technology Standards (INCITS) as ANSI INCITS 359-2004 in 2004.

4. Attribute-Based Access Control (ABAC)

The next type of access model is known as attribute-based access control (ABAC). According to NIST:
ABAC helps us to link people or groups with the types of data that they can use within specific parameters. It supports the use of Boolean logic to create more granular policies that are also more flexible. Attributes are specific characteristics or specifications that are applied to either subjects (subject attributes) or objects (object attributes). Some examples of subject attributes include management levels, employee IDs, and organizational roles. Some examples of how you can use this type of access control include:
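As an added example that is not part of the original post, here is a Python policy evaluator in the ABAC style described above: each rule is a Boolean condition over subject attributes (management level, employee ID, roles), object attributes and the request context, evaluated first match wins with a default deny. All attribute names, users and records are constructed.

```python
from dataclasses import dataclass
from typing import Callable, Dict, List, Tuple

Attrs = Dict[str, object]

@dataclass
class Rule:
    name: str
    effect: str                                   # "permit" or "deny"
    when: Callable[[Attrs, Attrs, Attrs], bool]   # (subject, object, context)

# Constructed policy. Rules are evaluated in order, first match wins, and a
# request no rule matches is denied.
POLICY: List[Rule] = [
    Rule("inactive employees get nothing", "deny",
         lambda s, o, c: s.get("employment_status") != "active"),
    Rule("employees may read their own record", "permit",
         lambda s, o, c: c["action"] == "read"
         and s.get("employee_id") == o.get("subject_employee_id")),
    Rule("HR roles read HR records from the corporate network in business hours", "permit",
         lambda s, o, c: c["action"] == "read" and "hr" in s.get("roles", ())
         and o.get("department") == "hr" and c.get("network") == "corporate"
         and 8 <= c.get("hour", -1) < 18),
    Rule("level-3+ managers modify records of their own department", "permit",
         lambda s, o, c: c["action"] in ("read", "write")
         and s.get("management_level", 0) >= 3
         and s.get("department") == o.get("department")),
]

def evaluate(subject: Attrs, obj: Attrs, context: Attrs) -> Tuple[str, str]:
    """Return (effect, rule name) for the first matching rule, default deny."""
    for rule in POLICY:
        if rule.when(subject, obj, context):
            return rule.effect, rule.name
    return "deny", "default deny: no rule matched"

# Constructed subjects, object and request contexts.
JANE = {"employee_id": "E102", "employment_status": "active", "roles": {"hr"},
        "department": "hr", "management_level": 1}
KERMIT = {"employee_id": "E007", "employment_status": "active", "roles": {"hr"},
          "department": "hr", "management_level": 3}
FORMER = {"employee_id": "E050", "employment_status": "terminated", "roles": {"hr"},
          "department": "hr", "management_level": 2}
BENEFITS_RECORD = {"department": "hr", "subject_employee_id": "E300",
                   "classification": "confidential"}

def office_hours(action: str) -> Attrs:
    return {"action": action, "network": "corporate", "hour": 10}

def late_vpn(action: str) -> Attrs:
    return {"action": action, "network": "vpn", "hour": 23}
```

The same HR specialist is permitted during office hours on the corporate network and denied at 23:00 over VPN, which is the kind of context-sensitive decision RBAC alone cannot express.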
Why Access Controls Matter Regarding Data Security & Compliance

Whether you’re a small business or a large organization, controlling access to your data or physical infrastructure is integral to security. Scott says that strong access controls are important for all organizations, regardless of size. They help them to:
Scott calls out the importance of DACs in particular:
What some people may not realize is that permissions and access controls are central to several industry data privacy-related regulations. For example:
Of course, this isn’t a comprehensive list. There are other data privacy and encryption laws that call out restricting access. But this brief list at least gives you an idea about some of the types of regulatory compliance concerns that your business faces.

Access Controls Are Central to Zero-Trust Security

Maintaining strict access controls is also essential to the concept of zero-trust security. That’s because the zero-trust model requires users to have authorization and to authenticate themselves before they can access or modify any systems or data — and they must continue to do so to maintain said access. Basically, the idea here is that everything is treated as being suspicious — even when it’s something that’s coming from inside your network. Check Point’s 2020 Cyber Security Report underscores the importance of access control as part of a zero-trust network:
The Challenges of Controlling Access for Organizations & Businesses

Access control systems are critical to your organization’s information security and cybersecurity overall. But when restrictions and permissions aren’t implemented well, and if these controls aren’t regularly maintained, then it can be disastrous for your business. So, what are the challenges for managing access for businesses large and small?

There’s a Perception That Access Controls Limit Efficiency

Considering that access controls are among the most basic ways to protect your data and property, it might come as a surprise that some organizations are resistant to doing so. Why? The answer often comes down to human nature. People are frequently resistant to change. They also prefer for things to be convenient and to have fewer steps involved to accomplish a task. Basically, it’s just human nature. For example, people frequently reuse or recycle their passwords across multiple accounts. But this can lead to issues considering that Verizon’s 2020 Data Breach Incident Report (DBIR) shares that 37% of data breaches resulted from the use of stolen or compromised credentials. Scott says that the callous mindset toward access restrictions can often be found at all levels of organizations:
Flexibility & Consistency Are Key to Monitoring & Managing Access Controls

Traditionally, access control processes were static. But for modern access controls to be effective, they need to be flexible in their capabilities and consistently supported. Administrators need to continually monitor them to identify any potential security holes or non-compliance concerns, too. For example, there should be a procedure in place for terminating access for employees who leave your organization. Whether they quit, get laid off, or get fired, you don’t want someone to have access to things they shouldn’t.

Final Thoughts on Access Control Systems, Lists, and Models

I hope that this article has given you a better idea of what access controls are and the roles they play in information security. There’s a lot to know when it comes to access controls, and our intention with this piece was to provide you with a greater overall understanding of access control systems and how they work without getting too technical. Access controls can be physical, technical, or administrative in nature. But what makes information access control systems especially valuable for businesses is that they give you greater control over your data. Just how you go about doing so depends on the method you choose:
Be sure to share your insights regarding effective access control systems and implementations in the comments below.

***

This is a Security Bloggers Network syndicated blog from Hashed Out by The SSL Store™ authored by Casey Crane. Read the original post at: https://www.thesslstore.com/blog/the-role-of-access-control-in-information-security/