What is Access Control?
Businesses and organizations these days need to make sure that they are keeping their data and assets safe from harm, whether it is intentional or accidental. Not all users or actions need a specific level of access to a company's system or resources.
Access control is one of the best ways to control and assess who or what kind of a system can access the organization's assets. This restriction might not sound important and like extra overhead, but the ability to control access is a necessary layer of security for any organization.
In today's digital and security context, controlling the ability to interact with organization systems will help prevent security incidents. Not only do you need to manage and maintain access control for your digital assets, but you also need to ensure that your physical infrastructure is secure.
What does Access Control Mean?
Access control, as the name suggests, is a way of figuring out who or what kind of system can have access to different physical or digital resources or even to other systems. In the domain of computing, access control is a procedure that users are passed through to figure out if they are permitted to access different computer systems, organizational assets, resources, or data.
In any access control system, a permitted user needs to have the right credentials before they have access to any system or data. Physical access control is not too different in the fact that the required credentials can be in the form of different cards or keys.
There are innovations in security in those secure methods for access control like two-factor authentication that have become relatively commonplace. Any user who wants to access a system needs to show valid and authorized credentials and a second factor to confirm that the identity is permitted.
How Does Access Control Work?
Access control systems work in a very straightforward way as compared to other security measures or cybersecurity concepts. Sure, the internal mechanism of granting access might be different depending on the scenario or the underlying technology that is used, but overall the concept and working of access control is quite straightforward.
Some of the basic working that any access control system would be using include first of all submitting the right credentials to any reader (possibly a human or even a computer system) that sends the credentials to be verified by a control panel. The control panel will then be able to figure out whether the credentials submitted by a user match those in the system's database. If the credentials the user submits match the credentials present in the system, the control panel proceeds to send a signal to grant access to the user. The user will then be able to access the system or information present.
1. Physical Access Control
Physical access control can be thought of as a mechanical form of control. Think of them as a card that you use to enter a room.
The most common places where you will find physical access controls are at institutions where there is either a lot of foot traffic or there is a particular need to control access to information and systems like at military installations, healthcare facilities, governmental offices, data storage centers or any other area where there is a need to limit access to information.
Physical access control might not be the first thing that comes to mind in the context of digital security, but it does play an integral role in making sure that the organization and its assets are protected from any malicious actors. An initial investment in physical access control is going to be cost-intensive, but the payback is going to be worth it.
One thing that you should keep in mind while making a differentiation between physical and logical access control is that the line is often blurred and can be confusing to categorize different elements or components.
2. Logical Access Control
Logical access controls can be conceptualized as tools and software-based protocols that are mainly used for recognition, authentication, clearance, and accountability mainly in computer systems.
Logical access has become a necessity for remote access of different organizational assets like hardware.
Logical access controls help to put in place access control measures for different computer systems, software, processes, and access to data. The logical access controls can be and in a lot of cases are embedded within different operating systems, software apps, or databases.
What Does Access Control Do?
Any kind of access control can be deployed and be centrally administered. As with many other systems, there are different tiers for access controls that are dependent upon the person, data being accessed, or physical locations which may be different depending on the business needs. The outcome of an access control system is that only authorized people will be able to view, access, or utilize the information, areas, and systems they need for and are allowed to.
Access control systems are by design made flexible to accommodate specific business needs and are quite easily changed or updated by staff with administrator-level rights.
Why is Access Control Important?
Access control is incredibly important since it is a valuable security asset and method that can be used to streamline who or what kind of a system can view or use any given asset or resource. The true importance of access control has never been more prominent than today when a company's secrets and private information can be at risk to different hackers and other people who want to take advantage of any situation.
The ultimate objective of access control is to make sure that an organization's assets including information or hardware or even location are safe from harm and that a certain level of security is in place. This helps minimize security risks to businesses or even larger enterprises by helping to keep physical locations, information, and teammates safe.
In modern practice, it is not completely unheard of practice of keeping information under the wraps. Access to information within some organizations depending on the industry can be incredibly restrictive, which makes information silos a popular option for businesses.
