Overview of models for access controlLink to this section
Security and access control have never been more important with organizations increasingly moving information to the cloud. But, companies also have to strike a balance between security and ensuring employees have access to everything they need to perform their jobs.
That’s why access control models and policies are in place to control permissions to resources within a company. Each access control model outlines a set of rules and permissions that determine who, when, and how access is granted to a resource.
It’s important to understand how each of the five access control models works to help you make an informed decision about which model is the best fit for your needs.
What are access control models?Link to this section
Access control involves the process of authenticating users based on their credentials to grant them access to a system’s resources. Typically, access control models are used in companies as a way to easily assign and safeguard user permissions to company files and resources.
Access control models are used to protect resources from unauthorized users, ensuring that only authorized users can access resources using pre-authorized and secure methods.
Essentially, an authenticated user is granted permission to access specific computers, files, data, and other software needed to complete their job.
Types of access control modelsLink to this section
There are five main types of access control models. Each model offers a specific set of pros and cons, which means it’s important to understand your options before making your pick.
Role-based access control (RBAC)Link to this section
RBAC grants access based on the role of an employee within an organization. Using RBAC, admins analyze the needs of the user and group them into roles which ensures they are only granted access to records and resources that are relevant to their job.
RBAC is based on the ‘least privilege’ model which aims to reduce the chances of resources getting into the hands of the wrong people. Plus, if security breaches do occur, this model makes it easier to spot intruders.
When using the RBAC model, access can be determined in various ways, including:
- User’s department
- User’s job title
- Work duties associated with the user
- Location of the user
- The level of seniority of the user
- The responsibilities of the user
- Membership in a team
- Level of security clearance
Rule-based access control (RuBAC)Link to this section
Using RuBAC, admins set out predetermined rules regardless of the user’s role in an organization. Admins set a control list for each resource and the access control systems examine the list of prerequisites to grant or deny access.
For example, admins can set timeframes for when resources can be accessed which stops users from accessing data outside of work hours. RuBAC is particularly useful when dealing with confidential resources and is typically used in combination with RBAC. This gives organizations an added layer of security.
Setting controls using the RuBAC models can be determined based on the:
- Time: prohibited access outside of work hours
- Threat: prohibited access if other access points have been compromised
- Seniority: prohibited access to employees without a specified grade or level of experience
Admins can set different rules which can either be static or dynamic
- Static rules: unless the admin decides to change rules based on threats and new security measures, rules don’t change.
- Dynamic rules: here rules can change depending on the environment and context. For example, access can be denied if multiple failed attempts to log in have been made.
- Implicit deny rules: access is denied if users don’t meet the set of predetermined rules and don’t have the right credentials to access a resource.
Discretionary access control (DAC)Link to this section
DAC grants access to resources at the discretion of the resource owner. Access is restricted based on the user’s identity and the resource owner can change who can access the resource and with what authority.
The DAC model can limit the number of people who can access resources, however, it can also pose a threat to company security because the resource owner may not be aware of the security risks when granting access.
Mandatory access control (MAC)Link to this section
The MAC model gives access to resources based on the decision by a security professional who has the authority to set and control who and when someone can access objects.
The MAC model prevents resources from being passed to unauthorized users and is unable to be changed by end users. This model is typically used in organizations with sensitive information and data which requires high-level security.
A classification label is attached to each resource, which can include classifications like confidential, secret, and top secret and users and devices are categorized with similar classifications.
When a user requests access to resources, their credentials are used to decide whether access is granted or denied. Planning and long-term supervision are required when using the MAC model to ensure resources and user classifications are up to date.
Attribute-based access control (ABAC)Link to this section
ABAC grants authorization on the basis of user attributes. Users who don’t meet the set of attributes required to access a resource are denied access. This model allows for the correct resource to be accessed by the right people at the right time.
ABAC is typically used by larger companies that are onboarding new users, giving them flexibility and the ability to scale their teams as the business is rapidly growing without compromising security.
Plus, admins have the ability to adjust attributes and access control policies to meet the needs of an organization which is handy for external users like suppliers and contractors who may need access to resources.
Choosing the right access control model depends on your company’s specific needs and requirements. It’s important to understand how each model works and how it bases authorization and access to resources to ensure you pick the right model that balances security with usability.