While an unrelenting focus on organizational security and privacy is a modern need to ensure the safeguarding of business data and to meet all kinds of data protection legislation and laws, there is also a need for balance in terms of making things accessible to authorized users.
What types of Access Control?
As previously discussed there can be several ways to control access to any system. This ultimately depends on the need for security and the priority put in place when it comes to safeguarding a particular organizational asset.
There can be different types of access control methodologies that move towards a common goal of providing a level of security and control when it comes to who can access data. The only difference will be in the thought process behind limiting access and the method used to prevent unwanted users or systems from gaining access.
Here are some of the different types of access controls that you should know about:
Figure 1. What types of Access Control?
1. Discretionary Access Control
Discretionary access control (DAC) is a popular type of access control that gives or limits the object access through an access policy that is determined and conceived by an object's owning party which may or may not include subjects.
Discretionary access control mechanism controls are listed by user identification through stored credentials during the authentication process, such as the username and the user's password. Discretionary access controls can be thought of as discretionary since the subject which is the owner can transfer objects or data that has been authenticated to other users.
In discretionary access control, every system object which may be a data object or any sort of file has an owner associated with it, and every initial object owner is the acting part that creates the object. So we can correctly think that an object's access policy is thought of by its owner or owning part.
Discretionary access control has several attributes that include giving the user the ability to transfer object ownership to another user or a single user. The user can also analyze and determine the access type of other users. After several failed attempts, authorization failures prevent user access. Unauthorized users are not able to view object characteristics.
2. Rule-based Access Control
Rule-Based Access Control (RBAC) allows the owners of a system to truly personalize the kind of privileges and access a user has based on their position in the organizational hierarchy.
Users can be bunched up into roles depending on their needs of access and responsibilities within an organization as this often helps evaluate whether a user needs certain system access. Access can be granted to each user once their need for access has been assessed. One option can be to put in place strict access requirements for all roles which help to make managing access easy for administrators.
Rule-based access control focuses on the rules linked with the information's access or restrictions. These rules can be in the form of parameters, such as granting access only from particular IPs, rejecting access requests from certain IP addresses that may belong to an ISP or a region.
In a more specific scenario, access from a specific IP address or location can be allowed unless it comes via a specific port like the FTP. These kinds of specific rules prevent cybercriminals and other bad actors from gaining access to an information system even if hackers can find a way to get to the network.
3. Attribute-based Access Control (ABAC)
Attribute-based access control (ABAC) can be described as an access control type in which access rights are given to different users by utilizing policies and attributes collectively. The multiple policies can use any kind of attribute that may include user attributes, objects, resource attributes, etc.). This type of access control supports Boolean logic, where rules come in the form of if or then logic statements which help define what kind of user is making the request and gaining access to the specific resource, and the action being taken.
In contrast to role-based access control (RBAC), which employs already defined roles that have with them a specific set of privileges that are associated with them and to which subjects are given access, the key difference with ABAC is the mindset that policies get to express a complex Boolean rule group that can go through many varying attributes. Attribute values can be atomic-valued, also called set-valued. Atomic-valued attributes can contain more than one atomic value.
Although the concept of attribute-based access control itself has been in practice for several years, ABAC is thought of as a new sort of authorization model since it can provide dynamic, context-dependent, and risk-intelligent access control to assets allowing access control policies that have particular attributes from several information systems.
4. Role-based Access Control (RBAC)
Role-based access control (RBAC) is a type of access control that restricts network access depending on a user's role within an organization. Recently the role-based access control has become a very popular method for relatively advanced access control. The roles in RBAC mean the levels of access that employees have to the resources particularly networks.
Users are only permitted to access data and assets necessary to effectively do their jobs. Access can be based on a variety of factors namely authority, position with the organization, responsibility, and job competency.
5. Mandatory Access Control (MAC)
Mandatory access control (MAC) is a type of access control that is used by the OS or databases to limit the ability of a subject or a user to access or carry out any operation on an object. MAC-enabled systems allow administrators who are the ones making up the policy to implement enterprise-level security policies.
Under MAC, users cannot override or change policies set by the admins, either accidentally or with a purpose. This gives security administrators the ability to compose a central policy that is bound under all expected circumstances to be enforced for every user of the system.
What are the Components of Access Control?
Access control consists of many components that make it an effective security strategy. To make sure that access control is effective, there is a need to ensure that all of its components are looked after within an access control policy.
If any component within access control is not up to the mark, it can compromise and become a problem for the whole access control system set in place. This is why any access control policy or system needs to have all of its components in line with the needs of the business and should not compromise other aspects of access control.
Authorization is described as a component that allows a system or takes away the privilege to access some data or perform a specific action. Oftentimes, a user needs to log in before they can use a system through any means of authentication.
Authorization is one of the critical components in access control given how it is incredibly important within certain kinds of access controls that depend on authorization levels like role-based access control.
Without effective authorization protocols in place, many access control systems would be pointless since they would not be able to give enough access to relevant people within an organization to do their job effectively.
Access is one of the most important components within access control (a pretty obvious fact). To be able to use resources to view or use data, a user will need access to that data.
Within the context of access control, understanding what kind of a user will have access to certain data is vital to ensuring that any and every user has the proper access. Coming up with relevant policies for granting access is then the responsibility of the administrators to figure out and enforce.
Managing the policies set by the administrators of the access control policies will be critical in ensuring that a baseline of security is maintained and that users are limited to what they can do or extract from a particular system.
The management of access control systems depends on several things. The most important is the type of access control being enforced by the organization. As an example, role-based access control can be easier to manage if there is stricter enforcement and allocation of access based on different roles within the organization.
Regardless of the kind of access control you choose for your organization, knowing how to manage it effectively is going to be a critical part of limiting access to success.
Auditing within the context of access control can be described as the component that is responsible for event tracking and reviewing, access, errors, and authentication tries on a particular system.
To make sure that an access control system is ready to be updated and is not at the mercy of a catastrophic event to trigger a change, auditing regularly becomes essential. Auditing and keeping track of the performance of access control is going to be a core concern for organizations and how they plan to keep their information or other assets and resources safe.
Authentication is a component within access control that verifies that a particular user is bound to the entity that makes a claim it is the same user. Authentication goes on an assumption that an initial validation of the user's identity. There are quite a few methods of identity proofing that are available, including physical validation to anonymous methods that allow the user applying for access to remain anonymous, but they will be known to the system if they make another attempt.
What is Mandatory Access Control?
Mandatory access control is a method that is used to limit access to assets and other resources depending upon the value and sensitivity of the data that the assets contained in them and the authorization access of a particular user.
The admins are the ones that are in the position to define the sensitivity of the assets by using a security label. The security label is made of a security level and zero or more than zero security categories. The security level shows a level or hierarchical distribution of the data. The security category describes the category that the information belongs to.
Users have the ability or privilege to only access data within an asset that their security labels give them access to. If the specific user's security label does not have the needed authority, the user cannot have access to the data stored within a resource or asset.
What is an Access Control List?
An Access Control List can be thought of as a packet filter that sorts or filters out packets based on a set of rules. A single or multiple rules help to describe the packet matching scenarios like the source and destination address or the port number of packets.
For different packets that match the access control rules listed and managed on a device, the device then can forward or discard these data packets under the policies used by the service module applied to the ACL.
The standard category of access control lists is that it is almost always applicable close to the destination (but there may be some variance). The extended category of access control lists is usually applied closer to the source (but again, there may be some variance). Staff or more specifically admins can only assign a single access control list per interface per protocol in use per direction, meaning that a single inbound and outbound access control list is permitted per interface.
Users can't remove even a single rule from an access control list if they are using a numbered access control list. If there is an attempt to remove even a single rule then the whole ACL has to be removed. If a named access control list is in use then specific rules can be deleted without having to delete the whole list. Every new rule that is added to an access control list needs to be placed at the very bottom of the access control list. This means that before the access control list is implemented, teams must adequately analyze the whole scenario so no surprises are found after the list has been enforced.